Andy Novocin: Okay, okay.
Andy Novocin: So my theme for the week is kind of playing around with, you know, little diagrams.
Andy Novocin: Little diagrams like this. I think they can help tell the story. Maybe something like that. Mom's Spaghetti is tcache poisoning.
Andy Novocin: And so the question is, what do I do in other contexts and things like that? That's the story I've been telling for like a week now. So here is, here's my concept in Class 28. Okay.
Andy Novocin: In this case the next big idea, and honestly, we didn't finish the House of Ninja.
Andy Novocin: We could finish House of Venture real quick, too.
Andy Novocin: So that's like okay with me.
Andy Novocin: But I think the House of Ninja is immediately crappier than the House of Botcake.
Andy Novocin: And so here's the House of Botcake.
Andy Novocin: And I'll do this in contrast with the previous gist, the previous gist that I liked. I like this. This makes me happy. That's to say, Andy says there's 3 parts to any kill chain. How are you gonna take over? You know, how are you gonna get system? Like, what are you gonna do with the instruction pointer?
Andy Novocin: How are you going to get your leaks? And how are you gonna get your write-what-where?
Andy Novocin: This tcache version. That's the one that I want you to know stone cold. Have it in your heart, tattooed on your head, you know, right here, like the Manson murders or whatever, you know. Okay, how? You know, tcache poisoning. I just know it.
Andy Novocin: So these 3 components, and the exploits here are that I have a use-after-free. This is the big no-no for the developer. So all we're doing is replacing a use-after-free with a double free. If all I get is a double free, what changes, right, in this case?
Andy Novocin: Our leaks actually do change a little bit, but they only change by, like, one malloc. Right here all I have to do is just do one more malloc before my view. That's all I have to do here, so I should probably add that to my House of Botcake one, so the leak has 2 extra lines. Now I can malloc.
Andy Novocin: You guys clear on why that is? Like, why the leak needs one extra thing?
Andy Novocin: And that's because my viewing, if all I have is a double free, that's taken away. My use-after-free, the developer got smart.
Andy Novocin: I can't view unless I have it in use, which means I have to malloc the chunk.
Andy Novocin: Everything here still works, but I have to put it back into use, and as long as nobody cleared out the data, then I'm good to go.
Andy Novocin: So all I have to do is just add one more malloc right here. I can say malloc 3, 0x18, and then view 3, and everything else is the same.
Andy Novocin: Yeah. And here, the big boy, all I've got to do is say malloc 5, 0x418, and then view 5, and I've got my glibc leak.
Andy Novocin: Okay, you guys don't seem that impressed by that. Like, all right, I'm sick of hearing all this stuff. Let's see something new. Alright. So let's talk about something new.
Andy Novocin: I'm not going to change this one at all. This is still our goal. We're just going to go free hook, system. This is pre-2.34. Starting Friday I'll teach you the cutting-edge version of that, and it's going to take us 2 weeks, and the class will be yet at half the size again by the time I'm done, you know.
Andy Novocin: Is it dry? Maybe, I don't know. Just Ocean's 11. The Ocean's 11. Is it dry? It's not dry, but they have a montage. This is our montage moment.
Andy Novocin: All right. So, okay, so, well, what I really want to concentrate on is a new version of write-what-where, and what I'm calling this is overlapping chunks.
Andy Novocin: Alright, so we've had like a couple of big concepts here. Not a lot of concepts: use-after-free and just screwing with your linked lists. That's our baseline. That's Mom's Spaghetti, it's screwing with your linked lists.
Andy Novocin: One thing we had to do is fake chunks, make chunks. We played with that notion. I can use a fake chunk to get something that I wouldn't normally be able to get. Okay, cool.
Andy Novocin: The next concept was like this fastbin dup. I don't feel like we've finished that concept. But we can. Okay, it's fine.
Andy Novocin: This one is yet another idea.
Andy Novocin: And it's basically this. All of these things that they have in common is that I want to screw with your linked lists. How do I screw with your linked lists? Well, I need to be able to edit the address in a linked list while it is in the freed state. If I can edit anything that is in the freed state, I win.
Andy Novocin: All right. So what are ways that I can edit something that has already been freed?
Andy Novocin: I have to trick it.
Andy Novocin: You know, I have to either overwrite it from behind. The idea of the House of Ninja is that I'd like to get something just behind it that kind of creeps up into the thing, and I hit the thing. That's largely the same concept here. An overlapping chunk is saying, I hold a chunk that's this big, and right in the middle of it is a freed chunk of some other type.
Andy Novocin: And I'm allowed to write all that's between my L7. We need fingers here, and right in the middle of that L7 we need is a chunk that has been freed, and that is a type of use-after-free where I've got a chunk in the middle of another chunk, and if I can overlap chunks in any way like that, then I can edit your addresses. I can edit your address. I can do Mom's Spaghetti and do my write-what-where.
