Hi there! First of all, thank you for sharing these great CTF writeups! They are useful for others to learn more about these cybersecurity topics.
I would like to kindly check about something related to the mooosl challenge writeup.
In the Semi-arbitrary write section, it was mentioned that the dequeue function to unlink a struct meta does not have the "safe unlinking" integrity check (i.e., cur->next->prev == cur and cur->prev->next == cur).
If the integrity check was present, could you kindly elaborate on how it would prevent the exploit from being successfully executed? Couldn't we simply control the values of cur->next->prev and cur->prev->next to point to the same address of the fake struct meta so that it passes such an integrity check? Or is this action being prevented by something that I am not aware of?
Do let me know your thoughts on this. @ndrewh
Thank you!
Best regards,
James Raphael Tiovalen
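As an added illustration of the check the question refers to (this is not code from the writeup or from musl): a simplified circular-list unlink with and without the safe-unlinking test, run on a constructed three-node list. `struct meta` here is a stand-in carrying only the prev/next links, and `dequeue_unchecked`, `dequeue_checked`, `enqueue` and `safe_unlink_demo` are names chosen for the example.

```c
#include <stddef.h>

/* Minimal stand-in for a circular doubly-linked list node in the style of
 * mallocng's struct meta. Illustrative code only, not musl's. */
struct meta {
    struct meta *prev, *next;
};

/* Unlink with no integrity check: trusts cur->prev and cur->next, so a
 * node with corrupted links turns the unlink into a pointer write at
 * whatever addresses those links name. */
static void dequeue_unchecked(struct meta **phead, struct meta *cur)
{
    if (cur->next == cur) { *phead = NULL; return; }
    cur->prev->next = cur->next;
    cur->next->prev = cur->prev;
    if (*phead == cur) *phead = cur->next;
}

/* Same unlink guarded by the "safe unlinking" check: both neighbours must
 * point back at cur. Returns 0 and leaves the list untouched otherwise. */
static int dequeue_checked(struct meta **phead, struct meta *cur)
{
    if (cur->next->prev != cur || cur->prev->next != cur)
        return 0; /* corruption detected; a real allocator would abort */
    dequeue_unchecked(phead, cur);
    return 1;
}

/* Append m to the circular list headed by *phead. */
static void enqueue(struct meta **phead, struct meta *m)
{
    if (!*phead) { m->prev = m->next = m; *phead = m; return; }
    m->next = *phead; m->prev = (*phead)->prev;
    m->prev->next = m; m->next->prev = m;
}

/* Returns 1 when the checked unlink rejects a node whose prev link was
 * tampered with but still accepts an intact node. */
int safe_unlink_demo(void)
{
    struct meta a = {0}, b = {0}, c = {0}, *head = NULL;
    enqueue(&head, &a); enqueue(&head, &b); enqueue(&head, &c);
    b.prev = &c;            /* constructed corruption: c->next is a, not b */
    int rejected = !dequeue_checked(&head, &b);
    int accepted = dequeue_checked(&head, &c);
    return rejected && accepted;
}
```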