Don't like this style? Click here to change it! blue.css

Welcome .... Click here to logout

Daily Reminder: Mom's Spaghetti

Our compass through all of this is the desire for the following comfort food:

You're babies today and we're going to learn the warmth and love of the dining room table. So that as you venture into the wilderness you'll do your best to recreate this ritual in ever harsher environments.

General Write-What-Where in the HEAP

Our WWW goal is to do a MALLOC and get the address they return to us to be a TARGET ADDRESS.

So how is any address malloc returns predictable?

So a general plan looks vaguely like:

The specifics will vary by which specific bin (linked-list) we're targeting, our version of glibc, and constraints of the binary.

Class 23: WWW via tcache-poisoning


Our "easy" to "real" narrative structure:

The "easy" essence is to EDIT a linked list:

Let's see the whole linked list at each stage of this SIMPLE plan.

The simple trick breaks in three ways:

For now we can downgrade our glibc version to avoid problem 3. So let's work in glibc 2.31

Today's PCP gives you a target address and a desired value (0xdecafbad), it has a win function that will trigger if you have changed the target address to have the desired value.

Problem 1: TOP CHUNK

OK this is just the wall again so easy peasy:

No problem just one extra note in our two note samba

Problem 2: the tcache bin count

So we should be able to SEE OUR TARGET address in the appropriate tcache bin.

Use bins to SEE A TARGET ADDRESS in the appropriate tcache bin.

But the next malloc just returns another boring new chunk from the heap. Why?

BECAUSE the TCACHE COUNT was 0 not 1, so it didn't even look in the tcache bin for a chunk.

So easy enough, we just need another dummy chunk.

Problem 3: need unprintable TARGETS

Adapt this starter script to our world, maybe add a check_target handler.

Our stuff will now look like:

PROBLEM 4: encrypted pointers?

We're just going to solve this by ignoring it for now, use GLIBC 2.31

In the future we'll solve this by first making a HEAP LEAK then encrypting our target address with:

      TARGET ^ (HEAP >> 12)



Heap Reference Guides:

Secret Tale of the 5 bins: fastbins

fastbins are a lot like tcache bins. They are designed for quick reuse more than recycling.