Andy Novocin: Okay, with me on the concept?
Andy Novocin: Okay. Maybe, maybe not. Ask questions. You young folks don't ask questions enough, you know.
Andy Novocin: I think we got it. Maybe I'm going too slow. It's impossible for me to tell. I've never successfully taught the heap, right? I'm trying. I need your feedback in real time. Be like, okay, I think I get it, or whatever, or for you to go and play with it right now. One of the things that makes this a little complex is that I've offered an A in the class for PCB 26, or whatever, right? Crack PCB 26, you get an A in the class.
Andy Novocin: I won't say no questions asked. Somebody is like, oh, I'm struggling with all the speed runs or whatever, but I'm gonna go after PCB 26, and it's like, what? That's crazy. Okay, you did that? Well, not though, all right. Maybe so, questions asked. Alright, fine. It's up to you. But you know, if you've earned PCB 26, great, cool, you've done it. Up for like a transcendent request. Cool, if you've done it on glibc 2.37...
Andy Novocin: Great, you're the Avatar, the Last Airbender, or whatever. You completely have it, our state.
Andy Novocin: Okay, that complicates this, because the thing I want to do is like do a complete walkthrough of, you know, the free-er criteria, so like maybe I shouldn't have offered that or whatever, so that I can do the test problem, you know, or something like that. Fine, a little complex. Okay.
Andy Novocin: Now I'm a little nervous. But fuck grades. They're so transactional. It's just dehumanizing everywhere. All right. So let's do this.
Andy Novocin: I hope you like this format. I like this format. This is, and I'm going to like treasure these little gists. So part of the reason I was a little late is because I wanted to make this really good.
Andy Novocin: And I want to make this good because I'm just gonna pin it in the CTF Discord and come back to it whenever I want, right, and be like, okay, cool, here's my reference. How do I do that? That's how I do that. Right, you know. So these are good for me in that sense.
Andy Novocin: Okay, here we go. Overlapping chunks. I want a chunk that starts right in the middle of another chunk. Okay, here's how I'm going to do it: when you get 2 bins to consolidate with each other.
Andy Novocin: We've talked about that like once, kind of, you know, fastbins consolidate. What does it mean to consolidate? It means that this chunk is eating this chunk, and now they're one.
Andy Novocin: So 2 chunks become one chunk. That's consolidation, right? How do you do that? You see that the chunk before you is not in use. You adjust the size of it, and you adjust the size of the previous chunk down here, and you kind of like jump here, adjust the size, and then you're good.
Andy Novocin: So consolidation is not that expensive, and it does it all the time. Is that how you avoid fragmentation?
Andy Novocin: Okay, every time I'm going to do one of these overlapping things, the basic idea, and I've seen a lot of these, and they all have different names, that's why I think house submissions should totally be a thing. This is not that complex, whatever. It is that if I can get a chunk into 2 different bins at the same time, that's effectively like a 33.
Andy Novocin: So like in our fastbin loop, we got a chunk in the same fastbin and it loops on itself. Okay, cool. That's good. In this case, I'm gonna have the chunk in 2 different bins. Still the same deal. I can malloc from this bin and write into that, then, you know, whatever. So the idea is that I'm gonna have the same chunk in 2 different bins at the same time. That's my goal, right? I'm gonna pull that off.
Andy Novocin: There we go.
Andy Novocin: Here's the pseudocode. It's like working, kind of half pseudocode. Okay.
Andy Novocin: malloc 7: boom, boom, boom, boom, boom, boom, boom, boom, boom, boom, boom, boom, boom, boom, boom, boom, boom, boom, boom, boom, boom, boom, boom, boom!
Andy Novocin: I'm going 0x108. Why am I going 0x108? Because I want to skip the fastbins right now. I got a little screwed up the other day because I had this in my head, and I thought, oh, maybe the fastbins stop at 90. But I was thinking decimal, so fastbins stop at 0x80, you know, and the stinky bits, right? My guys are way past the stinky bits. So we're cool. Alright, but it looks like it's not, and it looks like it's the number after 90, right? But it's not, it's well past that.
Andy Novocin: So I'm getting something that is big enough to skip the fastbins. That's all. But totally filling up tcache, man. Okay, this is a little Pythonic: 7 is the one that's not actually made here. So this is 0 through 6.
Andy Novocin: Then I'm going to make 2 more. All right. Now, these 2 are gonna go into the unsorted bin because there are 2. The tcache is full, and they're past the fastbin size. Are you with me on that? Fastbins only go up to 0x80.
