demonstrate glibc's first fit allocation

manizzle · Feb 10, 2016 · 8810476 · 8810476
1 parent f9b767e
commit 8810476
Show file tree

Hide file tree

Showing 3 changed files with 39 additions and 1 deletion.
diff --git a/Makefile b/Makefile
@@ -1,4 +1,4 @@
-PROGRAMS = fastbin_dup fastbin_dup_into_stack unsafe_unlink house_of_spirit poison_null_byte malloc_playground
+PROGRAMS = fastbin_dup fastbin_dup_into_stack unsafe_unlink house_of_spirit poison_null_byte malloc_playground first_fit
 CFLAGS += -std=c99
 
 # Convenience to auto-call mcheck before the first malloc()

diff --git a/README.md b/README.md
@@ -5,6 +5,7 @@ We came up with the idea during a hack meeting, and have implemented the followi
 
 | File | Technique | Applicable CTF Challenges |
 |------|-----------|---------------------------|
+| [first_fit.c](first_fit.c) | Demonstrating glibc malloc's first-fit behavior. | |
 | [fastbin_dup.c](fastbin_dup.c) | Tricking malloc into returning an already-allocated heap pointer by abusing the fastbin freelist. | |
 | [fastbin_dup_into_stack.c](fastbin_dup_into_stack.c) | Tricking malloc into returning a nearly-arbitrary pointer by abusing the fastbin freelist. | [9447-search-engine](https://github.com/ctfs/write-ups-2015/tree/master/9447-ctf-2015/exploitation/search-engine) |
 | [unsafe_unlink.c](unsafe_unlink.c) | Exploiting free on a corrupted chunk to get arbitrary write. | [HITCON CTF 2014-stkof](http://acez.re/ctf-writeup-hitcon-ctf-2014-stkof-or-modern-heap-overflow/) |

diff --git a/first_fit.c b/first_fit.c
@@ -0,0 +1,37 @@
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+
+int main()
+{
+	printf("This file doesn't demonstrate an attack, but shows the nature of glibc's allocator.\n");
+	printf("glibc uses a first-fit algorithm to select a free chunk.\n");
+	printf("If a chunk is free and large enough, malloc will select this chunk.\n");
+	printf("This can be exploited in a use-after-free situation.\n");
+
+	printf("Allocating 2 buffers. They can be large, don't have to be fastbin.\n");
+	char* a = malloc(512);
+	char* b = malloc(256);
+	char* c;
+
+	printf("1st malloc(512): %p\n", a);
+	printf("2nd malloc(256): %p\n", b);
+	printf("we could continue mallocing here...\n");
+	printf("now let's put a string at a that we can read later \"this is A!\"\n");
+	strcpy(a, "this is A!");
+	printf("first allocation %p points to %s\n", a, a);
+
+	printf("Freeing the first one...\n");
+	free(a);
+
+	printf("We don't need to free anything again. As long as we allocate less than 512, it will end up at %p\n", a);
+
+	printf("So, let's allocate 500 bytes\n");
+	c = malloc(500);
+	printf("3rd malloc(500): %p\n", c);
+	printf("And put a different string here, \"this is C!\"\n");
+	strcpy(c, "this is C!");
+	printf("3rd allocation %p points to %s\n", c, c);
+	printf("first allocation %p points to %s\n", a, a);
+	printf("If we reuse the first allocation, it now holds the data from the third allocation.");
+}