Posts

Showing posts from August, 2019

Cryptopals Challenge 23: Clone an MT19937 RNG from its output

I've recently gotten the cryptography bug. I would highly recommend working through the challenges at http://cryptopals.com . The challenges give insight and practice into real attacks on weak cryptosystems. Personally, I'm onto set 4, but I skipped the Mersenne Twister (MT) RNG to get there. Today I went back to those challenges and in this blog post I present my solution to challenge 23. The Mersenne Twister generates pseudorandom numbers. It would be nice as an attacker to be able to predict future numbers by looking only at the earlier output of the MT random number generator. Firstly, an earlier challenge is to simply get an MT RNG working. I stole the code from https://github.com/james727/MTP . Is it bad that I copied the code? No. You will see there is much work that needs to be done to break the MT RNG. The key insight into the MT19937 RNG is that the complete internal state consists of 624 32-bit integers. If you can clone these integers, you can predict any futu

Linux Heap House of Force Exploitation

In this paper, I introduce the reader to a heap metadata corruption against a recent version of the Linux Heap allocator in glibc 2.27. The House of Force attack is a known technique that requires a buffer overflow to overwrite the top chunk size. An attacker must then be able to malloc an arbitrary size of memory. The result is that it is possible to make a later malloc return an arbitrary pointer. With appropriate application logic, this attack can be used in exploitation. This attack has been mitigated in the latest glibc 2.29 but is still exploitable in glibc 2.27 as seen in Ubuntu 18.04 LTS. Linux Heap House of Force Exploitation.PDF

Linux Heap Calloc Exploitation part 2

In this paper, I introduce the reader to a heap metadata corruption against the most current version of the Linux Heap allocator. Normally, calloc will allocate data and zero out the memory before returning a pointer to it. An attacker that can overflow from one chunk into a free chunk in a fast bin can force calloc to return uninitialised data. This information leak could be utilised to defeat ASLR or expose sensitive information. Linux Heap Calloc Exploitation part 2.PDF

Linux Heap Calloc Exploitation

In this paper, I introduce the reader to a heap metadata corruption against a recent version of the Linux Heap allocator before the introduction of the tcache. Normally, calloc will allocate data and zero out the memory before returning a pointer to it. An attacker that can overflow from one chunk into a free chunk can force calloc to return uninitialised data. This information leak could be utilised to defeat ASLR or expose sensitive information. Linux Heap Calloc Exploitation.PDF

Linux Heap Overlapping Chunks Exploitation

In this paper, I introduce the reader to a heap metadata corruption against the current Linux Heap Allocator, ptmalloc. An attacker that can overflow from one chunk into the next allocated chunk can force ptmalloc to return overlapping allocations. Given the appropriate application logic, this can lead to exploitation. This attack is known and is documented in various outlets. Linux Heap Overlapping Chunks Exploitation.PDF

Linux Heap Fast Bin Double Free Exploitation

In this paper, I introduce the reader to a heap metadata corruption against the current Linux Heap Allocator. An attacker that forces the application to perform a double free can manipulate it to make malloc return an arbitrary pointer in one instance and a duplicate pointer in another instance. Given the appropriate application logic, this can lead to exploitation. Linux Heap Fast Bin Double Free Exploitation.PDF