CSE 545 Heap Challenges Overview

Slide Note
Embed
Share

In CSE 545, students can expect a series of challenges related to heap exploitation techniques. The assignments involve releasing new challenges with specific deadlines and combining the points earned from previous challenges. The grading system is structured to allocate percentages to each assignment, with participation and final assessments factored in. The content includes various images depicting different aspects of tcache bins, fastbins, and metadata pointers. Stay tuned for more challenges and opportunities to test your skills in heap manipulation.

haow785
haow785 Follow

Uploaded on Sep 26, 2024 | 0 Views

Download Presentation

Please find below an Image/Link to download the presentation.

The content on the website is provided AS IS for your information and personal use only. It may not be sold, licensed, or shared on other websites without obtaining consent from the author. Download presentation by click this link. If you encounter any issues during the download, it is possible that the publisher has removed the file from their server.

E N D

Presentation Transcript

  1. CSE 545 Heap: FastbinDouble Free Tiffany Bao tbao@asu.edu

  2. Assignment 3 is released, ddl: 4/30 Final: All previous challenges combined, 28 challenges, 112 points in total Due: 5/7

  3. Assignment 1-3: 85%, every assignment accounts for 85% / 3 = 28.33% e.g., Assignment 1: 11 / 10 * 28.33 Final: 15% Participation: 10% Track: TO BE RELEASED 2

  4. Fastbindouble Free 3

  5. Tcache Bin metadata fd pointer metadata fd pointer data data 4

  6. Tcache Bin metadata fd pointer metadata fd pointer data data Fast Bin metadata fd pointer metadata fd pointer metadata fd pointer data data data 5

  7. Tcache Bin metadata fd pointer metadata fd pointer 00000 data data Fast Bin metadata fd pointer metadata fd pointer metadata fd pointer data data data 6

  8. Empty tcache bins Tcache Bin 1 metadata fd pointer metadata fd pointer 00000 data data Fast Bin metadata fd pointer metadata fd pointer metadata fd pointer data data data 7

  9. Empty tcache bins Tcache Bin 1 Fast Bin metadata fd pointer metadata fd pointer metadata fd pointer data data data 8

  10. Tcache Bin malloc() 2 Fast Bin metadata fd pointer metadata fd pointer metadata fd pointer data data data 9

  11. Tcache Bin malloc() 2 Fast Bin metadata fd pointer metadata fd pointer metadata fd pointer data data data 10

  12. Tcache Bin malloc() 2 Fast Bin metadata fd pointer metadata fd pointer data data 11

  13. Tcache Bin malloc() 2 metadata 00000000 data Fast Bin metadata fd pointer data 12

  14. Tcache Bin malloc() 2 metadata 00000000 data Fast Bin metadata fd pointer metadata 00000000 data data 13

  15. Tcache Bin malloc() 2 metadata fd pointer metadata 00000000 data data Fast Bin metadata 00000000 data 14

  16. metadata fd pointer Tcache Bin malloc() 2 data metadata fd pointer metadata fd pointer metadata fd pointer data data data Fast Bin 15

  17. metadata fd pointer Edit the chunk from Step 2 Tcache Bin 3 data metadata fd pointer metadata fd pointer metadata fd pointer data data data metadata victim Fake Chunk 16

  18. Tcache Bin malloc() x 3 4 metadata fd pointer metadata fd pointer metadata fd pointer data data data metadata victim Fake Chunk 17

  19. Service IP: 107.21.135.41 Port: 16666 Service file: https://cse545.tiffanybao.com/labs/week16/double_free.c https://cse545.tiffanybao.com/labs/week16/double_free https://cse545.tiffanybao.com/labs/week16/libc.so.6 https://cse545.tiffanybao.com/labs/week16/ld-2.27.so 18

  20. How to debug 19

  21. Leak Libc Base Address 20

  22. 21

  23. Find a memory location that satisfy the necessary condition for a fake chunk The libc information is contained in the fake chunk e.g., 0x602248 22

  24. Fast Bin metadata fd pointer metadata fd pointer metadata 000000 data data data 1 0x602248 metadata 2 libc-related address Fake Chunk 23

