Closed n132 closed 2 years ago
There are at least three known ways to fully recover the leaked value:
I think there are at least three sets of information that can lead to full pointer recovery:
- knowing that the address and the stored pointer are on the same page
- knowing the offset between the address and the stored pointer
- knowing the address's and the pointer's offsets to the heap base (from one of the PR reviewers)
According to these three ways, I think these three sets have the following relation, and the solver of set2 is the strongest because it can solve cases for all three sets.
Relation:
First, let's define these three Sets:
| Set | Condition 0 | Condition 1 | Condition 2 |
|---|---|---|---|
| Set1 | Encoded Leaked Data | PAGE_OFF == 0 | - |
| Set2 | Encoded Leaked Data | PAGE_OFF | - |
| Set3 | Encoded Leaked Data | Address's OFFSET to HEAPBASE | Value's OFFSET to HEAPBASE |
It's easy to see: assume there is a function solver(leaked, Pageoff) which can solve cases for set2. It can also solve cases in set1 and set3.
This demo shows that a solver for set2 exists.
For this PR, I just want to fix this wrong statement, "Otherwise, a little bit of brute force is required.", because the address and the value are on the same page. So I don't want to make it too complex.
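The three sets above, worked through as an added example (this is not code from how2heap, and not n132's Dec-Safe-Linking decoder): `safe_link` is the glibc PROTECT_PTR arithmetic `(addr >> 12) ^ ptr`; `decode` recovers the pointer from the leaked fd and PAGE_OFF, taken here to mean the page-number difference `(addr >> 12) - (ptr >> 12)` between the fd field's address and the pointer stored in it; `page_off_from_heap_offsets` is the Set3 to Set2 reduction, and PAGE_OFF == 0 is Set1. The method used here is not the linked decoder's: it walks 12-bit windows from the top, enumerates the four unknown carries of the addition `(ptr >> 12) + PAGE_OFF` (16 hypotheses) and keeps only candidates that re-encode to the leak. All function names and the sample addresses are this example's own.

```python
# Safe-Linking (glibc >= 2.32) decoder for the three "sets" discussed above.
# Added example, not how2heap code and not the Dec-Safe-Linking repo's method.
# Model: leaked = (addr >> 12) ^ ptr, addr = location of the fd field,
# ptr = value stored there. Known: leaked and PAGE_OFF = (addr >> 12) - (ptr >> 12).
from itertools import product

MASK52 = (1 << 52) - 1   # addr >> 12 fits in 52 bits for any 64-bit addr
MASK64 = (1 << 64) - 1


def safe_link(addr: int, ptr: int) -> int:
    """glibc PROTECT_PTR: what the allocator actually stores in fd."""
    return ((addr >> 12) ^ ptr) & MASK64


def page_off_from_heap_offsets(addr_off: int, ptr_off: int) -> int:
    """Set3 -> Set2: the heap base is page aligned, so the page-number
    difference depends only on the two offsets to the heap base."""
    return (addr_off >> 12) - (ptr_off >> 12)


def decode(leaked: int, page_off: int) -> list:
    """Return every ptr consistent with (leaked, page_off).

    Let Q = ptr >> 12 and K = addr >> 12 = Q + page_off. Bits 52..63 of K
    are zero, so bits 52..63 of ptr are read straight from the leak. Each
    lower 12-bit window of K is (window of Q) + (window of page_off) +
    carry-in, where the window of Q is already known (it is a higher window
    of ptr) but the carry-in depends on bits not recovered yet. Enumerate
    the four unknown carries and verify by re-encoding. PAGE_OFF == 0
    (same page, Set1) is the special case where every carry is 0.
    """
    dm = page_off & MASK52           # two's complement in 52 bits
    found = []
    for carries in product((0, 1), repeat=4):
        ptr = (leaked >> 52) << 52   # K[52:64] == 0, so ptr[52:64] == leaked[52:64]
        lo = 52                      # ptr bits [lo, 64) are known
        carry_iter = iter(carries)
        while lo > 0:
            width = min(12, lo)
            hi = lo - width
            mask = (1 << width) - 1
            q_win = (ptr >> (hi + 12)) & mask          # Q[hi:hi+w] == ptr[hi+12:hi+12+w]
            c = 0 if hi == 0 else next(carry_iter)     # no carry into bit 0
            k_win = (q_win + ((dm >> hi) & mask) + c) & mask
            ptr |= (((leaked >> hi) & mask) ^ k_win) << hi
            lo = hi
        k = ((ptr >> 12) + dm) & MASK52                # recompute addr >> 12
        if (k ^ ptr) == leaked and ptr not in found:
            found.append(ptr)
    return found


if __name__ == "__main__":
    # Constructed sample: fd field at 0x55555555a2f0 holding 0x555555562010,
    # which is 8 pages lower than the pointer it stores.
    addr, ptr = 0x55555555a2f0, 0x555555562010
    leaked = safe_link(addr, ptr)
    page_off = page_off_from_heap_offsets(addr - 0x555555555000, ptr - 0x555555555000)
    print(hex(leaked), page_off, [hex(p) for p in decode(leaked, page_off)])
```

For a same-page leak pass `page_off=0`; the result is then unique because `ptr -> (ptr >> 12) ^ ptr` is a bijection. For a cross-page leak the verification step normally leaves a single candidate as well, but the function returns a list so that a caller can check rather than assume.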
Thanks for the contribution! The generic leak technique is pretty nice.
Hi how2heap:
So excited to create my first PR here!
I wrote a decoder for chunks that are not on the same page.
https://github.com/n132/Dec-Safe-Linking
In short, with the page offset and the in-page offset (last 12 bits), we don't need brute force to recover the fd. By the way, these values are easy to get.
Best, n132