Question 14
8 pts
Suppose we are performing a use-after-free attack on fast bins, and the current
vulnerable program has the following memory layout:
pwndbg> p &__malloc_hook
$1 = (void *(**)(size_t, const void *)) 0xf7e2db34 <__malloc_hook>
pwndbg> x/100x 0xf7e2db30
0xf7e2db30 <__realloc_hook>:
0xf7e2db40 <__after_morecore_hook>:
0xf7e2db50 <tcache_key>:
0xf7e2db60 <free_list>:
0xf7e2db70 <__always_fail_morecore>:
0xf7e2db80 <olds.0>:
0xf7e2db90:
0xf7e2dba0 <state.0>:
0xf7e2dbb0 <state.0+16>:
0xf7e2dbc0 <rdata.1>:
0xf7e2dbd0 <rdata.1+16>:
0xf7e2dbe0 <x86_string_control>:
0xf7e2dbf0 <internal+4>:
0xf7e2dc00 <state+4>:
0xf7e2dc10 <state+4>:
0xf7e2dc20 <state+4>:
0xf7e2dc30 <state+4>:
0xf7e2dc40 <state+4>:
0xf7e2dc50:
0xf7e2dc60 <result>:
0xf7e2dc70 <result+16>:
0xf7e2dc80 <result+32>:
0xf7e2dc90 <result+48>:
0xf7e2dca0 <result+64>:
0xf7e2dcb0 <result+80>:
(1)
The function name we used to overwrite the forward pointer in the first chunk
of fast bins in our example attack in the lecture is:
malloc
(please fill in the exact name of the function, all lowercase letters without any
special characters except underscores)
(2)
If we use the address 0xf7e2db34 (the location of the function pointer
__malloc_hook) to overwrite the forward pointer in the first chunk of fast bins,
the start address of the victim chunk is:
0xf7e2db34
(Please fill in with a string starting with 0x followed by 8 hexadecimal digits)
(3)
If we use the address of the variable __realloc_hook to overwrite the forward
pointer in the first chunk of fast bins, the start address of the victim chunk is:
0xf7e2db30
(Please fill in with a string starting with 0x followed by 8 hexadecimal digits)
(4)
Suppose we trigger the control-flow hijack by calling realloc instead of malloc
in the last step of the attack; the start address of the victim chunk is:
0xf7e2db30
(Please fill in with a string starting with 0x followed by 8 hexadecimal digits)
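The reasoning behind (2) to (4) can be checked mechanically: the value written over the fd pointer is the start address of the victim chunk, malloc hands back chunk + 2*SIZE_SZ (8 bytes further on i386), and before doing so glibc checks that the size word at victim + 4 falls into the same fastbin as the request. The C program below is an added example, not code from the question or the lecture; it models that check for i386 glibc (SIZE_SZ 4, MALLOC_ALIGNMENT 16, the classic fastbin path without safe-linking or the misaligned-chunk check added in glibc 2.32) over a constructed 48-byte memory image that reuses the addresses from the dump above but not its word values, which the page does not reproduce. The request size 24, the hook addresses taken from the dump and the 0x20 word planted at 0xf7e2db2c are assumptions of the example.

```c
/*
 * Model of the 32-bit glibc fastbin sanity check that a fake "victim" chunk
 * must pass once its address has been written over the fd pointer of a freed
 * fast chunk (the use-after-free fastbin attack in the question).
 * Added example, not code from the question. Assumptions: i386 glibc with
 * SIZE_SZ == 4 and MALLOC_ALIGNMENT == 16 (glibc >= 2.26); only the classic
 * fastbin_index(chunksize(victim)) == idx check (no safe-linking, no
 * misaligned-chunk check); the memory image is constructed and reuses the
 * dump's addresses but not its (unshown) word values.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define SIZE_SZ            4u
#define MALLOC_ALIGNMENT   16u
#define MALLOC_ALIGN_MASK  (MALLOC_ALIGNMENT - 1u)
#define MINSIZE            16u                   /* smallest chunk, already 16-aligned */
#define SIZE_BITS          7u                    /* PREV_INUSE | IS_MMAPPED | NON_MAIN_ARENA */
#define DEFAULT_MXFAST     (64u * SIZE_SZ / 4u)  /* global_max_fast default: 64 bytes */

#define REALLOC_HOOK_ADDR  0xf7e2db30u           /* &__realloc_hook in the question's dump */
#define MALLOC_HOOK_ADDR   0xf7e2db34u           /* &__malloc_hook  in the question's dump */

/* Constructed 48-byte image standing in for libc's .data around the hooks. */
#define IMG_BASE   0xf7e2db20u
#define IMG_WORDS  12u
static const uint32_t image[IMG_WORDS] = {
    /* 0xf7e2db20 */ 0x00000000, 0x00000000,
    /* 0xf7e2db28 */ 0x00000000, 0x00000020,  /* planted: 0x20 at 0xf7e2db2c reads as a fast size */
    /* 0xf7e2db30 */ 0x00000000, 0x00000000,  /* __realloc_hook, __malloc_hook (NULL while unset) */
    /* 0xf7e2db38 */ 0x00000000, 0x00000000,
    /* 0xf7e2db40 */ 0x00000000, 0x00000000,
    /* 0xf7e2db48 */ 0x00000000, 0x00000000,
};

/* glibc's request2size(): add the header, round up to MALLOC_ALIGNMENT. */
uint32_t request2size(uint32_t req)
{
    uint32_t nb = req + SIZE_SZ + MALLOC_ALIGN_MASK;
    return nb < MINSIZE ? MINSIZE : (nb & ~MALLOC_ALIGN_MASK);
}

/* glibc's fastbin_index() for SIZE_SZ == 4; wraps for sz < 16 like the real macro. */
uint32_t fastbin_index(uint32_t sz)
{
    return (sz >> 3) - 2u;
}

/* Read one word of the constructed image; 0 if addr is outside it or unaligned. */
static int read_word(uint32_t addr, uint32_t *out)
{
    if (addr % 4u != 0 || addr < IMG_BASE || addr - IMG_BASE + 4u > 4u * IMG_WORDS)
        return 0;
    *out = image[(addr - IMG_BASE) / 4u];
    return 1;
}

/* 1 if malloc(req) would hand out `victim` from the fastbin, 0 if glibc would
 * abort with "malloc(): memory corruption (fast)" or not use fastbins at all. */
int fastbin_victim_passes(uint32_t victim, uint32_t req)
{
    uint32_t nb = request2size(req), size_word;
    if (nb > DEFAULT_MXFAST)                    /* request too large for the fastbin path */
        return 0;
    if (!read_word(victim + SIZE_SZ, &size_word))
        return 0;
    return fastbin_index(size_word & ~SIZE_BITS) == fastbin_index(nb);
}

/* chunk2mem(): the pointer malloc returns for a chunk starting at `victim`. */
uint32_t user_pointer(uint32_t victim)
{
    return victim + 2u * SIZE_SZ;
}

/* Offset into the returned buffer at which a write lands on `target` (e.g.
 * __malloc_hook); negative means the target lies before the buffer. */
int64_t write_offset_for(uint32_t victim, uint32_t target)
{
    return (int64_t)target - (int64_t)user_pointer(victim);
}

/* Scan every 4-byte-aligned address of the image for chunks that pass the check
 * for malloc(req). Returns the number found; stores up to `cap` of them in out. */
size_t find_victims(uint32_t req, uint32_t *out, size_t cap)
{
    size_t n = 0;
    for (uint32_t a = IMG_BASE; a + 2u * SIZE_SZ <= IMG_BASE + 4u * IMG_WORDS; a += 4u) {
        if (!fastbin_victim_passes(a, req))
            continue;
        if (out != NULL && n < cap)
            out[n] = a;
        n++;
    }
    return n;
}

int main(void)
{
    const uint32_t req = 24;                    /* malloc(24): 32-byte chunk, fastbin index 2 */
    const uint32_t fds[] = { MALLOC_HOOK_ADDR, REALLOC_HOOK_ADDR, 0xf7e2db28u };
    uint32_t found[8];
    size_t n, i;

    for (i = 0; i < sizeof fds / sizeof fds[0]; i++)
        printf("fd = 0x%08x: %-27s malloc returns 0x%08x, __malloc_hook at offset %lld\n",
               (unsigned)fds[i],
               fastbin_victim_passes(fds[i], req) ? "passes," : "memory corruption (fast),",
               (unsigned)user_pointer(fds[i]),
               (long long)write_offset_for(fds[i], MALLOC_HOOK_ADDR));
    n = find_victims(req, found, 8);
    printf("%zu usable victim chunk address(es) in the constructed image\n", n);
    for (i = 0; i < n && i < 8; i++)
        printf("  0x%08x\n", (unsigned)found[i]);
    return 0;
}
```

Build with `gcc -std=c99 -Wall fastbin_check.c`. On the constructed image only fd = 0xf7e2db28 survives the check, and its returned buffer starts at 0xf7e2db30, so __realloc_hook is at offset 0 and __malloc_hook at offset 4 of the attacker-controlled write; any fd value whose following word does not match the request's fastbin index aborts with "malloc(): memory corruption (fast)". find_victims generalizes the single case in the question to the way such a chunk is located in a real libc: walk the region in 4-byte steps and keep every address whose size word passes. Two practitioner caveats: from glibc 2.32 the fastbin path also rejects misaligned chunks and mangles fd with safe-linking, and from glibc 2.34 __malloc_hook and __realloc_hook remain only as compatibility symbols that malloc no longer calls, so check the target's glibc version before relying on this path.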