34C3 CTF nope writeup - diluted shellcodes
06 Jan 2018
A quick writeup for nope from 34C3.
Welcome to the fifth episode of the ptmalloc fanzine, in which we look at thread local caching, a recent addition to glibc malloc.
Welcome to the fourth episode of the ptmalloc fanzine, in which we explore the possibilities arising from corrupting a chunk that is subsequently passed into realloc.
Welcome to the third episode of the ptmalloc fanzine. This will be a shorter one, a collection of notes concerning the exploitation of heap corruptions in a ptmalloc/Linux environment that don’t warrant their own episode.
This post deals with the consolidation of fastbin chunks and is the second episode of the ptmalloc fanzine. Prepare for even more obscure malloc trivia and internal details you never wanted to know, all in the name of modest gains. Glibc source links and statements like “the default stack size is 8MB” that are obviously platform-dependent all pertain to Ubuntu 16.04 on x86-64, unless stated otherwise.
This post explores the possibilities arising from forcing free to unmap arbitrary regions of the address space and is part of the ptmalloc fanzine. While some interesting scenarios present themselves, I view this mostly as a curiosity, an educational foray into ptmalloc and the virtual memory manager subsystem of Linux. Kernel and glibc source links and statements like “the default stack size is 8MB” that are obviously platform-dependent all pertain to Ubuntu 16.04 on x86-64, unless stated otherwise. Ptmalloc and glibc malloc will be used interchangeably to refer to the malloc implementation in current glibc, while malloc in itself will refer to the malloc function.
This post is intended to be the parent page of the ptmalloc fanzine episodes, as well as a collection of resources related to glibc heap metadata corruptions.
An exploitation challenge from Hack.lu 2015 that, upon a cursory glance, promised some lighthearted heap-based entertainment. Internals of the glibc malloc implementation won’t be covered in depth; if you find the writeup hard to follow, this link might help.
Sandbox was an exploitation challenge for 300 points from 32C3 that executes our shellcode in something very similar to the old seccomp-legacy sandbox in Chromium. It was mostly me working on it, with some help from @kt. Even though we didn’t manage to solve the challenge during the CTF, it was surprisingly enjoyable. There are two possible solutions, both of which will be covered.