C/C++ (but also other languages) make a huge use of format functions: let’s think to all the times that we use them to print messages or when we need to write data formatted into a specific way inside a string. I’m talking, of course, about printf, fprintf, sprintf, etc. The principle behind all these functions […]

This article is about a vulnerability that is, at the same time, different and close to the previous ones. In fact, it is triggered whenever the code tries to store into a variable a value greater than the maximum that variable can handle. How can this be useful? How overflowing an integer can execute arbitrary […]

After this deep trip into the heap overflow techniques (although there’s still much to see), it’s time to analyze again a particular stack overflow scenario: the so-called “off-by-one” scenario. What happens if the buffer we’re writing into can be overflowed by only one single byte? One of the first talk (if not the really first […]

The last technique from the “Malloc Maleficarum” is different from all the others because, among the requirements, there’s a stack overflow. THE HOUSE OF SPIRIT Ingredients: The attacker can control a location of memory higher than the one he’s trying to change: the exact location depends on the fake size of the chunk we’re free-ing […]

It’s time now to talk about one of the most obscure (probably) techniques described by Phantasmal Phantasmagoria in his “Malloc Maleficarum“: THE HOUSE OF LORE When the “Malloc Maleficarum” was published, as it was a purely theoretical article, contained no real exploit implementations or practical examples. Things got a little bit better with blackngel’s “Malloc […]

It’s time for us to enter into the third house THE HOUSE OF FORCE Ingredients: The exploiter must be able to overwrite the top chunk (i.e. the overflow must happen in a chunk that allows to overwrite the wilderness There is a malloc() call with an exploiter-controllable size There is another malloc() call where data […]

There I go with the description of the second house… THE HOUSE OF MIND Ingredients: One free() of a chunk under the control of the exploiter A sufficiently large memory space where the exploiter can write This technique was described as the most general and plausible and probably the most similar to the good old […]

So, history goes on with Phantasmal Phantasmagoria publishing a groundbreaking article in 2005 (right after the one-line-of-code unlink fix) called Malloc Maleficarum proposing five new ways of attacking the Linux heap implementation. If it took four years to fix the unlink vulnerability with just one line of code, so things looked pretty interesting in 2005. […]

Well, do the previous techniques apply to the dynamic allocation scenario? What if, instead of a statically allocated array, there’s a malloc-ed space? Would that work? Well, more or less, but things get REALLY more complicated. And I mean it for real. So, instead of stack overflows, there will be heap overflows: problem is that […]

The next step in the exploitation is to spawn a shell by writing a shellcode that does it and using it to exploit a buffer overflow vulnerability. To do this it is necessary to use the execve system call exported by the Linux kernel: the function is listed in the unistd.h file and it is […]