Daily Reminder: Mom's Spaghetti

Our compass through all of this is the desire for the following comfort food:

• CONQUER ADDRESS RANDOMIZATION by a USE-AFTER-FREE vulnerability to leak a glibc address
• WRITE-WHAT-WHERE using TCACHE-POISONING for arbitrary writing to glibc
• CONTROL INSTRUCTION POINTER by overwriting the FREE_HOOK in glibc with system where "/bin/sh" is written in the free'd chunk

You're babies today and we're going to learn the warmth and love of the dining room table. So that as you venture into the wilderness you'll do your best to recreate this ritual in ever harsher environments.

Class 21: How to generate leaks

(Given a USE-AFTER-FREE)

It's "easy" just:

• Free a chunk
• View that chunk after freeing it

Of course, then you need to know a few lower level things.

Questions this raises:

• How do we do that, exactly? Just what are the mechanics?
• I did the simplest thing, it didn't work. Why?
• What exact address is put into a free'd chunk?
• Which segments of memory can this possibly leak from?
• How well do I need to know everything to just do this one thing?

Typical PWN Heap mechanics:

Our HEAP PLAYGROUND:

This is a typical CTF style setup. Where we have this sort of smallest possible CRUD (Create, Read, Update, Destroy) setup.

Here is a sort of starter pwntools script for this kind of problem:

Just Do It?

So let's try to get a leak on this program. The plan is to ask for space, free that space, view that space (this is the coder's vulnerability BTW).

Some stuff could go wrong.

Let's run this in gdb/pwndbg and look at the heap after the various mallocs and frees.

• The chunk might literally disappear.
• The address might be mangled.
• The address would be a heap address (we want glibc).

Mental models to explain those 3:

• The last chunk, when freed, gets absorbed into the top chunk
• If your version of glibc is 2.32+ then addresses are "encrypted"
• Free'd chunks go into different "bins" and the most common bin (the tcache bin) is entirely in the heap

OK, but how would you check any of that on your own?

Well below are some useful guides.

ALSO it is nice to know the:

Tale of the 5 bins

We should probably make a bookmark to learn how each of these 5 are used and why and various subtleties.

But let's just learn their names and fill in details as we go.

• tcache - super quick, one per thread, starts in the heap
• fastbins - performance based singly linked quick list (glibc)
• unsorted bin - the staging bin for later sorting (glibc)
• small bins - slightly more common oldest form (glibc)
• large bins - the oldest form (glibc)

Heap Reference Guides:

I'm gonna drop these here for reference in the notes later: