hacktricks/binary-exploitation/array-indexing.md
2024-12-12 11:39:29 +01:00

3.8 KiB

Array Indexing

{% hint style="success" %} Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)

Support HackTricks
{% endhint %}

Basic Information

This category includes all vulnerabilities that occur because it is possible to overwrite certain data through errors in the handling of indexes in arrays. It's a very wide category with no specific methodology as the exploitation mechanism relays completely on the conditions of the vulnerability.

However he you can find some nice examples:

  • https://guyinatuxedo.github.io/11-index/swampctf19_dreamheaps/index.html
    • There are 2 colliding arrays, one for addresses where data is stored and one with the sizes of that data. It's possible to overwrite one from the other, enabling to write an arbitrary address indicating it as a size. This allows to write the address of the free function in the GOT table and then overwrite it with the address to system, and call free from a memory with /bin/sh.
  • https://guyinatuxedo.github.io/11-index/csaw18_doubletrouble/index.html
    • 64 bits, no nx. Overwrite a size to get a kind of buffer overflow where every thing is going to be used a double number and sorted from smallest to biggest so it's needed to create a shellcode that fulfil that requirement, taking into account that the canary shouldn't be moved from it's position and finally overwriting the RIP with an address to ret, that fulfil he previous requirements and putting the biggest address a new address pointing to the start of the stack (leaked by the program) so it's possible to use the ret to jump there.
  • https://faraz.faith/2019-10-20-secconctf-2019-sum/
    • 64bits, no relro, canary, nx, no pie. There is an off-by-one in an array in the stack that allows to control a pointer granting WWW (it write the sum of all the numbers of the array in the overwritten address by the of-by-one in the array). The stack is controlled so the GOT exit address is overwritten with pop rdi; ret, and in the stack is added the address to main (looping back to main). The a ROP chain to leak the address of put in the GOT using puts is used (exit will be called so it will call pop rdi; ret therefore executing this chain in the stack). Finally a new ROP chain executing ret2lib is used.
  • https://guyinatuxedo.github.io/14-ret_2_system/tu_guestbook/index.html
    • 32 bit, no relro, no canary, nx, pie. Abuse a bad indexing to leak addresses of libc and heap from the stack. Abuse the buffer overflow o do a ret2lib calling system('/bin/sh') (the heap address is needed to bypass a check).