Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

Information disclosure vulnerabilities are not nearly as sexy as gaining control over the flow of execution. However, with modern binary protections that provide randomness, such as PIE and ASLR, memory leaks are a crucial point in the exploit chain.

PDFs have a section called the trailer. This is used for making application reading the file (Reader) have easy access to objects via cross-references. This is implemented as a key-value pair.

The exploit uses a field called ID and writes an extremely large value in it. The vulnerability occurs when processing this data.

The ID field is stored as a fixed sized value of 0x100. However, clearly the user controls the actual size when this gets operated on. At this point, the actual value is on the stack (truncated to 0x100) and a heap allocation is made of the large size (0x400).

When a memcpy is ran on this to copy the stack buffer to the heap buffer, a 0x300 byte OOB read occurs! 0x300 extra bytes, which can be queried by the application, allows the user to break ASLR and find the locations of Windows libraries.