| description |
|---|
10-16-2023 |
The write-what-where vulnerability is the ability to perform arbitrary writes to an attacker-controlled destination.
Write whatever data you want, whenever you want, wherever you want.
This occurs when programs fail to utilize the heap correctly or make use of free() properly.
Info that is overwritten in the heap-portion of memory can allow an attacker to be able to overwrite a pointer and write/place whatever you want on the heap.
It is possible to overwrite a pointer in the Global Offset Table (GOT).
This is done by calling malloc() on your data and having it called by taking advantage of a dangling pointer that has not been freed with free().
i1 = malloc(sizeof(struct internet));
i1->priority = 1;
i1->name = malloc(8);
i2 = malloc(sizeof(struct internet));
i2->priority = 2;
i2->name = malloc(8);
strcpy(i1->name, argv[1]);
strcpy(i2->name, argv[2]);So, how exactly does it happen in this example?
Notice how the i1 and i2 structures are exactly the same. With this knowledge, they end up being allocated directly next to each other in memory.
Furthermore, there are no bounds checking being done on the input meaning that we can overflow the copy instruction (i1->name) buffer into the i2 structure which controls the pointers in i2.
Since the i2->name address is used in the second strcpy() call, this gives us the ability to write to whatever location in memory we choose as long as we don't use null bytes (since we are using strcpy().
This is an example of a "rogue strcpy()".
We can attack this a few different ways, but we can overwrite a saved base pointer on the stack and point the stack to an attacker-controlled data point where we have our ROP chain.