Understanding Heap Exploitation Techniques in CSE 545 Fall 2020

This collection of images covers various heap exploitation techniques discussed in CSE 545 Fall 2020, such as fastbin use-after-free vulnerabilities, tcache poisoning, double-free exploits, metadata manipulation, and more. The images depict scenarios involving tcache, fast bins, unsorted bins, and fake chunks to demonstrate how vulnerabilities like use-after-free can be exploited for malicious purposes.

• Heap Exploitation
• Vulnerabilities
• CSE 545
• Fall 2020
• Memory Corruption

jah_end Follow

Uploaded on Oct 06, 2024 | 0 Views

Download Presentation

Please find below an Image/Link to download the presentation.

The content on the website is provided AS IS for your information and personal use only. It may not be sold, licensed, or shared on other websites without obtaining consent from the author. Download presentation by click this link. If you encounter any issues during the download, it is possible that the publisher has removed the file from their server.

Presentation Transcript

1. CSE 545 F2020, Week 11 Heap: Fastbins& others Tiffany Bao tbao@asu.edu

2. tcache 2

3. tcache Use After Free Double Free Overflow 3

4. tcache Use After Free fastbin unsorted bin Double Free small bin Overflow large bin Arena 4

5. tcache Off-by-null Use After Free fastbin unsorted bin Double Free small bin Overflow large bin Arena 5

6. tcache poisoning tcache Off-by-null fastbin reverse Use After Free fastbin house of spirit unsorted bin Double Free small bin house of force Overflow large bin Arena 6

7. Fastbin use-after-free (UAF) vulnerabilities Fastbin double-free vulnerabilities fastbin reverse Leaking libc address via unsorted bin via program s data segment How to debug 7

8. FastbinUse After Free 8

9. Tcache Bin metadata fd pointer metadata fd pointer 00000 data data Fast Bin metadata fd pointer metadata fd pointer metadata 00000 data data data 9

10. Fast Bin metadata fd pointer metadata fd pointer metadata 000000 data data data 1 metadata fd pointer 2 0000 victim (malloc@got) Fake Chunk 10

11. metadata 00000000 1 A Fake Chunk Should Satisfy: 1. Include the victim memory 2. The fd pointer (start of data) is 0 or points to another chunk that will ultimately with fd pointer as 0 victim (malloc@got) Fake Chunk metadata fd pointer 0000 victim (malloc@got) Fake Chunk 12

12. metadata fd pointer 1. Find a use-after-free vulnerability Edit the fd pointer data 2. metadata fd pointer 2 victim (malloc@got) Fake Chunk 13

13. malloc() x 7 Tcache Bin 3 metadata fd pointer metadata fd pointer 00000 data data Fast Bin metadata fd pointer metadata fd pointer 0000 victim data (malloc@got) 14

14. Tcache Bin malloc() x 7 3 Fast Bin metadata fd pointer metadata fd pointer 0000 victim data (malloc@got) 15

15. Tcache Bin malloc() 4 Fast Bin metadata fd pointer metadata fd pointer 0000 victim data (malloc@got) 16

16. Tcache Bin malloc() 4 Fast Bin metadata fd pointer metadata fd pointer 0000 victim data (malloc@got) 17

17. Tcache Bin malloc() 4 Fast Bin metadata fd pointer 0000 victim (malloc@got) 18

18. Tcache Bin malloc() 4 metadata fd pointer victim (malloc@got) Fast Bin 0000 19

19. Tcache Bin malloc() 4 metadata fd pointer victim (malloc@got) Fast Bin 0000 20

20. Tcache Bin malloc() 5 metadata fd pointer 0000 victim (malloc@got) Tcache Bin metadata fd pointer victim (malloc@got) 21

21. The GNU C Library lets you modify the behavior of malloc, realloc, and free by specifying appropriate hook functions. You can use these hooks to help you debug programs that use dynamic memory allocation, __ __malloc_hook malloc_hook : : The value of this variable is a pointer to the function that malloc uses whenever it is called. __free_hook, __realloc_hook https://www.gnu.org/software/libc/manual/html_node/Hooks-for-Malloc.html 22

