- Alphanumeric shellcoding.

- PIE on, and full RELRO.
- Use the printf weakness where the input is not NULL-terminated to leak the PIE base, a stack address, and libc.
- Use the vulnerability to do a stack overflow.
- The overflow only reaches the return address (room for a single gadget), so use the magic gadget in libc or do stack migration for ret2libc.

- Advanced format string attack.
- All protections are enabled. The fmt buf is at a global.
- Because of full RELRO, you can't do GOT hijacking.
- First fmt: leak a stack address and the libc base.
- Second fmt: forge the last two bytes of rbp.
- Overwrite the return address of _IO_vfprintf_internal with one gadget.

- _dl_make_stack_executable.
- Socket shellcoding.
- Reverse shell.

- Double free.
- Fastbin attack.
- GOT hijacking.

- add_name overflow overwrites the top chunk size.
- House of Force to overwrite a data pointer.
- Leak libc and overwrite __malloc_hook.
- Leave message triggers shell.

- realloc() trick.
- Fastbin attack to increase size.

- Heap overflow.
- sysmalloc trick.
- Unsorted bin attack to a data pointer.
- Forge top chunk pointer.
- __malloc_hook -> one.