Andy Novocin: All righty. So I'm almost the same, where I want to start counting down the number of days you have left. You know what it is, last 23, maybe. Yeah. So when I start getting down to double-digit classes left, or, okay, there was always something, that's down to single-digit classes left, then I start thinking: what are the last stories I really want to tell, and things like that, and how do I pack them all in? And I can take it off the rails too, like the questions on the B caps, like 16 or 20, or whatever, things like that, you know. Sorry I got a little grumpy about that stuff. You know, this is because I want you to care, you know, for caring's sake, because there's a grade in between us. You know, it's a grade. It is a stupid transactional thing when you're done. This is mastery, you know. Anyway, I know it is all about the grade at the end of the day, but I don't know, maybe I'd be better off at a liberal arts college or something like that, you know, where you just have a contract that you write with me, like "I'm gonna learn this this semester." Hey? So some of you are done with the class now, right? Like speed runs done, 16-20 PCB is done, whatever, things like that. Yeah. So pick up that request. All right. Well, it's still got 11 left, so, you know, be a good sport and follow along and try and do it anyway. You know. Just set it up through. Oh, hey, we'll be back just for the level. Alright, so I want to do a complete example of what I call our baseline heap exploit. This is it. This is, you know, my approach.
Andy Novocin: This semester is, we've got one exploit we most want to do, and then we want to figure out why it doesn't work in some context, and then tweak it, and things like that, or whatever, and so on, and then start growing in other approaches based on that kind of just-in-time learning. So my goal is to complete a tcache poisoning use-after-free exploit that I'm going to try to do from scratch using the free hook in malloc. So I've only said those out loud; we haven't actually done it, so we're gonna do it. But basically there's this magical target. You hit it, and you can replace it with an instruction pointer of your choice. And that's the third part of a kill chain, right? So our kill chain is: how do I get around address randomization? How do I write what where? And how do I control the instruction pointer? So in this case I'm going to generate my leaks with this kind of use-after-free viewing business, and I'm going to do my write-what-where with the use-after-free editing business, and then I'm gonna target the free hook. Alright. And then we'll start playing around with what goes wrong in other cases. Probably that's enough. That's just the day; I'm just gonna try to do that from scratch. Okay, and basically I already have this problem running on a port, so I'm gonna tackle that one. I'm just not going to use the win function, guys. So this is my normal playground, but I added this check-a-target thing that will pop a shell. I'm just not going to use that. I'm just gonna go after the one I want to go after. So disregard menu item 5, and we're good to go. Okay. Oh, I fixed this. Yeah, look at that. You see that one went from monospace text to serif. Well, that's because I didn't have an end-code tag here. Alright, so here's my plan. We're gonna do the default one on 2.31.
Andy Novocin: That is, we're gonna have to first generate a glibc leak. I'm gonna do that. I'm gonna make a big old chunk, I'm gonna free it and look, and that will be enough. I have to identify where that leak is from, things like that, etc., and use it to find the base of glibc. All right. Then we're going to malloc 2 small chunks of the same size, and our samba, and 3 notes that we're going to now, like. Now I've been s for free. Right? Yeah. So basically, every time we were having a child, my wife never had any drugs or whatever; we used samba music and this kind of meditative back rub thing in order to push through the pain and stuff, you know. So I just got this deep connection to that. Anyway. Alright, sorry, it keeps popping up. Okay. Can you guys, do you know why I'm going to write into a small chunk? So I can use it for a system call. And do I know the address of that chunk? No. I mean, I could if I wanted to, but I don't need to, because I'm going to use the free hook. So if I free it, it knows the address of itself. So I'll know that index 3 has /bin/sh, in other words, which is kind of cool. I was wrestling with that last night when writing it. I was like, oh, do I need to know that? Yeah, I don't think I do. It's just there. That's kind of cool, right? But it's a thing to think out, right, because any of you guys who are in the speed runs now, or whatever, half of the time the thing that's most annoying is there is no /bin/sh. You have to put it somewhere. It has to be an address that you can control or predict, or something like that, because you have to have not /bin/sh in the argument, but an address to /bin/sh on the... but that's a little bit. Okie dokie. And this will be our write-what-where target.
