fimad.dev
This post describes a novel heap exploitation technique for gaining arbitrary code execution via a 2-byte heap overflow, a `perror` call, and a controlled `exit`. This technique as presented is known to work with glibc 2.32.

The novelty of this technique lies in using `perror` and its interaction with `malloc` to add an attacker-crafted `FILE` object to glibc's global linked list of open `FILE` streams. Arbitrary code execution is obtained by preparing this crafted `FILE` to invoke a shell using the obstack vtable bypass.
...
This post describes a technique for bypassing existing hardening of `FILE` vtable values in order to gain arbitrary code execution. This technique is known to work as of glibc 2.32.

I reported this bypass to the glibc maintainers on December 28, 2020.
...