Comments on: Defeating the Matasano C++ Challenge with ASLR enabled

By: Joe Damato (ice799)

Joe Damato (ice799) — Tue, 24 Nov 2009 04:56:11 +0000

You are correct. o[2] takes up space outside of the allocated range (and is “laying on top” of the imetad). Don't forget to include glibc malloc metadata overhead in your calculations, too :)

By: ice799

ice799 — Mon, 23 Nov 2009 20:56:11 +0000

You are correct. o[2] takes up space outside of the allocated range (and is “laying on top” of the imetad). Don't forget to include glibc malloc metadata overhead in your calculations, too :)

By: Roman

Roman — Sun, 15 Nov 2009 04:53:42 +0000

I think it's because 20 is actually the number of bytes getting allocated, not the number of object instances. So, the first object 'o[0]' takes up bytes 1-12, the second object 'o[1]' takes up bytes 13-24, and the third object 'o[2]' takes up bytes 25-36 which are already outside the allocated range.

But, if the allocation goes that way I described it, wouldn't this produce a 4 byte offset? Wouldn't an 'imetad' structure be constructed at byte 21, and o[3] at byte 25, and then the 'type' and 'callback' which are both offset by 4 bytes wouldn't line up?

I'm think I'm wrong somewhere in my understanding, if anyone could please correct me.

By: Anthony Lineberry

Anthony Lineberry — Wed, 21 Oct 2009 05:00:36 +0000

Agreed, but I know that the C spec for allocating memory states something like “no less than the specified size requested”, or something along those lines. Not sure about C++, though. Either way, I still view this as a compiler bug, as its not quite the same as a explicitly calling malloc(num_of_objs * sizeof(obj)) in C, where the programmer should most definitely know to use a sanity check. Its happening under the hood, and the ” * sizeof(obj)” is sort of internal. But yes, the programmer should use a sanity check. But ultimately I think this should be addressed elsewhere. Could be argued either way though.

By: Harry

Harry — Mon, 19 Oct 2009 15:06:40 +0000

Hi. Really well explained but one thing still not clear. You wrote, when i = 2, o[i] will be pointing at the struct imetad object on the heap. How did you come to the the number 2 ? I thought that if you are passing 20 to the new operator, the first 20 objects (objs) must be valid and their VAs are sequential. “i” should be more than number 20 in my opinion. Could you please explain?

By: ice799

ice799 — Mon, 19 Oct 2009 00:54:16 +0000

http://www.deanlee.cn/wordpress/google-code-pre... is the plugin I use. I hacked up the CSS a bit to get the color scheme you see above. Thanks for reading!

By: Marcos Álvares

Marcos Álvares — Sun, 18 Oct 2009 23:56:17 +0000

Great job Joe ! So … i have one non technical question: what is this wordpress plugin to put a piece of code with syntax highlight?

thank you.

By: h4×0r weekly « Fairweatherhero's Blog

h4×0r weekly « Fairweatherhero's Blog — Sat, 17 Oct 2009 17:05:02 +0000

[...] h4×0r weekly One writeup of the Matasano challenge. http://timetobleed.com/defeating-the-matasano-c-challenge-with-aslr-enabled/ [...]

By: Justin W.

Justin W. — Sat, 17 Oct 2009 08:09:52 +0000

A beautifully disected hack. Keep up the blogging!

Perhaps you might be able to apply this to some reasonably popular open source apps?

By: ice799

ice799 — Sat, 17 Oct 2009 05:50:05 +0000

Nope. The programmer should have used a sane check before calling new. That would have prevented this bug from happening. Thanks for reading.