Andy Novocin: We're gonna target the free hook address, and we're going to write the system address to the free hook and try to call system on /bin/sh by actually calling free on the chunk that has /bin/sh in it. That's our goal. Just kind of like the GOT overwrite where it thought it was doing puts but it actually did system. Here it's going to think that it's doing free, but it actually does system. And what's in the chunk that I'm going to free? /bin/sh is written there. So it just is the argument to system, which is cool. Okay, you with me on the plan? All right. Let's try to pull it off. Now, there's one extra thing. So in theory, some of you think you could do that if you ever messed with the free hook before. You had almost a question, right? This is something completely new. This is my badass starter script, and my badass starter script is kind of, if I'm going after a heap, this is what I copy and paste in at the beginning to start doing stuff. In particular, this is pretty cool to do: GDB, setting all the breakpoints and stuff, or whatever, that I want, or, you know, being able to do my thing, splitting it into 2 windows. So I've got Python on one side and GDB on the other side, using tmux, which is something we haven't done before. But what I've done as my fake tmux is just spin up 2 terminals every time. And so tmux is the terminal multiplexer, and all it does is let you hit Ctrl-B and some magic things, and split your terminal, like your one terminal, into seemingly 2 terminals, or 3 terminals, or whatever. And so you can have little windows scattered about, things like that. I mean, I'll just show you in real life. But "tmux demo", any image. Yeah. So you take your terminal and you turn it into 4 terminals or whatever.
Andy Novocin: That's what tmux does. So I'm going to show you how to do that, and I'll probably fart around with it, because, you know, I've dusted off, and every time you do deep stuff this time of year, whatever, and so we'll see if I'm not rusty on my tmux. I try to do this without over-preparing, so that you've got the thought process of the whole exploit. Hopefully that's interesting, you know, things like that. But the body language yesterday, on Monday, it was like, you know, kind of bored, or whatever, things like that, so, like, I don't know, maybe. Do you guys feel like, with tcache poisoning, "I think I get it. I'm ready for the next exploit"? Is that kind of where you are? Okay, I'm ready for the next set of it. Cool, fine, as long as you're getting tmux, cool. Alright. So we'll do that. Free hook is new, but free hook and malloc hook, that's new. That's a great target all the way up until glibc 2.34, and then after that you have to get really complex. I'll show you the complexity if you want. But yeah, it's very painful. All right. Here we go. Let me take the actual binary running on the actual thing, sec dot prof dot ninja slash ctf, and I'm basically just taking this tcache zip at that exact place. I just won't use the win function. All right. Here we go, in class, cheese. By the way, that little flaw: I've started to name the URLs and websites that I host based on my ability to tab-complete the entire URL, you know. It's poisoning me. Okay, so let's double check that this thing just works. It's pre-patched, so that's cool. I'm just gonna do everything about 5, 1, 2, 4, or what we're after. We want to make little guys and say hi, and that kind of thing, etc.
Andy Novocin: All right. So magic step number one here: I'm going to type tmux. All that changes is it puts a green bar at the bottom. In the back you can't see the green bar. It's a green bar at the bottom. Now, what I want to do is kind of get this exploit going, and here it is. Great. All right. Cool. Now, this kind of starter script, you know, there's 3 things that are interesting in it. You know, this here is gonna be our first time doing this kind of split-terminal debugging process with Python. So it's running in Python, and I just go over there and can set breakpoints and inspect the stack and all that stuff, whatever, which is really cool. And then these... I said 3 things; I said 2 things. Is that loud? So whatever, mismatched off-by-one error; 3 signs is hard. So these 4 utilities are just gonna go through the menu crappy process for me, right? So I'm just gonna say malloc, and it's gonna automatically put in 1, it'll put in the index that I provide it, and it'll put in the payload that I provided. That'll just do the whole malloc process as a one-liner. So that way I'm not sitting here farting around with all the sendlines and things like that, or whatever. And the view is gonna give me probably a little bit too much data here, but, you know, that's fine. So these little utilities kind of make life nice. In fact, I could maybe even start by saying I'm going to malloc 0, 24, "Hi there", you know, and then malloc 1, "Hi there", and malloc 2, "/bin/sh". I suppose I also need to malloc 3, something big. Right? Okay. And crap, I probably did that all out of order.
