Array Indexing
[AD REMOVED]
Basic Information
This category includes all vulnerabilities that occur because it is possible to overwrite certain data through errors in the handling of indexes in arrays. It's a very wide category with no specific methodology as the exploitation mechanism relays completely on the conditions of the vulnerability.
However he you can find some nice examples:
- https://guyinatuxedo.github.io/11-index/swampctf19_dreamheaps/index.html
- There are 2 colliding arrays, one for addresses where data is stored and one with the sizes of that data. It's possible to overwrite one from the other, enabling to write an arbitrary address indicating it as a size. This allows to write the address of the
free
function in the GOT table and then overwrite it with the address tosystem
, and call free from a memory with/bin/sh
. - https://guyinatuxedo.github.io/11-index/csaw18_doubletrouble/index.html
- 64 bits, no nx. Overwrite a size to get a kind of buffer overflow where every thing is going to be used a double number and sorted from smallest to biggest so it's needed to create a shellcode that fulfil that requirement, taking into account that the canary shouldn't be moved from it's position and finally overwriting the RIP with an address to ret, that fulfil he previous requirements and putting the biggest address a new address pointing to the start of the stack (leaked by the program) so it's possible to use the ret to jump there.
- https://faraz.faith/2019-10-20-secconctf-2019-sum/
- 64bits, no relro, canary, nx, no pie. There is an off-by-one in an array in the stack that allows to control a pointer granting WWW (it write the sum of all the numbers of the array in the overwritten address by the of-by-one in the array). The stack is controlled so the GOT
exit
address is overwritten withpop rdi; ret
, and in the stack is added the address tomain
(looping back tomain
). The a ROP chain to leak the address of put in the GOT using puts is used (exit
will be called so it will callpop rdi; ret
therefore executing this chain in the stack). Finally a new ROP chain executing ret2lib is used. - https://guyinatuxedo.github.io/14-ret_2_system/tu_guestbook/index.html
- 32 bit, no relro, no canary, nx, pie. Abuse a bad indexing to leak addresses of libc and heap from the stack. Abuse the buffer overflow o do a ret2lib calling
system('/bin/sh')
(the heap address is needed to bypass a check).