shellphish / how2heap

A repository for learning various heap exploitation techniques.
MIT License

Add techniques found by ArcHeap #102

Open insuyun opened 5 years ago

insuyun commented 5 years ago

Hi, all.

I would like to introduce my recent work, ArcHeap: https://arxiv.org/pdf/1903.00503.pdf, and also the techniques found by it.

I already reported unsorted_bin_into_stack, and this repo contains other techniques (all tested in libc 2.23 from Ubuntu 16.04, but I think it will work until 2.25 before tcache).

We determine the uniqueness of the techniques in two aspects: a root cause and a capability.

| New | Old | Root causes | New capability |
| --- | --- | --- | --- |
| House of unsorted bin | House of Einherjar | Unsorted vs. Free | Does not require a heap address |
| Unaligned Double Free | Fast bin dup | Small vs. Fast | Can abuse a small bin |
| Overlapping chunk with small bin | Overlapping chunk | Small vs. Unsorted | Does not need a controllable size allocation |
| Fast bin into other bin | Fast bin dup into stack | Consolidation vs. Fast | Can allocate a non-fast chunk |

Let me know if you have a technique to add to this repo. Then I will make a pull request. Thank you.

k4lizen commented 4 days ago

I think the house of unsorted einherjar doesn't work conceptually anymore because of this check: https://elixir.bootlin.com/glibc/glibc-2.40.9000/source/malloc/malloc.c#L4694

```c
  /* Consolidate backward.  */
  if (!prev_inuse(p))
    {
      INTERNAL_SIZE_T prevsize = prev_size (p);
      size += prevsize;
      p = chunk_at_offset(p, -((long) prevsize));
      if (__glibc_unlikely (chunksize(p) != prevsize)) // <- kills it
        malloc_printerr ("corrupted size vs. prev_size while consolidating");
      unlink_chunk (av, p);
    }
```

regardless of the tcache. From what I can see, the check was added in commit d6db68e66dff25d12c3bc5641b60cbd7fb6ab44f, so glibc version 2.28 ~ 2.29.
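To make the effect of that check concrete, here is an added stand-alone model of the backward-consolidation step (example code written for this thread; it is not from how2heap, glibc, or either commenter). The `chunk_hdr` struct, the `consolidate_backward` function, the result enum and the fake `heap` buffer with its 0x40-byte chunk layout are all constructed for the example; the macro names follow the glibc snippet quoted above, but the implementation is a simplified model, not glibc's `_int_free`. It shows that when `prev_size` disagrees with the size recorded in the header it points back to, the merge is refused exactly where glibc would print "corrupted size vs. prev_size while consolidating".

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PREV_INUSE 0x1u
#define SIZE_BITS  0x7u

/* Minimal model of a glibc chunk header (constructed for this example,
 * not the real malloc_chunk). Only the two leading size fields matter here. */
typedef struct {
    size_t prev_size;   /* size of the previous chunk, meaningful only when it is free */
    size_t size;        /* this chunk's size; bit 0 is PREV_INUSE */
} chunk_hdr;

#define chunksize(p)            ((p)->size & ~(size_t)SIZE_BITS)
#define prev_inuse(p)           ((p)->size & PREV_INUSE)
#define chunk_at_offset(p, off) ((chunk_hdr *)((char *)(p) + (off)))

enum consolidate_result {
    CONSOLIDATED,          /* previous chunk merged into p */
    PREV_IN_USE,           /* nothing to do: previous chunk is allocated */
    CORRUPTED_PREV_SIZE    /* where the quoted glibc code calls malloc_printerr */
};

/* Model of the "consolidate backward" step quoted above. On success
 * *merged points at the start of the merged chunk and *merged_size holds
 * its size; on CORRUPTED_PREV_SIZE neither is written. */
enum consolidate_result consolidate_backward(chunk_hdr *p, chunk_hdr **merged,
                                             size_t *merged_size)
{
    size_t size = chunksize(p);
    if (prev_inuse(p))
        return PREV_IN_USE;

    size_t prevsize = p->prev_size;
    chunk_hdr *prev = chunk_at_offset(p, -((long) prevsize));
    /* The check k4lizen points at: the chunk that prev_size claims to
     * precede p must record exactly that size in its own header. */
    if (chunksize(prev) != prevsize)
        return CORRUPTED_PREV_SIZE;

    *merged = prev;
    *merged_size = size + prevsize;
    return CONSOLIDATED;
}

/* Constructed fake heap: a free 0x40 chunk at +0xc0 followed by the chunk
 * being freed at +0x100. Everything else is zero-filled. */
static unsigned char heap[0x200] __attribute__((aligned(16)));

static chunk_hdr *build_layout(size_t claimed_prev_size)
{
    memset(heap, 0, sizeof heap);
    chunk_hdr *prev = (chunk_hdr *)(heap + 0xc0);
    prev->size = 0x40 | PREV_INUSE;      /* genuine free chunk of size 0x40 */
    chunk_hdr *p = (chunk_hdr *)(heap + 0x100);
    p->size = 0x40;                      /* PREV_INUSE clear: previous chunk is free */
    p->prev_size = claimed_prev_size;    /* honest value is 0x40 */
    return p;
}

/* Honest prev_size: consolidation succeeds and yields a 0x80 chunk. */
size_t demo_consistent(void)
{
    chunk_hdr *merged = NULL;
    size_t merged_size = 0;
    chunk_hdr *p = build_layout(0x40);
    if (consolidate_backward(p, &merged, &merged_size) != CONSOLIDATED)
        return 0;
    return merged_size;   /* 0x80 */
}

/* prev_size overwritten to 0x60: the header 0x60 bytes back reads size 0,
 * so the size-vs-prev_size check fires instead of merging. Returns 1 when rejected. */
int demo_forged_rejected(void)
{
    chunk_hdr *merged = NULL;
    size_t merged_size = 0;
    chunk_hdr *p = build_layout(0x60);
    return consolidate_backward(p, &merged, &merged_size) == CORRUPTED_PREV_SIZE;
}

int main(void)
{
    printf("consistent layout merges to 0x%zx\n", demo_consistent());
    printf("forged prev_size rejected: %d\n", demo_forged_rejected());
    return 0;
}
```

The model deliberately returns a result code instead of aborting so the two cases can be compared side by side; the point is that the consolidation target is now validated against its own header, which is why a technique that relies on a forged `prev_size` pointing at memory that does not carry a matching size field no longer gets past this step.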