Andy Novocin: The 3, 0, 2, 1 doesn't really matter, but just the order here, you know. Why did I move the big... oh, okay, why did I move the big one to the front? Because if I free a big one and it's at the top chunk, it gets sucked back in. So I've got a paranoia, a healthy paranoia, to always have a buffer chunk, so it doesn't get sucked back into the... like some sort of Stephen King thing, or something, you know. This is the index of what I'm mallocing. Probably the program should manage that for me, but this playground is just wide open, heap prep. So I'll say the exact index I want to write to in it, and it has an index of 100 pointers. So at index 0 is the pointer for this first one, and then 1, 2, 3, 4. The next is the size of the chunk. That's the size that I'm passing to malloc, but malloc is going to give me more than I asked for, you know. So, except for the 24 case, it'll give me 32, but not really 32 to me. It'll take 32, 8 for it, 24 is for me. 1049 it's going to round up to, I don't know what, 1048 plus 16, etc. Okay. So I'll have a big boy in there, and all I really want to do here is just see that it works. So here's the fun part. When I run my scripts I put a minus sign in there and make them interactive. You know, I think I've been doing that all the time. I don't know why I'm saying it out loud now for the first time. Okay. So this just split my screen into some sort of badass hacker thing, which I am, and I've got Python on the left and the thing on the right. Okay. Now it's actively running, and it's kind of actively running where my consciousness is over here. So all I need to do is hit Ctrl-C, and now I've kind of stepped out of the running program into the debugger REPL.
Andy Novocin: And all I'm really here to do is type this. Now, this looks pretty ugly like this. So now I'm going to do a tmux thing to zoom this side of the window, and it goes like this. All tmux things are Ctrl-B and then another command: Ctrl-B something. So Ctrl-B something, that way, you know, they know that you're here to type into other windows, stuff like that. They're like, what will nobody ever do? Ctrl-B. That's what they won't ever do. So they're in a Ctrl-B, and then the instruction for tmux. So I'm going to hit Ctrl-B Z to zoom this one. Alright. Now I want to scroll back. But because I'm in tmux I can't scroll back. I always forget the command to do that. But I can Google, because I am a child of the Internet. Not, you know, like you, but maybe a teenager of the Internet. "tmux scroll back." Else. There you go. This guy: Ctrl-B colon and enter this command. Okay, sounds good. Ctrl-B colon, and it went yellow down at the bottom, if you're in the back, and then I just copied and pasted, and now I can scroll. So there's the tcache. There's the big boy. And here is "Hi there! Hi there! Hi there!", /bin/sh, 0 1 2 3 in the index of our chunks. Alright, cool. Now I can keep going, you know, or I can just kill the whole script and do it all from the Python, right? So, you with me? You guys look a little bored. It's my... I can dance again some more. I don't. So what we're gonna do now is kill this thing. Now, if I want to go back and forth, I had 2 windows, so that was cool, but I wanted to zoom in, because, you know, screen space is limited, things like that. I can hit Ctrl-B N, and that will go to the next tmux window.
Andy Novocin: So Ctrl-B N is actually kind of a tmux lesson. Control... nope, I lied. It's a Ctrl-... all right, totally did not do that. Ctrl-B Z, alright, fine, so I guess zoom does not make a separate window. Ctrl-B Z undoes my zoom. I think I can hit Ctrl-B left, and that pivoted my little pointer over to the Python side. So now, when I'm typing, I'm typing on the Python side. Ctrl-B right will ship me over. Luckily I haven't lost my left and right arrows on my keyboard yet, so I can still do that. Ctrl-B up. Nope, forget it. We're done. Okie dokie. Now, that's annoying. We want to, you know... and what this is really all about is just debugging, you know. You know, all the speed runs and stuff like that, you can have all the great mental models, but you guys have all now suffered with the idea that you have what you think is the right mental model, the crap didn't work, and you start to question your work. You know, don't do that. That's a shameful habit. You know your mental model is wrong; just see where it's wrong. It's probably off by one, just like a million other people make mistakes every day, whatever, things like that. But when all you can do is fix your mental model, you have to... it gets really existential and depressing really quick, right? But if you can debug it, then it's just, okay, I just made a simple mistake. It's not that my whole thinking is wrong; it's just that I took a misstep. Way different philosophical approach if you start with debugging. So here we go. We've now done the first 3 steps of this thing. And now, what do I want to do? I want to free A, free B. Oh, crap! Nope, I didn't do step one. I did these out of order. Whatever; step one was free a large chunk. All right, time. This will be a little bit annoying, so I'm gonna go, I'm gonna do this.
