nnamon
@hasherezade
hasherezade / main.cpp
Last active January 7, 2018 16:27
FlareOn4 Chall6 - solution using #libpeconv
#include <stdio.h>
#include <windows.h>
#include "peconv.h"
const size_t g_flagLen = 26;
char g_flag[g_flagLen + 1] = { 0 };
int my_index()
{
static int index = 0;

start

By using the so-called universal gadget from __libc_csu_init we can read shellcode into the rwx memory segment and return into it.

start hard

By executing the read function we can overwrite only the last two bytes of read to find something useful and defeat ASLR. Fortunately there is a one-gadget RCE located at 0xf0567 in this version of libc, right near the read function (0xf6670). We overflow only the last two bytes to defeat ASLR, so only around 16 attempts are needed, because of the 4-bit entropy of ASLR.

EDIT: check out another great solution proposed by agadeint in the comment section below, which is cleaner and does not require brute-forcing or a one-gadget.

#!/usr/bin/python
import re
import os
import sys
import socket
import threading
from time import sleep
from pwn import *
  1. CGI.pm is shit
  2. CGI is shit
  3. <"ARGV"> shouldn't work under use strict because that's a string dereferencing a symbolic ref.
  4. Hash keys can't retain tainting and so can be used to propagate un-vetted data into safe spaces:
  my $hash = unsafe_thing_that_returns_a_hash();
  $dbh->query(join keys %{$hash}); # data will be untainted regardless of what it is.
  1. CGI.pm should probably do something smarter than simply returning the first param when >1 params