A New HOPE (2022): "Novel Exploitation Tactics in Linux Userspace: One Byte OOB Write to ROP Chain" (Download)
Friday, July 22, 2022: 8:00 pm (DAC 206): Many of the complex surfaces in the GNU C library, such as malloc or IO, have been thoroughly deconstructed and analyzed to be utilized in exploit chains in Linux userspace. However, one surface, the runtime loader, is yet to be brought to its full potential. In this talk, Sammy will discuss going from one byte out-of-bounds write to a complete ROP chain without IO access and no brute force under extremely restrictive seccomp, without ever needing memory information leaks.
The talk will showcase cutting-edge exploitation tactics in Linux userspace, with a primary focus on utilizing rtdl, to pull off exploits that previously - without rtld - were completely inaccessible.