| description | cover | coverY |
|---|---|---|
10/12/2023 |
222 |
This is an area of memory that is used for dynamic allocation.
- This is allocated space that is unknown at compile time
(e.g.): malloc() -- Consists of a lot of functionality behind how it operates in order to do its job of space and runtime complexity.
- As a result, this gives us a large attack surface
- We could achieve a null-byte overflow that can lead to RCE
"In order to attack the heap, you must understand how certain parts of the heap works."
.png)
- The text section consists of machine instructions
- The heap is dynamic data
- The stack consists of static data
The Stack is handled/managed by the compiler.
The Heap is handled/managed by the programmer.
{% embed url="https://github.com/shellphish/how2heap" %}
Both located within the libc library.
This is a Linux feature within the Dynamic Linker that allows users to preload shared object files into the address space of a process prior to execution.
Different versions of libc will mean different versions of standard functions. Ultimately, leading to different behaviors in the heap.
During exploitation, be sure you are using the right libc version.
We can use LD_PRELOAD for this.
This will first load shared libraries that are in LD_PRELOAD.
However, in secure-execution mode, entries in LD_PRELOAD can be ignored.
{% embed url="https://stackoverflow.com/questions/426230/what-is-the-ld-preload-trick" %}
{% embed url="https://www.baeldung.com/linux/ld_preload-trick-what-is" %}
"The
LD_PRELOADtrick is a useful technique to influence the linkage of shared libraries and the resolution of symbols (functions) at runtime. To explain****LD_PRELOAD, let’s first discuss a bit about libraries in the Linux system.In brief, a library is a collection of compiled functions. We can make use of these functions in our programs without rewriting the same functionality. This can be achieved by either including the library code in our program (static library) or by linking dynamically at runtime (shared library).
Using static libraries, we can build standalone programs. On the other hand, programs built with a shared library require runtime** linker/loader ****support. For this reason, before executing a program, all required symbols are loaded and the program is prepared for execution."**
Libraries can be overwritten.
We can see LD_PRELOAD in action using the ldd command. This command is helpful for listing runtime dependencies of a binary program or shared library.
Using ldd, we can a specified program's depended libraries.
Keep in mind that LD_PRELOAD is an environment variable and it only affects the current process.
Therefore, we will only use absolute paths.
More coming soon.