Andy Novocin: tcache goes up to 0x420, 0x410, and I, sorry. Now I'm just contemplating the legalization of marijuana in Delaware.
Andy Novocin: What that'll do to the state with my kids, or something, you know. Fine, squarely thought back to focus. These are gonna go on my unsorted bin, and they're gonna go straight to the unsorted bin because they're too big for the fastbin. Okay, great. And what is this one? This is my paranoia, or it's not even paranoia. To say, this is totally necessary to prevent those unsorted bins from being sucked into Stephen King's, you know, top chunk. Cool.
Andy Novocin: This class has gotten very repetitive. I just keep saying the same things every single time. But yeah, unless I feel like you're saying them to me, then I'm gonna keep on repeating. It's exactly what I'm gonna tell you: I'm gonna tell you what I'm gonna tell you, I'm gonna tell you, I'm gonna tell you what I just told you. It's okay.
Andy Novocin: So unless you can do it cold. Great. Attempting to heap slowly. Okay, ready. Let's fill the tcache: free, free, free, free, free, free, free, free, free, free, free, free, free, free, free, free, free, free, free, free, free, free, free, free. Freeze.
Andy Novocin: This is the new insight for the week. What does that mean? That means that my 0x110 bin is a linked list that points at chunk 6, and then 5, then 4, then 3, then 2, then 1, then 0.
Andy Novocin: I thought about adding an extra arrow that says null after that, you know, because this 0 is actually chunk 0, not address 0, right? So this is 7 distinct chunks. But I didn't want to make this from range 1 to 8, you know, like it's kind of weird.
Andy Novocin: So range 7 made me end it with a 0. Fine.
Andy Novocin: Okay. Everybody on board with this? This is like classic for us now, right? We've built up a tcache. We have 7 chunks in there, we freed them all. That's one tcache bin completely filled up, all the rest of the tcache bins completely empty, but hex 0x110.
Andy Novocin: There we are. Okay. Now the tricky bit. I have my 2 chunks that are the same size as the full tcache bin. What happens when I free them?
Andy Novocin: Now I have an answer to that. Here. This is the flow chart of freeing.
Andy Novocin: So we haven't looked at these flow charts too much. Last time when I taught this, I started with the flow charts, and I think people just got scared because it's too much complexity too soon. So instead I'm taking, you know, a tracer bullet approach, one Mom's Spaghetti, the Mom's Spaghetti approach. That's this semester. We'll see how it is.
Andy Novocin: Okay, I'm going to free a chunk. Is it in the tcache range? Hell, yeah. Does the tcache have space? Nope. Is it in the fastbin range? Nope.
Andy Novocin: Okay, what I'm gonna try to do, I'm gonna try to consolidate backwards. That's the first thing I want to try to do.
Andy Novocin: Well, I'm freeing something, and the previous chunk is in use, so I can't consolidate backwards right now. Great. Is the next chunk the top chunk?
Andy Novocin: Well, no, we put a little buffer. So had it been, I'm going to consolidate with the top chunk. Fine?
Andy Novocin: Okay? Well, then, I'll consolidate forward. Is there somebody after me that's not in use? Can I consolidate those? In this case? No, it's just the first one is just out there between the little buffer and something in use.
Andy Novocin: Yeah, maybe. Yep. Yep. Because I'm stopping at line 17 and not 19. So at line 19 it's totally gonna consolidate.
Andy Novocin: But I'm just really looking at what happens at line 17. So at line 17, what does my stack look like? I've got 6 chunks, 7 chunks in a row that are all in tcaches, and then chunk 7 is in use. Chunk 8 is the one getting freed and chunk 9 is a little buffer, and then the top chunk. So I'm looking at what happens to 8. So its previous neighbor is in use, and the post neighbor is in use. Alright, so all we're really saying is, it's going to go to the unsorted bin.
Andy Novocin: That's all that this first little flow chart says, but it's nice to see that consolidation is possible. So in this case I cannot consolidate backwards, because the previous chunk, the chunk above me, is in use. I can't consolidate forward, the chunk after me is in use.
Andy Novocin: All right. Done. So then what do I do? And I'm not near the top, so I can't do any of these consolidations. Okay. So what will I do? I'm gonna link into the unsorted bin. Okay.
Andy Novocin: And I'll try to consolidate fastbins. Okay, cool, cause that's what fastbins do. Fastbins just want to consolidate any time they can. Yeah, because there's an infinite number of them scattered all over the place, with nobody taking care of them, you know, whatever. So fastbins are like the lost children, and they like reproduce. I don't know, they like that. I don't have an analogy. Fastbins are rabbits. I don't know, whatever. It's a linked list that's like sprawling over those. Don't deprive them. Alright.
