- Disclaimer
- House Of Roman
------> 2.1 Assumptions
------> 2.2 Protections
------> 2.3 Quick Walkthrough
------> 2.4 Setting the FD to malloc_hook
------> 2.5 Fixing the 0x71 freelist
------> 2.6 Unsorted Bin attack on malloc_hook
```cpp
#include <stdio.h>
#include <windows.h>
#include "peconv.h"

const size_t g_flagLen = 26;
char g_flag[g_flagLen + 1] = { 0 };

int my_index()
{
    static int index = 0;
    // ... the rest of the gist is not included on this page
```
By using the so-called universal gadget from __libc_csu_init we can read shellcode into the rwx memory segment and return into it.
By calling the read function we can overwrite only the last two bytes of read's address to point it at something useful and defeat ASLR. Fortunately there is a one-gadget RCE located at 0xf0567 in this version of libc, right near the read function (0xf6670). Since we overflow only the last two bytes, only around 16 attempts are needed, because of the 4 bits of ASLR entropy involved.
EDIT: check out another great solution proposed by agadeint in the comment section below, which is cleaner and does not require brute-forcing or a one-gadget.
```python
#!/usr/bin/python
import re
import os
import sys
import socket
import threading
from time import sleep
from pwn import *
```
- CGI.pm is shit
- CGI is shit
<"ARGV">
shouldn't work underuse strict
because thats a string dereferencing a symbolic ref.- Hash Keys can't retain tainting and so can be used to propagate un-vetted data into safe spaces:
my $hash = unsafe_thing_that_returns_a_hash();
$dbh->query(join keys %{$hash}); # data will be untained regardless of what it is.
- CGI.pm should probably do something smarter than simply returning the first
param
when >1 params