Andy Novocin: I could do this in the script. I probably should do this in the script. I'm gonna see if I can't make it work in interactive mode here, so I'm gonna hit C on the right-hand side to continue the program. And it says "Continuing." I'm going to go over to the left-hand side, and I'm going to free 0. Okay, fantastic. And it even gives me a little feedback message, whatever. Now the key to this: if I can go look at it, I'll see a glibc address in the very beginning. Are you guys with me on that model? Maybe not everybody did that PCP where you leaked the glibc address. But, big guy, I didn't need a linked list here. Actually it's a non-trivial question, why I didn't need a linked list, in terms of mental models. At the moment you just kind of... I free a large chunk, it has a glibc address on it. The reason is that it's a doubly linked list. It has a forward and a backward pointer, and it's a doubly linked list from inside of glibc. So the glibc address points at it, and it points back at you. Its forward address and its backward address are both glibc, because it's... yeah, alright, fine. We'll talk about that more in a second, but that's because it's in the unsorted bin. All right. Let's view index 0, and there it is. You see the leak over there. Now, the reason I wanted to do this interactively before I just move into the next thing is that getting that leak and actually processing it is a little bit different every time. Everybody's got their take on that, etc. I like to do my over-engineered Andy version. I also like to just save it in a variable when I'm doing this, so I'm doing resp = _ to pull it into a response string. Here, all right. I'll hit clear. I did resp = _.
Andy Novocin: Oh, gosh, I just... luckily the last thing I did was print resp. So I'm okay. That is not a command that is repeat-safe, right? Underscore means the last output. You run it more than once, soon, you know, life in your own hands. So import regular expressions: re.findall. I want to capture anything that is sort of 0 through 9, a through f, like 6 to 16 times, in resp. Yeah. Because it's not a beautiful leak. It's an ugly leak, all right. Well, that's why I'm testing it. So what can I do? I can resp.split on the crap right before it. Yes, all right. So now I've got what came before and what came after, you know. Alright. And so, clear. Hello! That's what I'm working with, for those in the back. I want to isolate this thing kind of in code, you know. And so I could say resp.split(...)[1], the second half of the split. I could almost split again on the newline, you know. Take [0]. There's my leak. Yeah. Why is it only 6 bytes? Some addresses aren't fully 8 bytes. But that's an important question, hey? That thing is an 8-byte thing. So there's 1, 2, 3, 4, 5, 6 bytes there. And in order for me to actually parse this dumb thing with pwntools (pwntools is a great tool), it needs to be padded to 8 bytes. All right, so I want to pad it to 8 bytes with a null byte on the right. All right, I'll call this partial equals that. All right, fine, clear. Here's my partial. I want to say, like, is there an rfill or fill, or I know zfill. Yeah. I mean, I could just do it. I feel like there's a cute Python way to do it.