Andy Novocin: Is my size above the fastbin consolidation threshold? Yeah, sure, it's returned. Done. So this is the only thing that really happened. There was that link to the unsorted bin. Okay, cool.
Andy Novocin: You guys look bored as shit. I don't know, we could look at it, you know, whatever. But it's, we're doing Ocean's 11.
Andy Novocin: The guard is eating a hot dog. Alright. Cool. Nothing wrong yet.
Andy Novocin: Okay, now we free 7. So what's my situation? I've got free, free, free, free, all in tcache, victim chunk that I'm about to free, free. So this is 7. The one after me is totally free. The ones before me are all in the tcache.
Andy Novocin: Okay, let's take a look at what happens here. Free 7. I'm telling you that it will consolidate with chunk 8, and what will happen is that the unsorted bin will now point at 7 plus 8, a big old consolidated chunk.
Andy Novocin: And it might be nice for us to look at this in GDB and see that my arrows match up. Maybe that'll, let's, yeah, we could do that.
Andy Novocin: ssh 59 vip exec botcake. Hey? Let's copy exploit.py to play.py. So play.py. Not still you. Oh, and you too. Right. We get to play now, for I, I guess I can copy paste. Alright.
Andy Novocin: For i in whatever. And we've just done this. And my promise to you is that the unsorted bin now has 8 in it. Okay. tmux. Play. Okay, control C. Control B Z. It was all right. So what do I have? I have 7 things in the tcache bin, and chunk 8 is in the unsorted bin.
Andy Novocin: If I look at this with the visualizer of the chunk, what I have is the little buffer at the back, you know, there's a cheap little guy. Here is the one in the unsorted bin. This is chunk 8. Chunk 7 still in use. Chunk 7 is in use here, and then chunks 6, 5, 4, 3, 2, 1, 0 are all in tcaches. Okay.
Andy Novocin: I don't know if that's any better than me. I think me using my hands is just as good.
Andy Novocin: But you can trust that's true now, or validated, I guess, you know, whatever. Yeah. So if I free 7 and then 8, what would happen? I don't know, I've done that thought experiment in my mind.
Andy Novocin: The reason I want 8 is that 7 is the one that I'm going to use to edit 8. 8's the one that I'm going to put into the tcache. So what I'm actually going to do is, 8 is currently in the unsorted bin, but I'm actually going to trick 8 into being in the tcache, and that's the trick. So 8 is going to be in the tcache, and so I write from 7 into 8. Had I freed them in the opposite order, I think it would work the same way, but I haven't tested that. We can test it.
Andy Novocin: But first I just wanna make sure that people are with me because it's boring, like everybody looks really bored, but it's awesome. And so, you know, I'll dance one. Alright.
Andy Novocin: Okay, what else you gonna do? There's less dopamine in the second half of the class. The first half of the class, I get dopamine every friggin' day. You're gonna dope me once a week. Oh, all right, that's okay. Teaches the grid, teaches the...
Andy Novocin: All right. So we're gonna continue over here now. What I'm doing, oh, somebody is telling me a thing in chat. We could. So 7 is so big because you want to write into 8? 7 is a big, 7 and 8 are the same size, but what I'm going to do is I'm going to consolidate 7 and 8, and then make a chunk that starts at 7 and eats into 8, while 8 is in a tcache. That's my trick. So I'm going to have 8 live in 2 chunks at the same time, 2 bins at the same time.
Andy Novocin: Alright, so I'm gonna go over here. And now I'm going to free 8. Let's do this. Where, like, I do this when I'm teaching somebody how to code for the first time, you know.
Andy Novocin: To just be between this. All right. When I teach somebody to code, I say, predict what will happen, and then we see that it happened, right? That's a good thing to do for mental reps. So predict what will happen here. We're going to free 8. No, we're freeing 7. 7 is just before 8. 8 is free, 6 through 0 are all in tcache in reverse order there.
Andy Novocin: So the question is, what will happen? Well, am I in tcache range? Yes. Is there space? No. Am I in fastbin range? No. Consolidate. Consolidate backwards? Okay, that's actually non-trivial for you guys, like, why doesn't 7 consolidate with 6?
Andy Novocin: And the answer is because that's how tcache works. tcache doesn't actually look free. It doesn't actually set that 0x111 to a 0x110. tcache is like so temporary, but it doesn't even mess with any of that funky stuff like who's in use or not in use, or whatever. It's just like, you know what, I'm not even gonna take the keys out of the car, because I know that the next person is just gonna drive it. It's like a rental car unit, and people are just coming and going every day, or whatever. I'm just leaving the keys in there, versus taking them out, putting them into inventory, stuff like that. So the tcache doesn't even seem free from the perspective of this consolidation. And what I'm really saying there is...
