The Heap: How do use-after-free exploits work? - bin 0x16

LiveOverflow · Beginner ·🛡️ AI Safety & Ethics ·9y ago

Key Takeaways

This video teaches how to solve the heap2 challenge from exploit.education to learn about heap use-after-free exploits

Full Transcript

a very common issue that we still constantly encounter is shown in Heap level two of exploit exercise.com this is a classic use after free vulnerability let's try to understand the code first we have here a big while loop inside of Main in each round it prints the variable o which is a pointer to an object uh of this o struct up here and off has the attributes name which is a string up to 32 characters and an integer and the other variable that is printed is a sh pointer service which can point to a string in memory so both of these are addresses pointers then we read a line from standard input maximum 128 bytes so this is a secure fgets read no buffer overflow afterwards we have a couple of ifs that check if the input line is one of the following commands either o reset servers or loog in let's execute the program as well and then let's talk about each command when we first start the program both the O and the service pointer are null now we wait for input let's have a look at the O command when we type or it will allocate the size of or so that should be theoretically 32 by for the name plus 4 by for the integer then the whole allocated memory is overwritten with zeros this makes sense because if on the Heap data is constantly allocated and freed then a newly allocated area can have old data in there a free does not zero out the memory so here it zeros out on allocation afterwards the length of the input line is checked so it doesn't exceed the 32 bytes available in the or struct for the name and if that is safe the characters after the or command are copied the name of the O object let's try that let's authenticate as admin cool as you can see the variable o contains now an address this is where the O object is on the Heap now the last command is Log In which checks if the integer of the O object is not zero and if that's the case we successfully logged in otherwise if it's zero then it tells us to enter a password though in this case there is not much more functionality than that but just imagine that you are trying to log in as admin without knowing the password so somehow our goal is to set the integer to a value and then we are authenticated at the moment it seems impossible because the integer o is never set anywhere but we have learned from the beginning that there are bugs that allow us to modify variables another command here is reset which will free the O object on the Heap and this is actually where the issue is you notice when we reset the login process it frees the AR object but as you can see the O variable is not reset to zero it still contains the pointer into the Heap where the object object was before and when we for example log in now it will check the name attribute of that object well it hasn't changed so we are still un authenticated but the login command will use the variable or after we just freed it use after free get it now the last command here is service which will perform a Str strr dub a string duplication of the characters after the service command so for example we can specify that we want to use the hex service and now we also have an address in the service variable and strangely it's the same one as o that is weird so what does srdb do let's read the man page srdb returns a pointer to a new string which is a duplicate of the string s the memory of the new string is obtained with MOG and can be freed with free ah so it's just a convenient function that allocates the length of the string we passed to it and copies it there so it will also call Melo and does allocate stuff on the Heap and you can already guess why servers got the same address as o because o was freed there was free space and service got the free space there let's look at this in GDB first we set the assembl syntax to Intel and then we disassemble main let's first run it and use o ones so we performed at least one MOG then press contrl C and check the address of the Heap with infoproc mappings now we can print 20 words from the Heap with examine also because this application has still all the symbols and stuff inside of the binary GDB also knows that o is from the type struct O which we can print pretty again and we can see here the string name and the O integer we can do the same for the service string now let's create a breakpoint before the print F and with command we can then type what GDB commands shall be executed when we hit this breakpoint we can use Echo to print some strings to make it look more more pretty but first we want to print the Heap we Echo a line we want to print the off variable another line and the service variable at the end we continue automatically and finish the command sequence with end now let's rerun this binary okay at first we get some memory errors because the Heap doesn't exist yet so let's allocate our first value by authenticating with O as admin Also let's disable gdb's page Nation so we always print everything and don't get the type return to continue dialogue set pagination off now we can see here our Heap like we expected we have a junk with our string name admin but something is weird why is the length of the chunk only hex one Z that is only 8 bytes after you substract the 8 by chunk headers shouldn't it be like 32 byte name plus the integer what's going on well this is not that important for a solution but this is what happens if you write shitty code and name everything off the struct is called o the struct O pointer is called o the integer in here is called o and when the program calculated the size of O it calculat the size of the variable o not the struct O th it's only four byte but melog aligned into 8 bytes gosh people please name your variables better this is how backs and security issues are created anyhow Let's ignore that for now earlier we are wondering how the free works so let's free the O object with reset and pay attention to what changes okay L basically nothing changed except that the first word of the chunk data got replaced with zero that's because the first word in a free chunk is defined as a previous free chunk address because free chunks are in a link list but we don't have another free Chunk in the list does it's null so really not much happened other than the Malo algorithm knows that the free Heap starts again at the beginning and it doesn't care if there are still leftover values on the Heap it's as long as the metadata like the previous address pointer are correct thus it only changed that particular value anyhow we can now see that all objects still exist with the pointer into the Heap here but the name is now empty with nulls and the integer is still null but let's use servers to allocate a string on the Heap let's allocate just some recognizable characters like AAA no it only 3 a because the code is shitty and it also takes a space before the ace here in a heap we can see see that the string got allocated and we see that the name of the O object has now some different values now let's allocate the new string with service bbbb and another one with CCC we see the Heap slowly filling up and huh what's that suddenly the O integer has a huge value that's because it points into the Heap where the CCC is stored and if we now log in then we get the message that we are already logged in awesome I have to say this level is so horribly broken as I mentioned before the code is so shitty that it allocates the wrong size for the Earth object the space is too small I show you let's restart it and Au again as admin now simply enter a long service string and boom we also over rote the integer and we get the loged in message so we didn't have to free the O object with reset to solve it but I wanted to introduce the term use after free and it was also kind of the of challenge [Music] [Applause] [Music]

