Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Centos 6.10 version is not adapted #15

Open
cxy-uestc opened this issue Feb 9, 2021 · 5 comments
Open

Centos 6.10 version is not adapted #15

cxy-uestc opened this issue Feb 9, 2021 · 5 comments

Comments

@cxy-uestc
Copy link

Hi
Could you give the method for the Centos 6.10 target? The latest sudo version is 1.8.6p3-29.el6 on Centos6
Hope for you reply! Thank you very much!
@alfax1
Copy link

alfax1 commented Feb 9, 2021

@cxy-uestc what is the glibc version?

you can find it by typing:
ldd --version

@faik-sevim
Copy link

faik-sevim commented Feb 14, 2021
edited
Loading

same issue my libc version is 2.17 can you suggest something ? I will be appreciated for your help.

@alfax1
Copy link

alfax1 commented Feb 16, 2021

@abrekcoin any thing of glibc < 2.26 cannot work with these current pocs of blasty and lockedbyte and stong.....
they need some tweaking and there is an implementation thats missing in these versions which is tcache, meaning it needs a new approach to exploit under those versions and distros.
Simply saying changing offsets is not going to work alone.

@an0n5urf
Copy link

@abrekcoin any thing of glibc < 2.26 cannot work with these current pocs of blasty and lockedbyte and stong.....
they need some tweaking and there is an implementation thats missing in these versions which is tcache, meaning it needs a new approach to exploit under those versions and distros.
Simply saying changing offsets is not going to work alone.

I was trying to exploit Centos 7. After the call to setlocale(), I found that there were very few "holes" being created in the heap. I was able to create a fastbin of any desirable size, but this fastbin got allocated before the call to (e)malloc in set_cmnd() so that the heap overflow could occur. Any ideas how to create more holes?

@alfax1
Copy link

alfax1 commented Feb 19, 2021
edited
Loading

@an0n5urf well that is the question i said to blasty but he still didn't reply,

Maybe it's the fact most issues requested custom version support so it got ignored i don't know.

But, like I said, I filled all fast bins but couldn't allocate more than a bin of a custom size
Example:
pwndbg> fastbins
0x20: 0x0
....
0x80: But couldn't create more than 1 free address of the same 0x80 fastbin type, and eventually it got taken even before reaching set_cmnd()'s malloc

if you manage to create more than 1 chunk per bin type, please let me know here. Maybe it's the last key needed for a complete exploit in older glibc versions.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@cxy-uestc @an0n5urf @faik-sevim @alfax1