n132
commented
2 years ago Ways to recover the leaked value
There are at least three known ways to fully recover the leaked value:
I think there are at least three sets of information that can lead to full pointer recovery:
- knowing the address and the stored pointer are on the same page
- knowing the offset between the address and the stored pointer
- knowing the address's and the pointer's offset to the heap base (from one of the pr reviewers)
TL;DR
According to these three ways, I think these three sets have the following relation and the solver of set2 is the strongest cuz it can solve cases for all three sets.
Relation:
- Set1 and set3 have common parts and their own unique parts
- Set2 contains the union of set1 and set3
Explanation:
First, let's define these three Sets:
| Set | Condition 0 | Condition 1 | Condition 2 |
|---|---|---|---|
| Set1 | Encoded Leaked Data | PAGE_OFF == 0 | - |
| Set2 | Encoded Leaked Data | PAGE_OFF | - |
| Set3 | Encoded Leaked Data | Address's OFFSET to HEAPBASE | Value's OFFSET to HEAPBASE |
It's easy to find:
- Set1 is a subset of set2
- All cases in set3 are in set2
- Cases in set1 may not be in set3, and vice versa
Assume there is a function solver(leaked, Pageoff) which could solve cases for set2. It can also solve cases in set1 and set3.
- For set1, solver(leaked,0)
- For set3, solver(leaked,(v1-v2)>>12)
This demo shows solver of set2 exists.
PR
For this pr, I just want to fix this wrong statement "Otherwise, a little bit of brute force is required." cuz
- Your original solution is a very precise solver.
- For most cases, the
addressand thevalueare on the same page. - Also, the decoder is easy to understand.
So I don't want to make it too complex.
Kyle-Kyle
Hi how2heap:
So excited to create my first PR here!
I wrote a decoder for chunks that are not on the same page.
https://github.com/n132/Dec-Safe-Linking
Shortly, with the page offset and in-page offset(last 12bits), We don't need brute force to recover the fd. Btw, these values are easy to get.
Best, n132