Understanding Heap Exploitation Techniques in CSE 545 Fall 2020

Slide Note
Embed
Share

This collection of images covers various heap exploitation techniques discussed in CSE 545 Fall 2020, such as fastbin use-after-free vulnerabilities, tcache poisoning, double-free exploits, metadata manipulation, and more. The images depict scenarios involving tcache, fast bins, unsorted bins, and fake chunks to demonstrate how vulnerabilities like use-after-free can be exploited for malicious purposes.


Uploaded on Oct 06, 2024 | 0 Views


Download Presentation

Please find below an Image/Link to download the presentation.

The content on the website is provided AS IS for your information and personal use only. It may not be sold, licensed, or shared on other websites without obtaining consent from the author. Download presentation by click this link. If you encounter any issues during the download, it is possible that the publisher has removed the file from their server.

E N D

Presentation Transcript


  1. CSE 545 F2020, Week 11 Heap: Fastbins& others Tiffany Bao tbao@asu.edu

  2. tcache 2

  3. tcache Use After Free Double Free Overflow 3

  4. tcache Use After Free fastbin unsorted bin Double Free small bin Overflow large bin Arena 4

  5. tcache Off-by-null Use After Free fastbin unsorted bin Double Free small bin Overflow large bin Arena 5

  6. tcache poisoning tcache Off-by-null fastbin reverse Use After Free fastbin house of spirit unsorted bin Double Free small bin house of force Overflow large bin Arena 6

  7. Fastbin use-after-free (UAF) vulnerabilities Fastbin double-free vulnerabilities fastbin reverse Leaking libc address via unsorted bin via program s data segment How to debug 7

  8. FastbinUse After Free 8

  9. Tcache Bin metadata fd pointer metadata fd pointer 00000 data data Fast Bin metadata fd pointer metadata fd pointer metadata 00000 data data data 9

  10. Fast Bin metadata fd pointer metadata fd pointer metadata 000000 data data data 1 metadata fd pointer 2 0000 victim (malloc@got) Fake Chunk 10

  11. metadata 00000000 1 A Fake Chunk Should Satisfy: 1. Include the victim memory 2. The fd pointer (start of data) is 0 or points to another chunk that will ultimately with fd pointer as 0 victim (malloc@got) Fake Chunk metadata fd pointer 0000 victim (malloc@got) Fake Chunk 12

  12. metadata fd pointer 1. Find a use-after-free vulnerability Edit the fd pointer data 2. metadata fd pointer 2 victim (malloc@got) Fake Chunk 13

  13. malloc() x 7 Tcache Bin 3 metadata fd pointer metadata fd pointer 00000 data data Fast Bin metadata fd pointer metadata fd pointer 0000 victim data (malloc@got) 14

  14. Tcache Bin malloc() x 7 3 Fast Bin metadata fd pointer metadata fd pointer 0000 victim data (malloc@got) 15

  15. Tcache Bin malloc() 4 Fast Bin metadata fd pointer metadata fd pointer 0000 victim data (malloc@got) 16

  16. Tcache Bin malloc() 4 Fast Bin metadata fd pointer metadata fd pointer 0000 victim data (malloc@got) 17

  17. Tcache Bin malloc() 4 Fast Bin metadata fd pointer 0000 victim (malloc@got) 18

  18. Tcache Bin malloc() 4 metadata fd pointer victim (malloc@got) Fast Bin 0000 19

  19. Tcache Bin malloc() 4 metadata fd pointer victim (malloc@got) Fast Bin 0000 20

  20. Tcache Bin malloc() 5 metadata fd pointer 0000 victim (malloc@got) Tcache Bin metadata fd pointer victim (malloc@got) 21

  21. The GNU C Library lets you modify the behavior of malloc, realloc, and free by specifying appropriate hook functions. You can use these hooks to help you debug programs that use dynamic memory allocation, __ __malloc_hook malloc_hook : : The value of this variable is a pointer to the function that malloc uses whenever it is called. __free_hook, __realloc_hook https://www.gnu.org/software/libc/manual/html_node/Hooks-for-Malloc.html 22

