Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

RCE in QMail via 15 Year Old Bug - 213

Qualys, posted 5 years ago
  • There are several integer under/overflows that can be triggered while sending mail to Qmail. These were discovered in 2005 but, because they were thought to be unexploitable, they were never fixed.
  • Qualys decided to go back and exploit this mail client. The main idea behind their integer overflow was to corrupt a chunk located close to LibC. Because large allocations are mmapped directly below LibC, the distance between the chunk and LibC is fixed, so ASLR is already defeated by relative offsets.
  • They use the overwrite of the large mmapped chunk so that the subsequent munmap also covers a portion of LibC. That section of memory is now back with the system and not in use. Later (before that section of LibC is touched again) they mmap another large chunk, which takes the place of the section removed from LibC.
  • The important section they removed from LibC was .dynsym, which maps each symbol to an offset relative to the randomized base of the binary. By overwriting the locations of symbols that had not yet been resolved through the PLT/GOT, they could control the address a lazily-resolved pointer ends up pointing to. The obvious choice here is to point it at system.
  • I had come across the mmap allocations myself (prior to reading munmap madness) and had come up with some similar techniques as to the chunk overlapping. However, I never did get the munmap to do anything interesting with other system libraries. So, this was really interesting to see in action!
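The first bullet above is the defender's lesson of the whole chain: size arithmetic that wraps is the root cause, and "thought to be unexploitable" is not a reason to leave it unfixed. The following is an added illustration, not qmail code and not Qualys' exploit, showing the unchecked size computation that silently wraps beside a hardened form that refuses to, plus a growable buffer whose growth policy is overflow-checked. All names (`unchecked_size`, `checked_size`, `growbuf_*`, `demo`) and the sample input are constructed for this example; the overflow checks use the GCC/Clang `__builtin_*_overflow` builtins.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed example of the weak pattern: count * elem_size + header
 * silently wraps modulo SIZE_MAX+1, yielding a tiny allocation that a
 * later copy of `count` elements then overruns. */
size_t unchecked_size(size_t count, size_t elem_size, size_t header) {
    return count * elem_size + header;   /* may wrap to a small value */
}

/* Hardened form: every arithmetic step is overflow-checked.
 * Returns 0 and writes the byte count to *out, or -1 on overflow. */
int checked_size(size_t count, size_t elem_size, size_t header, size_t *out) {
    size_t bytes;
    if (__builtin_mul_overflow(count, elem_size, &bytes)) return -1;
    if (__builtin_add_overflow(bytes, header, &bytes)) return -1;
    *out = bytes;
    return 0;
}

/* Growable byte buffer (constructed) whose growth never wraps. */
struct growbuf { unsigned char *data; size_t len, cap; };

/* Ensure room for `need` more bytes. Doubles capacity, falling back to the
 * exact requirement when doubling would overflow. Returns -1 on failure. */
int growbuf_reserve(struct growbuf *b, size_t need) {
    size_t required;
    if (__builtin_add_overflow(b->len, need, &required)) return -1; /* reject, don't wrap */
    if (required <= b->cap) return 0;
    size_t newcap = b->cap ? b->cap : 64;
    while (newcap < required) {
        if (__builtin_mul_overflow(newcap, (size_t)2, &newcap)) {
            newcap = required;   /* doubling would wrap; use the exact size */
            break;
        }
    }
    unsigned char *p = realloc(b->data, newcap);
    if (!p) return -1;
    b->data = p;
    b->cap = newcap;
    return 0;
}

int growbuf_append(struct growbuf *b, const void *src, size_t n) {
    if (growbuf_reserve(b, n) != 0) return -1;
    memcpy(b->data + b->len, src, n);
    b->len += n;
    return 0;
}

void growbuf_free(struct growbuf *b) {
    free(b->data);
    b->data = NULL;
    b->len = b->cap = 0;
}

/* Returns 1 when the checks behave as intended, 0 otherwise. */
int demo(void) {
    size_t n;
    /* (SIZE_MAX/2 + 1) elements of 2 bytes wraps to 0 when unchecked... */
    if (unchecked_size(SIZE_MAX / 2 + 1, 2, 0) != 0) return 0;
    /* ...but is rejected by the checked version. */
    if (checked_size(SIZE_MAX / 2 + 1, 2, 0, &n) != -1) return 0;
    if (checked_size(10, 8, 16, &n) != 0 || n != 96) return 0;

    struct growbuf b = {0};
    const char line[] = "constructed sample line\r\n";   /* constructed input */
    for (int i = 0; i < 100; i++)
        if (growbuf_append(&b, line, sizeof line - 1) != 0) return 0;
    int ok = (b.len == 100 * (sizeof line - 1));
    /* A request that would push len past SIZE_MAX is refused, not wrapped. */
    ok = ok && growbuf_reserve(&b, SIZE_MAX) == -1;
    growbuf_free(&b);
    return ok;
}

int main(void) {
    return demo() ? 0 : 1;
}
```

The point of `growbuf_reserve` is that both the addition (`len + need`) and the doubling are checked separately; checking only one of them still leaves a wrap in the other, which is exactly the kind of defect that sits unnoticed for years because nobody has shown it to be reachable.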