CSE 545 Heap Challenges Overview


In CSE 545, students can expect a series of challenges related to heap exploitation techniques. The assignments involve releasing new challenges with specific deadlines and combining the points earned from previous challenges. The grading system is structured to allocate percentages to each assignment, with participation and final assessments factored in. The content includes various images depicting different aspects of tcache bins, fastbins, and metadata pointers. Stay tuned for more challenges and opportunities to test your skills in heap manipulation.


Uploaded on Sep 26, 2024



Presentation Transcript


  1. CSE 545 Heap: Fastbin Double Free. Tiffany Bao, tbao@asu.edu

  2. Assignment 3 is released; deadline: 4/30. Final: all previous challenges combined, 28 challenges, 112 points in total. Due: 5/7.

  3. Assignment 1-3: 85%; every assignment accounts for 85% / 3 = 28.33%, e.g., Assignment 1: 11 / 10 * 28.33. Final: 15%. Participation: 10%. Track: TO BE RELEASED.

  4. Fastbin Double Free

  5. [Diagram: Tcache Bin with two chunks (metadata, fd pointer, data)]

  6. [Diagram: Tcache Bin with two chunks (metadata, fd pointer, data); Fast Bin with three chunks (metadata, fd pointer, data)]

  7. [Diagram: Tcache Bin with two chunks (metadata, fd pointer, data), with 00000 shown; Fast Bin with three chunks (metadata, fd pointer, data)]

  8. Step 1: Empty tcache bins. [Diagram: Tcache Bin with two chunks (metadata, fd pointer, data), with 00000 shown; Fast Bin with three chunks (metadata, fd pointer, data)]

  9. Step 1: Empty tcache bins. [Diagram: Tcache Bin with no chunks shown; Fast Bin with three chunks (metadata, fd pointer, data)]

  10. Step 2: malloc(). [Diagram: Tcache Bin with no chunks shown; Fast Bin with three chunks (metadata, fd pointer, data)]

  11. Step 2: malloc(). [Diagram: Tcache Bin with no chunks shown; Fast Bin with three chunks (metadata, fd pointer, data)]

  12. Step 2: malloc(). [Diagram: Tcache Bin with no chunks shown; Fast Bin with two chunks (metadata, fd pointer, data)]

  13. Step 2: malloc(). [Diagram: Tcache Bin with one chunk (metadata, 00000000, data); Fast Bin with one chunk (metadata, fd pointer, data)]

  14. Step 2: malloc(). [Diagram: Tcache Bin with one chunk (metadata, 00000000, data); Fast Bin with two chunks (metadata, fd pointer, data) and (metadata, 00000000, data)]

  15. Step 2: malloc(). [Diagram: Tcache Bin with two chunks (metadata, fd pointer, data) and (metadata, 00000000, data); Fast Bin with one chunk (metadata, 00000000, data)]

  16. Step 2: malloc(). [Diagram: Tcache Bin and Fast Bin; four chunks (metadata, fd pointer, data)]

  17. Step 3: Edit the chunk from Step 2. [Diagram: Tcache Bin; four chunks (metadata, fd pointer, data); Fake Chunk (metadata, victim)]

  18. Step 4: malloc() x 3. [Diagram: Tcache Bin; three chunks (metadata, fd pointer, data); Fake Chunk (metadata, victim)]

  19. Service IP: 107.21.135.41, Port: 16666. Service files: https://cse545.tiffanybao.com/labs/week16/double_free.c, https://cse545.tiffanybao.com/labs/week16/double_free, https://cse545.tiffanybao.com/labs/week16/libc.so.6, https://cse545.tiffanybao.com/labs/week16/ld-2.27.so

  20. How to debug

  21. Leak Libc Base Address


  23. Find a memory location that satisfies the necessary condition for a fake chunk. The libc information is contained in the fake chunk, e.g., 0x602248.

  24. [Diagram: Fast Bin with three chunks (metadata, fd pointer or 000000, data); markers 1 and 2; Fake Chunk at 0x602248 (metadata, libc-related address)]

  25. Step 3: malloc() x 7. [Diagram: Tcache Bin with two chunks (metadata, fd pointer, data), with 00000 shown; Fast Bin with 0x602248 and chunks labelled metadata, 00000000, fd pointer, data, victim]

  26. Step 3: malloc() x 7. [Diagram: Tcache Bin with no chunks shown; Fast Bin with 0x602248 and chunks labelled metadata, 00000000, fd pointer, data, victim]

  27. Step 4: malloc(). [Diagram: Tcache Bin with no chunks shown; Fast Bin with 0x602248 and chunks labelled metadata, 00000000, fd pointer, data, victim]

  28. Step 4: malloc(). [Diagram: Tcache Bin with 0x602248 and chunks labelled metadata, fd pointer, 00000000, data, victim; Fast Bin with no chunks shown]

  29. Finding such a fake chunk may not be easy. The address of the fake chunk may also change, e.g., with PIE and ASLR.

  30. [Diagram: arena -> bins (size 0x20); FD (-> Forward) and BK (<- Backward) pointers linking two chunks]

  31. [Diagram: chunks with metadata, fd pointer, bw pointer (-> Forward) and data; main_arena @ glibc]