Original Description

Solving heap2 from exploit.education to learn about heap use-after-free (UAF) exploits heap2: https://exploit.education/protostar/heap-two/ -=[ 🔴 Stuff I use ]=- → Microphone:* https://geni.us/ntg3b → Graphics tablet:* https://geni.us/wacom-intuos → Camera#1 for streaming:* https://geni.us/sony-camera → Lens for streaming:* https://geni.us/sony-lense → Connect Camera#1 to PC:* https://geni.us/cam-link → Keyboard:* https://geni.us/mech-keyboard → Old Microphone:* https://geni.us/mic-at2020usb US Store Front:* https://www.amazon.com/shop/liveoverflow -=[ ❤️ Support ]=- → per Video: https://www.patreon.com/join/liveoverflow → per Month: https://www.youtube.com/channel/UClcE-kVhqyiHCcjYwcpfj9w/join -=[ 🐕 Social ]=- → Twitter: https://twitter.com/LiveOverflow/ → Website: https://liveoverflow.com/ → Subreddit: https://www.reddit.com/r/LiveOverflow/ → Facebook: https://www.facebook.com/LiveOverflow/ -=[ 📄 P.S. ]=- All links with "*" are affiliate links. LiveOverflow / Security Flag GmbH is part of the Amazon Affiliate Partner Programm. #BinaryExploitation #UseAfterFree
Watch on YouTube ↗ (saves to browser)
Sign in to unlock AI tutor explanation · ⚡30

