Large Bin Attack

Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE) Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)

Support HackTricks

Check the subscription plans!
Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.

Basic Information

For more information about what is a large bin check this page:

Bins & Memory Allocations

It's possible to find a great example in how2heap - large bin attack.

Basically here you can see how, in the latest "current" version of glibc (2.35), it's not checked: P->bk_nextsize allowing to modify an arbitrary address with the value of a large bin chunk if certain conditions are met.

In that example you can find the following conditions:

A large chunk is allocated
A large chunk smaller than the first one but in the same index is allocated
- Must be smalled so in the bin it must go first
(A chunk to prevent merging with the top chunk is created)
Then, the first large chunk is freed and a new chunk bigger than it is allocated -> Chunk1 goes to the large bin
Then, the second large chunk is freed
Now, the vulnerability: The attacker can modify chunk1->bk_nextsize to [target-0x20]
Then, a larger chunk than chunk 2 is allocated, so chunk2 is inserted in the large bin overwriting the address chunk1->bk_nextsize->fd_nextsize with the address of chunk2

There are other potential scenarios, the thing is to add to the large bin a chunk that is smaller than a current X chunk in the bin, so it need to be inserted just before it in the bin, and we need to be able to modify X's bk_nextsize as thats where the address of the smaller chunk will be written to.

This is the relevant code from malloc. Comments have been added to understand better how the address was overwritten:

/* if smaller than smallest, bypass loop below */
assert (chunk_main_arena (bck->bk));
if ((unsigned long) (size) < (unsigned long) chunksize_nomask (bck->bk))
  {
    fwd = bck; // fwd = p1
    bck = bck->bk; // bck = p1->bk 

    victim->fd_nextsize = fwd->fd; // p2->fd_nextsize = p1->fd (Note that p1->fd is p1 as it's the only chunk)
    victim->bk_nextsize = fwd->fd->bk_nextsize; // p2->bk_nextsize = p1->fd->bk_nextsize
    fwd->fd->bk_nextsize = victim->bk_nextsize->fd_nextsize = victim; // p1->fd->bk_nextsize->fd_nextsize = p2
  }

This could be used to overwrite the global_max_fast global variable of libc to then exploit a fast bin attack with larger chunks.

You can find another great explanation of this attack in guyinatuxedo.

Other examples

La casa de papel. HackOn CTF 2024
- Large bin attack in the same situation as it appears in how2heap.
- The write primitive is more complex, because global_max_fast is useless here.
- FSOP is needed to finish the exploit.

Support HackTricks

Check the subscription plans!
Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.

PreviousUnsorted Bin Attack NextTcache Bin Attack

Last updated 4 months ago

Basic Information

For more information about what is a large bin check this page:

Bins & Memory Allocations

In that example you can find the following conditions:

A large chunk is allocated

A large chunk smaller than the first one but in the same index is allocated

Must be smalled so in the bin it must go first

(A chunk to prevent merging with the top chunk is created)

Then, the first large chunk is freed and a new chunk bigger than it is allocated -> Chunk1 goes to the large bin

Then, the second large chunk is freed

Now, the vulnerability: The attacker can modify chunk1->bk_nextsize to [target-0x20]

Then, a larger chunk than chunk 2 is allocated, so chunk2 is inserted in the large bin overwriting the address chunk1->bk_nextsize->fd_nextsize with the address of chunk2

This is the relevant code from malloc. Comments have been added to understand better how the address was overwritten:

/* if smaller than smallest, bypass loop below */
assert (chunk_main_arena (bck->bk));
if ((unsigned long) (size) < (unsigned long) chunksize_nomask (bck->bk))
  {
    fwd = bck; // fwd = p1
    bck = bck->bk; // bck = p1->bk 

    victim->fd_nextsize = fwd->fd; // p2->fd_nextsize = p1->fd (Note that p1->fd is p1 as it's the only chunk)
    victim->bk_nextsize = fwd->fd->bk_nextsize; // p2->bk_nextsize = p1->fd->bk_nextsize
    fwd->fd->bk_nextsize = victim->bk_nextsize->fd_nextsize = victim; // p1->fd->bk_nextsize->fd_nextsize = p2
  }

This could be used to overwrite the global_max_fast global variable of libc to then exploit a fast bin attack with larger chunks.

You can find another great explanation of this attack in guyinatuxedo.

Other examples

La casa de papel. HackOn CTF 2024

Large bin attack in the same situation as it appears in how2heap.
The write primitive is more complex, because global_max_fast is useless here.
FSOP is needed to finish the exploit.