Double Free

Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE) Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)

Support HackTricks

Check the subscription plans!
Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.

Basic Information

Ikiwa unachomoa block ya kumbukumbu zaidi ya mara moja, inaweza kuharibu data ya allocator na kufungua mlango wa mashambulizi. Hapa kuna jinsi inavyotokea: unapochomoa block ya kumbukumbu, inarudi kwenye orodha ya vipande vya bure (mfano "fast bin"). Ikiwa unachomoa block ile ile mara mbili mfululizo, allocator inagundua hili na kutupa kosa. Lakini ikiwa unachomoa kipande kingine katikati, ukaguzi wa double-free unakwepwa, na kusababisha uharibifu.

Sasa, unapofanya ombi la kumbukumbu mpya (ukitumia malloc), allocator inaweza kukupa block ambayo imeshachomolewa mara mbili. Hii inaweza kusababisha viashiria viwili tofauti kuashiria eneo moja la kumbukumbu. Ikiwa mshambuliaji anadhibiti mmoja wa viashiria hivyo, wanaweza kubadilisha maudhui ya kumbukumbu hiyo, ambayo inaweza kusababisha matatizo ya usalama au hata kuwapa uwezo wa kutekeleza msimbo.

Example:

#include <stdio.h>
#include <stdlib.h>

int main() {
// Allocate memory for three chunks
char *a = (char *)malloc(10);
char *b = (char *)malloc(10);
char *c = (char *)malloc(10);
char *d = (char *)malloc(10);
char *e = (char *)malloc(10);
char *f = (char *)malloc(10);
char *g = (char *)malloc(10);
char *h = (char *)malloc(10);
char *i = (char *)malloc(10);

// Print initial memory addresses
printf("Initial allocations:\n");
printf("a: %p\n", (void *)a);
printf("b: %p\n", (void *)b);
printf("c: %p\n", (void *)c);
printf("d: %p\n", (void *)d);
printf("e: %p\n", (void *)e);
printf("f: %p\n", (void *)f);
printf("g: %p\n", (void *)g);
printf("h: %p\n", (void *)h);
printf("i: %p\n", (void *)i);

// Fill tcache
free(a);
free(b);
free(c);
free(d);
free(e);
free(f);
free(g);

// Introduce double-free vulnerability in fast bin
free(h);
free(i);
free(h);


// Reallocate memory and print the addresses
char *a1 = (char *)malloc(10);
char *b1 = (char *)malloc(10);
char *c1 = (char *)malloc(10);
char *d1 = (char *)malloc(10);
char *e1 = (char *)malloc(10);
char *f1 = (char *)malloc(10);
char *g1 = (char *)malloc(10);
char *h1 = (char *)malloc(10);
char *i1 = (char *)malloc(10);
char *i2 = (char *)malloc(10);

// Print initial memory addresses
printf("After reallocations:\n");
printf("a1: %p\n", (void *)a1);
printf("b1: %p\n", (void *)b1);
printf("c1: %p\n", (void *)c1);
printf("d1: %p\n", (void *)d1);
printf("e1: %p\n", (void *)e1);
printf("f1: %p\n", (void *)f1);
printf("g1: %p\n", (void *)g1);
printf("h1: %p\n", (void *)h1);
printf("i1: %p\n", (void *)i1);
printf("i2: %p\n", (void *)i2);

return 0;
}

Katika mfano huu, baada ya kujaza tcache na vipande kadhaa vilivyofutwa (7), msimbo unafuta kipande h, kisha kipande i, na kisha h tena, na kusababisha double free (pia inajulikana kama Fast Bin dup). Hii inafungua uwezekano wa kupokea anwani za kumbukumbu zinazovuka wakati wa reallocating, ikimaanisha viashiria viwili au zaidi vinaweza kuelekeza kwenye eneo moja la kumbukumbu. Kupanua data kupitia kiashiria kimoja kunaweza kuathiri kingine, na kuunda hatari kubwa ya usalama na uwezekano wa unyakuzi.

Ukitekeleza, angalia jinsi i1 na i2 zilipata anwani sawa:

Initial allocations:
a: 0xaaab0f0c22a0
b: 0xaaab0f0c22c0
c: 0xaaab0f0c22e0
d: 0xaaab0f0c2300
e: 0xaaab0f0c2320
f: 0xaaab0f0c2340
g: 0xaaab0f0c2360
h: 0xaaab0f0c2380
i: 0xaaab0f0c23a0
After reallocations:
a1: 0xaaab0f0c2360
b1: 0xaaab0f0c2340
c1: 0xaaab0f0c2320
d1: 0xaaab0f0c2300
e1: 0xaaab0f0c22e0
f1: 0xaaab0f0c22c0
g1: 0xaaab0f0c22a0
h1: 0xaaab0f0c2380
i1: 0xaaab0f0c23a0
i2: 0xaaab0f0c23a0

Mifano

Dragon Army. Hack The Box
Tunaweza tu kugawa vipande vya ukubwa wa Fast-Bin isipokuwa kwa ukubwa 0x70, ambayo inazuia kawaida __malloc_hook kuandikwa tena.
Badala yake, tunatumia anwani za PIE ambazo huanza na 0x56 kama lengo la Fast Bin dup (1/2 nafasi).
Mahali moja ambapo anwani za PIE zinahifadhiwa ni katika main_arena, ambayo iko ndani ya Glibc na karibu na __malloc_hook
Tunalenga offset maalum ya main_arena ili kugawa kipande huko na kuendelea kugawa vipande hadi kufikia __malloc_hook ili kupata utekelezaji wa msimbo.
zero_to_hero. PicoCTF
Kwa kutumia Tcache bins na overflow ya null-byte, tunaweza kufikia hali ya double-free:
Tunagawa vipande vitatu vya ukubwa 0x110 (A, B, C)
Tunafuta B
Tunafuta A na kugawa tena ili kutumia overflow ya null-byte
Sasa uwanja wa ukubwa wa B ni 0x100, badala ya 0x111, hivyo tunaweza kuifuta tena
Tuna Tcache-bin moja ya ukubwa 0x110 na moja ya ukubwa 0x100 ambazo zinaelekeza kwenye anwani sawa. Hivyo tuna double free.
Tunatumia double free kwa kutumia Tcache poisoning

