CSE 545 Heap Challenges Overview
In CSE 545, students can expect a series of challenges related to heap exploitation techniques. The assignments involve releasing new challenges with specific deadlines and combining the points earned from previous challenges. The grading system is structured to allocate percentages to each assignment, with participation and final assessments factored in. The content includes various images depicting different aspects of tcache bins, fastbins, and metadata pointers. Stay tuned for more challenges and opportunities to test your skills in heap manipulation.
Presentation Transcript
CSE 545 Heap: Fastbin Double Free. Tiffany Bao, tbao@asu.edu
Assignment 3 is released; deadline: 4/30. Final: all previous challenges combined, 28 challenges, 112 points in total. Due: 5/7.
Assignments 1-3: 85%; every assignment accounts for 85% / 3 = 28.33%, e.g., Assignment 1: 11 / 10 * 28.33. Final: 15%. Participation: 10%. Track: TO BE RELEASED.
[Diagram sequence: a Tcache Bin and a Fast Bin, each drawn as a chain of chunks (metadata, fd pointer, data). Step 1: Empty tcache bins. Step 2: malloc(). Step 3: Edit the chunk from Step 2; the diagram adds a Fake Chunk (metadata, victim). Step 4: malloc() x 3.]
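Why a double free can leave the same chunk in a fastbin twice, as an added example that is not from the slides or the lab files: glibc's fastbin free path rejects a chunk only when it is already the top of its bin, so the order free(A), free(B), free(A) is accepted. The code is a simplified model, not the allocator itself; struct chunk, the chunks A and B, and free_fullscan (a hypothetical stricter check, not glibc behaviour) are assumptions.

```c
#include <stdio.h>
#include <stddef.h>

/* Toy model of one fastbin: a LIFO list threaded through each chunk's fd. */
struct chunk { struct chunk *fd; };
static struct chunk *bin_top;                 /* head of the modelled bin */
static struct chunk A, B;                     /* two constructed same-size chunks */

/* Check modelled on glibc's fastbin path: compare against the bin top only. */
int free_fasttop(struct chunk *p) {
    if (p == bin_top) return -1;              /* "double free or corruption (fasttop)" */
    p->fd = bin_top;
    bin_top = p;
    return 0;
}

/* Hypothetical stricter check, for comparison: walk the whole bin first. */
int free_fullscan(struct chunk *p) {
    for (struct chunk *c = bin_top; c != NULL; c = c->fd)
        if (c == p) return -1;
    p->fd = bin_top;
    bin_top = p;
    return 0;
}

/* Pop the top chunk, as a fastbin allocation does. */
struct chunk *bin_alloc(void) {
    struct chunk *p = bin_top;
    if (p != NULL) bin_top = p->fd;
    return p;
}

/* Free A, B, A through free_fn, then allocate three times.
   Returns how many of those three allocations handed out A. */
int handouts_of_a(int (*free_fn)(struct chunk *)) {
    int count = 0;
    bin_top = NULL;
    free_fn(&A); free_fn(&B); free_fn(&A);
    for (int i = 0; i < 3; i++)
        if (bin_alloc() == &A) count++;
    return count;
}

int main(void) {
    printf("top-only check: A returned %d times\n", handouts_of_a(free_fasttop));
    printf("full-scan check: A returned %d times\n", handouts_of_a(free_fullscan));
    return 0;
}
```

With the top-only check the bin becomes the cycle A -> B -> A, so two live allocations alias the same memory; the full scan rejects the third free and A is handed out once.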
Service IP: 107.21.135.41, Port: 16666
Service files:
https://cse545.tiffanybao.com/labs/week16/double_free.c
https://cse545.tiffanybao.com/labs/week16/double_free
https://cse545.tiffanybao.com/labs/week16/libc.so.6
https://cse545.tiffanybao.com/labs/week16/ld-2.27.so
How to debug
Leak Libc Base Address
Find a memory location that satisfies the necessary condition for a fake chunk. The libc information is contained in the fake chunk, e.g., 0x602248.
[Diagram sequence: a Fast Bin chain of chunks (metadata, fd pointer, data) and a Fake Chunk at 0x602248 holding metadata and a libc-related address, marked as steps 1 and 2. Step 3: malloc() x 7, after which the Tcache Bin is drawn empty. Step 4: malloc(); the chain through 0x602248 and the victim is then drawn under the Tcache Bin.]
Finding a fake chunk like this may not be easy. The address of the fake chunk may also change, e.g., with PIE and ASLR.
[Diagram: arena -> bins; a bin for size 0x20 whose FD (forward) and BK (backward) pointers link chunks; chunk layout: metadata, fd pointer, bw pointer, data; main_arena @ glibc.]