You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: src/exercises/unit19-glibc-bypass/glibc-108.ts
+20-16Lines changed: 20 additions & 16 deletions
Original file line number
Diff line number
Diff line change
@@ -42,19 +42,21 @@ const exercise: Exercise = {
42
42
},
43
43
{
44
44
log: ['action','Allocating chunk A (16 bytes) and chunk B (16 bytes).'],
45
-
vizAction: (sim: any)=>{
46
-
consta=sim.malloc(16);
47
-
constb=sim.malloc(16);
48
-
if(a)sim._nameMap={ ...sim._nameMap,A: a.addr};
49
-
if(b)sim._nameMap={ ...sim._nameMap,B: b.addr};
45
+
vizAction: (_sim: any,heap: any)=>{
46
+
if(!heap)return;
47
+
consta=heap.malloc(16);
48
+
constb=heap.malloc(16);
49
+
if(a)heap._nameMap={ ...heap._nameMap,A: a.addr};
50
+
if(b)heap._nameMap={ ...heap._nameMap,B: b.addr};
50
51
},
51
52
srcLine: 5,
52
53
},
53
54
{
54
55
log: ['action','free(a) — A goes to tcache. The <strong>tcache key</strong> is written at A+0x10 (data+8).'],
55
-
vizAction: (sim: any)=>{
56
-
constaddr=sim._nameMap?.A;
57
-
if(addr!==undefined)sim.free(addr);
56
+
vizAction: (_sim: any,heap: any)=>{
57
+
if(!heap)return;
58
+
constaddr=heap._nameMap?.A;
59
+
if(addr!==undefined)heap.free(addr);
58
60
},
59
61
srcLine: 7,
60
62
},
@@ -64,25 +66,27 @@ const exercise: Exercise = {
64
66
},
65
67
{
66
68
log: ['info','But if we have a UAF write primitive, we can <strong>clear the key</strong> at data+8. Setting it to 0 makes glibc think this chunk was never freed into tcache.'],
67
-
vizAction: (sim: any)=>{
68
-
constaddr=sim._nameMap?.A;
69
+
vizAction: (_sim: any,heap: any)=>{
70
+
if(!heap)return;
71
+
constaddr=heap._nameMap?.A;
69
72
if(addr!==undefined){
70
-
constchunk=sim.chunks.get(addr);
73
+
constchunk=heap.chunks.get(addr);
71
74
if(chunk){
72
-
sim._writeLE(chunk.dataStart+4,0,4);
75
+
heap._writeLE(chunk.dataStart+4,0,4);
73
76
}
74
77
}
75
78
},
76
79
srcLine: 12,
77
80
},
78
81
{
79
82
log: ['success','free(a) succeeds! Key was 0, so glibc doesn\'t detect the double-free. A is now in tcache <strong>twice</strong>. From here: malloc returns A → write fd → malloc again → malloc returns arbitrary address. Classic tcache poison, enabled by clearing the key.'],
0 commit comments