running libc properly #10
An analysis of libc simulation methods

Every method here is analysed with:
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
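/* Diagnostic harness used for every method below: dumps this process's
 * memory map (/proc/<pid>/maps) and the address at which printf resolves,
 * so a simulated libc's mapping and placement can be compared against a
 * real one. Writes to stdout; returns 0 on success, 1 if the command
 * string could not be built. */
int main(void)
{
    int pid = getpid();
    char s[512];

    /* Bounded formatting: the command is a constant plus the numeric pid,
     * but check for truncation anyway rather than handing a partial command
     * to system(). */
    int n = snprintf(s, sizeof s, "cat /proc/%d/maps", pid);
    if (n < 0 || (size_t)n >= sizeof s) {
        return 1;
    }
    /* Diagnostic only: the exit status of cat is not needed here. */
    (void)system(s);

    /* %p expects an object pointer; passing a function pointer directly is
     * undefined behaviour, so cast it (most toolchains accept the
     * function-to-object pointer conversion as an extension). */
    printf("%p\n", (void *)printf);
    return 0;
}
And ultimately, a fully correct sample should look like: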
|
Test two: easyWrite clone (tcache_perthread_struct writing)

Because I have a machine available with
Every method here is analysed with:
#include <stdlib.h>
/* All offsets below are hard-coded for one specific libc build (taken from
 * the page's own values); they will not carry over to a different build,
 * so a failing run may just mean a mismatched libc rather than a broken
 * simulator. */
/* Presumably malloc's offset from the libc base, so that
 * malloc - MALLOC_OFF yields the base — confirm against the maps output. */
#define MALLOC_OFF 0x9d260
/* Difference of two absolute addresses; the macro body is unparenthesised,
 * which is only safe while every use combines it with + and - as below. */
#define TCACHE_OFF 0x7ffff7fc04f0-0x7ffff7dcd000
/* Offset of the free hook slot (see the "overwriting free_hook" marker). */
#define F_HOOK_OFF 0x1eeb28
/* Number of per-thread cache bins (64). */
#define TCACHE_MAX_BINS 0x40
/* Local mirror of the per-thread cache header: one count and one entry
 * pointer per bin. NOTE(review): assumed to match the layout of the target
 * libc's tcache_perthread_struct (counts width differs across versions) —
 * confirm for the libc build the offsets above were taken from. */
typedef struct tcache_struct {
short counts[TCACHE_MAX_BINS]; /* per-bin entry counts */
void *entries[TCACHE_MAX_BINS]; /* per-bin head pointers */
} tcache_struct;
/* Marker routine: prints "success" so the outcome of the run can be read
 * from stdout alone. Requires <stdio.h> for puts, which this listing does
 * not include. */
void win(void)
{
    puts("success");
}
/* Fidelity test for the simulated libc: replaces the thread's tcache pointer
 * with a locally constructed struct and checks whether a later malloc/free
 * pair behaves as it would on a real libc. Every address is derived from
 * malloc's position plus the hard-coded offsets above, so the outcome is
 * only meaningful for that exact libc build. Prints progress markers and
 * expects "success" from win() when the write through free() took effect;
 * no return statement, so main yields 0 under C99 rules. */
int main(){
malloc(1); /* warm-up allocation before the cache pointer is replaced; presumably forces heap initialisation — confirm */
tcache_struct constructed_tcache = (tcache_struct) { .counts = {0, 0, 1}, .entries = {0,0, malloc-MALLOC_OFF+F_HOOK_OFF}}; /* bin 2 holds one entry: the free hook slot */
tcache_struct **tcache = malloc-MALLOC_OFF+TCACHE_OFF; /* arithmetic on a function pointer is a GNU extension, not ISO C */
*tcache = &constructed_tcache; /* install the constructed struct as this thread's cache */
puts("fake tcache in place");
void *p = malloc(0x30); /* expected to be served from bin 2, i.e. p should alias the hook slot */
puts("overwriting free_hook");
*(long long*)p = win; /* ISO C constraint violation: function pointer stored without a cast; relies on the compiler accepting it */
free(p); /* if the chain worked, the hook runs here and win() prints "success" */
} And ultimately, a fully correct sample should look like:
|
As I outlined in a writeup:
Additional suggestions from #9 (comment)