Simple Use After Free Exploitation [Hackvent 2022 - Day 21]

Published: 03 January 2023
on channel: 0xdf
1,727 views
83 likes

Day 21 of Hackvent gives a server with a simple text-based menu, as well as the binary. Looking at the binary, there's some heap use and a relatively obvious use-after-free risk. To exploit that, I'll need a memory leak, which is a bit harder to find. Putting that all together, I'm able to call the present function, which gives a shell.

Hackvent 2022 writeup: https://0xdf.gitlab.io/hackvent2022/hard

☕ Buy Me A Coffee: https://www.buymeacoffee.com/0xdf

#hackvent

[00:00] Introduction / overview
[01:35] Opening in Ghidra
[02:25] Checksec to see protections
[02:55] Looking at binary in Ghidra
[03:14] init in Ghidra
[03:26] menu in Ghidra
[04:08] steal in Ghidra
[04:40] tell_deed in Ghidra
[06:04] naughty in Ghidra
[06:59] present in Ghidra
[07:22] Strategy
[08:00] Memory leak in naughty
[09:19] Using gdb to test use after free
[10:53] Testing memory leak using gdb
[15:52] Input to get to index 4
[17:02] Verifying in gdb
[18:24] Building exploit script
[18:55] Leaking address to defeat PIE
[24:54] Freeing workshop
[25:20] Put malicious payload into heap buffer
[27:07] Trigger payload and get shell
[27:33] Running, get shell