Andy Novocin: I come over to this side. Can I scroll up a little bit? This 0x111 is not a 0x110. What I'm really saying, this 0x111, this is the one that we're about to free. If that little 0x111 was a 0x110, then it would consolidate backwards. But how is it going to check to see whether or not the previous chunk is in use? It looks at that one right there. That's how the poison null byte will work, too.
Andy Novocin: By the way, the poison null byte will trick this into thinking that the previous one has been freed when it hasn't, or something like that.
Andy Novocin: So in this case, because it says 0x111. And why does it say 0x111? Because tcache is fast and loose. tcache doesn't even care about all your unsorted crap. tcache is just: use it, take it back, whatever. I've only got 7 of them. I don't care, you know. So tcache is a gray accountant. I don't know what it, all right. So consolidating backwards? Nope, can't do it, because chunk 6 is in tcache. That's off limits, untouchable.
Andy Novocin: Next, is the next chunk the top chunk? Sally sells top chunks. No, not the next chunk.
Andy Novocin: Alright, consolidate forwards? Yes, now I will consolidate forwards. Why? Because 7 is right behind 8 and 8 is not in use. 8 has been freed, it's in the unsorted bin. How does it check that? The check on that is a little bit funky. I jump forward 0x111. I jump forward 0x111 more, and I look at this one right here and see a 0.
Andy Novocin: So it comes all the way forward twice in order to see that 0 right there, to know that the chunk after... and that's why it wants to consolidate backwards first. That's cheaper. This shit's optimized down to the flop. Because this is what runs the world, and the world needs to be optimized. So it consolidates backwards first because it's cheaper to check the backwards one with a single bit. Then forward. For forward I have to jump twice instead of jump once. That's why they do it in that order.
Andy Novocin: All right, cool, so consolidate forward? Yes, I'm going to consolidate forward. So what will happen here? This one is going to leave the unsorted bin and join up with this one.
Andy Novocin: And now this blue and yellow, this glorious kind of UD color thing, is going to become one giant chunk of size 0x220. Alright, so this is going to go to a 0x221 here.
Andy Novocin: Okay, let's check it out. See if that's true. Boom. Good. Nope. Yep. Yep. Control C. bins. Okay, there's only one in the unsorted bin. That's good. And vis 256. Okay.
Andy Novocin: Did I lie? That doesn't look like a thing changed. I just double freed myself. Gosh! What does that do? I don't know, man. I have no idea. I just double freed, and I think it just ran with it. That's kind of weird. Why didn't that crash? Shouldn't that have crashed? Does the unsorted bin do no checking? Which has happened. Okay, I just totally double freed. You're absolutely right. Yeah. Okay, good. That's more like it. Something went wrong. I don't know what. Thank you.
Zach: Okay, we go again.
Andy Novocin: play.py. What? You guys should have caught me sooner. It was about to, it free 8. It's free 7. Hmm. Alright. So free 7, free... Control C, bins. Yep, there's one. Control B Z. vis 256. There it is! Look at that. Blue and gold no more, baby, just blue. 0x221, as predicted, and right in the middle of it is, you know, a non-chunk that still looks like a chunk, looks and acts just like a chunk. But now it's in the middle of a big, larger consolidated unsorted bin thing.
Andy Novocin: Okay, you with me on that? That's a brand new concept for us. We haven't really looked at the flow charts much. That's consolidation. It's in order to avoid fragmentation. All right, everybody with me on that? Still bored, bored. Now let's get mean. Let's get malicious.
Andy Novocin: I feel like there's a line in the Black Eyed Peas song like that, like, let's get... Anyway, I think that was a song that got taken off the radio, you know, like people no longer like the title of that song. Yeah, anyway. All right. I think it's just "let's get stupid" somewhere. So let's get stupid.
Andy Novocin: All right. Here's my goal. I will take that 8, which is now in the middle of an unsorted bin, a giant unsorted bin, and I want to stick that 8 into the tcache. That's what I want to do. Now, in order to do that, the tcache is full, so I just have to make room in the tcache. So I'm going to do one quick little malloc. Just pop it off. Throw it away. I don't care. I just want to make room in the tcache. I'm gonna go from 7 chunks down to 6 chunks. All right.
Andy Novocin: So I'm gonna do one little malloc. And then I'm gonna double free. This is the developer's fault. Shame on them, like this should not be possible. That's the developer's fault right there. Secure software design title earned. That's fine.
Andy Novocin: But what that's gonna do is that's gonna stick 8 into the tcache bin, alright, has all the sizes, has all the trappings, looks like a tcache chunk. It's just right in the middle of something. That 8 is going right into the tcache bin, and now I've got an address that is in the middle of a tcache bin, or in a tcache bin, and in the middle of an unsorted bin. So all I have to do is just ask for a giant chunk of space, and it's gonna look, find the unsorted bin, and it's going to give me, you know, 0x140 of that and return it to me. And now I can write whatever I want to that, which will include the top of the tcache bin thing.
