Dream Diary - Chapter 1

Hi everybody… I’m reading about the exploit method in similar CTF writeups abusing the malloc/free functions.
If we have to rewrite the GOT entry for a function in the code with the address of system… how do you leak the libc address?? I haven’t seen any way to dump the buffers that we create.

Any tip on where to start?

You don’t have the address of libc or system, but what things do you have the address of that could be used? If the program is calling a function, the address of that function must be in a known location.

Finally got this one, I experienced the same issue with the remote exploit working about 10% of the time. Anybody figure out the cause of this?

Hi guys, could you give me some hint? I can’t find the way to corrupt the chunk :'(.

Did you all have to significantly change things for the remote? I’ve got local working flawlessly, but I can’t seem to get it to work remotely. I’ve updated to handle the extra output. It seems all my steps work until the last, where it just crashes.

Anyone around that can answer some questions for me? A bit confused.

Hi guys,
I was wondering if any of you would be willing to discuss your approaches and/or solutions. This was the first time I performed a heap-based exploit and while I was finally able to solve the challenge, I am sure that I took some unnecessary detours. Please feel free to PM me.

Anyone want to discuss this challenge? I have found the flaw, thus having an arbitrary write. Most of the time, you would just overwrite a GOT entry with system or similar, however, I can’t figure out what to overwrite it with in order to exploit it. Couldn’t I just overwrite it with some shellcode?

I plan to do this one soon. As far as I know, you would overwrite the GOT entry with an address to something, not the thing itself (shellcode). If you can point back to your shellcode somewhere, that ought to work. Otherwise, you’d need some ROP chaining based on code and functions already in the binary, or libc if you leaked the libc version.

Hi… I have a working LOCAL exploit but can’t get it to work on remote. Everything works except the system() call :anguished:

Anyone that can give me a little tip?

Thanks

Hello guys !

I read quite a bit about heap management/malloc/free/unlink and so on (with a lot of House of xxxxx exploits that I understand partially). I think I am on the right track and I saw how I can fill the heap so that I have total control over it. Nevertheless, I can’t find a way to achieve a write primitive :frowning:

Can someone help me :smiley: ?

Thanks

Can someone help me? I got a shell locally, but I am having trouble remotely.

how can I write the 0x7f ?

Can someone write here the environment from the remote host?

@reisraff said:

how can I write the 0x7f ?

I couldn’t… but if you launch the exploit 50 times, you sometimes get the libc in 0x7d or 0x7e, and then the exploit works.

I’m kind of stuck on this one, can someone PM me for some hints please? I will explain my state of the challenge in private.

@julianjm said:

@reisraff said:

how can I write the 0x7f ?

I couldn’t… but if you launch the exploit 50 times, you sometimes get the libc in 0x7d or 0x7e, and then the exploit works.

libcbase=0x7efff7a0d000 ???

@Skajd said:

Can someone write here the environment from the remote host?

you could use this snippet to fake the production environment:

#!/bin/sh
socat TCP4-LISTEN:9000,reuseaddr,fork EXEC:/root/chapter1,pty,stderr

@reisraff said:

@Skajd said:

Can someone write here the environment from the remote host?

you could use this snippet to fake the production environment:

#!/bin/sh
socat TCP4-LISTEN:9000,reuseaddr,fork EXEC:/root/chapter1,pty,stderr

Thanks, I have a perfect exploit :slight_smile: works all the time :slight_smile:

Spoiler!!! 0x7F = Delete …
atoi?
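To see for yourself what the spoiler above means, here is a small Python check (added here, not code from any poster or from the challenge). The socat wrapper quoted earlier hands the binary a pseudo-terminal, and on a Linux tty in canonical (line-buffered) mode the byte 0x7F is the default erase character, so it removes the byte before it instead of being delivered to the program. The snippet opens a pty, pushes a constructed input line through the slave side once in canonical mode and once in raw mode, and returns what a process reading from that pty would actually receive. The sample line is constructed for the demo.

```python
import os
import pty
import termios


def through_pty(data: bytes, canonical: bool = True) -> bytes:
    """Write `data` into the master side of a fresh pty and return what a
    reader on the slave side receives.  `data` must end with b"\n" so the
    canonical-mode read completes."""
    master, slave = pty.openpty()
    try:
        attrs = termios.tcgetattr(slave)
        # attrs layout: [iflag, oflag, cflag, lflag, ispeed, ospeed, cc]
        if canonical:
            attrs[3] |= termios.ICANON
        else:
            attrs[3] &= ~termios.ICANON
            attrs[6][termios.VMIN] = 1     # raw: return as soon as 1 byte is there
            attrs[6][termios.VTIME] = 0
        attrs[3] &= ~termios.ECHO          # no echo back to the master side
        # Disable UTF-8 aware erase so exactly one byte is removed per 0x7F.
        attrs[0] &= ~getattr(termios, "IUTF8", 0)
        # Pin the erase character to 0x7F (the Linux default) so the demo
        # does not depend on the host's tty settings.
        attrs[6][termios.VERASE] = b"\x7f"
        termios.tcsetattr(slave, termios.TCSANOW, attrs)

        os.write(master, data)
        out = b""
        while not out.endswith(b"\n"):
            out += os.read(slave, 4096)
        return out
    finally:
        os.close(master)
        os.close(slave)


# Constructed sample: the byte 0x7F sits between "B" and "C".
SAMPLE = b"AB\x7fC\n"


def demo():
    """Return (canonical_result, raw_result) for SAMPLE."""
    return through_pty(SAMPLE, canonical=True), through_pty(SAMPLE, canonical=False)


if __name__ == "__main__":
    canon, raw = demo()
    print("canonical:", canon)   # the 0x7F erased the "B"
    print("raw      :", raw)     # all bytes delivered unchanged
```

Running it shows the line-discipline effect directly: in canonical mode the program sees b"AC\n", in raw mode it sees the original five bytes. That is the difference between a plain local run (stdin is a pipe or file, no line discipline) and the pty-wrapped remote service, and it is why inputs whose bytes happen to include 0x7F behave differently between the two.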

I managed to get a shell, but I could not make a reliable exploit. Someone who managed to get through that 0x7f restriction, please PM me, I’m curious how it could be done.