Record to the cloud. Okay, I'm going to be in the in-class setting. Right. So where we ended on Friday was I tried to convince you that the fastbin dup might always exist, or could conceivably always exist. And where we left off is that we had successfully made the head of a linked list inside the main arena whatever value we want. And that means that the very next malloc of that size will give us that address, and we can write to it whatever we want. Okay? So the question now for the next stage of this, and I think that that exploit is relatively simple, a freebie for you, okay, tcache gets a little bit annoying in a way or whatever. So the question is, what do we do with that? Right? Like how do I choose the target and why? And at first that question sounds really simple. You're like, well, okay, take any of the places where we've learned to control the instruction pointer and target one of those: a return address on the stack, or a GOT table, or the fini array. And I've hinted at the malloc hook and free hook a couple of times, so maybe I could hit one of those things. And in my model of pwning, any number of places that you can control the instruction pointer is like a new type of strategy. So you can mix those with any of the other things to get, you know, thousands of exploits that you know how to do at this point. Okay? But there is an annoyance. The same concept works: I still want to target something I'm going to target. But now here's the thing that makes fastbin dup a little bit annoying. And that is that whatever I target has to have a valid size field. Recall that when we look at chunks, we're seeing, you know, a size field and then user data. That size field has to match the size of what I'm asking for. So if I'm asking for a hex 20 size thing, or I'm asking for 24 bytes, which should be hex 20, I need a hex 20 just before where my user data will start. Okay? Which means that the thing I dropped into the main arena has to be right around that size field.
Now how do I find the valid size field, right? So here's the algebra. And what this means is that we now have kind of two targets in mind: the target that I really care about, and like a fake target nearby that can pass the security check. The security check is that you are actually writing to a previously existing fastbin chunk of the correct size. Because remember fastbins existed and this is the recycling thing. So when I get a new recycled chunk of size hex 20, it's saying, hey, is this actually a recycled chunk of size hex 20? How does it check that? It just looks at the size field. All right, so for us, we lie to them. Make a fake, like a fake ID or whatever, so we can get drinks. We'd have to figure out kind of a place that's good enough for us to get to the real target. Okay. So I've got kind of, I don't know, three words here. I'll find it, put it in code. Oh, I did put it in there, but not here. So I'm going to use the word seed to be the thing that I plant into the main arena. So you free a, free b, free a, and I write something to a. And now when I malloc, malloc, malloc, that'll be in the main arena. Target is going to be the thing that I actually want to control in the old-school way: a GOT table, malloc hook, fini array, one of those things that will take over the instruction pointer, an address in the stack where a return address might be, or whatever. And seed is going to be this place where I kind of can pull something off. So here are the exact mechanics of it. And then I'll show you kind of the most default one. And then we're going to go into kind of a daily pwn. I set it up as a libc. I probably spent too much time setting up an actual server with the actual exploit. So yet again, no shower. I'm sorry. But it's just like a natural six-foot radius that I form. So I set up one that has the playground, but it gives you a little glimpse of the leak at the beginning.
And it's using 2.30, which, we'll talk about the last little security check. But malloc hook goes away. The malloc and free hooks will go away in 2.34, as will the one gadgets. And that's what we'll talk about. The mechanics: wherever you seed into the main arena, your payload will be 16 bytes later. Do you know why that is? Cyclical diagram? Okay, I think I just threw all my diagrams into class 25, second, I always have it up there. Um, this is kind of what we think of as a chunk, like a freed chunk or whatever. And these are fastbin chunks, so they are even dumber. This here's a fastbin chunk that has been freed. The address that is stored is actually this invisible one here. This is the address that is stored; that is the arena's version of the beginning of the chunk, which means that that's the seed that I'm going to put into the main arena, and my user data will start 16 bytes later, two quad words. So this is the address that I target. This is where I need my size to be: eight bytes after my seed. So then my real target must be somewhere in the chunk. Maybe my real target is here or something like that. So I've got like three numbers to keep track of in my algebra: where's the thing I can fake, minus eight is what I seed, plus 16 is where I start, and then I fill in payload until I get to the place that I actually care about. All right, so that diagram helps. Let's see that as kind of algebra. And here's the TL;DR: if you've got a fake chunk size at address x and your true target at this address y, seed x minus eight into your main arena. And then your payload is going to start at x plus 8. And you pad your payload up to your target, your desired place minus x minus 8. And you'll note that your target has to be within that many bytes, like within the size of the fake chunk.
So when it comes to finding like one of these fake targets, I'm looking for something that has a fake size field and is within that many bytes of my target. Now you might feel really constrained right this second, like, is that ever possible? When does that ever happen, et cetera, et cetera. And I'm going to convince you that that's actually really, really common. And this is how I do my algebra. So this is the quintessential example of a fastbin dup target that bypasses the second security check. And it's such an interesting thing to me that if it's possible, just try this first. Okay? Now, this is what a valid size looks like. Now, this is me being a little bit silly with my algebra. A is like a variable, I should put like x, but a is a variable, star is anything, and then a bunch of zeros. Now, this is in little endian. So when you look at that, it's 0xa*. And that's what that size field always looks like: 21, 0x41, whatever. This is only in the fastbin sizes because that's what we're attacking, the fastbins. And whatever that a is, this is how many bytes I have, a times 16 bytes, within which the target I actually care about has to be. Right? There is a GDB, actually a pwndbg, command called find_fake_fast. I can pass it an address, and it's going to look behind that address for anything that could qualify as a size that's within range of the target. You're effectively saying, find a fake fast chunk near my target. In this case the malloc hook. This is the free hook; it wouldn't exist in this section. But we don't know much about those yet. But here's what I want to show you, this kind of picture here. Wonder if I can open it in a new tab and kind of zoom the right one. All right, take a look at this picture. This picture tells the whole story in a way that should feel a little less complex than what I'm saying with my hands. So, find a fake fast chunk near the malloc hook. Okay. The malloc hook is somewhere around about here.
Take a look at what they did. Saying, hey, I can make a size chunk of 7f. How? I take essentially any glibc address and cut off the least significant bytes. Take these bottom five bytes away. And if I just sort of like lop them off, like decapitate that glibc address, what I'll get is a whole 7f chunk right after. If you think about that, that makes a lot of sense, like all the address randomization we've seen. We've learned to recognize glibc addresses because they start with 7f and then crap. Well, it's in little endian, which means the 7f is the rightmost thing. Which means after that 7f, that is just a bunch of zeros, at least two guaranteed. But if the next quad word is empty, then it's enough. So what I do here, and you'll notice that this fake address that you're going to do, instead of weird offsets right at the side of the zeros, they're just sort of shifting the whole picture and pretending like the chunk has started there, and it doesn't check the alignment at all. So this security check doesn't check to see that the address ends in 0 like normal chunks would. Maybe in the future. That's it. That's a reasonable future security check that they should do there, and they probably will. Okay. But for now, I can count on this, and I get that 7f as the size. Okay. Well, what caused that 7f to exist? What's an address, and see what happens when I run a program over and over again. My glibc addresses, this crap in here is randomized every time. But the top is the same and the bottom is the same. So who cares? You know, like the 7f will tend to be there, because I've never once seen one that's 17. Let's run it again. So you get a 7f. We know that's okay most of the time, that 7f. So what that means is that this is a really reliable fake size from an address. If it's a heap address, what is it like, a heap address typically starts with 0x55.
All right, so if that's the case, for a heap address somewhere, I could use a fastbin size 0x50. So I can target something 0x50 near a heap address. I can target something 0x70 near a glibc address. Okay? All right, so this is kind of a reliable way to generate one of these things to bypass that one security check. Now, this happens to be right next to a thing that will control the instruction pointer. So all of a sudden this malloc hook became a lot more important. This function should get triggered when malloc gets called, either to trace the malloc for profiling or to replace the malloc or whatever. So what this means is that we're going to replace it with something and it's going to get called as if it's malloc. Malloc takes an argument of, like, some sort of a size. I could maybe control that argument. Like I could write system into that. And if I can pass in sh as the argument to malloc, maybe that just works. But in general, the kind of default, I'll call it the schoolbook fastbin dup, works like this. The default strategy is: take malloc hook minus 35, where this fake thing lives, into the 0x70 main arena. Malloc until you get that fake chunk back. The returned address is 16 bytes later, or minus 19, pad with 19. And then find some sort of a one gadget in the library. So if you call malloc, it just triggers the one gadget. Okay, so that's the general schoolbook strategy. But I now want to try it. I did not get this working in time to get here. So I did make it easy. I didn't have it hosted on a remote server, and it was 9:53. And I had to listen, put on some shirts, and run water through my hair or whatever. So I wanted to have that like working exploit, but it's mostly there. So we're going to fart around with it together as if it's a daily pwn to make the default one work. I didn't spend a lot of time on it ahead of time, but that's the idea here. Okay. Oh, I totally didn't stop hitting code at the end of this.
So all of this looks like it's code now in my CSS. I'll fix that real quick. I'll show you sort of the next level. And this little iceberg is what happens if they don't allow you to hit that malloc hook, either in glibc 2.34, or they're restricting the malloc sizes to never let you get an 0x70 or 0x50, something like that. And you are going to do the fastbin dup. Other things we can do. I'll say it real quick, whatever. And then we'll just dive into code. And we'll fart around and go. Public speaking is awkward because it's live. Every time we do this, what ends up happening: my payload, when I do free a, free b, free a, okay, again, I write something to a. My payload ends up in the main arena. What that means is that I can do that multiple times. I can do a fastbin dup in one bin size and another fastbin dup from another bin size, et cetera. I can control the data in the main arena. Which means that I can actually put a fake chunk size in the main arena. So instead of giving it an address that I want to actually malloc, I'm just going to put a value that I just want to store in the main arena. And then I'm going to do another fastbin dup to target the spot right after that. And now I can write whatever I want into the memory. And if I can write whatever I want into the main arena, I can overwrite where the top chunk lives and I can kind of do a House of Force thing, where, more whatever I want, the main arena has a lot of power. Now I can make a big chunk inside the main arena. That's going to be a theme as we get into like cooler and cooler exploits, is a lot of fake chunks. To make a fake chunk inside a chunk, we're going to take two chunks and merge them together to make it seem like they're bigger than they are. So what I've got to do, and see, we've got an add or whatever. You know, there's just all sorts of wacky ways we're going to make fake chunks all over the place. Okay? So an alternate idea is to exploit memory.
And when I said the Friday one is probably a little too hard, that's what he did. He got himself a glibc leak, targeted the main arena, overwrote main arena, and then pulled off a House of Force by going to the top chunk and filling it with a large value and then coming back around or whatever. So, and I think we went back around. He went back around to the free hook. And the free hook is a little bit easier to get a shell out of, because you can replace the free hook with system. And if you can control what's in your chunk, you can just free a chunk and you control the payload, so the system call will be /bin/sh: you just write /bin/sh into your chunk and call free, where free has been replaced with system, and that just kind of works. Okay? Versus the malloc hook, I kind of need like a one gadget or a really loosey-goosey size. I need to translate the word /bin/sh into a giant integer, pass that as the argument, and hope it's like smaller. Okay, blah, blah, blah, blah, blah. Let's try it. Any questions on like the main concept here? So like you'll need this when it comes time to do it in reality. You'd be like, I found a fake size or whatever, and I want to know where my offsets are. You ask for the thing that's eight bytes before the fake size, you add 16, that's your user data. You pad until you get to the place you care about, and it ought to be within the size of a fastbin of the size that you're able to beat. The other nice thing about this backup plan, because at any place that you can control data, you can make a fake size. So if I can control data somewhere in the stack or something or whatever, and I know where that data lives, I have a leak of that data, then I can make a fake chunk there and target it. So essentially any place where I have an address that I know and I can control some data, I can make a fake chunk. Okay. All righty. Let's try it.
I ask for your patience and forgiveness ahead of time in case I don't get it working by the end of class. We'll see, the clock is roughly accurate. We've got 30 minutes. Okay? And if I'm done too fast, then we'll do it on Linux, and that was my plan. So okay, let's dive in on this thing. So one thing to say, if you were to follow along at home, I made a zip file that has everything. It's got the source code. It has the glibc that I'm using. It has the malloc.c in there for your debugging or whatever, and things like that. I mean, it's pwndbg and all that stuff. And here is where it's running. You'll see that it looks just like my playground. That playground is super insecure, and one of the things you should do is like a scavenger hunt as you go through these weeks, as you catch up or whatever. See how many distinct ways you can pwn this playground. You can pick the glibc, really great, and 2.23, I can pwn it in ten ways or whatever. Just collect those mentally, be like, all right, I think I can literally pwn it 200 different ways. You don't have to do all 200, that'd take you out, but you can just write it down and do the combinatorics. And we want to change this in these ways. It still gets through this. Okay, so all I've done is add a glibc leak and fix it to 2.30. If we take a look at what the glibc leak is, I just like to see the visual. Thank you, Josh. So mhook.c, the malloc hook one. Here's my banner: welcome to heap vulnerability playground, glibc leak %p. And at the beginning of main, I say printf; the %p is literally the address of printf, so the glibc leak is the function printf inside of glibc. That should be enough. Now, from Friday, I gave you a playground for messing around with this stuff. Part of the playground that matters: we've got a thing here. I've added a libc handler, so I can just look stuff up, and then we're going to do all this relative to things inside of glibc, okay?
And I'm attaching GDB. Here are my little utilities for doing a malloc, a free, and an edit. It's possible that I might want like a malloc, you know, I might copy this, make like a, I don't know, I'll call it malloc_shell or something. And I just won't do the last line. Since after I give it an index and size, that's when it does malloc and then it writes to it. But if I'm overwriting malloc hook, then that's the moment where I might get my shell. So for the last one, I don't actually want to send a payload there when I would just take over. Okay. This is the stuff I was playing with before I got here. I should probably do this from scratch, just in case. I'll copy this back up. So here we are. We've got our thing, we can see much into it. We have our helpers, we have all this stuff. So step one, there is a leak in this function. I bet everybody has a slightly different strategy for reading a leak. I don't know what we do with it. What do you guys do when you read your leaks? Receive until, I like it, the 0x. That's slick. Okay. I think I'm like a little geeky. I'll do your method. The method is p.recvuntil(b'0x'). And then we'll say leak_raw = p.recvuntil(b'\n'). Then I'll say leak = int(leak_raw, 16). And then I'll print hex of the leak. And let's try that out. I'll do this in chunks. Now the zoom controls are up here. There's a leak on the left-hand side. And if I do like telescope at it, it prints out like that. Okay. That's fine. It's 7f08320ab29. Sweet. Cool. So that's wherever they call printf, I've got printf. That's my leak received. All right. Now only a couple of you were nodding your heads. That makes me really nervous, but it's okay. Little dance. Then refresh. Okay. What do I do with that leak? I mean, I'm just going to use it to set my libc library to be useful. So sorry, maybe you're thinking too advanced, I'm just going to do this real quick.
So this will take whatever they thought was as an offset, subtract it from, I call that the base of glibc. Okay? All right. Just for fun, we can take a look at this to see if it looks like a nice clean little address. All right, so we're getting 59e whatever. If I type vmmap. A little bit annoying to look at. But 07fb59, are there, the red one? There we go. That's the beginning of glibc. Before that it's dupe me. And glibc gets like four segments. Yeah. Okay. Cool. Oh yeah, I have a little story from the weekend I want to tell you, but I learned how to make an NES game in 6502 assembly from scratch or whatever, which is like a whole different architecture. But it's very pleasant compared to like this x86 back and forth. Like that's like the Commodore 64, Atari, NES, like all those guys are like very pleasant. So my NES game says hello. I'm going to make a CTF remnant of that sin. I don't know if you'd want to have a lecture on the NES system, or it's some really on-point thing, but okay, now we have a glibc address. So according to what I've been saying, we're going to use that to find main arena and malloc hook. And the malloc hook is an address. Go ahead, put a function there. When I call malloc, call my function instead. That's the idea. And 35 bytes before it, we should find a fake size field of 7f. One of the notes I put, one of the gotchas that I have in my notes here, and this is, wait, I know that sometimes I'm saying 7f. And we're used to seeing 0x71 or something, like 0x21. It means that all the bits are set, like, you know, previous chunk in use, is mmapped, there's like three bits there that matter. Somehow 7f is okay, but not all possible second nibbles are okay. I don't know which ones are okay and not okay. So there's some of them that are not okay. In the end, these fake chunks, I don't know which ones are which. Somebody can look that up and tell me what's wrong.
But I think 0x70, 0x75, 0x71, like anything that feels odd, feels okay. I think if it's a 0, then I need the previous size to also be something interesting or whatever, and that's a little harder. Okay? So note to self, we go. All right. Well, how do I get back to where we were on Friday? What's the next step to start? Fastbin dup by sizes in the 7f range. I need to fill up the tcache. So for i in range 7, malloc i, 68. I'd like to actually see what 68 is. What's 6 times 16 plus 8? 104. Right? Now, I'm going to ask for a couple more right away. So we're going to go all the way up to index 8, 0 through 8. We're mallocing. Okay? Now to fill the tcache, we're going to free the first seven. Okay. Then we're going to free number 7, number 8, then 7. And let's pause there and take a look at what nonsense we've made. A nice greeting. Continue to that thing. We'll see bins. Okey-dokey. So we see a full tcache with seven things. And the fastbins are a singly linked list from here to there, there to there, there back to the first one. I will say that when I see that left arrow, it makes me like more nervous than seeing a right arrow. It's weird to me that it's a left arrow, but that's the value that it finds there, telescope. So we'll see, I think, any questions on that? Like that's like the big exploit that will always live. And the rest is like all the hard ways to use it. So the concept is really easy, and in fact, there's something that's a little bit annoying about this. You go to how2heap, and I'm like, oh, I'm going to learn how to go through this thing. And you pick these things and you go fastbin dup. And the example for fastbin dup, it stops there. Now this was an insight from Friday that was really cute. And I dropped it in our channel. Because looking at this example is a little bit confusing to us. It's not really, but it is. We fill up the tcache. We free seven of them.
And then when they did a malloc, remember on Friday somebody was like, hey, wait, doesn't that malloc come from the tcache? And I guess it does. They used calloc. And in the example, calloc skips tcache. Jerks, right? Calloc will allocate many. Here's why it skips tcache. It will allocate many. It will allocate one chunk of this size, but I could make this 20 chunks if I want, which is not worth bothering with tcache. If they're expecting me to get a hundred bullets and I'm using calloc to get my bullets, the seven in tcache aren't working. So calloc skips over tcache, which is, yes. So if you see it in those how2heap examples, it's their way of skipping past tcache, right? They filled it anyway. But then everything else like disregards it, which is a little bit annoying. And also it ends right where we are now, which is not the hard part of this exploit. The hard part is what do you do next, right? Okay. Okay, I'm fine with this. So we can mess around a little bit before going back to my exploit script. We can do, oh wait, I think I need to continue for a string. I just had one of those moments where you look at a word, it feels misspelled for a minute. You know, like "which", that always happens, man, "which" always feels misspelled. Weird. So I now want to validate that we're not, that calloc will not be skipping the tcache, essentially. So what I want to get is like a pointer in hand, or I'm like at a place from which I'm about to do something evil. So this should have cleared the tcache and moved all of our evil stuff into the tcache. That's part of the flowchart. Now, if that's not clear to you, I've spent some extra credit time kind of looking at the flowchart. If we pull up our flowchart here, you'll see that after I get into the fastbin arena, like the fastbin area, things are going to get dumped back into the tcache. So whenever possible they try to dump stuff back into tcache. Okay?
So what do we think is in the fastbins now is going to get split up. Okay, that's fine. So now this should be the first thing in that linked list down here. The next address I get should be this one. So let's find out. Malloc. I don't know if I needed to use after free here, but I'll put it in: 9, 99. 99 was totally viable in this super severe thing, for my three. Actually, let's be careful with that, i 3. Here I kind of want to put an address in there. Now I'm telling you guys the place to target is malloc hook minus 35. So if I want to put that in there, this will be p64 of libc.sym.__malloc_hook minus 35. Okay, cool. So now let's go take a look at that. Beautiful. All right, so let's take a look. The bins are empty. I think that this is now like the second part of my linked list. And outputs here, that one's at this spot in the glibc level. I'm a little bit nervous about 7f, because like what, 1, 2, 3, 4, 5, 6. Feels a little off. It feels a little off. Let's try to validate my 35, but maybe 35 changes in time. So it was fine. Pwndbg, find_fake_fast at malloc hook. Let me say before d. So size 7f, there's the thing. Okay? And you'll see, okay, this is nice. The forward pointer they have ends in 7. That's the value I see there. They've got the correct size, ending in 78. Yeah, okay, that makes sense. 16 bytes later is where the user data sits, so the fake, the size is like the first eight bytes of the chunk, then my size, then my user data. That's what we had, 16. Okay. This feels okay. That's fine. All right. Let's continue. Thank you. I literally said it out loud. But now at this point, I'm pretty sure I can just put junk in here. We're going to be super slow and paranoid and just keep checking.
So I put junk in there because that was already written to the main arena at the time that this rolled over. My address is now just in some chunk that has been put back in use, so it doesn't care anymore. All right, so me being super slow and objective here, I think I can also put junk, but I'm going to put my thing again out of paranoia. This address is the next one I should get. Okey-dokey. So let's try it out. We're going to pop this next address off and we're going to fill it with stuff. Now the address I'm going to get is this one. I'm going to go and do some math here. This is the next address I'll get. Okay? And I have libc.sym.__malloc_hook. So 35 bytes beneath that, that's going to be, I add 16 to that, right? So I'll be at, I add 16 to this thing, we'll do it like this. So that means I should have 19 bytes of junk before I'm at the actual malloc hook place. Now what am I missing here? I'm actually missing my strategy for winning the game. Now I said the default strategy is to find what's called a one gadget. I haven't done a lot of that in this class for two reasons. One, it's a little bit cheap, and two, they've slowly gotten rid of them in the latest versions of glibc. So learning one gadgets isn't as useful to your career ten years from now as other things. So I haven't concentrated on them, but they're kind of a cheap win. We're going to do a cheap one here, I'll say. Okay, so I'll talk a little bit about one gadget. But first, let's just try this out. Right. Thanks, Kim. Continue. Okay, malloc 12, 10, for 19 bytes of junk. And we'll say p64 of, I don't know, 1337. Oh, I see. Okay. So now that bothers me. That bothers me, 54, ugh, not what I want. So the one gadget won't matter if this is wrong. __malloc_hook minus 35. What address are we targeting? We're targeting, 4d. This is where we were targeting. I see, it's eb5d. And what's malloc hook? eb7. Oh, okay. Why am I? So I thought it would be 19 bytes.
But very clearly, I've dropped my 1337 at this address. And where I want to be is this address. Right? So here's where I am. Okay. Well, you know, okay, now this is 1337. Maybe I should look at this a little bit more like dq at, let's go to the place I'm targeting, and let's show, I don't know, like 24 lines. 00, 00, 00, 00. That's how that works. That's fine. dq there. Okay. Now, I think it's just a little bit of this like offset math. Where do I want to be? b7d, not b7d, b70. Okay, good. So if this is the d, then that's an e, that's an f, that's the 0. So I think that's where I want to be. So I'm like 16 bytes shy of where I want to be. I don't quite know why that is, but I'm going to add, I'm just going to make it 35 and add 16. Okay. So this is what it is. I don't know that. Okay. But this is actually the most important thing, like debugging. Like it's better than having a mental model, trying it, it doesn't work and you give up. Like okay, well, I'm doing something. There it is. It's just not where I want it to be. So I'm going to keep on muscling and push it there. Now, actually I'm a little bit wrong. 4141 is like, yeah, I'd like, these are the bytes that I've got. So I think I've got 123 bytes of A's. So I want two more bytes of A's and then 16, so maybe 18 more than when I'm giving it, 19, 37. Okay. Then try and try. Control D, Control D, do this thing. Now I kind of regret not having all of that in the exploit. So we go, what did we do? We just did our free, and we need to like for i in range 17, malloc, 5 1 4 2, empty the cache, and then malloc 9, 10, 4. And here was my target. I think the target was good because it didn't fail the security check, right? So this is just by off that as well. So p64 libc.sym.__malloc_hook minus 35. Then malloc, then I had junk. Last time I put my payload again, just to be paranoid, but I don't think I need it. Let's see if this, let's see, I don't think it will. I think the person is momentum.
And finally, 19 plus 18 plus p64 1337. Yeah, so like 0x539 is 1337, right. So that's fine. I didn't do that, but I do have two A's there. So when I subtract two A's from my payload and try again, which was my original 16. I guess I tripped myself up from all the little-endianness. Yeah, sure, sure. It's actually a super elite test to see whether or not you can convert back and forth between decimal and hex in your head. It's hardcore. Okay, thanks. I don't know. I had to add 16 there. That probably means that my notes are a little bit wrong in some way that I'm not aware of. But the target is right. The concept is right. Let's go. Oh, it's 11:02. All right, real quick. Here's a one gadget. There's a tool called one_gadget. And run it on libc.so.6. These three one gadgets are places where in that library there literally exists something that pops a shell for you. You just got to get to that address and satisfy these constraints. The constraints are about which registers are null or not or whatever. So typically we can try them in this order. These ones are often null, no biggie, and it's either one is fine or it points at a null. So I'm going to try this one first. Now it won't be 1337, it'll be this plus libc.address. So that was an offset into libc. I've already got my leak. Now that won't give me the shell yet. But that's why I did malloc_shell. This one doesn't matter. I can ask for any size I want. It doesn't matter, and then go p.interactive(). All right, if this works, it works and we're going to feel good. We'll take away the tmux. Like totally. r12 is not good, or r13 is not good. So that's a bad one for us. Then try the other one gadget. Sorry. This is also easy, but finish this up. Let's try this one out and take away the tmux. Packed in there. All right, doesn't sound okay. There's the default one. It works. Not an idiot, or a little bit, but that's all right. That's the default fastbin dup.
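As an added example (not the lecture's playground or exploit script), this Python models the glibc fastbin size check the lecture calls the second security check, runs the same search the lecture's find_fake_fast command does over a constructed memory image around a hypothetical __malloc_hook, and works the seed / user-data / pad algebra from the TL;DR. The 0x80 fastbin limit, the address values and the byte layout are assumptions; only the size-index check is modelled, not tcache and not any alignment check.

```python
import struct

SIZE_SZ = 8                 # 64-bit glibc (assumption throughout)
MALLOC_ALIGN_MASK = 0xf
MIN_CHUNK_SIZE = 0x20
SIZE_BITS = 0x7             # PREV_INUSE | IS_MMAPPED | NON_MAIN_ARENA
FASTBIN_MAX = 0x80          # default global_max_fast on 64-bit (assumption)


def request2size(req):
    """glibc request2size: header added, rounded up to 16, at least 0x20."""
    if req + SIZE_SZ + MALLOC_ALIGN_MASK < MIN_CHUNK_SIZE:
        return MIN_CHUNK_SIZE
    return (req + SIZE_SZ + MALLOC_ALIGN_MASK) & ~MALLOC_ALIGN_MASK


def chunksize(size_field):
    """Strip the three flag bits; the fastbin check never looks at them."""
    return size_field & ~SIZE_BITS


def fastbin_index(size):
    """glibc fastbin_index on a flag-stripped size: (size >> 4) - 2."""
    return (size >> 4) - 2


def size_check_passes(size_field, request):
    """The 'second security check': the chunk popped off the fastbin must
    sit in the same fastbin index as the request.  Because the flag bits
    are masked off, every second nibble 0x70..0x7f satisfies a 0x68
    request, which is why the 7f byte of a libc pointer is good enough."""
    nb = request2size(request)
    if not MIN_CHUNK_SIZE <= nb <= FASTBIN_MAX:
        return False
    return fastbin_index(chunksize(size_field)) == fastbin_index(nb)


def find_fake_fast(mem, base, target, request):
    """Scan every byte offset behind `target` for a qword that passes the
    size check and whose chunk would cover `target`.  `mem` is a memory
    image starting at address `base`.  Returns (size_addr, size_field)
    pairs, the same information the GDB find_fake_fast command reports."""
    hits = []
    lo = max(base, target - FASTBIN_MAX)
    for x in range(lo, target - SIZE_SZ + 1):       # size must precede data
        off = x - base
        if off + SIZE_SZ > len(mem):
            break
        size_field = struct.unpack_from("<Q", mem, off)[0]
        if not size_check_passes(size_field, request):
            continue
        chunk_start, user_data = x - SIZE_SZ, x + SIZE_SZ
        if user_data <= target < chunk_start + chunksize(size_field):
            hits.append((x, size_field))
    return hits


def dup_plan(size_addr, target):
    """The lecture's algebra.  Fake size at x, real target at y: seed
    x - 8 into the fastbin head, the malloc hands back x + 8, and the
    payload is padded (y - x - 8) bytes before the value that lands on y."""
    user_data = size_addr + SIZE_SZ
    return {"seed": size_addr - SIZE_SZ,
            "user_data": user_data,
            "pad": target - user_data}


# Constructed sample: a 0x80-byte image of the bytes around a hypothetical
# __malloc_hook.  Only the libc pointer 0x20 bytes before the hook matters:
# little-endian it is a0 12 00 00 00 7f 00 00 and the qword after it is 0,
# so a qword read five bytes into it is exactly 0x7f.
LIBC_BASE = 0x7f0000000000          # hypothetical, not a real leak
IMG_BASE = LIBC_BASE + 0x1000
HOOK = IMG_BASE + 0x60              # hypothetical __malloc_hook slot


def build_image():
    mem = bytearray(0x80)
    struct.pack_into("<Q", mem, 0x40, LIBC_BASE + 0x12a0)   # a libc pointer
    # __memalign_hook, __realloc_hook and __malloc_hook are all NULL here
    return bytes(mem)


def demo(request=0x68):
    """Search for a 0x70-sized dup target at __malloc_hook and return the
    candidates plus the seed / user-data / pad numbers for the first one."""
    hits = find_fake_fast(build_image(), IMG_BASE, HOOK, request)
    if not hits:
        return hits, None
    size_addr, _ = hits[0]
    return hits, dup_plan(size_addr, HOOK)


if __name__ == "__main__":
    hits, plan = demo()
    for x, sz in hits:
        print(f"fake size 0x{sz:x} at __malloc_hook-0x{HOOK - x:x}")
    print({k: (v if k == "pad" else hex(v)) for k, v in plan.items()})
```

On this image the only hit is size 0x7f at __malloc_hook-0x1b, giving seed __malloc_hook-0x23 and 19 bytes of padding, the same minus 35 / pad with 19 numbers the lecture uses; asking for a 0x50-sized chunk instead finds nothing, since 0x7f lands in the wrong fastbin index.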
Fastbin Dup Pt. 2: the malloc_hook trick
From Andrew Novocin April 25, 2022