Andy Novocin: I'm going to do one Google search real quick. I mean, a child of the Internet, right? So "python pad to the right". ljust: just spaces on the right. And can I do, like, ljust with a default character? ljust, there you go, yeah, 5 and replace with x. So that'll be good. So ljust 8 bytes with a null byte. Oh, wait, no, that's me. That's me. Gotta end my strings. Okay. Good. Now, why did I do all that crap? Well, I did all that crap because I can now run the beautiful command u64, and that will take a little-endian address that was printed out as nonsense, and put it back into the big-endian number, or whatever, you know, into a number that a human can use here. So that's awesome. And if I look at hex of that, I'll see there's the address that I expect to find in glibc. Looks right. Somebody's asking in chat. They probably said ljust. So it's Katie JD, just a few acting classes, and he'd be teaching the class, you know, as well. Okay. So now we just have to codify that, right? So now we've got our leak. It's a glibc leak. Now I'm going to hit Ctrl-D to exit Python. It killed the tmux on the right and killed the Python on the left. Yeah. 2 reasons: one, my mental model, and 2, I'm going to debug it. So you're right. We know tcache so far, and tcache is always pointing at other chunks that are inside the heap. And so I'm leaking heap addresses when I need to. But we also know from, remember, that treasure map, the biggest thing in tcache is hex 410. So I went to hex 420, added one, and asked for that. That thing left tcache at this point in time.
Andy Novocin: I have not talked about all the other types of bins; we've only really talked tcache. I'm ready to start the tale of the 5 bins. At the moment, you just have to say "my professor told me so." But the better answer, if you take a look at our Bible: this thing went into the unsorted bin, which is inside of glibc in the main arena, and the unsorted bin is linked like this. So chunks that are in the unsorted bin have a forward pointer, a backward pointer. They have distinct sizes; you'll see that sizes are all different. And the backward pointer will be pointing back to the main arena; the forward pointer will point to the next chunk. We had the only thing, so both the forward pointer and the backward pointer are pointing back at the main arena. This is a circular doubly linked list, and that's how I know that it's a... Now, what glibc leak is more important than how, right? The how is, you know, fine! You could just fart around with it until you find one. But GDB will tell me what the leak is, which is far more important. Okay, here we go. Now, do I remember everything? I just did free 0. I'm gonna put a bunch of newlines in here, so you guys in the back can see. resp = view 0. I already have regular expressions in here, so it's good to go, alright. My leak... oh, gosh, I don't remember this part. My leak was resp.split on something. Hmm. Yeah, I want to get that exact. There we go. That'll do. Yeah. Oh, right, I'm not in Vim. Okay. Okay. So this is, I'll call my raw leak equals that, and then padded leak equals raw leak
Andy Novocin: .ljust(8, b"\x00"), and then leak = u64 of the padded leak. And now one thing I like to do is just print hex of the leak, and maybe even raw leak, you know, and that lets me know I'm looking at the right thing. Okay, cool. That should be my leak. What do I do with that leak? I need to do some stuff with that leak. I'm using it to get glibc addresses, right? I need to find system. I need to find the free hook. I need to find crap like that. Okay. So let's run this thing. We're over here on the left. You can see, boom, there's my leak on the left. So it's done all this stuff automatically. I can see 7F 79 22 69 CE 0, and I can see the view on the right, or whatever. Looks good to me; those are a match. Fantastic, good work, team. That was the coding part of the challenge. You know, the rest is intellectual. Ctrl-C. Let's get this out of the way. Ctrl-B Z. Okay. I wonder if I can still scroll? Yep, I can still scroll. So that's great. I don't like to do that. Once per session, that's cool. And now what do I want to do? I want to run this. Okay, this is the address I need to understand. What is this address there? If I type bins, this literally shows me all the... actually, yeah, there's nothing in tcache; for that you need the small guys. Yeah. All I've done is free one thing, the big one. It pointed from main arena here, and this points back, and it literally tells me this is main_arena+96. That's enough for me to find the beginning of... I watched a lot of The Good Place with my daughter. She might be a little young for that, or whatever, and so, like, there was a professor suffering nihilism for a little bit, and he made a big chili pot, is like...
