#dokydoky

[Heap Exploitation] Smallbin attack 본문

System Hacking

[Heap Exploitation] Smallbin attack

dokydoky 2017.08.09 15:54

Reference

smallbin

About smallbin

  • 총 62개의 small bin
  • free될 때 앞,뒤 chunk가 free되었다면 병합(coalesce)
  • 삽입은 HEAD, 제거는 TAIL (FIFO)

32bit

  • size : 0x10, 0x18, 0x20 ...... , 0x1F8(504)
    (8x+8, 1<=x<=62) 

64bit

  • size : 0x20, 0x30, 0x30 ...... , 0x3F0(1008)
    (16x+16, 1<=x<=62)

 

The code of getting chunk from smallbins in malloc

malloc - smallbin
if (in_smallbin_range (nb))
  {
    idx = smallbin_index (nb);
    bin = bin_at (av, idx);
 
    if ((victim = last (bin)) != bin)
      {
        if (victim == 0/* initialization check */
          malloc_consolidate (av);
        else
          {
            bck = victim->bk;
  if (__glibc_unlikely (bck->fd != victim))
              {
                errstr = "malloc(): smallbin double linked list corrupted";
                goto errout;
              }
            set_inuse_bit_at_offset (victim, nb);
            bin->bk = bck;
            bck->fd = bin;
 
            if (av != &main_arena)
              victim->size |= NON_MAIN_ARENA;
            check_malloced_chunk (av, victim, nb);
            void *p = chunk2mem (victim);
            alloc_perturb (p, bytes);
            return p;
          }
      }
  }

 

Attacks

House of Lore

공격개요

free된 후 smallbin에 들어간 chunk의 bk를 조작하여, 임의의 chunk를 smallbin에 넣는 공격

제약조건

  • smallbin size의 chunk는 free된 후 unsorted bin에 들어가므로, 더 큰 크기를 할당하여 chunk를 unsorted bin→small bin으로 이동시켜야 한다.
  • 아래와 같은 체크로직을 우회하기 위해 아래 조건을 만족해야 한다.
    • real_chunk→bk = fake_chunk
    • fake_chunk→fd = real_chunk
    • fake_chunk→bk = another_chunk
    • another_chunk→fd = fake_chunk

 

malloc - smallbin check
          bck = victim->bk;
if (__glibc_unlikely (bck->fd != victim))
            {
              errstr = "malloc(): smallbin double linked list corrupted";
              goto errout;
            }
          set_inuse_bit_at_offset (victim, nb);
          bin->bk = bck;
          bck->fd = bin;

 

 


0 Comments
댓글쓰기 폼