SensePost | Linux

Linux Heap Exploitation Intro Series: Riding free on the heap – Double free attacks!

22 December 2017 ~12 min By Javier Jimenez

Heap Heap Linux Double Free Exploit Linux

Intro Hello again and welcome to the third of our series. On today’s blog post we are going to see what is and how can we abuse a double free(). We are also going to take advantage of leaks that happen when doing double free()‘s and see some examples of code execution using said leaks – we are making our execution ride on frees! As a last note, we are going to step things up a notch in this blog post and we are going to be using gdb as it will be crucial from now on. Sadly, ascii art doesn’t cut it anymore.

Painless intro to the Linux userland heap

05 May 2017 ~19 min By Javier Jimenez

Heap Heap Linux Heap Overflow Linux

-1 – Pre-Intro When looking at heap exploit tutorials most of the time I found myself lacking knowledge on the actual implementation and, soon, had the urge of knowing how it’s allocated and freed and why it’s done that way, memory wise. -0.9 – ptmalloc2 The best source of knowledge with regards to the implementation of the heap is itself, the source code. Do not fear it, thankfully it is widely commented!

USaBUSe Linux updates

10 March 2017 ~5 min By Rogan Dawes

Abuse Backdoor Build-It Conferences Empire Exploit Hardware Internals Linux Metasploit Programming Real-World Research Shells Tunnelling

(If you’re new to this project, read the intro first) For the past few months, I’ve been working on porting the USaBUSe stack from the custom hardware (AVR+ESP8266) to the Linux USB gadget stack. I wanted to make the techniques more accessible to people unfamiliar with embedded development, and I also wanted to take advantage of the variety of possibilities inherent in having a fully featured Linux environment to work in. I presented this work at HackCon in Norway.

Something about sudo, Kingcope and re-inventing the wheel

27 May 2013 ~4 min By george

Backdoor Fun Howto Infrastructure Internals Linux Local Post-Exploitation Shells Silly-Yammerings Tricks

Willems and I are currently on an internal assessment and have popped a couple hundred (thousand?) RHEL machines, which was trivial since they are all imaged. Anyhoo – long story short, we have a user which is allowed to make use of sudo for a few commands, such as reboot and service. I immediately thought it would be nice to turn this into a local root somehow. Service seemed promising and I had a looksy how it works. Whilst it does do sanitation of the library path it does not remove LD_PRELOAD. So if we could sneak LD_PRELOAD past sudo then all should be good ?