Andy Novocin: Alright, so now we'll have a tcache bin with an overlapping chunk.
Andy Novocin: That's what we're getting on. With me on that? It's like contemplating, you know, we kind of picture what that looks like. I got an unsorted bin. It's all one big thing now, but I'm going to put this one in the tcache, and then I'm going to ask for enough to cover up its little head. And then I got Mom's Spaghetti. Now I can edit an address that's in tcache, and I'm right back to where we've always been, which is, alright, I can smell the spaghetti cooking.
Andy Novocin: Here we go. I saw a, you know, YouTube Shorts are like TikTok for older people, and one of them had like angel hair pasta, and they put it through their Vitamix, and then added some egg, and they made their own pasta out of pasta. That's kind of what we're, you know, that's the stage of Mom's Spaghetti we're at right now. We're like making our own pasta for spaghetti. Okay, alright. That's fine. These analogies are dumb. I don't know.
Andy Novocin: Okay, Ninja, you know, out of here. Continue. Hmm. Continue. Control B Z. We'll go over here. All right. tcache has 7 chunks in it. I need to make room in the tcache. So what I'm gonna do, I'm just going to malloc something. I don't remember my index. I'm just going to malloc at index 50. I don't care. Screw this guy. There you go! That guy's out of the tcache. You're done. What do I want to put in the tcache? 8. It's my winner. It's a hell of a chunk. I love it.
Andy Novocin: That didn't crash us. That didn't crash us. That's great. Okay, let's go take a look at the world that we just made for ourselves. bins. Okay, this guy is way further away than these guys. These are like 7, 6, 5, 4, 3, 2. Like, I can see these guys counting. This one is way deeper.
Andy Novocin: Okay? And it's right in the middle of this chunk. Let's take a look at that in the vis. tcache bins, right in the middle of a blue chunk. Okay, all right. Great. This is the unsorted bin. That's a tcache bin. That's the same chunk. I have made homemade spaghetti out of your crappy spaghetti. Okay.
Andy Novocin: All right. Now, how do I cook the spaghetti? I just need to boil some water now, right? So all I have to do is I ask for a chunk of size, I don't know, this big. You know, enough to get out past that address. That's all I really need out of this. So instead of 0x110, I'm going to ask for 0x130, something like that.
Andy Novocin: Then I have to do a little bit of math on how much to, to calculate how much to fill in, so help me count. Oh, sweet! I was about to say, help me count these rows. Take a look at just the convenience of these addresses. I'm just going to count the rows, multiply by like 2, and I know how many. But it literally is counting for me. Row 1, 2, 3, 4. So I just kind of jump to here. That is 17, 17 rows of crap, and it's kind of like in this case 16 and a half will fill me up to here.
Andy Novocin: And then, now this is the difference between, you know, if I write a 0x111 here, I can actually do this write-what-where more than once. I can like sit and reuse this over and over. It's like, use it, and I'll malloc this guy and free it all out, like, it's awesome. So that's like a Star Trek. I was forgetting, I was getting, yeah. So, bye. He's now, whatever. So 17, 18. So what I want is like 17 rows of crap, and then the eighteenth row. That's the address. That's our tcache, boys.
As soon as I can edit that address, I've changed the entire. We. Andy Novocin: you know they actually Andy Novocin: what question. Maybe it's like, I'm not at you. Andy Novocin: But I'm gonna watch the lecture later if I pick that up. Okay, I know that. But I Andy Novocin: if there's a question that I could answer right now that will catch you up, you know. But there's not, I'm way behind you, Phillips, that sucks. I'm trying to go really slow, trying to get good on you for being here, though. Alright, yeah. Andy Novocin: sure Andy Novocin: of this. Yeah. Okay. So that's a good question. I got a big chunk in the unsorted bin. Andy Novocin: Somebody asks me for 75% of it. Andy Novocin: What happens? Andy Novocin: You know what the unsorted bin does. It gives me 75%, and the rest is made into a brand new chunk that goes into that sort of thing. Andy Novocin: In fact, what's interesting is that that new chunk will be in the middle of this tcache bin, so I could like, do my write-what-where, and then do another write a little later into the unsorted bin if I wanted. You know I haven't taught you how to do that yet. The name of that exploit is called unsafe unlinking. Andy Novocin: which is, if I exploit the addresses in an unsorted chunk like, imagine that I could. Andy Novocin: Well, if I can add those 2 addresses, I can also do a write. Andy Novocin: but it's a beer right over there, because Andy Novocin: it expects to find an address here that points back to it, and then it has a security check, so to like, follow the back arrow and see that the forward arrow of the back is the current one. Andy Novocin: So I have to make like a big address that points for. Andy Novocin: you know. Andy Novocin: But it's not that hard, actually. And it's like really weird and tricky when you do it. Andy Novocin: But you guys are talking with me now, you're gonna struggle with me there even more, so so nice and simple. That's like beef Wellington, you know.
