Code execution via corrupting mmap malloc chunks with ASLR bypass
Are you tired of ASLR getting in your way? Annoyed by how unexploitable mmap chunks feel in GLibC malloc?
Well, today is your lucky day! This is a full explanation of a leakless heap exploitation technique that gives you code execution and is 100% deterministic.
What is this, the year 2000!?
This technique IN FULL is described at https://maxwelldulin.com/BlogPost?post=6967456768.
This technique was first used in a Qualys exploit for a 15-year-old QMail vulnerability. Another example of it being used is in cpio by fangqyi.
At a high level, this technique rewrites the lazy dynamic symbol resolution process of a library. You are probably thinking: this is black magic.
And that's because it is, but I hope that this repository (and the blog post alongside it) can help with that.
Figure: the .gnu.hash and .dynsym sections of the LibC ELF
Of course, there are a few drawbacks. But most of these just come down to knowing exactly how the program works, rather than something that defeats the technique outright (besides the first one).
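Because the technique rides on the lazy (PLT-driven) symbol resolution described above, the first thing a defender checks is whether a binary was linked with BIND_NOW (full RELRO), which makes the loader resolve every symbol at load time instead of lazily. The checker below is an added example, not code from this repository or the blog post: it parses the PT_DYNAMIC segment of an ELF64 little-endian image for DT_BIND_NOW, DF_BIND_NOW and DF_1_NOW; the build_minimal_elf helper and the image it produces are a constructed sample for offline testing, not a real binary.

```python
import struct
import sys

# ELF constants as defined in elf.h
PT_DYNAMIC, DT_NULL, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 2, 0, 24, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW = 0x8, 0x1


def dynamic_entries(data: bytes):
    """Yield (d_tag, d_val) pairs from the PT_DYNAMIC segment of an ELF64 little-endian image."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("only ELF64 little-endian images are handled here")
    e_phoff = struct.unpack_from("<Q", data, 0x20)[0]
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 0x36)
    for i in range(e_phnum):
        p_type, _flags, p_offset, _va, _pa, p_filesz = struct.unpack_from(
            "<IIQQQQ", data, e_phoff + i * e_phentsize)
        if p_type != PT_DYNAMIC:
            continue
        for pos in range(p_offset, p_offset + p_filesz - 15, 16):
            d_tag, d_val = struct.unpack_from("<qQ", data, pos)
            if d_tag == DT_NULL:  # terminator of the dynamic array
                return
            yield d_tag, d_val
        return


def binds_now(data: bytes) -> bool:
    """True if the loader resolves all symbols at load time, i.e. no lazy PLT resolution remains."""
    for tag, val in dynamic_entries(data):
        if tag == DT_BIND_NOW:
            return True
        if tag == DT_FLAGS and val & DF_BIND_NOW:
            return True
        if tag == DT_FLAGS_1 and val & DF_1_NOW:
            return True
    return False


def build_minimal_elf(entries) -> bytes:
    """Constructed sample (not a real binary): ELF header + one PT_DYNAMIC phdr + dynamic entries."""
    dyn = b"".join(struct.pack("<qQ", t, v) for t, v in entries) + struct.pack("<qQ", DT_NULL, 0)
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)  # ELF64, little-endian, version 1
    ehdr = ident + struct.pack("<HHIQQQIHHHHHH", 3, 0x3E, 1, 0, 64, 0, 0, 64, 56, 1, 0, 0, 0)
    phdr = struct.pack("<IIQQQQQQ", PT_DYNAMIC, 6, 120, 0, 0, len(dyn), len(dyn), 8)
    return ehdr + phdr + dyn


if __name__ == "__main__":
    with open(sys.argv[1], "rb") as f:
        print("BIND_NOW (full RELRO)" if binds_now(f.read()) else "lazy binding")
```

Run it against a real binary or shared object to get the same verdict `readelf -d` would give from the FLAGS/FLAGS_1 entries.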
Upon some further inspection, it was noticed that the repo did not work as-is in all environments. For whatever reason
some offsets would change, resulting in a broken exploit. So, here are some steps for running the repo locally and in Docker.
It only seemed logical to create a quick & easy Dockerfile for this. Here are the instructions for using Docker with it:
sudo docker build --tag muney .
sudo docker run -it muney /bin/bash
Inside the container, the repository is in the directory house-of-muney. So, move to this directory and run:
python launch.py
Getting the technique running on your own machine is absolutely possible but may become tedious or annoying to do.
Regardless, here are some steps for that:
git clone https://github.com/mdulin2/house-of-muney/
./compile.sh
This script changes the loader for you. Then run:
python launch.py