  25. Tcache Bin malloc() x 7 3 metadata fd pointer metadata fd pointer 00000 data data Fast Bin 0x602248 metadata 00000000 metadata fd pointer metadata fd pointer data victim data 24

  26. Tcache Bin malloc() x 7 3 Fast Bin 0x602248 metadata 00000000 metadata fd pointer metadata fd pointer data victim data 25

  27. Tcache Bin malloc() 4 Fast Bin 0x602248 metadata 00000000 metadata fd pointer metadata fd pointer data victim data 26

  28. Tcache Bin malloc() 4 0x602248 metadata fd pointer metadata 00000000 data victim Fast Bin 27

  29. Finding a fake chunk like such may not be easy The address of fake chunk may also change E.g., PIE and ASLR 28

  30. arena -> bins siz0x20 FD BK -> Forward <- Backward chunk chunk 29

  31. metadata fd pointer bw pointer -> Forward metadata fd pointer bw pointer data main_arena @ glibc 30

  32. 31

Related


Understanding Heap Sort in Data Structures

Understanding Heap Sort in Data Structures

apick
Understanding Heap Overflows: An Introduction to Exploit Development

Understanding Heap Overflows: An Introduction to Exploit Development

snyr
Understanding Heap Exploitation Techniques in CSE 545 Fall 2020

Understanding Heap Exploitation Techniques in CSE 545 Fall 2020

jah_end
Understanding Heap Overflow Attacks

Understanding Heap Overflow Attacks

naya_822
Implementing Heaps: Node Operations and Runtime Analysis

Implementing Heaps: Node Operations and Runtime Analysis

rnye
Soft Heap and Soft Sequence Heaps: Properties and Applications

Soft Heap and Soft Sequence Heaps: Properties and Applications

jule_147
Binary Trees and Heap Implementation in Java

Binary Trees and Heap Implementation in Java

reessa
Understanding Priority Queues and Heaps in CSE 373 Lecture

Understanding Priority Queues and Heaps in CSE 373 Lecture

sdey
A Comparative Analysis of Heap Specification Approaches

A Comparative Analysis of Heap Specification Approaches

kas_she
Data Structures and Heaps in Computer Science - Lecture 10 Overview

Data Structures and Heaps in Computer Science - Lecture 10 Overview

townsendw
Understanding Heaps in Binary Trees

Understanding Heaps in Binary Trees

emme
Understanding Priority Queues and Heap Data Structures

Understanding Priority Queues and Heap Data Structures

timlye
Understanding Heap Data Structure Implementation

Understanding Heap Data Structure Implementation

kend_560
Overview of SB 850 Homeless Emergency Aid Program (HEAP)

Overview of SB 850 Homeless Emergency Aid Program (HEAP)

binney_d
Overview of Soft Sequence Heaps in Algorithms

Overview of Soft Sequence Heaps in Algorithms

marialen
Abstract Domains for Lists and Heap Structures: A Comprehensive Overview

Abstract Domains for Lists and Heap Structures: A Comprehensive Overview

winkfield_g
Dynamic Memory Management Overview

Dynamic Memory Management Overview

wkam
CSE Connect January 2024 Poster Submission Information

CSE Connect January 2024 Poster Submission Information

miller
Understanding Child Sexual Exploitation (CSE) in School Communities

Understanding Child Sexual Exploitation (CSE) in School Communities

lemon
Understanding Memory Management in Computer Systems

Understanding Memory Management in Computer Systems

iga
Runtime Checking of Expressive Heap Assertions

Runtime Checking of Expressive Heap Assertions

ibrahim
Heapsort and Heaps: A Generic Algorithm for Sorting

Heapsort and Heaps: A Generic Algorithm for Sorting

chines
Understanding Heap Sort and Binary Search Tree Concepts

Understanding Heap Sort and Binary Search Tree Concepts

hamy
Understanding Memory Management Tradeoffs in Web Browsers

Understanding Memory Management Tradeoffs in Web Browsers

ldmy

More Related Content