Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

Bypassing vtable Check in glibc File Structures

KyleBot, posted 3 years ago
  • In glibc 2.34, the malloc debugging hooks (__malloc_hook, __free_hook and friends) were removed from the library. Since overwriting them was the go-to way of turning a heap primitive into code execution, the author of the post set out to find a new way to hijack control flow. The author also maintains the how2heap repo.
  • The FILE structure every C programmer uses through stdio is, inside glibc, wrapped in _IO_FILE_plus, which appends a vtable pointer to the _IO_FILE fields. In glibc 2.24 a check was added (IO_validate_vtable) that requires this pointer to lie within a dedicated section of libc, __libc_IO_vtables, where all of the legitimate jump tables live; a pointer outside that range fails the check. Additionally, some function pointers are mangled (XORed with a per-process key kept in thread local storage, then rotated) so they cannot be replaced without knowing the key.
  • Bypasses were found, though. First, _IO_str_overflow and friends called function pointers (for allocating and freeing the string buffer) that lived in the FILE object itself rather than in the vtable, so the old attack still worked through them. Second, the check only verifies that the vtable pointer falls inside the section, not that it is aligned to a table boundary, so the pointer can be shifted to land inside a different jump table and make a call to one slot invoke some other function. The first bypass was patched in 2.28 by removing those function pointers and calling malloc/free directly; the misalignment trick is a property of the check itself. So, where are we now?
  • While manually auditing, the author found 81 unique function pointers within the special section. They checked each one and its call sites to look for any missing checks. Sadly, all of them are either reached through validated vtables or mangled.
  • The mangling is interesting: a mangled pointer can still be replaced IF we know the key. So, can we overwrite the key or leak the key stored in thread local storage? The goal is to use the vtable misalignments to eventually do exactly that.
  • The FILE structure is very complicated. Instead of manually auditing, the author used the symbolic execution tool angr. Since the question is which bounded sequence of validated vtable calls can reach an attacker-controlled pointer, this is a bounded model checking problem and angr is a good fit. They configured angr to run and let it go to town!
  • The script found 10+ techniques, one of which is known as the House of Emma. The tool produced a list of call chains through the function tables, all of which pass validation, that eventually give control over RIP.
  • It turns out that the function pointers in _wide_vtable (reached through the FILE's _IO_wide_data) are not checked by the vtable validator. Three of these techniques were already known as the House of Apple; the others discovered were brand new. Overall, a good article with fun memes in it!
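To make the two defences above concrete, here is an added example (not code from the post, and not glibc's own source) that models the section-range vtable check, the misalignment trick that slips past it, and the XOR-plus-rotate pointer mangling keyed by a TLS guard. The jump-table layout, the `io_vtables` array, the function names and every address and key value are constructed for illustration; only the mechanisms (an unsigned range test with no alignment check, and x86_64-style `xor` with the guard followed by `rol 0x11`) follow what glibc does.

```c
/* Added example, not from the post or from glibc: a small model of the
   FILE vtable check, the misaligned-vtable bypass, and pointer mangling. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Cut-down jump table (constructed). glibc's _IO_jump_t has ~21 slots. */
typedef struct {
    void (*finish)(void);
    void (*overflow)(void);
    void (*underflow)(void);
} jump_table_t;

enum slot { SLOT_FINISH = 0, SLOT_OVERFLOW = 1, SLOT_UNDERFLOW = 2 };

static void file_finish(void)    { puts("file_finish"); }
static void file_overflow(void)  { puts("file_overflow"); }
static void file_underflow(void) { puts("file_underflow"); }
static void str_finish(void)     { puts("str_finish"); }
static void str_overflow(void)   { puts("str_overflow"); }
static void str_underflow(void)  { puts("str_underflow"); }

/* Models the __libc_IO_vtables section: all legitimate tables live here,
   laid out back to back (constructed; only two tables for brevity). */
static const jump_table_t io_vtables[2] = {
    { file_finish, file_overflow, file_underflow },   /* like _IO_file_jumps */
    { str_finish,  str_overflow,  str_underflow  },   /* like _IO_str_jumps  */
};

/* Models IO_validate_vtable (glibc >= 2.24): the vtable pointer must fall
   inside the section. It is a range check only; alignment to a table
   boundary is never verified. Returns 1 if accepted, 0 if rejected. */
int validate_vtable(const void *vtable)
{
    uintptr_t start = (uintptr_t)io_vtables;
    uintptr_t len   = sizeof io_vtables;
    return (uintptr_t)vtable - start < len;   /* unsigned compare == range test */
}

/* Models the _IO_JUMPS_FUNC path: validate, then index the table through
   the (possibly misaligned) vtable pointer. Returns NULL where glibc would
   abort with "invalid stdio handle". */
void (*resolve_slot(const void *vtable, enum slot s))(void)
{
    if (!validate_vtable(vtable))
        return NULL;
    void (*const *tbl)(void) = vtable;        /* treat the bytes as fn pointers */
    return tbl[s];
}

static uint64_t rotl64(uint64_t v, unsigned n) { return (v << n) | (v >> (64 - n)); }
static uint64_t rotr64(uint64_t v, unsigned n) { return (v >> n) | (v << (64 - n)); }

/* Models x86_64 PTR_MANGLE / PTR_DEMANGLE: xor with the pointer guard
   (which glibc keeps in TLS) and rotate left by 0x11 bits. */
uint64_t ptr_mangle(uint64_t ptr, uint64_t guard) { return rotl64(ptr ^ guard, 0x11); }
uint64_t ptr_demangle(uint64_t m, uint64_t guard)  { return rotr64(m, 0x11) ^ guard; }

int main(void)
{
    /* Misalignment: point "the vtable" 8 bytes before _IO_str_jumps. It is
       still inside the section, so the check passes, but the overflow slot
       now resolves to str_finish. */
    const char *forged = (const char *)&io_vtables[1] - sizeof(void *);
    void (*fn)(void) = resolve_slot(forged, SLOT_OVERFLOW);

    printf("aligned table passes check: %d\n", validate_vtable(&io_vtables[1]));
    printf("stack address passes check: %d\n", validate_vtable(&fn));
    printf("misaligned pointer passes:  %d, overflow slot calls: ", validate_vtable(forged));
    if (fn) fn();

    /* Mangling: only the holder of the guard can forge a pointer, and an
       attacker who can zero the guard can compute the value directly. */
    uint64_t guard  = 0x1122334455667788ULL;   /* constructed TLS pointer guard */
    uint64_t target = 0x7ffff7e4d1e0ULL;       /* constructed code address */
    uint64_t m      = ptr_mangle(target, guard);
    printf("demangle, right guard:   %#llx\n", (unsigned long long)ptr_demangle(m, guard));
    printf("demangle, guessed guard: %#llx\n", (unsigned long long)ptr_demangle(m, guard ^ 1));
    printf("guard zeroed, attacker value hits target: %d\n",
           ptr_demangle(rotl64(target, 0x11), 0) == target);
    return 0;
}
```

The `forged` pointer is the whole misalignment idea in one line: the validator accepts any address in the section, so overlapping two neighbouring tables turns a call to one slot into a call to a slot of the adjacent table. The last print shows why the post cares about the TLS key: once the guard is zero (or known), the mangled value the attacker must write is just a rotation of the target.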