Don't like this style? Click here to change it! blue.css
LOGIN:
Welcome .... Click here to logout
Fastbin Dup Pt 2: Finding a target
Alright so we ended the last lecture by using the fastbin dup to load
a fake address into the head of the main_arena singly linked list for any fastbin size.
To do that we had to get past the only double-free check by doing free(A), free(B), free(A)
Of course a natural question is, what should we target? Typically this is easy, GOT, malloc_hook, fini_array,
something like that. BUT the purpose of today's lecture is to show you that we are a little more constrained in
using this write-what-where.
Security check number 2 is: the must be a valid size field where we target.
The Mechanics
Your payload begins at 16 bytes after your the address you seed into main_arena.
That is, if what goes in the main_arena is seed what you get back from malloc will be at seed+16.
If address X has a valid size field (i.e. 0x71 as a value or 2f00000000000000 in little Endian) then your seed needs to be X-8
The size field size needs to match your chunk size (i.e. 0x20 for malloc(24))
Sometimes the second nibble matters but I'm not exactly sure which ones cause a problem
TLDR: If your fake chunk size is at address X and true target is at address Y then you'll seed X-8 into main_arena and your eventual payload starts at X+8.
You'll pad your payload with (Y - X - 8) bytes. NOTE: (Y-X + 8) should be <= the fake chunk size.
The essential example: malloc_hook-35
OK so we're looking for a set of 8 bytes in the form of A*00000000000000 where A is a value in the range 0x2 - 0xb (the fastbin sizes)
within 0xA0 bytes of a method to control the instruction pointer.
gdb has a cool tool called: find_fake_fast that will check for decent candidates near a provided target.
There is one target that stands out as very reliable in glibc < 2.34: the malloc_hook.
Let's take a look to see why:
In essence it's this: whenever there is a glibc address it will start with 0x7f*****, but it's little endian, so it tends to end in 0x7f00 regardless of ASLR.
Thus if there is a reliable glibc address within 0x68 bytes of an address of interest we can use the 0x7f as our valid fake size field.
NOTE: the fake chunk is NOT nicely aligned but later than normal in order to isolate the top byte of the address isolate the top byte of the address.
The default strategy:
If you have a fastbin dup the default strategy to try is this:
seed the address libc.sym.__malloc_hook-35 into the 0x70 main_arena fastbin (via the dup)
Get malloc to return that fake chunk (the returned address will actually be libc.sym.__malloc_hook - 19)
Make your payload b"A"*19 + p64(some_one_gadget)
Let's Try That Standard Plan
dupme.zip has everything for the binary running at: nc 165.22.46.243 8230 (glibc 2.30 with glibc leak)
Backup Plans
If you are restricted from using mallocs in the 0x70 bins or there is no malloc_hook (2.34) then you'll need other viable targets.
An alternative strategy is this:
If you seed an address into the main_arena that address itself can be your valid size field
So do a fastbin dup at one size, like malloc(0x48) and drop a size field for the next size up into the main_arena itself: i.e. seed 0x61 into the head of the 0x50 fastbin
Now you can target the main_arena itself and go in and muck around with the top chunk, essentially creating a house_of_force style exploit.
