House of Roman: Using Unsorted Bin Attack to achieve a leakless RCE on PIE Binaries

Cite

DEF CON

Sharma, Sanat

Formal Metadata

Title

House of Roman: Using Unsorted Bin Attack to achieve a leakless RCE on PIE Binaries

Alternative Title

House of Roman: a Leakless Heap Fengshui to Achieve RCE on PIE Binaries

Title of Series

DEF CON 26

Number of Parts

322

Author

Sharma, Sanat

License

CC Attribution 3.0 Unported:
You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.

Identifiers

10.5446/39734 (DOI)

Publisher

DEF CON

Release Date

2018

Language

English

Content Metadata

Subject Area

Computer Science

Genre

Conference/Talk

Abstract

Regarding ptmalloc2, many heap exploitation techniques have been invented in the recent years, well documented on the famous how2heap repository, or as writeups of famous CTF challenges (like House of Orange). However, most of them require atleast a libc/heap leak , or fail in non-PIE binaries. My new technique titled House of Roman leverages a single bug to gain shell leaklessly on a PIE enabled Binary. I shall showcase the ease of aligning the heap to perform this attack, thus demonstrating its versatility. Since this a 20 mins talk, attendees should be aware of basic heap exploitation techniques, like fastbin attacks and unsorted bin attacks, and have a general idea of how the ptmalloc2 algorithm works. As a bonus, I also discuss how to land a fastbin chunk in memory regions with no size alignment (like __free_hook ).