Double Free

Support HackTricks

Basic Information

Ikiwa unachomoa block ya kumbukumbu zaidi ya mara moja, inaweza kuharibu data ya allocator na kufungua mlango wa mashambulizi. Hapa kuna jinsi inavyotokea: unapochomoa block ya kumbukumbu, inarudi kwenye orodha ya vipande vya bure (mfano "fast bin"). Ikiwa unachomoa block ile ile mara mbili mfululizo, allocator inagundua hili na kutupa kosa. Lakini ikiwa unachomoa kipande kingine katikati, ukaguzi wa double-free unakwepwa, na kusababisha uharibifu.

Sasa, unapofanya ombi la kumbukumbu mpya (ukitumia malloc), allocator inaweza kukupa block ambayo imeondolewa mara mbili. Hii inaweza kusababisha viashiria viwili tofauti kuashiria eneo moja la kumbukumbu. Ikiwa mshambuliaji anadhibiti mmoja wa viashiria hivyo, wanaweza kubadilisha maudhui ya kumbukumbu hiyo, ambayo inaweza kusababisha matatizo ya usalama au hata kuwapa uwezo wa kutekeleza msimbo.

Example:

#include <stdio.h>
#include <stdlib.h>

int main() {
// Allocate memory for three chunks
char *a = (char *)malloc(10);
char *b = (char *)malloc(10);
char *c = (char *)malloc(10);
char *d = (char *)malloc(10);
char *e = (char *)malloc(10);
char *f = (char *)malloc(10);
char *g = (char *)malloc(10);
char *h = (char *)malloc(10);
char *i = (char *)malloc(10);

// Print initial memory addresses
printf("Initial allocations:\n");
printf("a: %p\n", (void *)a);
printf("b: %p\n", (void *)b);
printf("c: %p\n", (void *)c);
printf("d: %p\n", (void *)d);
printf("e: %p\n", (void *)e);
printf("f: %p\n", (void *)f);
printf("g: %p\n", (void *)g);
printf("h: %p\n", (void *)h);
printf("i: %p\n", (void *)i);

// Fill tcache
free(a);
free(b);
free(c);
free(d);
free(e);
free(f);
free(g);

// Introduce double-free vulnerability in fast bin
free(h);
free(i);
free(h);


// Reallocate memory and print the addresses
char *a1 = (char *)malloc(10);
char *b1 = (char *)malloc(10);
char *c1 = (char *)malloc(10);
char *d1 = (char *)malloc(10);
char *e1 = (char *)malloc(10);
char *f1 = (char *)malloc(10);
char *g1 = (char *)malloc(10);
char *h1 = (char *)malloc(10);
char *i1 = (char *)malloc(10);
char *i2 = (char *)malloc(10);

// Print initial memory addresses
printf("After reallocations:\n");
printf("a1: %p\n", (void *)a1);
printf("b1: %p\n", (void *)b1);
printf("c1: %p\n", (void *)c1);
printf("d1: %p\n", (void *)d1);
printf("e1: %p\n", (void *)e1);
printf("f1: %p\n", (void *)f1);
printf("g1: %p\n", (void *)g1);
printf("h1: %p\n", (void *)h1);
printf("i1: %p\n", (void *)i1);
printf("i2: %p\n", (void *)i2);

return 0;
}

Katika mfano huu, baada ya kujaza tcache na vipande vingi vilivyofutwa (7), msimbo unafuta kipande h, kisha kipande i, na kisha h tena, na kusababisha double free (pia inajulikana kama Fast Bin dup). Hii inafungua uwezekano wa kupokea anwani za kumbukumbu zinazoviana wakati wa reallocating, ikimaanisha viashiria viwili au zaidi vinaweza kuelekeza kwenye eneo moja la kumbukumbu. Kupanua data kupitia kiashiria kimoja kunaweza kuathiri kingine, na kuunda hatari kubwa ya usalama na uwezekano wa unyakuzi.

Ukitekeleza, angalia jinsi i1 na i2 zilipata anwani sawa:

Initial allocations:
a: 0xaaab0f0c22a0
b: 0xaaab0f0c22c0
c: 0xaaab0f0c22e0
d: 0xaaab0f0c2300
e: 0xaaab0f0c2320
f: 0xaaab0f0c2340
g: 0xaaab0f0c2360
h: 0xaaab0f0c2380
i: 0xaaab0f0c23a0
After reallocations:
a1: 0xaaab0f0c2360
b1: 0xaaab0f0c2340
c1: 0xaaab0f0c2320
d1: 0xaaab0f0c2300
e1: 0xaaab0f0c22e0
f1: 0xaaab0f0c22c0
g1: 0xaaab0f0c22a0
h1: 0xaaab0f0c2380
i1: 0xaaab0f0c23a0
i2: 0xaaab0f0c23a0

Mifano

  • Tunaweza tu kugawa vipande vya Fast-Bin isipokuwa kwa saizi 0x70, ambayo inazuia kawaida __malloc_hook kuandikwa upya.

  • Badala yake, tunatumia anwani za PIE zinazohakikisha kuanzia na 0x56 kama lengo la Fast Bin dup (1/2 nafasi).

  • Mahali moja ambapo anwani za PIE zinahifadhiwa ni katika main_arena, ambayo iko ndani ya Glibc na karibu na __malloc_hook

  • Tunalenga offset maalum ya main_arena ili kugawa kipande huko na kuendelea kugawa vipande hadi kufikia __malloc_hook ili kupata utekelezaji wa msimbo.

  • Kwa kutumia Tcache bins na overflow ya null-byte, tunaweza kufikia hali ya double-free:

  • Tunagawa vipande vitatu vya saizi 0x110 (A, B, C)

  • Tunafuta B

  • Tunafuta A na kugawa tena ili kutumia overflow ya null-byte

  • Sasa uwanja wa saizi wa B ni 0x100, badala ya 0x111, hivyo tunaweza kuifuta tena

  • Tuna Tcache-bin moja ya saizi 0x110 na moja ya saizi 0x100 zinazoelekeza kwenye anwani sawa. Hivyo tuna double free.

  • Tunatumia double free kwa kutumia Tcache poisoning

Marejeleo

Support HackTricks

Last updated