Understanding Heap Exploitation Techniques in CSE 545 Fall 2020
This collection of images covers various heap exploitation techniques discussed in CSE 545 Fall 2020, such as fastbin use-after-free vulnerabilities, tcache poisoning, double-free exploits, metadata manipulation, and more. The images depict scenarios involving tcache, fast bins, unsorted bins, and fake chunks to demonstrate how vulnerabilities like use-after-free can be exploited for malicious purposes.
Download Presentation
Please find below an Image/Link to download the presentation.
The content on the website is provided AS IS for your information and personal use only. It may not be sold, licensed, or shared on other websites without obtaining consent from the author. Download presentation by click this link. If you encounter any issues during the download, it is possible that the publisher has removed the file from their server.
E N D
Presentation Transcript
CSE 545 F2020, Week 11 Heap: Fastbins& others Tiffany Bao tbao@asu.edu
tcache 2
tcache Use After Free Double Free Overflow 3
tcache Use After Free fastbin unsorted bin Double Free small bin Overflow large bin Arena 4
tcache Off-by-null Use After Free fastbin unsorted bin Double Free small bin Overflow large bin Arena 5
tcache poisoning tcache Off-by-null fastbin reverse Use After Free fastbin house of spirit unsorted bin Double Free small bin house of force Overflow large bin Arena 6
Fastbin use-after-free (UAF) vulnerabilities Fastbin double-free vulnerabilities fastbin reverse Leaking libc address via unsorted bin via program s data segment How to debug 7
Tcache Bin metadata fd pointer metadata fd pointer 00000 data data Fast Bin metadata fd pointer metadata fd pointer metadata 00000 data data data 9
Fast Bin metadata fd pointer metadata fd pointer metadata 000000 data data data 1 metadata fd pointer 2 0000 victim (malloc@got) Fake Chunk 10
metadata 00000000 1 A Fake Chunk Should Satisfy: 1. Include the victim memory 2. The fd pointer (start of data) is 0 or points to another chunk that will ultimately with fd pointer as 0 victim (malloc@got) Fake Chunk metadata fd pointer 0000 victim (malloc@got) Fake Chunk 12
metadata fd pointer 1. Find a use-after-free vulnerability Edit the fd pointer data 2. metadata fd pointer 2 victim (malloc@got) Fake Chunk 13
malloc() x 7 Tcache Bin 3 metadata fd pointer metadata fd pointer 00000 data data Fast Bin metadata fd pointer metadata fd pointer 0000 victim data (malloc@got) 14
Tcache Bin malloc() x 7 3 Fast Bin metadata fd pointer metadata fd pointer 0000 victim data (malloc@got) 15
Tcache Bin malloc() 4 Fast Bin metadata fd pointer metadata fd pointer 0000 victim data (malloc@got) 16
Tcache Bin malloc() 4 Fast Bin metadata fd pointer metadata fd pointer 0000 victim data (malloc@got) 17
Tcache Bin malloc() 4 Fast Bin metadata fd pointer 0000 victim (malloc@got) 18
Tcache Bin malloc() 4 metadata fd pointer victim (malloc@got) Fast Bin 0000 19
Tcache Bin malloc() 4 metadata fd pointer victim (malloc@got) Fast Bin 0000 20
Tcache Bin malloc() 5 metadata fd pointer 0000 victim (malloc@got) Tcache Bin metadata fd pointer victim (malloc@got) 21
The GNU C Library lets you modify the behavior of malloc, realloc, and free by specifying appropriate hook functions. You can use these hooks to help you debug programs that use dynamic memory allocation, __ __malloc_hook malloc_hook : : The value of this variable is a pointer to the function that malloc uses whenever it is called. __free_hook, __realloc_hook https://www.gnu.org/software/libc/manual/html_node/Hooks-for-Malloc.html 22
Service IP: 107.21.135.41 Port: 15555 Service file: https://cse545.tiffanybao.com/labs/week15/use_after_free.c https://cse545.tiffanybao.com/labs/week15/use_after_free https://cse545.tiffanybao.com/labs/week15/libc.so.6 https://cse545.tiffanybao.com/labs/week15/ld-2.27.so ASLR is off, libc s base address: 0x7ffff79e4000 23
How to debug 33
Tcache Bin metadata fd pointer metadata fd pointer data data 36
Tcache Bin metadata fd pointer metadata fd pointer data data Fast Bin metadata fd pointer metadata fd pointer metadata fd pointer data data data 37
Tcache Bin metadata fd pointer metadata fd pointer 00000 data data Fast Bin metadata fd pointer metadata fd pointer metadata fd pointer data data data 38
Empty tcache bins Tcache Bin 1 metadata fd pointer metadata fd pointer 00000 data data Fast Bin metadata fd pointer metadata fd pointer metadata fd pointer data data data 39
Empty tcache bins Tcache Bin 1 Fast Bin metadata fd pointer metadata fd pointer metadata fd pointer data data data 40
Tcache Bin malloc() 2 Fast Bin metadata fd pointer metadata fd pointer metadata fd pointer data data data 41
Tcache Bin malloc() 2 Fast Bin metadata fd pointer metadata fd pointer metadata fd pointer data data data 42
Tcache Bin malloc() 2 Fast Bin metadata fd pointer metadata fd pointer data data 43
Tcache Bin malloc() 2 metadata 00000000 data Fast Bin metadata fd pointer data 44
Tcache Bin malloc() 2 metadata 00000000 data Fast Bin metadata fd pointer metadata 00000000 data data 45
Tcache Bin malloc() 2 metadata fd pointer metadata 00000000 data data Fast Bin metadata 00000000 data 46
metadata fd pointer Tcache Bin malloc() 2 data metadata fd pointer metadata fd pointer metadata fd pointer data data data Fast Bin 47
metadata fd pointer Edit the chunk from Step 2 Tcache Bin 3 data metadata fd pointer metadata fd pointer metadata fd pointer data data data metadata victim Fake Chunk 48
Tcache Bin malloc() x 3 4 metadata fd pointer metadata fd pointer metadata fd pointer data data data metadata victim Fake Chunk 49
Leak Libc Base Address 50
Find a memory location that satisfy the necessary condition for a fake chunk The libc information is contained in the fake chunk e.g., 0x602248 52
Fast Bin metadata fd pointer metadata fd pointer metadata 000000 data data data 1 0x602248 metadata 2 libc-related address Fake Chunk 53
Tcache Bin malloc() x 7 3 metadata fd pointer metadata fd pointer 00000 data data Fast Bin 0x602248 metadata 00000000 metadata fd pointer metadata fd pointer data victim data 54
Tcache Bin malloc() x 7 3 Fast Bin 0x602248 metadata 00000000 metadata fd pointer metadata fd pointer data victim data 55
Tcache Bin malloc() 4 Fast Bin 0x602248 metadata 00000000 metadata fd pointer metadata fd pointer data victim data 56
Tcache Bin malloc() 4 0x602248 metadata fd pointer metadata 00000000 data victim Fast Bin 57
Finding a fake chunk like such may not be easy The address of fake chunk may also change E.g., PIE and ASLR 58
arena -> bins siz0x20 FD BK -> Forward <- Backward chunk chunk 59
metadata fd pointer bw pointer -> Forward metadata fd pointer bw pointer data main_arena @ glibc 60