This post describes a novel heap exploitation technique for gaining arbitrary code execution via a 2-byte heap overflow, a perror call, and a controlled exit. The technique, as presented, is known to work with glibc 2.32.

The novelty of this technique lies in using perror and its interaction with malloc to add an attacker-crafted FILE object to glibc’s global linked list of open FILE streams.

Arbitrary code execution is obtained by preparing this crafted FILE to invoke a shell using the obstack vtable bypass.

...

This post describes a technique for bypassing existing hardening of FILE vtable values in order to gain arbitrary code execution. This technique is known to work as of glibc 2.32.

I reported this bypass to the glibc maintainers on December 28, 2020.

...

© Will Coster