22. Service IP: 107.21.135.41 Port: 15555 Service file: https://cse545.tiffanybao.com/labs/week15/use_after_free.c https://cse545.tiffanybao.com/labs/week15/use_after_free https://cse545.tiffanybao.com/labs/week15/libc.so.6 https://cse545.tiffanybao.com/labs/week15/ld-2.27.so ASLR is off, libc s base address: 0x7ffff79e4000 23

23. How to debug 33

24. 34

25. Fastbindouble Free 35

26. Tcache Bin metadata fd pointer metadata fd pointer data data 36

27. Tcache Bin metadata fd pointer metadata fd pointer data data Fast Bin metadata fd pointer metadata fd pointer metadata fd pointer data data data 37

28. Tcache Bin metadata fd pointer metadata fd pointer 00000 data data Fast Bin metadata fd pointer metadata fd pointer metadata fd pointer data data data 38

29. Empty tcache bins Tcache Bin 1 metadata fd pointer metadata fd pointer 00000 data data Fast Bin metadata fd pointer metadata fd pointer metadata fd pointer data data data 39

30. Empty tcache bins Tcache Bin 1 Fast Bin metadata fd pointer metadata fd pointer metadata fd pointer data data data 40

31. Tcache Bin malloc() 2 Fast Bin metadata fd pointer metadata fd pointer metadata fd pointer data data data 41

32. Tcache Bin malloc() 2 Fast Bin metadata fd pointer metadata fd pointer metadata fd pointer data data data 42

33. Tcache Bin malloc() 2 Fast Bin metadata fd pointer metadata fd pointer data data 43

34. Tcache Bin malloc() 2 metadata 00000000 data Fast Bin metadata fd pointer data 44

35. Tcache Bin malloc() 2 metadata 00000000 data Fast Bin metadata fd pointer metadata 00000000 data data 45

36. Tcache Bin malloc() 2 metadata fd pointer metadata 00000000 data data Fast Bin metadata 00000000 data 46

37. metadata fd pointer Tcache Bin malloc() 2 data metadata fd pointer metadata fd pointer metadata fd pointer data data data Fast Bin 47

38. metadata fd pointer Edit the chunk from Step 2 Tcache Bin 3 data metadata fd pointer metadata fd pointer metadata fd pointer data data data metadata victim Fake Chunk 48

39. Tcache Bin malloc() x 3 4 metadata fd pointer metadata fd pointer metadata fd pointer data data data metadata victim Fake Chunk 49

40. Leak Libc Base Address 50

41. 51

42. Find a memory location that satisfy the necessary condition for a fake chunk The libc information is contained in the fake chunk e.g., 0x602248 52

43. Fast Bin metadata fd pointer metadata fd pointer metadata 000000 data data data 1 0x602248 metadata 2 libc-related address Fake Chunk 53

44. Tcache Bin malloc() x 7 3 metadata fd pointer metadata fd pointer 00000 data data Fast Bin 0x602248 metadata 00000000 metadata fd pointer metadata fd pointer data victim data 54

45. Tcache Bin malloc() x 7 3 Fast Bin 0x602248 metadata 00000000 metadata fd pointer metadata fd pointer data victim data 55

46. Tcache Bin malloc() 4 Fast Bin 0x602248 metadata 00000000 metadata fd pointer metadata fd pointer data victim data 56

47. Tcache Bin malloc() 4 0x602248 metadata fd pointer metadata 00000000 data victim Fast Bin 57

48. Finding a fake chunk like such may not be easy The address of fake chunk may also change E.g., PIE and ASLR 58

49. arena -> bins siz0x20 FD BK -> Forward <- Backward chunk chunk 59

50. metadata fd pointer bw pointer -> Forward metadata fd pointer bw pointer data main_arena @ glibc 60

Load More ...