The Hobbes Functional Interpreter supports arrays. However, it does NOT support negative indexing and does not protect against indexing outside of the bounds. See where this is going?
Now, we essentially have an arbitrary read and an arbitrary write! Anytime this is achieved, it is essentially game over.
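A bounds-checked array accessor of the kind the interpreter lacks, as an added example in C. It is not Hobbes code: `script_array`, `checked_read`, `checked_write`, `unchecked_offset` and the array layout are hypothetical. It also computes, without dereferencing anything, the byte offset an unchecked index would address, which shows why a negative index lands in memory before the array.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical interpreter array: a length followed by its elements. */
typedef struct {
    size_t  len;
    int64_t data[8];
} script_array;

typedef enum { IDX_OK = 0, IDX_OUT_OF_BOUNDS = -1 } idx_status;

/* Byte offset from data[0] that an unchecked data[index] would address.
   Only the arithmetic is done here; nothing is dereferenced. */
static long long unchecked_offset(long long index) {
    return index * (long long)sizeof(int64_t);
}

/* Reject negative indexes first, then compare against the length. */
static int in_bounds(const script_array *a, long long index) {
    return index >= 0 && (unsigned long long)index < a->len;
}

static idx_status checked_read(const script_array *a, long long index, int64_t *out) {
    if (!in_bounds(a, index)) return IDX_OUT_OF_BOUNDS;
    *out = a->data[index];
    return IDX_OK;
}

static idx_status checked_write(script_array *a, long long index, int64_t value) {
    if (!in_bounds(a, index)) return IDX_OUT_OF_BOUNDS;
    a->data[index] = value;
    return IDX_OK;
}

int main(void) {
    script_array a = { 4, { 10, 20, 30, 40 } };   /* constructed sample */
    long long probes[] = { -3, 0, 3, 4, 1000 };   /* constructed sample */
    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++) {
        int64_t v = 0;
        idx_status s = checked_read(&a, probes[i], &v);
        printf("index %5lld  unchecked offset %6lld bytes  checked: %s\n",
               probes[i], unchecked_offset(probes[i]),
               s == IDX_OK ? "ok" : "rejected");
    }
    printf("write at -1: %s\n",
           checked_write(&a, -1, 99) == IDX_OK ? "ok" : "rejected");
    return 0;
}
```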
The exploitation path was interesting though. First, the researcher uses a GOT/PLT overwrite to redirect code execution. The GOT is a table of pointers to functions in dynamically loaded libraries, such as libc.
Now, the researcher has the ability to redirect code execution. But where to redirect it to? Apparently (for an unknown reason) the location where input is placed is in an RWX region! So, simply place the shellcode into this region and jump to it via the controlled path.
Although, this bug may not be fixed... which seems odd to me. The researcher absolutely went through the proper disclosure process and everything too.
The researcher just pokes at open source projects. Could be something interesting to look into! :)