  22. Service IP: 107.21.135.41 Port: 15555 Service file: https://cse545.tiffanybao.com/labs/week15/use_after_free.c https://cse545.tiffanybao.com/labs/week15/use_after_free https://cse545.tiffanybao.com/labs/week15/libc.so.6 https://cse545.tiffanybao.com/labs/week15/ld-2.27.so ASLR is off, libc s base address: 0x7ffff79e4000 23

  23. How to debug 33

  24. 34

  25. Fastbindouble Free 35

  26. Tcache Bin metadata fd pointer metadata fd pointer data data 36

  27. Tcache Bin metadata fd pointer metadata fd pointer data data Fast Bin metadata fd pointer metadata fd pointer metadata fd pointer data data data 37

  28. Tcache Bin metadata fd pointer metadata fd pointer 00000 data data Fast Bin metadata fd pointer metadata fd pointer metadata fd pointer data data data 38

  29. Empty tcache bins Tcache Bin 1 metadata fd pointer metadata fd pointer 00000 data data Fast Bin metadata fd pointer metadata fd pointer metadata fd pointer data data data 39

  30. Empty tcache bins Tcache Bin 1 Fast Bin metadata fd pointer metadata fd pointer metadata fd pointer data data data 40

  31. Tcache Bin malloc() 2 Fast Bin metadata fd pointer metadata fd pointer metadata fd pointer data data data 41

  32. Tcache Bin malloc() 2 Fast Bin metadata fd pointer metadata fd pointer metadata fd pointer data data data 42

  33. Tcache Bin malloc() 2 Fast Bin metadata fd pointer metadata fd pointer data data 43

  34. Tcache Bin malloc() 2 metadata 00000000 data Fast Bin metadata fd pointer data 44

  35. Tcache Bin malloc() 2 metadata 00000000 data Fast Bin metadata fd pointer metadata 00000000 data data 45

  36. Tcache Bin malloc() 2 metadata fd pointer metadata 00000000 data data Fast Bin metadata 00000000 data 46

  37. metadata fd pointer Tcache Bin malloc() 2 data metadata fd pointer metadata fd pointer metadata fd pointer data data data Fast Bin 47

  38. metadata fd pointer Edit the chunk from Step 2 Tcache Bin 3 data metadata fd pointer metadata fd pointer metadata fd pointer data data data metadata victim Fake Chunk 48

  39. Tcache Bin malloc() x 3 4 metadata fd pointer metadata fd pointer metadata fd pointer data data data metadata victim Fake Chunk 49

  40. Leak Libc Base Address 50

  41. 51

  42. Find a memory location that satisfy the necessary condition for a fake chunk The libc information is contained in the fake chunk e.g., 0x602248 52

  43. Fast Bin metadata fd pointer metadata fd pointer metadata 000000 data data data 1 0x602248 metadata 2 libc-related address Fake Chunk 53

  44. Tcache Bin malloc() x 7 3 metadata fd pointer metadata fd pointer 00000 data data Fast Bin 0x602248 metadata 00000000 metadata fd pointer metadata fd pointer data victim data 54

  45. Tcache Bin malloc() x 7 3 Fast Bin 0x602248 metadata 00000000 metadata fd pointer metadata fd pointer data victim data 55

  46. Tcache Bin malloc() 4 Fast Bin 0x602248 metadata 00000000 metadata fd pointer metadata fd pointer data victim data 56

  47. Tcache Bin malloc() 4 0x602248 metadata fd pointer metadata 00000000 data victim Fast Bin 57

  48. Finding a fake chunk like such may not be easy The address of fake chunk may also change E.g., PIE and ASLR 58

  49. arena -> bins siz0x20 FD BK -> Forward <- Backward chunk chunk 59

  50. metadata fd pointer bw pointer -> Forward metadata fd pointer bw pointer data main_arena @ glibc 60

More Related Content