Daily Reminder: Mom's Spaghetti

Our compass through all of this is the desire for the following comfort food:

• CONQUER ADDRESS RANDOMIZATION by a USE-AFTER-FREE vulnerability to leak a glibc address
• WRITE-WHAT-WHERE using TCACHE-POISONING for arbitrary writing to glibc
• CONTROL INSTRUCTION POINTER by overwriting the FREE_HOOK in glibc with system where "/bin/sh" is written in the free'd chunk

Today we're going to ADAPT from 2.31 to 2.32. The big difference is that the linked lists are now ENCRYPTED.

LAB DAY: Leak a glibc, compute FREE_HOOK and system, tcache-poisoning for WWW

(Given a USE-AFTER-FREE)

OK what's the samba?

This was last weeks samba:

• A = malloc(24)
• B = malloc(24)
• C = malloc(0x421)
• D = malloc(24)
• edit(D, "/bin/sh")// (we'll want this later)
• free(C) // (UNSORTEDBIN -> C -> main_arena)
• view(C) // (this is glibc leak)
• free(A) // (tcache:0x20 -> A)
• free(B) // (tcache:0x20 -> B -> A)
• edit(B, p64(__FREE_HOOK)) // (tcache:0x20 -> B -> FREE_HOOK)
• E=malloc(24) // (E = B)
• F=malloc(24) // (F = FREE_HOOK)
• edit(F, p64(system)) // (now FREE_HOOK is system)
• free(D) // system("/bin/sh")

We now need to add two (three) things:

• We need a HEAP LEAK
• Our glibc leak is accidentally thwarted... so we need to move it to the large bins
• We need to decrypt our heap leak and encrypt our tcache poisoning

Practical Stages:

Stage 1: Binary runs with pwntools AND pwndbg

First run tmux then run ipython3 -i exp.py where exp.py is the following script. Confirm you have a two screen setup to interact AND debug

Stage 2: Make sure you are linked to glibc 2.32

Either use that old pwndocker image (https://prof.ninja/pwndocker last three lines) OR

Use patchelf: patchelf --set-interpreter ./ld-linux-x86-64.so.2 --set-rpath . encrypted confirm the linking worked with ldd ./encrypted

Stage 3: Generate and process a LARGEBINS leak

Stage 4: Generate and process a HEAP leak

Stage 5: Finish the Samba get your flag

Helpful Scripts

Heap Reference Guides: