+jacckiechan60 it's because the implementation of free will take the address and add +12 to it, because that's the location of the pointers. So in order to end up with the correct value we first need to subtract 12.

Don't we need a pointer into the Global Offset Table?

on a system without ASLR, yes it stays the same. On a system with ASLR, you need another bug to leak a heap address first.

After looking through the malloc.c again, i realised that this is undone later in the code. Still, i'm wondering why they did it that way, but okay im fine for now :D

Because the current chunk is being freed just now, therefore it doesn't belong to any lists yet. And previous chunk is already freed, therefore it belong to a list. So it should be first unlinked from that list before consolidating into the current chunk. Previous chunk can not be in the same list because it's not a chunk anymore but instead a part of a bigger chunk. Hope this clarifies.

and why we insert -4(fffffffc) instead of something else?

I got the malloc version.

Well then if strcpy stops at every null byte, if there are null bytes at the middle of your payload (the data you exploit with), let's say you have something like : "AAAAABBB(NULL BYTE)CCCCDDDD", strcpy will only copy AAAAABBB and everything after it will be ignored, now imagine there was something essential for the exploit after the (NULL BYTE), the exploit wouldn't work as it should do

thank you

haha I'm a bit unsure if O get what you try to ask. But I understand your confusion - it's confusing to me too. So I think you understood that we can write an address from the heap into GOT, thanks to this unlink. So we overwrite a very specific GOT entry, such that next time we call puts, it will find the heap address in the GOT instead. And thus jump into the heap - as if there were our puts function. So then we execute shellcode on the heap - so we control execution flow. Did that answer it?

Ahahah.. Sorry for my bad english.. I will try to explain me better splitting it in two questions: 1) Are free(b) and free(a) relevant for the success of the exploit?? 2) What I can't understand is what happen when the the fake chunk is unlinked. I explain me better trying to figure out what the computer/processor does to execute our code step by step(Of course correct me if I m wrong I m here to learn ;) ): 1. It allocates chunk A (32 bytes) 2. It allocates chunk B (32 bytes) 3. It allocates chunk C (32 bytes) 4. Put the shellcode on first chunk data 5. Now it puts shitty stuff inside the second chunk data until we reach the third chunk size and overwrites it with 65 (that is 100 in decimal plus the prev-in-use bit set) 6. Now put other shitty stuff ( 100 "C" in order to fill the memory allocated) and then overflow again in the "eventual 4th chunk. 7. The first magic is here: you overwrite the fake 4th chunk's size with a negative value in order to have a fake 4th chunk that has the prev-in-use bit set to 0, followed by fd pointer and bk pointer(like it was freed). Now the heap looks like: Chunk A ---- Chunk B with prev-in-use bit set to 1 ------ Chunk C with PIU bit set to 1--------- Fake Chunk D with PIU bit set to 0, fd pointer, bk pointer. 8. The computer now calls free(c): it sees a chunk that we want to free (C) followed by a chunk already freed (D) so it triggers the Unlink() function. 9. Let's unlink it: this fake Chunk D has two pointers, one that points at the forward chunk and the other that points backward chunk. The processor now needs to link the Backward chunk with the Forward chunk and merge the Chunk C with the FAKE Chunk D. The forward chunk in question is the GOT and the Backward chunk is the chunk A (where we have the shellCode) 10. free(b) 11.free(a) 12.call puts What is not clear for me are steps 9, 10(if necessary), 11(if necessary) and 12. I don't undestand how we execute the shellcode located in chunk A.. I m pretty sure that the problem is that I have misunderstood the step 9. Thanks A LOT for your time anyway. ( I hope now I ve written in a more comprehensible way)

yeah the magic is all in 9. So 10 and 11 don't do much other than free those blocks, but we don't need them. luckily they don't screw up our exploit either. We execute shellcode in chunk A, because we have written this address to the GOT entry of puts. So when we call puts in 12. instead we call the address from the first block. We have written this address of the chunk A into GOT, because our fake chunk said that the next block is GOT, and the previous block is chunk A. So it unlinked our fake block and wrote the NEXT address (GOT) into chunk A. And wrote the BACK address (chunk A) into GOT.

Ohooooh now my brain is running better eheh.. And If I mak bk pointer = GOT and fd pointer = HEAP (in few word the reverse of what you did).. it would work the same?? Because in this way I would have the Got pointing at chunk A and the ChunkA pointing at the GOT as well right?

yep pretty much. But as mentioned in the video the pointes will be written at different offsets +4 or +8, depending on bk or fd. So basically the same, just at slightly different offsets.

maybe, but why bother?

@@meithecatte8492 avoid segfault ?

Since null byte indicates the end of the string to be copied, the data wouldn't be fully copied

oh, i'm stuck in this place, could you explain how it works? i just think next chunk + chunk_size(-4) -> size (+4) equal fffffffc. thanks! by the way your English is better than mine :)

before" chunk "is freed ,it would check whether "next_chunk"(ffffffc,ffffffc,fd,bk) is freed .how to check it? dlmalloc use function inuse_bit_at_offset(nextchunk,nextsize). Here ,nextchunk is （fffffffc,ffffffc,fd,bk）,nextsize is second fffffffc(-4), so that "next_next_chunk" is (fffffffc,ffffffc,ffffffc,fd),check flag pre_inuse is 0. so we think "next_chunk" is freed and we can unlink "next chunk" (ffffffc,fffffffc,fd,bk) to attack. hope that it`s useful to you.

thanks! i understand!

Hi, as your explaination that the value "fffffffc " was used to bypass nullbytes? I think it's used to calculate something as well, however I can not catch what is it? and what is it for?

both of them, to calculate where is it` next chunk and make sure dlmalloc think it freed

Every program that runs on your computer, phone, etc has a heap. What's different is how the program is going to manage it. That's one for the reason there's so many programing language. Every language has its own way to deal with memory (or to let the programmer deals with it). In this case the code is written in C and not C++ but there are very close concerning memory: the developer has full control on it. It's one of the point that make C and C++ difficult but very efficient language. The issues here comes from the fact that the programmer lets the user uses the strcpy function. As you can see, that function has a lot of power in C/C++! One of the most important rule in IT security is: NETHER TRUST THE USER. Nether let him take control of a critical function and always check his input. In other language, like C# or javascript, you don't have to manage the memory yourself (or at least care about the heap). But that doesn't mean that you can't exploit the memory. Writing code that works is easy. Writing code that works in a efficient way is hard. Writing code that works in a secure and efficient way is a pain in the... In a few words: Every language deals with the heap, no one is perfectly secure, mainly because of the humans creating and using them.