Andy Novocin: "Make it taste bad," you know, "you should do that new class," and, like, so weird. Anyway, so I don't know what made me think of that. But we've got a leak. Oh, 'cause we're going to Walmart, and at Walmart you can buy Peeps. That's a dumb, that's a dominant leap. All right. Now I need something else here. I predict this is going to be awkward. I predict something's going to be awkward here. But let's go quick. Quick. main_arena+96. Okay, do you... I want to look at some symbols on this glibc. I think there's smarter ways to do this. I don't need to do it the smartest way. I don't have much to prove. That was giant. I will put that into a file. I'll call these my symbols. Okay. And I want to grep for free hook in my symbols. There we go. Alright, that's what I'm after. I want that free hook. I guess I also want to grep for main arena in my symbols. Oh, shit. All right. I don't have the main arena in my symbols. Oh, okay, all right, back to debugging. But first let's store this. There's my free hook. That's gonna be awesome. Let's also grep for the malloc hook. There's a malloc hook. They're right next to each other. These are magical things. This is the magical new part of your, you know, exploitation lesson today, and 2 months, these 2 new things make it clear, and do that from the back. I grew up. All right. These are my targets. I'm going to save that target. Yeah. free_hook equals that. This is really the free hook offset in glibc. Alright, so if you have the base of glibc, then I get the free hook for you. Now, I got a big problem.
Andy Novocin: My big problem is, how do I find main_arena+96 in reality? Because I know I've got a leak for that, but I need to know what's the offset of main_arena+96, and I didn't have main arena in my symbols there. Maybe I'll get it in Python. I don't know. But here's what I'm gonna do. It's okay. I'm going to run my exploit again and get my leak on the left. I get my thing on the right. I'm gonna hit Ctrl-C. Okay, one of the other beautiful things that happens inside of GDB is, I can look at the virtual memory map and see all the segments that exist over there. So let me go vmmap. All right, Ctrl-B Z. There we go. This is the beginning of glibc at that particular moment. Okay. So maybe I don't have the symbol for main_arena+96, but I can reverse it. So when this particular one is running, the leak that I particularly got is going to be an offset from that address, and so I can just subtract and get my offset. And now it didn't really matter, you know, whatever, so I take it back. What didn't matter as much as why or how. Ctrl-B Z, Ctrl-B left. This guy is the base of glibc, and this was my leak. No, no, no. I have a variable leak, too. That's true. So this should be the main_arena+96 offset. Okay, it's driving me... did you see? This is weird, because as soon as I go with the mouse, it's done with me. Right, Ctrl-B. I got it. Okay, I got it. Yeah, okay. If you don't see that anymore. Yes. Yeah, it's a little bit like being on a cruise ship. The cruise ship might be in the Bahamas, or it might be in Alaska. But if you go to the front of the ship and you go down these stairs and 3 to the right, you'll find the casino.
Andy Novocin: And so, you know, the address to get to the casino in the ship doesn't matter where the ship is, and so the whole ship is moved over here. Fine. But all the offsets are relative to the ship. Yeah, okay. For the same reason that your binary doesn't edit itself. Malware does often. Now malware has sort of transcended files, you know. It could just exist in your RAM, and it'll XOR all the payloads with some random stuff and self-edit, you know, and things like that, or whatever, totally. This is having files that edit themselves, or whatever, or something like that. It's a weird world, you know, it's a weird world. And sure, sure, randomize the smaller chunks inside of glibc, or whatever. Yeah, you can build your operating system, whatever. But these things are all hashable. I can hash a binary and know that's on my whitelist of things that I proved, wrong a little bit, you know, right? Like, so I'd never want to edit the binary itself. So your concept is fine for all segments of junk. So whatever. Now I do run an ldd and I see 40 things that I need. Yeah, that's okay. That's a trend in web dev which I hate, but it's a trend. It's what made me just like the latest version of fire. Hopefully I haven't undone my offsets. Okay? Well, what was that offset? 2, that was the leak offset. Okay, all right. So what that means is that glibc base is equal to leak minus leak offset. And just to confirm that, Aiden, I'm gonna print the hex of the glibc base, and I like to see big old 000 at the back of that. That always makes me happy, you know. I could even confirm it by seeing that it matches the address in the vmmap on the right, if I want, you know, which would make me happy. I'm missing one more offset that I need.
