n132/RetroverFlow
RetroverFlow

Retro Overflow: an exploitation primitive for memcpy() when you control its third parameter (the length).

tl;dr

Assume we control the third parameter of memcpy(dst, src, len) and can pass a negative value. The value is converted to size_t, so memcpy receives a huge length (for example, -0x100 becomes 0xffffffffffffff00 on a 64-bit target). Then

We can perform an arbitrary write of at most 0xa0 bytes at addresses lower than dst.

Note that this is a property of how glibc's vectorized memcpy/memmove implementation handles an oversized length, not something the C standard guarantees: a length larger than the destination is undefined behavior, and the exact bytes written depend on the libc version and the selected implementation.

Here is a picture that shows how memcpy works if we provide a negative length (figure: RetroverFlow).

In the stack demo, dst lies in the main function's stack frame, which sits at a higher address than the current function's frame. Because the write lands below dst, it reaches the current frame and lets us overwrite the current function's saved return address.

If that setup is too ideal, we can leak libc or heap addresses and then target libc or heap structures instead.

The example shows how we attacked the tcache management struct (tcache_perthread_struct). Other targets work too: for example, a freed tcache chunk, whose fd pointer we overwrite to link a fake chunk into the tcache bin (on glibc 2.32 and later, fd is protected by safe-linking, so a heap leak is needed to compute the mangled pointer).
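As an added illustration (this is not code from the RetroverFlow repository), the following C shows the vulnerable pattern the primitive relies on next to a hardened check. It demonstrates why a negative attacker-controlled length passes a naive signed comparison, what value memcpy actually receives after the int-to-size_t conversion, and how a check that rejects negative values and bounds the copy by the destination capacity closes the hole. The function names, BUF_SIZE and the sample buffers are assumptions made for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not the RetroverFlow repo's own code.
 * Assumption: the program receives a signed length (`int len`) from the
 * attacker, checks it against a maximum, and then hands it to memcpy(),
 * whose third parameter is size_t. */

#define BUF_SIZE 64   /* assumed destination capacity */

/* Vulnerable check: a signed comparison lets negative lengths through.
 * -0x100 <= BUF_SIZE is true, so the function returns 1 (allowed). */
int buggy_len_ok(int len) {
    return len <= BUF_SIZE;
}

/* What memcpy actually sees: the implicit int -> size_t conversion
 * turns -0x100 into SIZE_MAX - 0xff (0xffffffffffffff00 on 64-bit). */
size_t len_as_seen_by_memcpy(int len) {
    return (size_t)len;
}

/* Vulnerable copy: the pattern the README attacks. Do not call this with
 * a negative length; memcpy then receives the huge size_t above and, on
 * glibc, produces the out-of-bounds write below dst the README describes. */
void vulnerable_copy(char *dst, const char *src, int len) {
    if (!buggy_len_ok(len))
        return;
    memcpy(dst, src, len);   /* len converted to size_t right here */
}

/* Hardened copy: reject negative values before any conversion happens and
 * bound the copy by the destination capacity. Returns the number of bytes
 * copied, or -1 if the request was rejected. */
long safe_copy(char *dst, size_t dst_cap, const char *src, long len) {
    if (len < 0)
        return -1;
    if ((size_t)len > dst_cap)
        return -1;
    memcpy(dst, src, (size_t)len);
    return len;
}

/* End-to-end check of the hardened path on constructed buffers: copies
 * `len` 'A' bytes into a zeroed local buffer. Returns the byte count on
 * success, -1 if safe_copy rejected the request, -2 if the destination
 * does not contain exactly the expected bytes afterwards. */
long try_safe_copy(long len) {
    char src[BUF_SIZE], dst[BUF_SIZE];
    memset(src, 'A', sizeof src);
    memset(dst, 0, sizeof dst);
    long n = safe_copy(dst, sizeof dst, src, len);
    if (n < 0)
        return n;
    for (long i = 0; i < n; i++)
        if (dst[i] != 'A')
            return -2;
    for (long i = n; i < BUF_SIZE; i++)
        if (dst[i] != 0)
            return -2;
    return n;
}

int main(void) {
    printf("buggy check accepts -0x100: %d\n", buggy_len_ok(-0x100));
    printf("memcpy would receive len = %#zx\n", len_as_seen_by_memcpy(-0x100));
    printf("safe_copy(-0x100)        -> %ld\n", try_safe_copy(-0x100));
    printf("safe_copy(BUF_SIZE + 1)  -> %ld\n", try_safe_copy(BUF_SIZE + 1));
    printf("safe_copy(16)            -> %ld\n", try_safe_copy(16));
    return 0;
}
```

The important design point is that the length must be validated while it is still signed: once it reaches a size_t parameter, -0x100 is indistinguishable from a legitimately enormous length, and the only thing left between the attacker and the write is the libc implementation's behavior on an absurd size.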

Acknowledge
