/how2heap

A repository for learning various heap exploitation techniques.

Primary LanguageC

汉化了shellphish的how2heap项目 最下方是原文

先已汉化:first-fit,fastbin dup,fastbin dup consolidate,fastbin dup into stack

堆利用教程

这个项目用于学习各种堆利用技术 我们在一次hack会议上提出了这个想法,如下是我们已经写了demo的利用技术:

文件 技术 Glibc版本 对应的ctf题目
first_fit.c 演示了glibc的first fit原则.
calc_tcache_idx.c 演示如何计算tcache索引的方法.
fastbin_dup.c 通过控制fast bin free list 来欺骗malloc,从而获得一个已经分配过的堆指针
fastbin_dup_into_stack.c 通过构造fast bin free list来欺骗malloc,从而获得一个指向任意地址的堆指针 latest 9447-search-engine, 0ctf 2017-babyheap
fastbin_dup_consolidate.c 通过把一个指针既放到fastbin freelist中又放到unsorted bin中来欺骗malloc,从而获得一个已经分配了的堆指针 latest Hitcon 2016 SleepyHolder
unsafe_unlink.c 利用free在一个corrupted chunk上获得任意写的能力. < 2.26 HITCON CTF 2014-stkof, Insomni'hack 2017-Wheel of Robots
house_of_spirit.c 通过释放一个伪造的fastbin来获得一个指向任意地址的指针. latest hack.lu CTF 2014-OREO
poison_null_byte.c 利用单个空字节溢出 < 2.26 PlaidCTF 2015-plaiddb
house_of_lore.c 通过伪造smallbin freelist来欺骗malloc,从而获得一个指向任意地址的指针 < 2.26
overlapping_chunks.c 通过溢出修改一个free 掉的 unsorted bin的size来使得新分配的chunk与已经存在的chunk产生重叠 < 2.26 hack.lu CTF 2015-bookstore, Nuit du Hack 2016-night-deamonic-heap
overlapping_chunks_2.c 利用溢出漏洞修改一个正在使用的chunk的size来使得我们新分配的chunk和已经存在的chunk产生重叠 latest
house_of_force.c 利用top chunk的hearder来让malloc返回一个几乎指向任意地址的内存 < 2.29 Boston Key Party 2016-cookbook, BCTF 2016-bcloud
unsorted_bin_into_stack.c 利用溢出漏洞修改一个在unsorted bin freelist的被free掉的chunk来获得一个指向几乎任意地址的指针 < 2.26
unsorted_bin_attack.c 利用溢出一个在unsorted bin freelist的被free掉的chunk来将一个超大的值写到任意地址 < 2.28 0ctf 2016-zerostorage
large_bin_attack.c 利用溢出一个在large bin freelist上的被Free掉的chunk来向任意地址写一个超大的值 < 2.26 0ctf 2018-heapstorm2
house_of_einherjar.c 利用一个空字节溢出来欺骗malloc,从而获得一个被我们控制的指针 < 2.26 Seccon 2016-tinypad
house_of_orange.c 利用top chunk来获得任意代码执行的方法 < 2.26 Hitcon 2016 houseoforange
tcache_dup.c 通过控制tcache freelist来欺骗malloc,从而获得一个已经分配的堆指针 2.26 - 2.28
tcache_poisoning.c 通过控制tcache freelist来欺骗malloc从而获得一个机会指向任意地址的指针 > 2.25
tcache_house_of_spirit.c free一个Fake chunk来让malloc返回一个指向几乎任意地址的指针 > 2.25

GnuLibc正在不断的开发中,上面的一些利用方法已经让malloc和free的代码逻辑中引入了一致性检测 因此,这些常规检测让我们不能使用一些利用方法或者在有可能的情况下需要我们做一些调整来bypss这些检测 我们通过为每个需要调整的Glibc版本保留相同技术的多个版本来解决此问题。

结构如下: glibc_<version>/technique.c.

有一个很好的例子吗? 添加到这里! 尝试将整个技术内联到单个.c中-这样学习起来容易得多。

堆利用工具

有一些堆利用的工具

shadow

jemalloc 开发框架: https://github.com/CENSUS/shadow

libheap

在gdb中查看glibc heap: https://github.com/cloudburst/libheap

heap-viewer

在IDA PRO中查看glibc heap: https://github.com/danigargu/heap-viewer

heapinspect

一个基于python的可视化heap playground: https://github.com/matrix1001/heapinspect

Malloc Playground

给定的malloc_playground.c文件是程序源代码,该程序提示用户一些分配和释放内存的命令。

Other resources

一些好的堆利用的学习资源, 大致按其发布顺序如下:

Hardening

glibc中嵌入了一些“hardening”措施, 像 export MALLOC_CHECK_=1 (启用了一些检查), export MALLOC_PERTURB_=1 (数据被覆盖), export MALLOC_MMAP_THRESHOLD_=1 (始终使用mmap()), ...

更多的信息: mcheck(), mallopt().

There's also some tracing support as mtrace(), malloc_stats(), malloc_info(), memusage, and in other functions in this family.

Educational Heap Exploitation

This repo is for learning various heap exploitation techniques. We came up with the idea during a hack meeting, and have implemented the following techniques:

File Technique Glibc-Version Applicable CTF Challenges
first_fit.c Demonstrating glibc malloc's first-fit behavior.
calc_tcache_idx.c Demonstrating glibc's tcache index calculation.
fastbin_dup.c Tricking malloc into returning an already-allocated heap pointer by abusing the fastbin freelist.
fastbin_dup_into_stack.c Tricking malloc into returning a nearly-arbitrary pointer by abusing the fastbin freelist. latest 9447-search-engine, 0ctf 2017-babyheap
fastbin_dup_consolidate.c Tricking malloc into returning an already-allocated heap pointer by putting a pointer on both fastbin freelist and unsorted bin freelist. latest Hitcon 2016 SleepyHolder
unsafe_unlink.c Exploiting free on a corrupted chunk to get arbitrary write. < 2.26 HITCON CTF 2014-stkof, Insomni'hack 2017-Wheel of Robots
house_of_spirit.c Frees a fake fastbin chunk to get malloc to return a nearly-arbitrary pointer. latest hack.lu CTF 2014-OREO
poison_null_byte.c Exploiting a single null byte overflow. < 2.26 PlaidCTF 2015-plaiddb
house_of_lore.c Tricking malloc into returning a nearly-arbitrary pointer by abusing the smallbin freelist. < 2.26
overlapping_chunks.c Exploit the overwrite of a freed chunk size in the unsorted bin in order to make a new allocation overlap with an existing chunk < 2.26 hack.lu CTF 2015-bookstore, Nuit du Hack 2016-night-deamonic-heap
overlapping_chunks_2.c Exploit the overwrite of an in use chunk size in order to make a new allocation overlap with an existing chunk latest
house_of_force.c Exploiting the Top Chunk (Wilderness) header in order to get malloc to return a nearly-arbitrary pointer < 2.29 Boston Key Party 2016-cookbook, BCTF 2016-bcloud
unsorted_bin_into_stack.c Exploiting the overwrite of a freed chunk on unsorted bin freelist to return a nearly-arbitrary pointer. < 2.26
unsorted_bin_attack.c Exploiting the overwrite of a freed chunk on unsorted bin freelist to write a large value into arbitrary address < 2.28 0ctf 2016-zerostorage
large_bin_attack.c Exploiting the overwrite of a freed chunk on large bin freelist to write a large value into arbitrary address < 2.26 0ctf 2018-heapstorm2
house_of_einherjar.c Exploiting a single null byte overflow to trick malloc into returning a controlled pointer < 2.26 Seccon 2016-tinypad
house_of_orange.c Exploiting the Top Chunk (Wilderness) in order to gain arbitrary code execution < 2.26 Hitcon 2016 houseoforange
tcache_dup.c Tricking malloc into returning an already-allocated heap pointer by abusing the tcache freelist. 2.26 - 2.28
tcache_poisoning.c Tricking malloc into returning a completely arbitrary pointer by abusing the tcache freelist. > 2.25
tcache_house_of_spirit.c Frees a fake chunk to get malloc to return a nearly-arbitrary pointer. > 2.25

The GnuLibc is under constant development and several of the techniques above have let to consistency checks introduced in the malloc/free logic. Consequently, these checks regularly break some of the techniques and require adjustments to bypass them (if possible). We address this issue by keeping multiple versions of the same technique for each Glibc-release that required an adjustment. The structure is glibc_<version>/technique.c.

Have a good example? Add it here! Try to inline the whole technique in a single .c -- it's a lot easier to learn that way.

Heap Exploitation Tools

There are some heap exploitation tools floating around.

shadow

jemalloc exploitation framework: https://github.com/CENSUS/shadow

libheap

Examine the glibc heap in gdb: https://github.com/cloudburst/libheap

heap-viewer

Examine the glibc heap in IDA Pro: https://github.com/danigargu/heap-viewer

heapinspect

A Python based heap playground with good visualization for educational purposes: https://github.com/matrix1001/heapinspect

Malloc Playground

The malloc_playground.c file given is the source for a program that prompts the user for commands to allocate and free memory interactively.

Other resources

Some good heap exploitation resources, roughly in order of their publication, are:

Hardening

There are a couple of "hardening" measures embedded in glibc, like export MALLOC_CHECK_=1 (enables some checks), export MALLOC_PERTURB_=1 (data is overwritten), export MALLOC_MMAP_THRESHOLD_=1 (always use mmap()), ...

More info: mcheck(), mallopt().

There's also some tracing support as mtrace(), malloc_stats(), malloc_info(), memusage, and in other functions in this family.