[io64][smashthestack] level6: may the brute force be with you

This one is about messing with ASLR, let’s look at the code:

This code has one small problem: it does not correctly check the return value of the second call to mmap. It never checks whether addr has been set to MAP_FAILED (-1), which can lead to dereferencing -1 and triggering a segfault. So if we manage to succeed on the first call to mmap but fail on the second, we get the shell!
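The check the level omits, shown as an added example rather than the level's own source: both mmap() results are compared against MAP_FAILED before anything is written through them, and the first page is released if the second call fails. The hint address, the page size and the use of MAP_FIXED for the alignment failure case are my assumptions, not taken from the level's code.

```c
#define _DEFAULT_SOURCE
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/mman.h>

#define PAGE 4096  /* assumed page size, matches the 4K difference in the text */

/* Hardened version of the two-mapping sequence (added code, not the level's).
 * Maps one page at `hint` and one at `hint + PAGE`, writes a marker into each,
 * and hands both pointers back. Returns 0 on success, -errno on failure; on a
 * failed second call the first page is unmapped so no half-built state leaks. */
int map_two_pages(uintptr_t hint, int extra_flags, int **first, int **second)
{
    int prot = PROT_READ | PROT_WRITE;
    int flags = MAP_PRIVATE | MAP_ANONYMOUS | extra_flags;

    int *a = mmap((void *)hint, PAGE, prot, flags, -1, 0);
    if (a == MAP_FAILED)
        return -errno;

    /* This is the return value the level never checked: with a bad hint it
     * is MAP_FAILED, i.e. (void *)-1, and dereferencing it segfaults. */
    int *b = mmap((void *)(hint + PAGE), PAGE, prot, flags, -1, 0);
    if (b == MAP_FAILED) {
        int saved = errno;      /* munmap may clobber errno */
        munmap(a, PAGE);
        return -saved;
    }

    *a = 1;                     /* safe: both are real mappings now */
    *b = 2;
    *first = a;
    *second = b;
    return 0;
}

int main(void)
{
    int *p, *q;
    /* Unaligned hint with MAP_FIXED is rejected by the kernel with EINVAL
     * before any mapping is created (address constructed for the demo). */
    int rc = map_two_pages(0x7fff0171c8fd, MAP_FIXED, &p, &q);
    printf("unaligned fixed hint: rc=%d (%s)\n", rc, rc == -EINVAL ? "EINVAL" : "other");
    rc = map_two_pages(0, 0, &p, &q);   /* let the kernel choose: succeeds */
    printf("kernel-chosen address: rc=%d\n", rc);
    return 0;
}
```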

You may have noticed that the requested addresses are not the same between the first and the second call: there is a one-page difference (4K).

Let's see what we can get/predict from ASLR:

We can see three kinds of regions:

  • the code, at the lowest region
  • the loader, stack and vdso in the second, “non contiguous” region
  • and the vsyscall

The second region is close to 7fffXXXXXXXX, and sometimes the stack and vdso are accessible from 7fffXXXXXXXX.

I guess we need to exploit that:

First, we need to make sure that we never request a non-page-aligned mapping, as that request will obviously fail with errno EINVAL. Next, nothing else: according to the manpage, EPERM only happens when “The prot argument asks for PROT_EXEC but the mapped area belongs to a file on a file system that was mounted no-exec.”

That's not the case. So we just need to brute force with an address like 0x7fff0171c8fc + 0x30000704. The 0x704 at the low end is for page alignment, and the high bits are there to reach the stack/vdso area (vdso and stack seem to rarely start at 0x7fff0XXXXXXX addresses).

But remember that the address has been cast to (int*), which means whatever we type will be multiplied by 4. We thus need 0x30000704/4 = 201327041.

Let's try to brute force that:

Then just go make a coffee and wait for the $ symbol to appear 🙂

neeeeext!
