Finishing old FSOP, restarting House of Orange

Last time I had an issue in my playground attempt that cost too much live time (I malloc'd too few bytes, just asking for 300 was enough).

So I'd like to start with the following:

• Look at our fake chunk and fake vtable inside of the _IO_list_all
• See the exact logic check in _IO_flush_all_lockp from genops.c that we have to work around
• Trigger the __overflow vtable function via any abort

Get shell on the playground

ASIDE: angstrom heap

With the VIP team Wednesday we spent a couple hours tackling PWN problems, I made a very in-depth write-up with this class in mind.

The github repo has the files for the binary and a blow-by-blow report of the process:

https://github.com/AndyNovo/dreams_angstrom_22

If you'd like I can talk about that before the HoO or show you next week.

House of Orange beginning of the end

OK so I've put in a difficult binary in our PCPs

It is full green but glibc 2.23.

You get:

• 2 small mallocs
• 1 large malloc
• the ability to edit the first of the 2 small mallocs

Note the absence of frees.

Recall the House of Orange strategy parts

• Overwrite the top_chunk size to make it smaller
• malloc something larger than the (faked) top_chunk size to trigger a "free" of the top_chunk
• Do an unsorted_bin attack to drop a main_arena address at a location you choose (in this case _IO_list_all)
• Synthesize an _IO_file and vtable in the heap and link it into the _IO_list_all linked list
• Put your win (in this case a system call or a one_gadget) into the __overflow spot

The hardest part here will be that the main_arena will have to be your first fake _IO_file, so you'll have to find a clever way to make the _IO_list_all.file._chain point to a heap address you control.

Alright the files you need are in hoo.zip and once we're ready the problem is hosted at nc 165.22.46.243 9009

To make it faster here is a starter template script: