Daily Reminder: Mom's Spaghetti

Our compass through all of this is the desire for the following comfort food:

You've done baseline mom's; level 2 is mom's with 2.32; level 3 is mom's with just a double free. LEVEL 4 is double-free mom's but on glibc 2.34+, that is, the latest glibcs. They no longer have FREE_HOOK.

Useful gdb tools:

Useful pwntools things:

Class ???: Latest glibcs have no FREE_HOOK

Let's check our compass:


I want to highlight that BOTCAKE can be used over and over for many WWWs

ASIDE: unstripping glibc

So most of the glibcs we target are the LTS Ubuntu copies, as they are the workhorse for the internet.

Most of the time those glibcs are "stripped", which hides certain symbols, making it harder to find things.

We can UNSTRIP a glibc using pwntools and the widely available "debug symbols".

Last night I struggled for a bit to get the LATEST 2.39 LTS 24.04 copy unstripped; JD helped me figure this out:

I re-released LEVEL4.5, which is just LEVEL4 but with glibc 2.39, which will be with us for a long time. Check it out in the PCPs.

The __exit_funcs

Alright this story has two parts:

OK this shows how the exit funcs look, where they live (libc.sym.initial), and how union sort of works.

So what are they? These are functions that will get called, with or without an argument based on the "flavor", when the program EXITs.

Sweet so this is a new target in life after FREE_HOOK?

Well... those addresses look funky... introducing:

TCB Pointer Guards

Alright one last security check to get around...

The addresses in the exit_funcs have been encrypted.

The encryption looks like this:

There's a rotate left of 17 bits after an XOR with the pointer guard.
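Added example, not part of the original notes: decoding an `initial`-style exit function list and undoing the pointer-guard mangling, so you can inspect which handlers a process will run at exit. It assumes the x86-64 glibc `struct exit_function_list` layout (8-byte `next`, 8-byte `idx`, 32-byte entries) and the flavor numbering from glibc's `exit.h`; the function names, guard, addresses and ranges are constructed for illustration.

```python
import struct

MASK = (1 << 64) - 1
FLAVORS = {0: "ef_free", 1: "ef_us", 2: "ef_on", 3: "ef_at", 4: "ef_cxa"}

def rol(v, n):
    return ((v << n) | (v >> (64 - n))) & MASK

def ror(v, n):
    return ((v >> n) | (v << (64 - n))) & MASK

def ptr_mangle(ptr, guard):
    # XOR with the pointer guard, then rotate left 17 bits
    return rol(ptr ^ guard, 17)

def ptr_demangle(val, guard):
    # Inverse: rotate right 17 bits, then XOR with the guard
    return ror(val, 17) ^ guard

def parse_exit_list(blob, guard):
    """Decode one x86-64 struct exit_function_list: next, idx, fns[32]."""
    nxt, idx = struct.unpack_from("<QQ", blob, 0)
    if idx > 32 or len(blob) < 16 + 32 * idx:
        raise ValueError(f"implausible idx {idx} for {len(blob)} bytes")
    entries = []
    for i in range(idx):
        flavor, fn, arg, _dso = struct.unpack_from("<qQQQ", blob, 16 + 32 * i)
        has_fn = flavor in (2, 3, 4)  # ef_free / ef_us carry no handler
        entries.append({
            "flavor": FLAVORS.get(flavor, f"unknown({flavor})"),
            "fn": ptr_demangle(fn, guard) if has_fn else None,
            "arg": arg if flavor in (2, 4) else None,  # ef_at takes no argument
        })
    return nxt, entries

def outside_ranges(entries, ranges):
    """Handlers whose decoded address is in none of the expected code ranges."""
    return [e for e in entries if e["fn"] is not None
            and not any(lo <= e["fn"] < hi for lo, hi in ranges)]

# Constructed sample (not from a real process): guard, addresses, ranges are made up.
GUARD = 0x1122334455667788
HANDLER, ARG = 0x7FFFF7FC9040, 0x7FFFF7FFE2E0
SAMPLE = struct.pack("<QQ", 0, 2)
SAMPLE += struct.pack("<qQQQ", 4, ptr_mangle(HANDLER, GUARD), ARG, 0)
SAMPLE += struct.pack("<qQQQ", 3, ptr_mangle(0x414141414141, GUARD), 0, 0)
EXPECTED = [(0x7FFFF7FC0000, 0x7FFFF7FF0000)]

if __name__ == "__main__":
    for e in outside_ranges(parse_exit_list(SAMPLE, GUARD)[1], EXPECTED):
        print("handler outside expected code:", e["flavor"], hex(e["fn"]))
```

Decoding with the wrong guard yields garbage addresses, so an entry that lands outside every mapped code range means either the guard value is wrong or the list has been modified.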

The pointer guard is a random value which LITERALLY LIVES NEXT DOOR to the stack canary!

Here's what that looks like:

The TCB lives JUST BELOW glibc; the offset is 10432 (surprisingly consistent between versions...)

At TCB+0x30 is the pointer guard (TCB+0x28 is the infamous stack canary).

That pointer guard is the XOR key for the exit funcs... SO here's how we handle our exploits:

The TWO WWW targets

One WWW was to disable the key, the other to drop system("/bin/sh") in as an exit_function.

That will put a "flavor 4" (function with argument) entry into our list, with the function being system and the argument the location of a "/bin/sh".

Samba Gist



Heap Reference Guides: