Don't like this style? Click here to change it! blue.css
LOGIN:
Welcome .... Click here to logout
House of Orange pt. 1
So we're going to learn how to pull off the House of Orange over the next 4 lectures.
I have reasons for it. They're like this:
What I really want is FSOP
House of Orange is an FSOP for older glibcs
There are many good examples of House of Orange write-ups
We need to learn cutting edge FSOP
But it's a lot so we'll start with an older (better documented) version
Then work our way to the new (poorly documented and wild)
OK so this exploit leans on the ability to do an overflow in the heap.
There are three parts to this exploit:
Strategic Goal: Use FSOP and "vtable hijacking" to point the instruction pointer to a one_gadget
Baseline Hack: convert an overflow into a use-after-free by "freeing" the top chunk
Pivot Part: Use the "unsorted bin attack" to make a specific and interesting write-what-where
OK so today we'll do the non-FSOP parts.
The Unsorted Bin Attack
AKA partial unlink attack
This is almost a micro-attack, it's not as powerful as the fastbin dup or tcache poison.
The goal of this attack is to drop a heap address into a target. It isn't something that gives us control over
the target address. It's more like a WRITE-THIS-WHERE rather than write WHAT where.
This micro-attack can be used to gain a glibc leak (the main_arena) or used to put a pointer to your chunk somewhere cool then making your chunk into any kind of FAKE STRUCT.
The concept is simple enough:
make a chunk that is past the tcache range (and one buffer chunk between it and the top chunk)
free it. It will go into the unsorted bin.
Overwrite the backwards pointer (this is the part that requires a vulnerability) to target - 16
malloc another chunk (the same size is most stable)
How does it work? When the unsorted bins are used they get sorted into small or large bins.
In the process they get unlinked from the back of the list. The only pointer that matters is the bk pointer which is followed and the address of the victim chunk is written there.
Now let's pull it off in the targetrange code from Wednesday.
"Free" without "Free"
AKA freeing the top chunk
So this is just a cute add-on inside the house of orange. It's the opposite of the house of force.
You need an overflow near the top chunk
Overwrite the topchunk size field and make it smaller
The new "end" of the fake top chunk needs to be a multiple of 0x1000
Now ask for something larger than the new fake size
Voila you have made a "free" (and a use after free) without using free
How this works:
When you ask for a chunk larger than the top chunk size glibc tries to extend the topchunk.
If there is a gap between the end of the top chunk and the beginning of the extension zone (which happens because we shrank it)
then the top chunk is now an orphan and will get sorted into the unsorted bin.
This is interesting because we can convert mallocs into a free.
Let's try this in the heap vulnerability playground.
House of Orange Concept
OK so in house of orange you only need to malloc and overflow/edit.
Make a chunk near the top chunk, overflow the size and ask for a large chunk, freeing the top chunk.
Now use the overflow to do the unsorted bin attack by overflowing the back pointer in the, now freed, top chunk.
Since we control the size field (yet again) we can control which bin in the main_arena our top chunk will get sorted into.
We can now make a fake _IO_FILE struct in that topchunk which we'll explore next week.
