Level 11

Chunk Corruption

You must corrupt the heap in order to gain arbitrary control of this program. Do recall, the application is using phkmalloc.

Reading Material

BSD Heap Smashing

Once upon a free()

Advanced Doug Lea's malloc exploits

Exploiting the Wilderness

phkmalloc code

Code listing (level11.c)

 1 #include <stdio.h>
 2 #include <string.h>
 3 
 4 
 5 int main(int argc, char **argv) {
 6         char *p;
 7         char *q;
 8         char *r;
 9         char *s;
10         if (argc < 3)
11         {
12                 exit(0);
13         }
14         p = (char *) malloc(0x800);
15         q = (char *) malloc(0x10);
16         r = (char *) malloc(0x800);
17         strcpy(r , argv[1]);
18         s = (char *) malloc(0x10);
19         strncpy(s , argv[2], 0xf);
20         exit(0);
21 }