There's cool python ways to do it, but i'm in this kind of reply. Mood! Andy Novocin: I want to know where to to find the system. Call Andy Novocin: here. It is 5 to 290 in case it sucks Andy Novocin: not. Andy Novocin: Yep. There we go, right? So system offset Andy Novocin: all right. Andy Novocin: And that means that the system address equals G. Lipsy base. plus the offset to system. Andy Novocin: Okay. I now have the address where I can do a system call. Andy Novocin: How did you see? Because I'm at Walmart Baby? I also. Yeah. Andy Novocin: I learned a lot about physical security the other day, you know, and so like. just Andy Novocin: went in there and turned a little thumbs through with mobile tool. And now i'm into well. Andy Novocin: although they never closed. So all right. Andy Novocin: Now what we go back to our guide. Go back to our guide. We now have a leak to G. Lipsy. Andy Novocin: We know the base. Now we have to do the right what we are. Andy Novocin: Alright. Andy Novocin: So all we've done so far is conquer. Address, randomization. Andy Novocin: fantastic, not bad. Andy Novocin: Now we do a right what? We're Andy Novocin: okay. Andy Novocin: We also kind of have our target. You know. We've done half of 3, maybe something like that. Andy Novocin: Okay. So i'm going to free a small chunk. I'm going to free a small chunk, and that should create my linked list, and i'm going to edit the linked list. and that should let me take over the end of the linked list. Andy Novocin: and then I can malloc Malloc and get to my address and confirm that I get my address in hand. Andy Novocin: and then write the actually, this. So this is wrong. I wrote edit here that's actually malloc Andy Novocin: with the free address, you know, and the malloc has to be the same size as the small chunks with me on that. Andy Novocin: Okay. Andy Novocin: here we go. Andy Novocin: We have Malloc, one and 2, and we have malloc 3, Andy Novocin: all right. 
So now what do we want to do? We want to free? One. 3, 2, edit. 2 Andy Novocin: and right p 64 of Andy Novocin: Oh. Andy Novocin: G lib C base plus free hook offset. So i'm gonna write my target first. Andy Novocin: and then i'm probably gonna have to debug this like I don't, you know i'm gonna my up to 10 Andy Novocin: and Malloc. Oh, no, I this is wrong. I I I pass it 24, and say. Andy Novocin: don't matter. Andy Novocin: And now I think this is the one where I get to write what I want. So I think here Andy Novocin: I put system, address. Andy Novocin: and I think if I've done my job right? So so I think I might actually like comment that out. Andy Novocin: Let's double check that the next malloc will give me the the free hook Andy Novocin: right. Andy Novocin: I don't need to over shoot and do it all in once. It's double check. It's methodical. Andy Novocin: all right. Andy Novocin: Oh, what did I say? I wanted to see 0 0 0 there. Andy Novocin: I do not see 0 0 0 there. All right. Rats right? Andy Novocin: Yeah. Well, that sucks all right. Well. one let's type bins. Andy Novocin: The address is pointing at main arena next, and then it points at this other thing. Andy Novocin: I've done something done all right. Let's see what we've done wrong. Andy Novocin: Okay? And Andy Novocin: Alright, so my leak offset Andy Novocin: isn't right fine. Andy Novocin: and and my edit didn't seem to do what I hoped it would do. Andy Novocin: So let me see what i'm editing. This is my target equals G Lipsy base, plus 3 hook offsets. Andy Novocin: and I want to like print hex of my target. Andy Novocin: Okay. And Andy Novocin: i'm editing number 2. Andy Novocin: Okay. Andy Novocin: So I know I've got 2 problems to solve here. One of them is that Andy Novocin: i'm not seeing 0 0 there. But I do now want to see that second number in my bins. Andy Novocin: I do not see that number in my bins. All right. I'll see what i'm doing wrong. Andy Novocin: Hmm. Andy Novocin: Oh, you're right. 
