Heap exploitation notes

Others 2020-02-23 03:51:43 views: null

The first implementation of malloc

  • size> = 128k: using mmap function, kernel in sys_mmap
  • size <128k: Use brk function, kernel in sys_brk
  • No matter how much space the beginning malloc <128k, kernel will give 132kb of heap
    segment (rw), this part is called main arena
  • When will the first time malloc heap cut into two chunk, the first is to assign a chunk out of the chunk, the rest of the space as top chunk, then will be cut from the top chunk out when and if insufficient space allocation

Second execution malloc

  • As long as allocated out of the total memory size does not exceed 128KB, then the system call will not be executed with the system to space, will exceed the size of the kernel to use brk come with memory space
  • Even if all the main arena will be allocated out of free memory body finished, it will not immediately returned kernel
  • Then memory space managed by glibc

main arena header

  • malloc_state
  • There bins, fast bin, top chunk information
  • The bss segment is located libc

Heap overflow

  • buffer overflow occurring in the heap segment
  • Eip generally not have direct control, but using a lower cover chunk heaker, the behavior and use unlink indirectly connected to the write-anywhere, then control eip
  • using unlink: overflow overwritten by the freed chunk pointer fd and bk, reuse unlink the FD-> bk = BK and BK-> fd = FD arbitrary memory thereof to change the position

detection in malloc

  • size is the situation fastbin
    • memory corruption
      • Fastbin taken out from the first block of the chunk size of not belonging to the fastbin
      • The main check mode is made after the malloc bytes size index, to find the corresponding fastbin taken out after the first one checks the size of the chunk belongs to the fastbin
      • But when the actual comparison is the first to fastbin first block size index fastbin made of, just go with the count than the index of the index are the same, but this way of taking index is unsigned int.
  • size is the situation smallbin
    • smallbin double linked list corrupted
      • From the corresponding smallbin take the last one, to meet smallbin is double linked list
      • victim == smallbin last piece of chunk
      • bck = victim->bk
      • bck->fd = victim
  • There chunk unsortbin
    • memory corruption
      • Unsortbin take the last piece of chunk as a victim
      • victim-> size to comply with the provisions of
      • size must be greater than 2 x SIZE_SZ, must be less than system_mem
  • size is large bin of the case
    • corrupted unsorted chunks
      • After finding a suitable chunk cut to the user, the remaining space will be placed last remainder, then added in unsortbin
      • Whether the first time will be taken unsortbin fd is equal to the position of unsortbin

detection in free

  • invalid pointer
    • Check the alignment
      • chunk address is a multiple of 8
    • Check the chunk address is less than -size
  • invalid size
    • Check the chunk size is legal
      • size must be a multiple of 8
      • That is, whether the alignment
    • size must be greater than MINSIZE
  • size is the situation fastbin
    • invalid next size(fast)
      • Examining a chunk size is legal
      • size must be greater than MINSIZE
      • size must be less than system_mem
    • double free or corruption(fasttop)
      • Check the fastbin first block chunk with the chunk of going free if different
      • If the same will abort
  • It is the size of the case smallbin & largebin (non the mmap)
    • double free or corruption(top)
      • Check the position was about to free the chunk with the top chunk of whether different
      • If the same will abort
    • double free or corruption(out)
      • The calculated position of a chunk exceeds the boundary of the heap
      • Beyond the boundaries of heap will abort
    • double free or corruption(!prev)
      • To check whether going free under inuse bit under a chunk of the chunk has been free too
    • invalid next size(normal)
      • size must be greater than 2 x SIZE_SZ
      • size must be less than system_mem
    • corrupted unsorted chunks
      • After unlink To put unsortbin, will start unsortbin taken out of a chunk, and then checks the chunk is equal to bk unsortbin
  • In doing unlink
  • courrupted double linked list
    • Check the circular doubly linked list of integrity, pointed the finger back and go must point value, otherwise it will represent corrupted double-linked list interrupt
    • P->bk->fd == p
    • P->fd->bk == p

using unlink(modern)

  • bypass the detection
    • We must forge chunk structure
    • You must find links to fake chunk of the pointer and the pointer's address
    • Thus where a limited change directly, usually indirectly, to read or write to any location
    • It would typically be a data pointer r
    • He can use other pointer to change that exists in the vicinity of & r and then use these pointer to cause the read and write an arbitrary position, if there is a more direct control function pointer eip.

Using malloc maleficarum

  • stack overflow
    • When the stack overflow is not enough to cover ret
    • Use stack overflow cover to free the ptr and fake chunk
    • Processing to be done for prev_size and size, by checking
  • using fastbin
    • When the next malloc, will get fake chunk
  • The House of Spirit
    • You can make information leak
    • You can also increase the stack voerflow distance
    • First calculate the stack to go down a chunk of size is a multiple of 8, size depends on is very important
  • The House of Force
    • heap overflow cover size top chunk, it becomes a great value
    • Next time the malloc, malloc a very large number (nb), then the position will change the top chunk of the arena header
      • new top chunk = old top + nb + 8
      • nb can be negative, because the pass in will automatically be converted into a very large number, as long as fake szie - nb> 0 will let glibc that there is room to top
    • Such a position would be the next malloc new top chunk of position.

Using fastbin

  • Similar House of Spirit
  • If you can change to fastbin of free chunk may be fd fake chunk of change position,
    they meet the size change is part of fastbin like, because the next malloc only check this
  • The next next malloc (size-0x10), will get the position of the fake chunk of
  • fake chunk may be any memory object position

Some useful global variable

  • __free_hook 、 __malloc_hook 、 __realloc_hook
    • free, before malloc, realloc will first check if the top three global variables have value, if it is executed when func ptr
  • __malloc_initialize_hook
    • When ptmalloc_init (first run will use malloc), checks whether the variable has a value, if it is performed when func ptr
  • __after_morecore_hook
    • When told to heap space with brk with the system will check whether the variable has a value, if it is executed when func ptr

Content Sources

Heap exploitation

Guess you like

Origin www.cnblogs.com/luoleqi/p/12348316.html
Recommended
Open Source Daily | Angular v18; Inference optimization under large model price war; Mistral AI targets the US market with open source models; Silicon Valley has its own Lu Xun
Ranking
ACM summary twelve
Understand high performance and high concurrency from the root (2): Deepen the operating system, understand I/O and zero-copy technology
Ali cloud OSS web end of the forward pass is not dependent on official pupload plug
ServiceMesh study notes 20200418
Complete Guide to BERT Model Distillation (Principle & Technique & Code)
With Nginx proxy requests, the front and rear side cross-domain processing
Digital twin museum solution
How to be a good project manager of R&D projects
ssh:ssh-agent、ssh-add
解决mac ida在中文输入状态下crash问题
Daily
More
2024-05-29(1)
2024-05-28(1)
2024-05-27(1)
2024-05-26(0)
2024-05-25(3)
2024-05-24(12)
2024-05-23(35)
2024-05-22(9)
2024-05-21(35)
2024-05-20(5)

Code World

© 2018 codetd.com