Don't like this style? Click here to change it! blue.css

Welcome .... Click here to logout

Daily Reminder: Mom's Spaghetti

Our compass through all of this is the desire for the following comfort food:

You're babies today and we're going to learn the warmth and love of the dining room table. So that as you venture into the wilderness you'll do your best to recreate this ritual in ever harsher environments.

Targeting the FREE_HOOK

So the last stage of a successful attack is to control the instruction pointer.

The FREE_HOOK is a symbol in glibc (< 2.34) that allows people to implement a custom free function for debugging.

The address at FREE_HOOK is typically 0 but it's a RW- segment so you can edit it to put in a custom version of free.

Our job in the Mom's Spaghetti is to replace the address at FREE_HOOK with the address of system.

THEN we call FREE on a chunk where "/bin/sh" is written.

Class ???: Leak a glibc, compute FREE_HOOK and system, tcache-poisoning for WWW


OK what's the samba?

Something like this:

What can go wrong?

Problem 1: patchelf

So our mom's spaghetti runs on glibc 2.31, so you'll want to patch the binary to use glibc 2.31:

SOLUTION patchelf --set-interpreter ./ --set-rpath . binaryname

Problem 2: leaks are hard

Learn how u64 works in pwntools, it consumes the weird unprintable strings and produces the integer leak. Needs 8 bytes though. So something like u64(raw.ljust(8, b"\x00")) maybe.

So we have 3-4 addresses we need to deal with:

SOLUTION 2: info address *

There are other ways to deal with this kind of thing including:




Heap Reference Guides: