From the byte overflows to arbitrary code execution-Linux stack exploit-vulnerability warning-the black bar safety net

ID MYHACK58:62201680331
Type myhack58
Reporter Ox9A82
Modified 2016-10-19T00:00:00


One byte overflow called off-by-one, once a period of time, the off-by-one is considered to be not utilized, but later research found on the heap even if only one byte overflow can lead to arbitrary code execution. At the same time the heap of the off-by-one using also appear in the domestic and foreign various types of CTF competitions, but on the web also can't find a review of the system description of the heap off-by-one using the tutorial. In this article I have listed 5 common types of on the heap off-by-one attack mode, and shows the test DEMO, the test environment is x86. 0x01 background knowledge On the network on the Linux heap management mechanisms article already has a lot of, here no longer detailed description of heap management mechanisms in detail, only a simple list of some to understand the content of the article must be to master the basic knowledge points. First, the current Linux-based here the heap Manager. In here, the stack block is divided into the following four types 1. fastbin fastbin range in 1 6 to 64byte, the use of one-way linked list to maintain. Each from the fastbin allocation of a heap block, from the tail removed. fastbin blocks of the inuse bit is always set to 1, and the enjoyment of the highest priority, in the allocation and release when total will first consider the fastbin it. 2. unsort bin unsort bin in bins[]only occupy a position, in addition to the fastbin outside of the other block after being released will enter here as a buffer, whenever malloc the heap block from the unsort the bin is removed and placed into the bins []. 3. small bin small bin means more than 16byte and less than 512byte of the heap block, using a two-way linked list does not have two adjacent empty small bin block, because once this occurs, the adjacent blocks will be merged into one block. Usually is in the call to free function to trigger this process. Note that in the adjacent empty blocks when combined will call the unlink()macro to remove the operation, but call malloc()when the following operation did not use the unlink macro. 4. large bin Beyond the large bin range is the large bin, the large bin compared to the other blocks in terms of having an additional by fd_nextsize and bk_nextsize domain consisting of a list structure. ! As shown, in which the size field is the low three bits as flags, we most need to remember is inuse bit, this bit determines the previous block is in use state. Yes, in here, one block is used by the next block for recording. 0x02 off-by-one classification off-by-one in total, can be divided into two kinds of using way chunk overlapping off-by-one overwrite allocated off-by-one overwrite freed off-by-one null byte unlink off-by-one small bin off-by-one large bin This division is based is based on the use of ideas is different. The first use of the core idea is mainly to be chunk overlapping,while the second use of the ideas you want to trigger unlink it. 0x03 reached exploit the conditions off-by-one not all can achieve the use purpose. The first requires that the stack must be in the required size+0x4 bytes x86 the size of the allocation. If you do not satisfy this condition then it can not cover to the inuse bit. This is due to the stack byte alignment mechanism is caused by the simple that the heap block is 8-byte aligned for x64 for 1 to 6 bytes. If malloc(1 0 2 4), then the actual will be allocated 1 0 2 4+8=1 0 3 2 bytes, which is well understood. But if it is malloc(1 0 2 0)? 1 0 2 0+8=1 0 2 of 8 bytes, and 1 0 2 8 does not satisfy the 8-byte alignment, then the actual will only be allocated 1 0 2 0+4=1 0 2 4 bytes the additional 4 bytes by the next piece of the prev_size provide space. And for trigger the unlink operation, it also needs an additional additional conditions. Because now the unlink is a test, so you need a pointer to the stack pointer. 0x04 exploits the effect of off-by-one to achieve what the use effect? This is a very critical issue. According to the classification of view can be achieved in two effects 1. chunk overlapping The so-called chunk overlapping means, for a target heap block. We can go through some operation, so that the target heap block is our re-assigned to a US-controlled new heap block, so that you can on the target stack the blocks any read and write. 2. unlink This off-by-one result of the unlink of the use of effects actually caused by overflow unlink the use of the effect is the same. For the small bin can make the point to the heap pointer to ptr, the value becomes&ptr-0xc, and so combined with the series of operations you can achieve almost unlimited number of write-anything-anywhere. And the large bin of the unlink, you can achieve a arbitrary address write-anything-anywhere to. 0x05 exploit the principles of the chunk overlapping the principle is that here the heap block the authentication mechanism of the imperfect, through some of the here defined macro can be seen to this point. inuse (): only by a piece of the inuse bits to determine whether the current block using the. prev_chunk (): if the previous block is empty, then the empty block the merger, only the use of the present block. prev_size to find the former block of the head. next_chunk (): only by the block header+the size of the block of ways to find the next piece of the head chunksize (): only by the block size determination the block size. unlink the principle is that the unlink macro is in process when the mutual written data caused by arbitrary address write. Improved after the unlink macro adds a check, but can be a pointer to the stack pointer on the leads to bypass the situation. 0x06 reached exploit the specific operation off-by-one overwrite allocated In this case the heap block layout is such ! A is the occurrence of off-by-one heap block, wherein B and C are allocated status of the block. And C is our attack target block. Our goal is to be able to read and write to Block C, then it should be to construct such a memory layout. And then through the off-by-one to rewrite the Block B of the size of the domain that you want to ensure the inuse field is set to 1, otherwise it will trigger the unlink causes the crash to achieve the C block to the entire included. By the B to free fall, and then allocated a is greater than B+C the block can return to B's address, and can read and write to Block C. The specific operation is: 1. Block diagram shows the memory layout of the 2. off-by-one rewrite of the B-block size field(increase size to contain the C, the inuse bit remains 1) 3. free off B block 4. malloc A B+C block size 5. By returning the address of C to any reader Note that you must have to put the C block of the entire included, otherwise the free time will trigger the check, leading to throw an error. Because here when implementing the validation logic is the current block the next block of inuse must be 1, otherwise the free time will trigger an exception, this originally is to prevent the blocks are double free of restrictions, but to our fake stack the blocks to cause the disorder. off-by-one overwrite freed

[1] [2] [3] next