Alright, fine Andy Novocin: Mom don't make that. I grew up on Hamburger Helper, kids, wrong side of the tracks, you know. All right, anyway. That's okay. Andy Novocin: 17 rows of crap Andy Novocin: and then the target address. And we're right in Mom spaghetti. Let's do it Andy Novocin: Writing Andy Novocin: I can. I can go back and reference my notes. Now, I want to malloc enough space to get what I want. Okay. Andy Novocin: 11. Andy Novocin: So Zach's question is, what does that do? What does that do? Exactly. Andy Novocin: Let's take a look. Andy Novocin: this 2 5 6 doing. Take a look at that beauty. Andy Novocin: This was all blue just a second ago. I asked for 0x138, which is 0x140. What does it do? It made for me a hex 140 size tone Andy Novocin: that completely overlaps the tcache bin right here, and then it made a whole other chunk of size E: one Andy Novocin: which got thrown into the unsorted bin. That is the rest of the child. Andy Novocin: That's how that works. Andy Novocin: Scroll down a little bit. Andy Novocin: Yeah. Andy Novocin: So this is a brand new chunk that got created, and that's what happens to you on unsorted, because the space, you need this much space. Cool Andy Novocin: this much. I'll save the rest. Andy Novocin: Okay. Andy Novocin: So that totally means that we do this right? We we can also like, keep going and over Andy Novocin: the Andy Novocin: but this exploit's so cool, and I'm just going to use this. We want to over. I'm just going to edit this one over and over again. I'll just like Andy Novocin: use this. Andy Novocin: and almost like I can make as much spaghetti as they want. Andy Novocin: That's a spaghetti factory. Andy Novocin: This is pretty cool. It's pretty cool. Andy Novocin: Okay. Andy Novocin: you with me on the beauty of that. Andy Novocin: Not quite, not quite. Andy Novocin: Yeah. Chuck it, he's in the back. It's like Andy Novocin: dude is amazing. I don't know what you're missing.
This is like, you know, and and he's right. He's right. This is totally amazing, and I'm not selling it with my body language. Andy Novocin: because I'm reading your body language and reflecting back, and it's like all right, not I'm not hitting the home, but I think it's because you have to go, do it. Just have to go. Trials, kill 6 h, or whatever, and try all the thing. It shouldn't take you actually 6 h. But but maybe. Andy Novocin: Yeah, clear your afternoon and go heat. Andy Novocin: This is our target. Andy Novocin: The the tattooed exploit is tcache poisoning, and that is overwriting a linked list address that's a link to this address. Let's say I'll prove that to you. That's sevenfoot type bins Andy Novocin: sevenfo is this one. Andy Novocin: If I edit sevenfo, then what will it look like Andy Novocin: I'll point at 8, which points at target. So if I replace this with a target, then this linked list got a whole lot shorter. Andy Novocin: and the next address after that is mine. Andy Novocin: Okay, you with me on that. That's the mom's spaghetti attack, is to overwrite one of these addresses. Andy Novocin: Okay. Andy Novocin: I was thinking, thinking I didn't take the time to write this, because I knew I was running late already. So so you know we did that math on the fly together. Andy Novocin: So let's do it. Andy Novocin: Continue Control easy. We're going to edit chunk 11, and what I say? Andy Novocin: 17 chunks. Oh, do you remember my numbers Andy Novocin: 17 times 16, rows. Andy Novocin: and I think that I wanted to do 16 chunks Andy Novocin: plus another 8, and then I can put in p64 of 0x111, and then I can use this over and over again if I don't corrupt that chunk. This is me being a nice guy. Andy Novocin: and then I'm going to put in target here Andy Novocin: what I want to put in for target. Honestly, I'm: I'm just gonna write like. Andy Novocin: you know what? Let's just go like p64 of 137, 137. You know something like that.
I just want to see that it's there. Andy Novocin: Okay. did it Andy Novocin: control C. Andy Novocin: bins. Andy Novocin: Oh, look at that. Andy Novocin: Okay. Andy Novocin: And here that is an arrows and arrows that's just saying this. After that thing I have overwritten this, and now head 0x110 points at 8, which points at target. Andy Novocin: We did the math right. Andy Novocin: so that this thing is literally pointing at 137, 137. I can make that whatever I want. Andy Novocin: And now I just malloc 0x110. I'll get this address, and one more malloc and I get that address. Andy Novocin: Now I can write to that like this. That's a write Andy Novocin: No, ask the questions. That's the question. He's a you know Chuck's like having a he's like super happy back there. He's not in the class. He took it last year, so he's like a year later. It'd be like, okay, I'm ready for you. Andy Novocin: Let's take a look at this. Andy Novocin: Here's what that looks like in practice, and I and I carefully put that 0x111 right back into place. So we just did the math, and we wrote the 1337 right there. And now we've got to write where Andy Novocin: and I just pop pop, and 137 will be in my hands, and I write whatever I want to 1337. One. Andy Novocin: Okay. That's the house of botcake. Andy Novocin: Okay. Andy Novocin: that's the target, congrats, we win. Andy Novocin: And I write whatever I want at that spot. Andy Novocin: Okay. cool. Andy Novocin: That's the write one. The parts of this that are missing are just the same as our baseline. Andy Novocin: So all of this, it just replaced this part of our tcache poison. This was a little bit easier in tcache poisoning. We just made it a little bit harder, but maybe more useful. I can do this over and over and over again, which is kind of cool. Andy Novocin: That's fine. But if you need to actually get a target, then first you do some leaks, and then in this case we can go after the free hook.
Andy Novocin: Call it replace free with the system. Maybe we take that little buffer chunk, and we write /bin/sh into it, just free my little buffer chunk and I'm all good Andy Novocin: system advantage. So these 3 components are exactly the same. I'm just replacing this one Andy Novocin: with a slightly novel idea. Andy Novocin: Okay. all right. That's how it's about kick. Andy Novocin: If you go and apply that to pcp 26, you transcend the class and get a free yet Andy Novocin: so Andy Novocin: cool. That's incentive. Yeah, alright. Andy Novocin: alright, it's beautiful stuff, man, beautiful, beautiful stuff. But but those of you who have questions or or like feel lost in it, or whatever Andy Novocin: try to put into words Andy Novocin: where the disconnect is right, and then try to Andy Novocin: yeah. Andy Novocin: walk with me over Evans, whatever, and just like, talk it out, you know. Be like, okay. I was with you until here. Andy Novocin: But what happens? Like I used to. I used to make my living as a math tutor. In math, there's this thing that happens, right. Andy Novocin: Somebody's with you. They're in the topic or whatever. And then they say, like linear algebra, there's like, shut down. Andy Novocin: Yeah, like static. It's up to you to say, you know what, I'm a badass. I can actually process this. I'm not gonna shut down. Andy Novocin: And then, like, if you don't shut down, then you're like, I can do this. Andy Novocin: Then you actually take those first steps into the unknown, and you're like I lost you here Andy Novocin: right in order for you to tell me where I lost you, you have to first not go static at the thought of it. Andy Novocin: and which means you have to whiteboard out or attempt the thing for yourself, or whatever, something like that. Andy Novocin: Yeah. So like, attempt it and be like I understood this, or whatever, as opposed to just being like copy paste, passive. You gotta be like I I want to understand the thing you're saying.
Andy Novocin: and I can. Here's the place where my mental model falls apart. Andy Novocin: Okay, I need you to do that, so that I Andy Novocin: Yeah. So it's less awkward or just so show up. That's okay, like, you know. Or just so. That's all right. But you know Andy Novocin: that's the goal. That's that's where we meet you. You got to meet me halfway, right Andy Novocin: alright, awesome. So Andy Novocin: for those of you who got that, great. If it didn't Andy Novocin: do the tcache poisoning and figure out where it doesn't make any sense to you. But don't go static at the moment that you try to do it. You sit down. Anything static. We need some words. We need some whiteboarding. We need some, some things that you don't go static Andy Novocin: you with me on that on my right. Andy Novocin: Yeah. So Andy Novocin: you know, like this earlier. But you're like, yeah, it's all static to me, man. I don't know. Okay, where did it become static? Like at what point, you know. Andy Novocin: you get the idea of the heap. We get this thing, whatever we got, things list or something like that, so like you just have to like, sit and walk through it, and maybe teach your friends, right. They they won't get it, either. But but when you attempt to teach it, you do a much better job of like internalizing it for yourself. Right? So get your mental model right? You gotta make mental less. Andy Novocin: Okay, cool. Andy Novocin: Oh. Andy Novocin: I'm trying. I'm trying.
House of botcake
From Andrew Novocin April 26, 2023
Zoom Recording ID: 4159319948
UUID: DQltkAksTBe/FhHGCNZVJQ==
Meeting Time: 2023-04-26 02:16:01pmGMT
Tags: Department Name: ECE; Date Established: April 26, 2023