Marejeleo

https://heap-exploitation.dhavalkapil.com/attacks/double_free

Support HackTricks

Angalia mpango wa usajili!
Jiunge na 💬 kikundi cha Discord au kikundi cha telegram au fuata sisi kwenye Twitter 🐦 @hacktricks_live.
Shiriki mbinu za unyakuzi kwa kuwasilisha PRs kwa HackTricks na HackTricks Cloud github repos.

PreviousFirst Fit NextOverwriting a freed chunk

Last updated 4 days ago

Basic Information

Example:

#include <stdio.h>
#include <stdlib.h>

int main() {
// Allocate memory for three chunks
char *a = (char *)malloc(10);
char *b = (char *)malloc(10);
char *c = (char *)malloc(10);
char *d = (char *)malloc(10);
char *e = (char *)malloc(10);
char *f = (char *)malloc(10);
char *g = (char *)malloc(10);
char *h = (char *)malloc(10);
char *i = (char *)malloc(10);

// Print initial memory addresses
printf("Initial allocations:\n");
printf("a: %p\n", (void *)a);
printf("b: %p\n", (void *)b);
printf("c: %p\n", (void *)c);
printf("d: %p\n", (void *)d);
printf("e: %p\n", (void *)e);
printf("f: %p\n", (void *)f);
printf("g: %p\n", (void *)g);
printf("h: %p\n", (void *)h);
printf("i: %p\n", (void *)i);

// Fill tcache
free(a);
free(b);
free(c);
free(d);
free(e);
free(f);
free(g);

// Introduce double-free vulnerability in fast bin
free(h);
free(i);
free(h);


// Reallocate memory and print the addresses
char *a1 = (char *)malloc(10);
char *b1 = (char *)malloc(10);
char *c1 = (char *)malloc(10);
char *d1 = (char *)malloc(10);
char *e1 = (char *)malloc(10);
char *f1 = (char *)malloc(10);
char *g1 = (char *)malloc(10);
char *h1 = (char *)malloc(10);
char *i1 = (char *)malloc(10);
char *i2 = (char *)malloc(10);

// Print initial memory addresses
printf("After reallocations:\n");
printf("a1: %p\n", (void *)a1);
printf("b1: %p\n", (void *)b1);
printf("c1: %p\n", (void *)c1);
printf("d1: %p\n", (void *)d1);
printf("e1: %p\n", (void *)e1);
printf("f1: %p\n", (void *)f1);
printf("g1: %p\n", (void *)g1);
printf("h1: %p\n", (void *)h1);
printf("i1: %p\n", (void *)i1);
printf("i2: %p\n", (void *)i2);

return 0;
}

Ukitekeleza, angalia jinsi i1 na i2 zilipata anwani sawa:

Initial allocations:
a: 0xaaab0f0c22a0
b: 0xaaab0f0c22c0
c: 0xaaab0f0c22e0
d: 0xaaab0f0c2300
e: 0xaaab0f0c2320
f: 0xaaab0f0c2340
g: 0xaaab0f0c2360
h: 0xaaab0f0c2380
i: 0xaaab0f0c23a0
After reallocations:
a1: 0xaaab0f0c2360
b1: 0xaaab0f0c2340
c1: 0xaaab0f0c2320
d1: 0xaaab0f0c2300
e1: 0xaaab0f0c22e0
f1: 0xaaab0f0c22c0
g1: 0xaaab0f0c22a0
h1: 0xaaab0f0c2380
i1: 0xaaab0f0c23a0
i2: 0xaaab0f0c23a0

Mifano

Dragon Army. Hack The Box

Tunaweza tu kugawa vipande vya ukubwa wa Fast-Bin isipokuwa kwa ukubwa 0x70, ambayo inazuia kawaida __malloc_hook kuandikwa tena.

Badala yake, tunatumia anwani za PIE ambazo huanza na 0x56 kama lengo la Fast Bin dup (1/2 nafasi).

Mahali moja ambapo anwani za PIE zinahifadhiwa ni katika main_arena, ambayo iko ndani ya Glibc na karibu na __malloc_hook

Tunalenga offset maalum ya main_arena ili kugawa kipande huko na kuendelea kugawa vipande hadi kufikia __malloc_hook ili kupata utekelezaji wa msimbo.

zero_to_hero. PicoCTF

Kwa kutumia Tcache bins na overflow ya null-byte, tunaweza kufikia hali ya double-free:

Tunagawa vipande vitatu vya ukubwa 0x110 (A, B, C)

Tunafuta B

Tunafuta A na kugawa tena ili kutumia overflow ya null-byte

Sasa uwanja wa ukubwa wa B ni 0x100, badala ya 0x111, hivyo tunaweza kuifuta tena

Tuna Tcache-bin moja ya ukubwa 0x110 na moja ya ukubwa 0x100 ambazo zinaelekeza kwenye anwani sawa. Hivyo tuna double free.

Tunatumia double free kwa kutumia Tcache poisoning