Dangling pointers or Use after free | Exploit excercises

This level is heap2, and looks into use after free vulnerabilities, which are quite prominent among CVEs

Honestly, I'm quite proud at the way I approached this level, mostly because I didn't need to get lucky or write any type of exploit.
It is because I was able to solve it by just reading the theory and understanding what was happening in the script. So after understanding everything, I could deduce how to solve it. It felt like I leveled up after all this time :D

~~ The excercise ~~

First of all, this is what I found to be useful for the theory of exploitation, so I would suggest going over it whenever you can if you want to get more detail about what I consider is useful to know in order to complete this one.


From the article:

"(...)there was a logic flaw that caused a free() on a chunk, but despite being free()’d, its memory position is still referenced, effectively making use of the free’d chunk’s data after it has been set free." In this part of the article it's quite evident that we have to make use of the free() function from reset.  Or at least for me.




As we can see, there are two structs named "auth", and for us to get logged in, auth->auth has to happen. Now let's try some commands with "auth " and "service" to see what happens.



So auth is on one address and service is in another, why? Well, because of strdup(), as you can see in the program, it will perform strdup(line + 7).
But wait, what if we hit reset? Reset has the free() function, so it should free auth. However, only works if you hit reset() twice, since first you're freeing the one auth and then the other.


 (I have no clue what's up with this big space, sorry)





And now, if we call service() again for it to duplicate, the value is the same as auth.



What does this mean? Well, for us, it means that auth->service is true, and because the values of service and auth are now the same, auth->auth is true also.





I just wanted also to point out how "service" was incrementing the address.

~~ A second method ~~

After solving it I went to look what others did, and the first blog I found was the Sh3llc0d3r's blog.

http://sh3llc0d3r.com/protostar-exploit-exercises-heap2/

His technique consisted on overflowing the buffer of the heap, fewer commands and quicker than my technique. Instead of letting the code flow overwrite the auth by itself, he actively crafted a small "exploit" to overwrite auth with service.

I am not going over what he did, but it is pretty neat ( and logical, once you understand it, it's a very good opportunity to learn something ), so check it out.

Comments

Popular Posts