Open bl4ckh0l3z opened 3 years ago
bl4ckh0l3z
commented
3 years ago Regarding the heap grooming, is there any chance to move from tcache to fastbins abuse?
Unfortunately too many OS are equipped with glibc < 2.26...so we won't able to leverage this exploit on them.
Thanks in advance and congrats for this amazing exploit!
Someone did it, then fingers crossed... Just food for thought
blasty
commented
3 years ago Hey guys, I've not had much time to look at any of this. It seems the majority of issues being created are in the form of "HALP PLZ SUPPORT DISTRO I NEED 2 HAX!1!!!". I'm not sure what I expected when I uploaded exploit source code to Github. ;-)
That said, the writeup in the comment above (by @sleepya on Twitter) is pretty interesting. I briefly played with his CentOS 7 approach last night and did notice I was able to get userspec objects that were after the userargs buffer that is being overflowed. Unfortunately I would always trigger some heap metadata corruption checks before the overwritten userspec object data was being used. I tried applying the varying grooming primitives (TZ=: and ; in LC*) he talks about in his writeup in a bruteforce fashion, but it didn't seem to make much of a difference. If anyone makes any progress on this let us know!
faik-sevim
commented
3 years ago Hi guys, thanks for your attention I will write up here if i can find anything benefical.
Regarding the heap grooming, is there any chance to move from tcache to fastbins abuse?
Unfortunately too many OS are equipped with glibc < 2.26...so we won't able to leverage this exploit on them.
Thanks in advance and congrats for this amazing exploit!