Class 22: how2heap and linking an old glibc
Three goals today.
Using https://github.com/shellphish/how2heap to see the various heap exploitation techniques and the glibc versions each one applies to. (THIS LETS YOU SELF-PACE THROUGH ANYTHING)
Grabbing old copies of glibc AND the dynamic linker/interpreter (ld.so) that matches that particular glibc (https://github.com/AndyNovo/glibcs has most that matter)
Correctly linking your desired glibc to the binary you have in hand, both in the terminal AND in pwntools (the two are done differently).
These skills matter far more now that every version of glibc ships with different security measures in place, and we slowly join the trenches of the dogfight.
My demo: house_of_force.c
OK so house_of_force.c is source code written in the style of the how2heap examples.
Grab all the glibcs and copy the 2.27 libc and its linker (ld.so) into your working directory.
use patchelf: patchelf --set-interpreter ./ld.so.2 --set-rpath . a.out (the rpath is the directory to search for libc.so.6, not the library file itself)
use export LD_LIBRARY_PATH=$PWD:$LD_LIBRARY_PATH
(NOTE: this export method sets it for every run in your shell session)
(If you want a one-off you can use: LD_PRELOAD=./libc.so.6 ./a.out which makes the loader prefer the libc you specified when it runs the second command, ./a.out)
Get success number 1
then undo your LD_LIBRARY_PATH (unset LD_LIBRARY_PATH) before running python, otherwise python itself would pick up the old libc
Now set the environment for the target inside pwntools: process("./a.out", env = {'LD_LIBRARY_PATH' : '.'})
Get Success number 2
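A check for the steps above, added here as an example and not part of the class demo or of how2heap: it reads the PT_INTERP entry that patchelf --set-interpreter rewrote, so you can confirm the binary will really start the old ld.so before handing it to pwntools. The sample ELF image it builds is constructed in the block (header plus one interpreter segment, not a runnable program); the "./ld.so.2" path and the env dict follow the commands on this page.

```python
import struct

PT_INTERP = 3


def elf_interp(data):
    """Return the PT_INTERP path of an ELF64 image, or None if it has none.

    This is the field `patchelf --set-interpreter` rewrites, so reading it
    back is a quick check that the binary will start the old ld.so.
    """
    if data[:4] != b"\x7fELF" or data[4] != 2:      # EI_CLASS 2 = ELF64
        raise ValueError("not an ELF64 image")
    end = "<" if data[5] == 1 else ">"               # EI_DATA 1 = little-endian
    (e_phoff,) = struct.unpack_from(end + "Q", data, 0x20)
    e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 0x36)
    for i in range(e_phnum):
        hdr = struct.unpack_from(end + "IIQQQQQQ", data, e_phoff + i * e_phentsize)
        p_type, _flags, p_offset, _vaddr, _paddr, p_filesz = hdr[:6]
        if p_type == PT_INTERP:
            return data[p_offset:p_offset + p_filesz].split(b"\0", 1)[0].decode()
    return None


def uses_old_loader(data, wanted="./ld.so.2"):
    """True when the interpreter is the one patchelf was pointed at on this page."""
    return elf_interp(data) == wanted


def build_sample_elf(interp):
    """Constructed sample: ELF64 header + one PT_INTERP phdr + the path string."""
    interp_bytes = interp.encode() + b"\0"
    phoff, phsize = 64, 56
    str_off = phoff + phsize
    ehdr = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\0" * 8        # ELF64, LE, version 1
    ehdr += struct.pack("<HHIQQQIHHHHHH", 2, 0x3E, 1, 0, phoff, 0, 0, 64, phsize, 1, 0, 0, 0)
    phdr = struct.pack("<IIQQQQQQ", PT_INTERP, 4, str_off, 0, 0,
                       len(interp_bytes), len(interp_bytes), 1)
    return ehdr + phdr + interp_bytes


def pwntools_env(libdir="."):
    """The env dict passed to pwntools' process(): after you unset
    LD_LIBRARY_PATH for python itself, the target still needs it set."""
    return {"LD_LIBRARY_PATH": libdir}


if __name__ == "__main__":
    img = build_sample_elf("./ld.so.2")            # swap in open("./a.out", "rb").read()
    print(elf_interp(img), uses_old_loader(img), pwntools_env())
```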
Now we can look at the actual theory behind any exploit.