Well, I pledge allegiance to Mom's spaghetti and to the exploits for which she stands. We conquer address randomization by viewing an unsorted bin after it's been freed: by taking a pretty big, you know, 420 bin and throwing it into the unsorted bin, freeing it, and then looking at that glibc leak. Once we have that glibc leak, we're going to hunt down the address of system and we're going to hunt down the address of __free_hook. Then we're going to make for ourselves a little tcache poisoning opportunity by putting two bins into a tcache bin. Take the second one, the most recent one that has been entered, the last one that was freed, and edit the address in it with a use-after-free and point the address to __free_hook, so that if I malloc twice, I will be returned the address of __free_hook, and then I will write system into the __free_hook location. So instead of all null bytes it'll be the address of system. Then I'm gonna free a bin, a chunk that has "/bin/sh" written in it; if I free "/bin/sh" instead, it will call system on "/bin/sh", and that's my shell.

All right, that's Mom's spaghetti. That's our morning routine, and we've now done it a couple of times. Have you guys gone and done it? Oh no, you're too worried about grades and other things or whatever. Who pledged allegiance to Mom's spaghetti? This is a blood oath, man. Grades are not a blood oath. There you go. All right, that's correct.

All right, so I considered jumping right into all the places that Mom's spaghetti gets harder. Like on Monday I was kind of teasing that, okay, next up we're going to move on to glibc 2.32, and 2.32 is going to have encrypted pointers and things like that, and here's how we get around the encryption and stuff like that. But I decided instead I'm going to back off and we're going to look at those flowcharts, now that we know Mom's spaghetti, before we go into the next sets of cool exploits. Instead we're going to visit some college campuses or whatever, you know, before we leave
the house. So we'll still take Mom with us or whatever; we're gonna stay in Mom's spaghetti for just one more day. And I've been wanting to tell the tale of the five bins. And I want you, in the back of your mind, to go through these flowcharts with the following task in mind: think about how to get a chunk into any particular bin. You've got five bins that matter, and of the various bins, any of these that have an "s" on them, you know, they've got multiple bins of that size or whatever: there's lots of tcache bins, there's lots of fastbins, there's only one unsorted bin, there's lots of small bins, there's lots of large bins. So think about what samba you could play to get a chunk into one of the five bins, and be able to answer that for all five of them. You're like, hey, this exploit needs you to throw something into the large bin. You're like, okay, I'm gonna think about that. Here's how I get it into the large bin, you know. So that's the thing in the back of your mind, and you are hunting through my words and the flowcharts and everything else like that, looking for: how do I get a thing into that bin? How do I get a thing into that bin? How do I get a thing into that bin?

Now, which of these bins do we know best right now? Tcache. How do you get anything into the tcache bin? So, challenge one. All right kids, I need you to get a chunk into the tcache 0x50 bin. What's your samba? You guys are looking guilty, but you should go with this, it's fine. All right, I'll put it in the Discord, since maybe audio cues are not your thing or whatever, you know. Let's go over here. We'll say: okay kids, get a chunk into tcache's 0x50 bin. Yeah, ChatGPT, how do I get a chunk into tcache's 0x50 bin? What is the samba? Yes, ChatGPT, what the samba is to do that. No, it won't know. Maybe it will, I don't know. It has definitely trained on my notes. Yeah, yeah. Honestly, you could even do that with two steps less; like, malloc and free is enough. But what size? What size do I want to malloc? No, no, I want to be
in this exact bin. It's 0x50 minus eight. The 420 gets me out of tcache. So, so to say, if I want to be in tcache in that particular bin, I do malloc(0x48), free. And I guess here I could say malloc, you know, one, and then free one, something like: I've got to store the address somewhere and then free that address. That's my samba in two notes. That will get a bin into tcache 0x50. Okay.

Ah, and Alex asked a really wonderful question: don't I need two to avoid the wilderness? Is she right? Is she wrong? She sounds right, but tcache ignores the wilderness. Tcache is so, like, primal and speed-focused or whatever that it doesn't even bother with any of that other crap. Tcache is just like, I'm my own heap, man. Tcache is the way that I do professoring, you know; it's just like, fuck all your shit, grades are dumb, whatever, I'm just gonna do my thing, man. That's tcache, you know. First in first out, last in first out. But like, fine, this is just to say tcache doesn't get sucked into the wilderness. All right, cool. But, you know, that question is a question that I ask myself every time I'm going through this thought process or whatever, and you guys don't have picture-perfect memories of every word I've ever said or whatever and things like that, right? You know, like, that's not the way; I'm not gonna memorize all this crap.

So here's the point of today's lecture: we've got some flowcharts. Let's look at some goddamn flowcharts. All right, here's the malloc flowchart. We're going to ignore that one for this one; we're going to go straight to the free flowchart. Flowchart, yeah baby, chart, do do do do do. So we're going to the free flowchart. All right, so what is happening when free happens? Free is going to consume an address. All it gets is the address. So the first thing it's going to do is look eight bytes behind the address to see what size the chunk is, right?
So the reason that every one of these chunks has eight bytes taken away from it is because the previous little metadata tells it the size of the chunk. And you know, we've got plenty of, like, here: if this is my chunk, the address, the pointer, is to this little yellow block; the size is the blue block. And so this guy's here and the size is there. This guy's here, the size is there. Okay.

All right, so step one: is the chunk mmapped? Let's pause for a second. What the hell does that mean? mmap is like a syscall-level instruction that will create a whole new segment of memory. So during the execution of the code, it could say, you know what? I need a whole new segment of memory. And just like we have a stack and a heap and all of our little battleships that randomize or whatever, I can call mmap and get a brand new ship, just like Thanos snapped back into existence at some random place. And I can set all the permissions on that. So if ever you guys get the ability to call a syscall and control the syscall, you could make your own segment of memory that has read, write, execute, and do old-fashioned shellcode in it. You know, whatever, I don't know. For whatever it's worth, if a chunk that is getting freed is mmapped, it will set one of the little flags.

I'm going to lose you. I'm going to lose you. Shit. I don't have a nice picture of the flags here. Dude, my reference materials need the flags. Okay, that's okay. Let's take a look at this. If I go to sec.prof.ninja, here's a secret link: bible.pdf. You'll get... yeah, yeah. I did not write this. No, this is the one I wanted here. I borrowed it from Max. Max is great. He's got a couple of Udemys on heap exploitation where this thing was. All right, sorry Max, thanks Max. All right now, yeah, yeah, yeah, that was your job, that's your job. Okay. But I have never shown this exact diagram. In fact, let's take a screenshot of it now for future reference. If ever you've wondered, what are the flags?
So today I'm just going to do all the technical crap that I just thought would be too boring before we actually knew how to exploit anything. So now we've done a full Mom's spaghetti, and now we're going to learn this stuff, but we have context in mind, right? So that should make it less shitty to learn this stuff. Okay.

The metadata. We've seen this number. It said 0x21. You know, what does that mean? Well, they've got eight bytes borrowed for the size. All sizes of all chunks are multiples of 16, which means that if I'm a multiple of 16 and I'm expressing it in binary (16 in binary is 10000), the bottom four bits of a size are always zero. So they overload that. They're like, you know what, we're always gonna be multiples of 16, we don't actually need a byte-for-byte size of this thing, so I'm gonna borrow the bottom four bits for flags. In fact, they only need three of them. And so they're going to have three of the bits they're just going to turn on or off: 1, 1-0, 1-0, 1-1-1, whatever, things like that. So in fact, I don't think in all of my years of heap exploitation have I ever seen 0x27; you know, like, I've never seen 0x27 as the thing, but it's totally possible. Here's what 0x27 would mean.
So if that size value said 0x27, that would mean that all three of these flags are on. 0x21 means that it's a 0x20-size thing, and this one's off, this one's off, this one's on. All right? So 0x20 would be off, off, off; 0x27 would be on, on, on; 0x22 would be off, on, off. You with me on how that works? Just binary. Okay.

What do the three flags say? The bottom flag is the one that's most important, and that is: is the chunk before me in use, yes or no? Right? So the bottom bit says, is the previous chunk available for me to cobble together? So just like in our used car example, if you gave me a 747, I got this big thing, and then you need a sedan, I just slice off part of the 747 and give it to you, you know, which is the weirdest part of the car example. We can also do the opposite: oh look, I've got a whole bunch of little Miatas and I'm just going to smush them all together and give you a 747. That's a thing that it wants to do. And so it wants to know if chunks nearby it could be stolen. And so if that's a zero, it's like, oh, I could steal a chunk behind me; if that's a one, I cannot. Okay, you with me on that?

These other two are very rarely used. But if you asked for so much memory... my analogy for this is that you come and you want to buy a car from me and you're like, I need a car that can house the entire human race. I'll be like, all right, fine, you have a planet. It's just way more than can fit in my segments or whatever, things like that, but I'm always going to give you what you need: here, have a planet. That was mmapping. So mmapping gives you an entire planet for you to use for your data. Okay, cool. If you give it back to me, I'm like, motherfucker, I don't have room in my car lot for your planet. I'm just gonna snap it out of existence. No more planet. So that was the first part of our flowchart. Go here, go here. We're at the flowchart for free. You're selling me a car. I'm like, oh, is it actually a planet?
And you're like, yeah, it is a planet. Okay, cool. No more planet. And that's the end of the free. All right? So just to say, if you're trying to recycle a planet, I'm just not even going to process it. I don't care. Okay. That's line one. You with me? Okay. No. Ask questions then. Ask questions then. I appreciate your honesty. Should we see it, maybe?

Well, so the question is, how do I get it to do mmap? So in order to do that, I have to be on the malloc side of things, where now I'm on the malloc flowchart. Here, all I get is how many passengers you want. So I'm like, okay, is your request size less than 420? Is your request size less than 0xb0? Is your request size less than whatever the small bin range is? Can I do anything? Whatever, blah, blah, blah. Is it in the large bin range? Is there enough space in the top chunk? Cool. Do we have anything? Fine, nothing works and there's not enough space in the top chunk; finally I'll do the mmapping. And let me see if there... yeah, there we go: is your request bigger than what mmap can even handle? There's still an answer to that, you know. But if it's what mmap can handle, then I'll give you mmap. So it's like that: in order to get there we have to ask for just the right amount of data, and I don't even know what that number is, you know. Like, I gotta be bigger than the top chunk but not so much bigger than the top chunk that it does this other crap. I guess they have a grow-heap function they can call. I've never... we could probably write a CTF problem where we force it to grow the heap, you know, that does something wacky. I don't know. That'd be fun.

Okay, so in order for me to get that flag to be on... and like I say, I've never, ever really seen a problem that cared about anything but the yellow flag. It's just like big-ass chunks where you need this other stuff. So I'm going to ignore the planets largely and just say okay, but it's line one of the flowchart, which is what's
annoying about the flowchart, right? It's like, you know, it's the epitome of the "well, actually," right? So what I want in the flowchart is to just go to the stuff that matters to me, but the first line is some sort of other crap that I've got to think about, you know. It's like, oh, I don't want to have to think about that. So here's my blessing to never think about it. Okay, cool. But if you want to think about it: they're recycling a planet. All right, cool. You run a used car lot, they're gonna try to sell you a planet, you're like, all right, I'll take it, because I'm like the Pawn Stars guy or whatever, I'll just buy anything. And I'm just gonna snap it out of existence. Cool, no more planet.

All right, now you're freeing something for me. Is the size of the thing you're freeing less than 0x410? 0x410 or less? If so, I'm going to check to see that tcache bin: does it have less than seven things in it? If so, I'm going to throw it into that tcache bin. That line we have done a lot of.
We've done this line many, many times. All right, and this is the line we just did in Discord, you know. So the question that Alex asked is, don't I need two to avoid the wilderness? It's a very good question. It's a good question, and the answer is not in this exact case, because the wilderness is this box right here: consolidate with top chunk. So that is to say, you're freeing a thing; is it less than tcache range, 0x410 or smaller? If no, it's really interesting. If no, then it's going to say, are you less than fastbin range? But guess what, fastbin range is smaller than the tcache range, so if you happen to have been flowing down this pipe right there, this answer is always automatically no, but it'll check it anyway. It's only if you come from this pipe that that question matters, because in order to get into fastbin I have to overflow the tcache. That is to say, it's the eighth thing into a small tcache bin that could possibly get into the fastbins. And so our job in this is to, like: get me into the tcache bin, that's this box; get me to the fastbin, that's this box; get me into the unsorted bin, all right, that's this box. All right, I feel like I need one more flowchart. Actually, no, that's fine. Getting into the small bins and the large bins, that's a whole other story. And today is the day to maybe learn that story. But it's not on this flowchart. Okay. All right. So I feel like this is the flowchart we kind of know the best. You free me? Are you less than 420? Cool. Tcache.
Is tcache out of space and you're less than 0xb0? Cool, you know. And it's easy to remember, all right: stinky pits and marijuana joints. All right, those are those sizes. Okay.

Now we get into this guy. This one's interesting. I kind of want to GDB this. I want to go to the playground and GDB this one. It just says consolidate backwards. It's not a choice, it's not an if statement, not anything else like that. It's saying, hey, you got this chunk, you're giving me this chunk right now, all right, well, is the chunk behind you available to just eat? Then I'm just going to merge you with that. Now honestly, you put a gun to my head and say which direction is backwards and which direction is forwards, I have no idea. So like, is backwards the one closer to the beginning of the heap, or is it the one closer to the top chunk? I think it's, you know, gun to the head, I think it's closer to the top of the heap, but I don't know. So that might be worth just sitting here and farting around with or whatever, like, all right, get two chunks to consolidate backwards instead of forwards. All right.

Oh wait, I think I know the answer. I know the answer entirely by logic. I was being too weak. I'm sorry, I apologize for not knowing my own strength. It consolidates backwards every time before getting to the question about the top chunk. Backwards is obviously further from the top chunk, because it wants the wilderness to eat even more. All right, I think I could be right. Okay, okay, it could go the other way, like I could get closer, but I don't, you know; it wants to consolidate and then get eaten by the top chunk. All right. I'm curious now. I'm very curious. I'd like to try that, but let's first figure out small and large bins. What are they?
But these things have a lot of really fascinating heap exploits, a lot of really fascinating heap exploits. And the reason I don't really care about whether backwards or forwards is which direction, I think, is because when I am abusing this as a hacker, which I do often, I do it by synthesizing a fake chunk and another fake chunk, and I make sure that these two are both not in use and they know about each other, and they're going to consolidate. And so I get it to merge two fake chunks that I made, or I make a fake chunk and have it merge with a real chunk, so now I've got a chunk that is in a state of being use-after-free even though the developer did nothing wrong. All right? But that's a superpower, you know; that's super advanced. We're just learning the mechanics today. So the reason I don't care is because I'm the one forcing the consolidation to happen. I'm the one who knocks, you know. And so I'm gonna make these two chunks and I'm going to force them to consolidate, and they're going to do evil stuff on my behalf, because I'm the hacker. Okay.

Now once I have consolidated forwards or whatever, I've merged with everybody I can that isn't top chunk, and I still exist, then I'm going to link you into the unsorted bin. All right? That is to say, if you just avoid tcache and fastbin, your fate is either the top chunk or the unsorted bin. All right, what does that mean? The unsorted bin is that recycle bin full of crap. In the recycle bin on UD, all of our recycle bins have like one destination written on them or whatever, or, you know, one source or some crap like that. They're basically just saying, hey, throw all your crap in our recycle bin, we'll sort it for you later. All right, those poor little kids. So I'm gonna put all sorts of wacky sizes into my unsorted bin, and here's why: I'm running this free, I'm trying to get your bullet off the screen, I'm trying to make your game run as fast as freaking possible. So I don't want to take the time to do some
crazy sorting algorithm inside of some bins of crap or whatever, things like that. I'm just going to throw you in the recycle bin so I don't have to think about you again, just like the way that you guys throw out your stuff. You know, you're just like, okay, cool, that was half a second of effort for me to put it in this trash can, you know, no big deal. If you had to go and bury a compost hole and things like that... when I lived off the grid, I was eating edible weeds and reading the Humanure Handbook or whatever. Every poop, I know exactly what my digestion is doing. I gotta go and manage it, cover it up, you know, whatever, just put it in the, you know, like make sure that you're cycling the manure, and like this manure is not yet safe for food until six months later, whatever, you know. Like, you are in charge of all of it, right? Like, I've lived off the grid, and it's cheap, but your hours are all taken up by just the act of surviving. And I was like, you know, I'll just go make money, that's fine. Like, I thought all this freedom and, you know, Thoreau stuff or whatever; nah man, just, like, fucking learn how the world works, like, don't be a loser. It's fine. But anyway, if you want to spend all of your time managing your own refuse and septic tanks and crap or whatever, you know, then fine. But if you just want a quick answer, it's the unsorted bin. The quick answer is just, hey, throw your crap here and I'll deal with it later. Okay. That's what the unsorted bin does. Deal with it later. Live next to a river: that's the top chunk. So I say, hey, I just shit in the river, man. It's fine. Engineering solution. That's right. And then I'm not running a factory, you know. Somebody else is downstream. I'm going to live upstream from that guy. Yeah, exactly, exactly. So just to say, I don't want to think about it. It goes in the unsorted bin. That's what the unsorted bin is for. Okay. And that's why there's only one unsorted bin. There's one unsorted bin and it takes in all sizes.
You got a chunk, you got another chunk, you got another chunk, whatever. Just throw it in the unsorted bin, man. We'll figure it out later. All right, that's the unsorted bin.

Okay, now this one's interesting: size above fastbin consolidation threshold. I honestly do not remember what size that is; probably it's 0xb0. But if you are freeing something that is more than the fastbin consolidation threshold, which is just a parameter that I gotta go look up, it will then take all the fastbins and go through and consolidate them. And that's pretty cool. So that is to say, every once in a while you free something of just the right size or more, you'll get into the unsorted bin, fine, you might even get consolidated with the top chunk, don't even care; you free something big enough, it's going to go through and trim the fastbins. That's really fascinating to me. The fact that it attempts to consolidate fastbins is proof of why... okay, just one thing I want to say once, right? Like, here's the thing I want to say with the fastbins. I was at a friend's house for Passover Seder on Saturday night, all right, and in the Passover Seder they've always got one part of this weird little ceremony where the kids ask questions: why is tonight different from all other nights? Or whatever, all right, fine. Why does the tcache bin have a count on each bin and the fastbins don't? That's a question, much like Alex's question, that I think you should be asking, you know; like, maybe you're not asking it or whatever, something like that. The reason is this question, to say, why put any limit on it? It's a linked list. The linked list could just point forever, you know. Why limit it to seven? The performance of the linked list won't get bad. And the fastbins don't have a limit; I can put as many things as I want into a fastbin as ever. But the answer is that if I let any of these shitty little singly linked lists take over, it'll
be like inviting ants to my picnic. All of a sudden all my food's covered in ants, you know. I have a secondary goal as the manager of the heap, which is to not get defragmented. I want to always have room without asking for more RAM. So they are space-aware, especially in the 80s; everything was like space-aware computing. It's like, how much space does this algorithm need to run? Nowadays we're a little, you know, like chips get bigger and things like that, we get a little lazy, you know, and stuff. But like those ladies who coded the Apollo Guidance Computer with threaded copper: fucking geniuses. Geniuses. And I think the reason they were geniuses is because they had a very constrained computing environment. Doesn't match any of your environments or whatever, and I love it. I love thinking about that computer a lot. I should make a CTF problem entirely in that Apollo Guidance Computer style or whatever, like literally a sewn computer. So crazy. Anyway, anyway. Okay, go look up the Apollo Guidance Computer; you will not regret that rabbit trail. Okay.

But if I am not careful about limiting my linked lists' size, then they will take over my entire heap. I don't know if I have the exact link to this; this is like "747 shuts down after continuous usage." I think there's been so many Boeing problems since then that it's gonna get dominated by these things or whatever. I think this one, maybe. In essence, if you ran their software long enough, it would just shut down and force a system restart. And the reason for that is because of the heap. The reason for that is because they had a memory leak: stuff wasn't getting recycled and consolidated in the right way, and it just asked for more and more and more memory until it ate up all the available working RAM, and all of a sudden the fans come on and, you know, it sounds like a jet engine. So like, to say, if I do not put limits on the tcache, the tcache is going to get
overflowing with little 0x20 chunks somehow, and if I don't put some sort of consolidation in the fastbins, I'll get overflowing with this stuff. So they both need to solve the problem of infinite fragmentation. Tcache solves it with, like, not solving it. They're like, you know what, fuck it, I'm never gonna consolidate, I'm not gonna do any of that boring crap that you guys do; you guys enjoy your paperwork or whatever. I'm just gonna like... I'm sorry, I'm now speaking as if I'm tcache. They just cap it at seven. They're like, you know what, I'm just gonna cap it somewhere; I'm just gonna cap it where, if I just never let you have that many, it's never that bad, you know. And so they just did a bunch of practical testing and they're like, seven seems reasonable; like, most programs don't need seven, you know, or whatever. That's what they picked. Just set an arbitrary limit, and that prevents the fragmentation from getting too bad. All right. I don't think I'm speaking to anybody right now. Shit. All right, I've lost you. Fine. I think it's a fascinating question. Tcache solves it by not solving it: they just cap at seven, therefore the fragmentation is never that bad. Fastbins solve it by occasionally, kind of... they wanted it to be almost random... consolidating. Okay. And that is to say there's this one weird little line in the free flowchart that's saying, hey, did somebody just free something kind of biggish? Tell you what, just go ahead and consolidate all the fastbins. Like, huh, okay, wacky. And so they'll consolidate all the fastbins; they'll find any neighbors that might be free or whatever, just merge them all together and throw them in the unsorted bin, and then they'll attempt to trim the heap. And this is to say, we don't want to crash your plane. That's what that's all about. Okay, this shit runs the world, right? You know. And it might help you with all of this to... I wrote some sort of cosplay stuff about this, maybe. Put
yourself in the shoes of the developer who runs the world, and you're writing this thing: every server, every database, every operating system in the world is going to run on your implementation of malloc. You need it; we need malloc. How are you going to implement it? And all day every day you hear about people complaining about either security issues, performance issues or defragmentation issues, you know, and you just hit all the complaints from everyone in the world. Because you know what, when you do this beautiful thing for the world or whatever, ain't nobody being like, I'm so grateful you wrote malloc, you know. No, you're just gonna hear all the complaints. You gotta be your biggest fan yourself, right? Like, my code's used by thousands of people all day every day; you don't get a whole bunch of roses or whatever, like, you know, oh, thank you for your code, you know. Like, that's fine. You hear about it when it breaks. All right, that's fine. So you're gonna profile like crazy. You're gonna map out, like, okay, the number of reads and writes that people use when they're making video games, when they're making databases or whatever, things like that: they're doing a whole bunch of mallocs, a bunch of frees, you do mallocs of this size and that size, whatever, and things like that, blah blah blah. You really need to know what the ratios are. You need to know, like, is it like, you know, because I'm imagining a video game and it's like a sniper game and you're like, each one of those little mallocs, you know, like malloc, malloc, malloc, and then it goes off the screen, like free, free, free, free, you know. So it's like clusters of mallocs and clusters of frees, whatever, and things like that, and you're just trying to maximize every single clock cycle and the performance and balance, and you're just juggling all this crap. Okay, and that's how we got what we've got, you know. So I think that just realizing that if I just said, hey kids, your class project for this class is
write malloc, you know, you're just gonna write malloc and write free; now all of a sudden all of this is way different. You're paying attention to these flowcharts or whatever very, very differently, because it's not as a hacker or whatever. Because one of those things that also sucks about teaching cybersecurity is that I'm teaching the wrong thing, right? The right thing to do is make the world, you know, and here we're like, hack the planet, you know. Which, by the way, is absolutely one of the GIFs that you can just get out of this: if I go "hack the planet" you'll get this. Yes. Anyway, all right, 1990s movie called Hackers; Angelina Jolie is a very young person. All right. So anyway, so you're hacking the planet, but you should make the planet instead, you know, right? Like the constructivists and all that. Okay. So just to say, if you think about this from the developer's perspective, very different set of stories. Okay.

So we know tcache. We kind of know fastbins. We could maybe get used to how fastbins consolidate; it'd be nice to see fastbins consolidate, but at the moment you just know that they consolidate. We kind of half know the unsorted bin. That is to say, I know the version of the unsorted bin which is, I just throw my shit in the recycle bin. I do not know what they do on the other side of that recycle bin. I don't know who empties it, I don't know what they do with it, I don't know where they put the metal and where they put the plastic and where they put the whatever. Well, these came first: the small bins and the large bins are kind of like, I don't know, the cockroaches and crocodiles of our world. They're like, you know, like sharks; sharks are older than everything, you know, they're just freaking old, and they're still here, we're still making movies about them and stuff or whatever, you know. Like crocodiles, freaking ancient; they were there when dinosaurs were there and crap or whatever. Cockroaches were there when dinosaurs were there.
You know, we're like, I wish I could ask them questions, like, tell me about the dinosaurs or whatever, but that's not how ancestral memory works. So anyway, so I'm just saying small bins and large bins, those are the crocodiles and sharks. They were always there. Everything else has been added, and the newer stuff that's added we care more about, but that ancient shit, that's the real shit, you know. All right, let's get ancient on this thing. Small bins and large bins: how do they work, and why were they the original, and here's the purpose. What happens on the other side of that recycle bin is the unsorted bin gets sorted into the small and large bins. Okay. So what happens: the unsorted bin gets sorted into the small and large bins. Let's look at that, kind of why. Let's take a look at the guides. This is the malloc flowchart. Here's the malloc flowchart. You ask for something. Is it less than 420? Is there something in the tcache bin? Go ahead and take it from tcache. Row one. All right, it was basically row one of the free chart, ignoring the planet crap, and it's row one of the malloc chart. All right, tcache is just going to hit all your problems if you're 420 or less and you didn't need more than seven. How about if it's full up or whatever, or like you're trying to malloc and there's nothing in the tcache bin? I'm going to go ahead and check to see if you're in the fastbins. But dig this. Even if you get a success... let's say that I, like... we should watch this once. Let's say I malloc 10 things and then I free 10 things. Seven are going in the tcache bin, three are going in the fastbins. I now ask for seven more. I'm going to drain the tcache bin. Bam, bam, bam, bam, bam, bam, bam. Now the tcache bin has zero. The fastbins have three.
The moment I ask for an eighth thing it's coming from the fast bin and you know what they do they take the other two things in the fast bin and they just throw them in the tcash bin um so like so like i you know i i can't get more than one thing out of the fast bin until i do eight more mallocs or whatever right so like um getting a thing out of the fast bin is pretty tough actually because the moment i get one it dumps it all to the tcash uh which is pretty wild um fast bins nutty they they're scared of the fast bin honestly they're scared of the fast bins okay small bins guess what i have some stuff in the small bins hey uh are all the small bins like is there a small bin that's in the size of the tcash range that you're asking for all right i'll give it to you but guess what i'm putting the rest of the stuff in the small bin right into tcash that's a pretty cool exploit too by the way um like like there's exploits inside of each of those yellow boxes but you know whatever oh guess what i'm also going to consolidate the fast bins again i do a consolidate the fast bins on the malloc side too so just like popcorning every once in a while i'm just going to consolidate of fast bins okay cool now we get to this if for some reason i'm outside of the small bin range or outside of the fast bin range or outside of the tcash range or they're empty or some other crap like that or whatever i'm going to scan the unsorted bin this box is purple another little uh passover style question why is this box purple and all the rest of the boxes are not purple you know because it's its own flowchart boop this is the unsorted bin flowchart all right unsorted bin empty uh yes was glibc compiled with tcash yep uh can was this moved back into tcash go ahead and take it from tcash wacky I have no idea how to get that to trigger yeah these are like if statements written in C, C is written in C you only bootstrap with assembly once so each of these is going to be like a couple of lines of 
assembly happening or whatever but they do care about the performance too okay so what happens inside the unsorted bin we are scanning for something that somebody has asked for i'm going to jump to this by the way when you're going through the unsorted bin you're going to look at one chunk at a time the chunk you're looking at is called the victim chunk every time you get to you know we unpacked that recycle bin and it's just like it's like a kid doing some sort of weird horror cosplay with their trash you know or something like that they're like really poor and their toys just trash to like take out this like 20 ounce coke can and they're like you're my next victim how will you die burning you know and you're my next victim decapitation you know whatever anyway so like like this is a fucking sick little kid uh as he takes the thing out of the recycle bin he's like you are my next victim and and it never goes back in the recycle bin it's gonna process this thing and each victim is gonna get thrown somewhere all right sorted but i don't know why they call them victim chunks all right fine if the victim chunk is exactly what the person is asking for go ahead and give it to them uh although first check to see if it's in tcash range all right fine um is the tcash full yes all right go ahead and give them the victim chunk otherwise store the victim in tcash oh great thanks they just want to throw everything in tcash all the time tcash is big bully everyone's doing tcash oh I shouldn't have passed that. All right, fine. Dig this. Is this the last chunk in the unsorted bin? Is this the last remainder? How are those different? I think of those as the same in my head. Is there enough space in this chunk to give them what they want? 
okay i'm gonna slice off part of this give it back to the person who's asking for the malloc and put the rest back in the unsorted bin so i'm gonna like cut it in two part i'm gonna recycle again and this part's going to the person all right wacky uh and then if it's not in the small range bins and it's not enough to give them what they want i am going to unlink the victim and then i'm going to sort the victim and the sorting is going to put it in a small bin or a large bin based on the size of the chunk i'm holding all right so that is to say i'm going to process the thing and i'm going to sort it while i'm looking i'm like i'm trying i only sort when i'm in a mat in the middle of a malloc so the unsorted bin is only going to happen when you're like hey can you give me some memory like you know what this is probably not as performance necessary as the free so i'm just gonna go ahead and take the time to sort this thing right now oh there's a question in the zoom yeah they have different metadata for remainders and that's why they're separate yeah like like i've got to look up what what the word remainder means in this exact context because like last chunk of it's sort of been is what i would think of as the remainder um but probably the remainder is the part where like I can slice stuff from this because we saw that the other day we had like a big chunk that we put in the unsorted bin and then I mallocked and it just kept slicing from the unsorted bin rather than like you know making anything new um and so I'm going to say that that last thing it must be the remainder it's like whatever's left over that I could slice from that's what they call the remainder I think um but I don't think there's metadata that changes it like I don't think it's metadata identified it's really just like the back of the unsorted bin um okay so this bin map is also interesting or whatever blah blah blah anyway there's infinite details and that's why i didn't want to start the heap with 
all these infinite details we're just going to like mom spaghetti it or whatever and things like that but you can go and answer all your questions here right you can be like okay i'm kind of curious how this works and like you'll probably have a lot of questions and things like that that pop up but not today and not randomly you know you'll be like oh can i do something wacky like that or whatever and so like becoming a badass at heap exploitation is kind of like learning all the different parts of that flow chart and be like oh there's an exploit that works here and then it works here and works here works here and works here but all i really want to do is mom's spaghetti and so like i only want to not do mom's spaghetti if you're forcing me not to do mom's spaghetti and like how are you forcing me not to do mom's spaghetti what exact way can i not do mom's spaghetti fine all i have is a double free great here's what i gotta do now to get right back to mom's spaghetti you know and And that's like my way to cut through this just wilderness of so many different things. To be like, we just want one thing that we're good at. Everything else will just follow from wanting to get back to that one thing we're good at. Okay. That's why I didn't start with all these details or whatever and things like that. It's like, you know, it's too much. It's too much. It's too much, you know? All right. Cool.
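Added example, not the lecturer's code and not glibc's: a toy C model of the tcache/fastbin hand-off the lecture walks through (malloc 10, free 10, malloc 7, then an eighth malloc). It is an assumption in every detail except the two rules it exercises: free goes to tcache until that bin holds 7 chunks and then to the fastbin, and a malloc served from the fastbin first refills tcache from the fastbin's remaining chunks, as the refill loop in glibc's `_int_malloc` fast path does. Everything is one size class, there is no consolidation, and the names `model_malloc`, `model_free`, `scenario_nth_malloc_id` and the constants are invented for the example. The thing to notice beyond the counts is the order: the refill pushes onto the head of tcache, so the ninth malloc returns the chunk freed seventh (id 7), not the one freed eighth.

```c
/* Toy model of the tcache / fastbin interplay from the malloc flowchart.
   Assumed for illustration; not glibc code. One size class, no consolidation. */
#include <stdio.h>
#include <stddef.h>

#define TCACHE_COUNT 7   /* glibc's default per-bin tcache limit */
#define POOL 32          /* fake chunks the model can carve from "top" */

typedef struct chunk { struct chunk *next; int id; } chunk_t;

static chunk_t pool[POOL];
static int pool_used;

/* Both bins are LIFO singly linked lists, like tcache_entry->next and fastbin fd. */
static chunk_t *tcache_head; static int tcache_n;
static chunk_t *fast_head;   static int fast_n;

static void push(chunk_t **head, int *n, chunk_t *c) { c->next = *head; *head = c; (*n)++; }
static chunk_t *pop(chunk_t **head, int *n) {
    chunk_t *c = *head;
    if (c) { *head = c->next; (*n)--; }
    return c;
}

void model_reset(void) { pool_used = 0; tcache_head = fast_head = NULL; tcache_n = fast_n = 0; }
int model_tcache_count(void) { return tcache_n; }
int model_fastbin_count(void) { return fast_n; }

/* free(): row one of the free flowchart. tcache until it holds 7, then the fastbin. */
void model_free(chunk_t *c) {
    if (tcache_n < TCACHE_COUNT) push(&tcache_head, &tcache_n, c);
    else                         push(&fast_head, &fast_n, c);
}

/* malloc(): tcache first. On a fastbin hit, move the rest of that fastbin into
   tcache until tcache is full, then return the hit. Otherwise carve from "top". */
chunk_t *model_malloc(void) {
    chunk_t *c = pop(&tcache_head, &tcache_n);
    if (c) return c;
    c = pop(&fast_head, &fast_n);
    if (c) {
        while (fast_head && tcache_n < TCACHE_COUNT)
            push(&tcache_head, &tcache_n, pop(&fast_head, &fast_n));
        return c;
    }
    if (pool_used < POOL) { pool[pool_used].id = pool_used; return &pool[pool_used++]; }
    return NULL;
}

/* The lecture's scenario: allocate 10 chunks (ids 0..9), free all 10 in order,
   then do n more mallocs. Returns the id handed out by the n-th of them, or -1. */
int scenario_nth_malloc_id(int n) {
    chunk_t *p[10], *c = NULL;
    model_reset();
    for (int i = 0; i < 10; i++) p[i] = model_malloc();
    for (int i = 0; i < 10; i++) model_free(p[i]);
    for (int i = 0; i < n; i++) c = model_malloc();
    return c ? c->id : -1;
}

int main(void) {
    /* Mallocs 1..7 drain tcache (ids 6..0); #8 takes id 9 from the fastbin and the
       refill moves ids 8 and 7 into tcache; #9 and #10 then return 7 and 8. */
    for (int n = 1; n <= 11; n++)
        printf("malloc #%2d after the frees -> chunk %2d  (tcache=%d fastbin=%d)\n",
               n, scenario_nth_malloc_id(n), model_tcache_count(), model_fastbin_count());
    return 0;
}
```

Build with `cc -std=c99 -o bins bins.c` and read the printed table against the flowchart. The model stops where the lecture stops: it does not check chunk sizes before the refill, has no malloc_consolidate, and has no unsorted, small or large bins, so it says nothing about the victim/remainder path described later. To see the real thing, run the same sequence with `malloc(0x20)` under a debugger with heap-inspection commands against a tcache-enabled glibc and compare the bin contents after the eighth malloc.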
Tale of the 5 bins part 1
From Andrew Novocin April 16, 2025
Zoom Recording ID: 4159319948
UUID: IKYdYW25SOSmJJPB9cK26Q==
Meeting Time: 2025-04-16 02:25:43pmGMT