delsploit/CVE-2023-27997

I have met some problems when writing the exp, can you help me?


B5EC8A901E1079EBC958BE36A1A42DD4
When I first overwrite the SSL structure, I get the above error and can't do the later exploit steps. My Fortigate VM versions are 7.0.10 and 7.2.1.

I don't know what your situation is exactly. It seems that the rax value is broken, and it may come from other sprayed objects, not the victim one. You should write something only into the victim object, leaving the other objects clean. After that, you should do things only on the victim connection, leaving the other connections alone.

But when I debug my exp, I have no idea how to avoid this problem. When I allocate the SSL struct and free the SSL struct like your code does, it doesn't work. Could it be related to my SSL version? I am using a trial version of the VM, and the SSL version seems to be low.

I think that the rax value comes from a broken object. You need to check where the value comes from and where the object is broken, and recover it. All values must be clean, except for the victim area where the function pointer is written.

Do you have a telnet service in your Fortigate VM? I don't have one in my VM, so I used port 443 to attach the debugger, and I suspect this is the reason. If so, could you lend me your VM so I can learn, please? My e-mail address is 1974189628@qq.com.