There it is. I was just looking at the unsorted bin. You're totally right there. It is okay cool. We got the target. The next malloc will give me literally my target. All right. Now. I only got one problem, not 2. That's great. Andy Novocin: You'll see that it doesn't have like a nice purple. This address means something, you know. That means that I'm. Definitely just pointing at some random place, you know. Andy Novocin: Fine. Andy Novocin: Let's take a look at the Vm. Map again. Andy Novocin: Can I make sense of this control? V. Z: Andy Novocin: My legacy base ought to be. Andy Novocin: Probably. I just copy paste it all Funky. Andy Novocin: Okay. Andy Novocin: So I've got this number on that. Andy Novocin: This number minus that number 2 0 1 8 2, 70, that looks a lot bigger than what I had before. Andy Novocin: Oh, yeah, that that looks right. That feels right. Okay. Andy Novocin: All right. I just had the wrong leak. probably just from all this copy paste nonsense, because copy basing is hard inside of these weird terminals. Looks like you're trying to copy to the paste Board for now, supporting. Andy Novocin: Okay, maybe it's trying to help me exactly the way I need. Andy Novocin: And I just said, Get out of here, Geek. Andy Novocin: All right. Andy Novocin: What have I done? Bring back the link. Okay. Andy Novocin: alright, I think I think that i'll do the job. Andy Novocin: I python 3 minus. I exploit. Andy Novocin: Let's go 0. 0. That's what i'm looking for. All right. All right. Now. The other reason i'm running. This is because I think Andy Novocin: i'm right. Andy Novocin: Look at that. Look at that beauty that purple up there, and the t cash. It says free hook. Andy Novocin: Yeah, all right. That means I just Malloc and I get to write whatever I want to the freedom Andy Novocin: alright, cool. I mean, that means we can finish this in the last 3 min. That'd be great a complete keep exploit one day, you know. 
Full grain, 2.3, one a full green, you know Andy Novocin: All right. Great Andy Novocin: alright, so class, finish it for me. What do I do now? Andy Novocin: Clearly I do that. That right system to the free hook. Andy Novocin: And now, how do I call? I just free? 3, Andy Novocin: 3, 3. Andy Novocin: Now, at this point I think I've got it, so I go back up to the top of my thing, and I turn off this kind of like Gdb debug thing, and I just turn on the process. Andy Novocin: And now I can go P: that interactive and just sort of feel it as its own terminal Andy Novocin: 5 1 3, and a shine. Actually. Andy Novocin: Yeah, baby, let's go Andy Novocin: all right. Now we can point that remotely, and get the other server the Andy Novocin: and you'll note that it's very important that I had the exact G lipsy they have right like. So if I'm misconfigured this in some way, or whatever I've got it working remotely. Andy Novocin: No, Biggie. Okay. So I go to the top. and I just i'm gonna swap out my p equals process for P equals remote. Andy Novocin: but in my thing Andy Novocin: and the other thing. Andy Novocin: probably 1 3 4 4, and Andy Novocin: then memorize the IP address. But you know, should be this one. Andy Novocin: I don't want to run you anymore. Andy Novocin: Let's go. Let's go all right. Andy Novocin: It's nice. It's nice. Okay. Andy Novocin: And now we've got a root kitten. Whatever things like that we're talking to Moscow, you know, C. 2 servers. We're all we're exulting. You know we're Andy Novocin: talk to the cyber expert from Td Bank on Monday Totally wants to hire all you guys, because you know they they're like we doing their whole Ir staff, whatever it's like, hey? You know Andy Novocin: It's probably teaching what to do once you've got the shell, you know, like that whole thing Once you're in. What are all the bad things that people do I? I I don't. You know I just put the foot in it. 
That's the hardest part it's been to put the Andy Novocin: But what you do next. That's an important thing to think about, too. anyhow. Congrats! That is a non baby. No when function full green fortified Gcc. No flag. Andy Novocin: Keep exploit in toy, you know, as real, just dynamic memory Crap right? 2 errors. What are the 2 errors of the code are made Andy Novocin: use after free Andy Novocin: in 2 ways viewing and editing. Andy Novocin: They didn't get rid of their pointer after the you know the the free. Then it's just a matter of Andy Novocin: okay alright, cool. Well done. That's awesome. Alright, i'll see you guys. Friday.
Complete UAF exploit
From Andrew Novocin April 12, 2023
Zoom Recording ID: 4159319948
Meeting Time: 2023-04-12 02:11:25pmGMT