Playlist

Uploads from LiveOverflow · LiveOverflow · 46 of 60

1 LiveOverflow - Trailer
LiveOverflow - Trailer
LiveOverflow
2 Introduction to Linux - Installation and the Terminal - bin 0x01
Introduction to Linux - Installation and the Terminal - bin 0x01
LiveOverflow
3 Writing a simple Program in C
Writing a simple Program in C
LiveOverflow
4 Writing a simple Program in Python - bin 0x03
Writing a simple Program in Python - bin 0x03
LiveOverflow
5 Live Hacking - Twitch Recording overthewire.org - Vortex 0x01-0x03 (3h)
Live Hacking - Twitch Recording overthewire.org - Vortex 0x01-0x03 (3h)
LiveOverflow
6 Reversing and Cracking first simple Program - bin 0x05
Reversing and Cracking first simple Program - bin 0x05
LiveOverflow
7 Abusing the exception handler to leak flag - 32C3CTF readme (pwnable 200)
Abusing the exception handler to leak flag - 32C3CTF readme (pwnable 200)
LiveOverflow
8 ROP with a very small stack - 32C3CTF teufel (pwnable 200)
ROP with a very small stack - 32C3CTF teufel (pwnable 200)
LiveOverflow
9 Uncrackable Programs? Key validation with Algorithm and creating a Keygen - Part 1/2 - bin 0x07
Uncrackable Programs? Key validation with Algorithm and creating a Keygen - Part 1/2 - bin 0x07
LiveOverflow
10 Uncrackable Program? Finding a Parser Differential in loading ELF - Part 2/2 - bin 0x08
Uncrackable Program? Finding a Parser Differential in loading ELF - Part 2/2 - bin 0x08
LiveOverflow
11 Syscalls, Kernel vs. User Mode and Linux Kernel Source Code - bin 0x09
Syscalls, Kernel vs. User Mode and Linux Kernel Source Code - bin 0x09
LiveOverflow
12 Smashing the Stack for Fun and Profit - setuid, ssh and exploit.education - bin 0x0B
Smashing the Stack for Fun and Profit - setuid, ssh and exploit.education - bin 0x0B
LiveOverflow
13 Live Hacking - EFF-CTF 2016 - Level 0-4 (Enigma Conference)
Live Hacking - EFF-CTF 2016 - Level 0-4 (Enigma Conference)
LiveOverflow
14 First Stack Buffer Overflow to modify Variable - bin 0x0C
First Stack Buffer Overflow to modify Variable - bin 0x0C
LiveOverflow
15 First Exploit! Buffer Overflow with Shellcode - bin 0x0E
First Exploit! Buffer Overflow with Shellcode - bin 0x0E
LiveOverflow
16 Buffer Overflows can Redirect Program Execution - bin 0x0D
Buffer Overflows can Redirect Program Execution - bin 0x0D
LiveOverflow
17 Doing ret2libc with a Buffer Overflow because of restricted return pointer - bin 0x0F
Doing ret2libc with a Buffer Overflow because of restricted return pointer - bin 0x0F
LiveOverflow
18 Reverse engineering C programs (64bit vs 32bit) - bin 0x10
Reverse engineering C programs (64bit vs 32bit) - bin 0x10
LiveOverflow
19 pwnable.kr - Levels: fd, collision, bof, flag
pwnable.kr - Levels: fd, collision, bof, flag
LiveOverflow
20 Reverse Engineering and identifying Bugs - BKPCTF cookbook (pwn 6) part 1
Reverse Engineering and identifying Bugs - BKPCTF cookbook (pwn 6) part 1
LiveOverflow
21 Leaking Heap and Libc address - BKPCTF cookbook (pwn 6) part 2
Leaking Heap and Libc address - BKPCTF cookbook (pwn 6) part 2
LiveOverflow
22 Arbitrary write with House of Force (heap exploit) - BKPCTF cookbook (pwn 6) part 3
Arbitrary write with House of Force (heap exploit) - BKPCTF cookbook (pwn 6) part 3
LiveOverflow
23 Live Hacking - Internetwache CTF 2016 - web50, web60, web80
Live Hacking - Internetwache CTF 2016 - web50, web60, web80
LiveOverflow
24 Live Hacking - Internetwache CTF 2016 - crypto60, crypto70, crypto90
Live Hacking - Internetwache CTF 2016 - crypto60, crypto70, crypto90
LiveOverflow
25 A simple Format String exploit example - bin 0x11
A simple Format String exploit example - bin 0x11
LiveOverflow
26 NEW VIDEOS ARE COMING - loopback 0x00
NEW VIDEOS ARE COMING - loopback 0x00
LiveOverflow
27 HTML + CSS + JavaScript introduction - web 0x00
HTML + CSS + JavaScript introduction - web 0x00
LiveOverflow
28 The HTTP Protocol: GET /test.html - web 0x01
The HTTP Protocol: GET /test.html - web 0x01
LiveOverflow
29 Building Poor Man's Logic Analyzer with an Arduino - Reverse Engineering A/C Remote part 1
Building Poor Man's Logic Analyzer with an Arduino - Reverse Engineering A/C Remote part 1
LiveOverflow
30 What is PHP and why is XSS so common there? - web 0x02
What is PHP and why is XSS so common there? - web 0x02
LiveOverflow
31 Introducing the AngularJS Javascript Framework - XSS with AngularJS 0x00
