Exploit Education Phoenix · heap-two

Heap Lab

Two adjacent heap chunks. strcpy with no bounds check. Walk through the overflow as if you were single-stepping gdb — each byte lands where the allocator put it.

Step 1 of 5: Benign input
16 bytes fit in name[32]; nothing outside the buffer is touched.
Result: SAFE, auth->auth = 0x00000000
Memory view: x/12gx 0x555555559290

gdb session
Heap layout (chunk A, then chunk B; strcpy writes left to right; base 0x555555559290):
  chunk A metadata        16 B
  auth->name[32]          32 B   (strcpy target)
  auth (int + padding)     8 B
  chunk B metadata        16 B
  strdup("owner")         24 B
Legend: metadata · name[32] · auth flag · service · overflowed
The vulnerable source (heap-two.c, simplified)
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct auth {
    char name[32];   /* 32-byte buffer, followed directly by the flag */
    int auth;        /* no code path writes this; only the overflow can */
};

struct auth *auth;
char *service;

int main(int argc, char **argv) {
    if (argc < 3) {
        fprintf(stderr, "usage: %s auth <name>\n", argv[0]);
        return 1;
    }
    auth = malloc(sizeof(*auth));
    memset(auth, 0, sizeof(*auth));
    service = strdup("owner");   /* chunk B, allocated right after auth */

    if (strcmp(argv[1], "auth") == 0) {
        strcpy(auth->name, argv[2]);   /* no bounds check: bytes past 32 land on auth->auth and beyond */
    }
    if (auth->auth) {
        printf("you have logged in already!\n");
    }
    return 0;
}
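A bounds-checked replacement for the strcpy call above, added here as an example and not part of the Phoenix source; set_name(), login_attempt(), try_name_of_length() and the 'A'-filled input are assumed names and constructed data. It also reports where the flag sits relative to the buffer, which is why any byte past the 32nd matters:

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct auth {
    char name[32];
    int auth;
};

/* Byte offset of the flag: the first byte strcpy writes past name[] lands here. */
size_t auth_flag_offset(void) { return offsetof(struct auth, auth); }

/* Bounds-checked stand-in for strcpy(auth->name, argv[2]) (assumed helper, not
   heap-two.c code): refuse what does not fit rather than write onto auth->auth. */
int set_name(struct auth *a, const char *src) {
    size_t n = strlen(src);
    if (n >= sizeof a->name)
        return -1;                 /* would overflow name[32] */
    memcpy(a->name, src, n + 1);   /* n < 32, so the NUL fits as well */
    return 0;
}

/* -1 if the name was rejected, else auth->auth afterwards (0 with set_name()). */
int login_attempt(const char *input) {
    struct auth *a = calloc(1, sizeof *a);
    if (a == NULL)
        return -1;
    int rc = set_name(a, input);
    int flag = a->auth;
    free(a);
    return rc < 0 ? -1 : flag;
}

/* Constructed input of `len` 'A' bytes standing in for argv[2]. */
int try_name_of_length(size_t len) {
    char buf[64];
    if (len >= sizeof buf)
        return -1;
    memset(buf, 'A', len);
    buf[len] = '\0';
    return login_attempt(buf);
}

int main(void) {
    printf("flag at byte %zu; 31->%d 32->%d 40->%d\n", auth_flag_offset(),
           try_name_of_length(31), try_name_of_length(32), try_name_of_length(40));
    return 0;
}
```

A 31-byte name is accepted and the flag stays 0; 32 bytes or more is rejected outright, so the bytes that heap-two lets through to auth->auth never reach memory.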
Phoenix heap-two → CVE-2025-43300

                            Phoenix heap-two                 CVE-2025-43300 (ImageIO)
Vulnerable call             strcpy(auth->name, argv[2])      DNG SamplesPerPixel loop
Attacker-controlled length  argv[2] length                   SamplesPerPixel vs SOF3
Buffer size                 name[32]                         per-component sample buffer
What gets corrupted         Adjacent auth flag               Adjacent heap object / vtable
Outcome                     Authentication bypass            Sandbox RCE
Class                       Linear OOB heap write (CWE-787), in both cases