
Most of my questions were answered in this post: "ASLR bypass with info leak".

However, I just want to know the process of getting the memory address from the information leak to then using it in the final exploit.

It seems to me that there is a two-step process involved:

  1. Use the first exploit to target the first vulnerability and get a memory address (printed to screen? What are the other ways?)

  2. "Copy and paste"? the address into the second exploit where it will compute the offsets required and send the second exploit targeting a second vulnerability, all this while the targeted process is still running (from step 1).

So it requires either some manual or automated method to pass the memory address from step 1 to step 2.

The part that I don't quite understand is how does one get from step 1 and pass the information to step 2?

localacct

1 Answer

Yes, it is indeed a two-step process. That means the target process must indeed provide some means for you to interact with it in multiple steps. Basic exploitation exercises are often limited in that they do not provide much in terms of interaction, but a real target will most often provide some means to establish a session or exchange messages. For example, if your target is a web server, you may send a bogus request to leak a dump of the stack. Then, with another request, you may exploit some write primitives to achieve code execution. Other typical examples include attacking the browser from JavaScript, or attacking the kernel from user space. In these cases, you would code a typical (or not so typical) program that performs service calls to the underlying platform in order to leak information (maybe written to some memory locations that you can read from your program) and eventually exploit some write primitives to gain code execution or whatever you want to achieve.

Information leaks in general could take any form. Any channel through which you can communicate with the server could leak information. Just a random example: imagine a PDF generation service that takes a doc file and creates a PDF. You may provide a bogus doc file that makes the service dump a chunk of heap or stack memory into the generated PDF, which you would then download, and then provide a second doc that completes the exploit.

In general, how you will go from step one to step two is heavily dependent on the target system and the kind of vulnerabilities being exploited. In many cases there will be way more than just two steps, so automation is not a bad idea. If automation is indeed an option, you may want to create a script that performs the steps in sequence. Back to the web server example, you could write some Python or Ruby script that sends the first request, reads the response, extracts relevant information, prepares the second request computing addresses where appropriate, and sends the final request to the server to finish exploitation.

user25972