Introducing the AngularJS Javascript Framework - XSS with AngularJS 0x00
LiveOverflow
32 Sandbox Bypass in Version 1.0.8 - XSS with AngularJS 0x1
Sandbox Bypass in Version 1.0.8 - XSS with AngularJS 0x1
LiveOverflow
33 Capturing & Analyzing Packets with Saleae Logic Pro 8 - Reverse Engineering A/C Remote part 2
Capturing & Analyzing Packets with Saleae Logic Pro 8 - Reverse Engineering A/C Remote part 2
LiveOverflow
34 XSS Contexts and some Chrome XSS Auditor tricks - web 0x03
XSS Contexts and some Chrome XSS Auditor tricks - web 0x03
LiveOverflow
35 Previous Bypass is now fixed in version 1.4.7 - XSS with AngularJS 0x2
Previous Bypass is now fixed in version 1.4.7 - XSS with AngularJS 0x2
LiveOverflow
36 New Sandbox Bypass in 1.4.7 - XSS with AngularJS 0x3
New Sandbox Bypass in 1.4.7 - XSS with AngularJS 0x3
LiveOverflow
37 The Heap: what does malloc() do? - bin 0x14
The Heap: what does malloc() do? - bin 0x14
LiveOverflow
38 The Heap: How to exploit a Heap Overflow - bin 0x15
The Heap: How to exploit a Heap Overflow - bin 0x15
LiveOverflow
39 Reverse Engineering with Binary Ninja and gdb a key checking algorithm - TUMCTF 2016 Zwiebel part 1
Reverse Engineering with Binary Ninja and gdb a key checking algorithm - TUMCTF 2016 Zwiebel part 1
LiveOverflow
40 Scripting radare2 with python for dynamic analysis - TUMCTF 2016 Zwiebel part 2
Scripting radare2 with python for dynamic analysis - TUMCTF 2016 Zwiebel part 2
LiveOverflow
41 Live Hacking - Internetwache CTF 2016 - exp50, exp70, exp80
Live Hacking - Internetwache CTF 2016 - exp50, exp70, exp80
LiveOverflow
42 Sandbox bypass for the latest AngularJS version 1.5.8 - XSS with AngularJS 0x4
Sandbox bypass for the latest AngularJS version 1.5.8 - XSS with AngularJS 0x4
LiveOverflow
43 Channel is growing and Riscure hardware CTF starting soon - loopback 0x01
Channel is growing and Riscure hardware CTF starting soon - loopback 0x01
LiveOverflow
44 Explaining Dirty COW local root exploit - CVE-2016-5195
Explaining Dirty COW local root exploit - CVE-2016-5195
LiveOverflow
45 What is CTF? An introduction to security Capture The Flag competitions
What is CTF? An introduction to security Capture The Flag competitions
LiveOverflow
The Heap: How do use-after-free exploits work? - bin 0x16
The Heap: How do use-after-free exploits work? - bin 0x16
LiveOverflow
47 The Browser is a very Confused Deputy - web 0x05
The Browser is a very Confused Deputy - web 0x05
LiveOverflow
48 The Heap: Once upon a free() - bin 0x17
The Heap: Once upon a free() - bin 0x17
LiveOverflow
49 Simple reversing challenge and gaming the system - BruCON CTF part 1
Simple reversing challenge and gaming the system - BruCON CTF part 1
LiveOverflow
50 int0x80 from DualCore lent me his lockpicking set and I'm a horse - BruCON CTF part 2
int0x80 from DualCore lent me his lockpicking set and I'm a horse - BruCON CTF part 2
LiveOverflow
51 The Heap: dlmalloc unlink() exploit - bin 0x18
The Heap: dlmalloc unlink() exploit - bin 0x18
LiveOverflow
52 MD5 Length Extension and Blind SQL Injection - BruCON CTF part 3
MD5 Length Extension and Blind SQL Injection - BruCON CTF part 3
LiveOverflow
53 TCP Protocol introduction - bin 0x1A
TCP Protocol introduction - bin 0x1A
LiveOverflow
54 Socket programming in python and Integer Overflow - bin 0x1B
Socket programming in python and Integer Overflow - bin 0x1B
LiveOverflow
55 Linux signals and core dumps - bin 0x1C
Linux signals and core dumps - bin 0x1C
LiveOverflow
56 [Live] Remote oldschool dlmalloc Heap exploit - bin 0x1F
[Live] Remote oldschool dlmalloc Heap exploit - bin 0x1F
LiveOverflow
57 Riscure Embedded Hardware CTF setup and introduction - rhme2 Soldering
Riscure Embedded Hardware CTF setup and introduction - rhme2 Soldering
LiveOverflow
58 Rooting a CTF server to get all the flags with Dirty COW - CVE-2016-5195
Rooting a CTF server to get all the flags with Dirty COW - CVE-2016-5195
LiveOverflow
59 How to learn hacking? ft. Rubber Ducky
How to learn hacking? ft. Rubber Ducky
LiveOverflow
60 Format String to dump binary and gain RCE - 33c3ctf ESPR (pwn 150)
Format String to dump binary and gain RCE - 33c3ctf ESPR (pwn 150)
LiveOverflow

Related Reads

Up next
VSL International | Build a stronger safety culture through leadership | Bouygues Construction
Bouygues Construction
Watch →