Hi everybody… I’m reading about the exploit method by reading similar CTF writeups abusing the malloc/free functions.
If we have to rewrite the GOT entry for a function in the code with the address of system… how do you leak the libc address? I haven’t seen any way to dump the buffers that we create.
You don’t have the address of libc or system, but what things do you have the address of that could be used? If the program is calling a function, the address of that function must be in a known location.
Did you all have to significantly change things for the remote? I’ve got local working flawlessly, but I can’t seem to get it to work remotely. I’ve updated it to handle the extra output. It seems all my steps work until the last, where it just crashes.
Hi guys,
I was wondering if any of you would be willing to discuss your approaches and/or solutions. This was the first time I performed a heap-based exploit and while I was finally able to solve the challenge, I am sure that I took some unnecessary detours. Please feel free to PM me.
Anyone who wants to discuss this challenge? I have found the flaw, thus having an arbitrary write. Most of the time, you would just overwrite a GOT entry with system or similar; however, I can’t figure out what to overwrite it with in order to exploit it. Couldn’t I just overwrite it with some shellcode?
I plan to do this one soon. As far as I know, you would overwrite the GOT entry with an address to something, not the thing itself (shellcode). If you can point back to your shellcode somewhere, that ought to work. Otherwise, you’d need some ROP chaining based on code and functions already in the binary, or libc if you leaked the libc version.
I read quite a bit about heap management/malloc/free/unlink and so on (with a lot of House of xxxxx exploits that I understand partially). I think I am on the right track and I saw how I can fill the heap so that I have total control over it. Nevertheless, I can’t find a way to achieve a write primitive.
I managed to get a shell, but I could not make a reliable exploit. Someone who managed to get through that 0x7f restriction, please PM me, I’m curious how it could be done.