glibc堆利用全指南<\/h1>

1. 堆分配基础<\/h2>

1.1 malloc函数工作原理<\/h3>

fastbin分配<\/strong>:<\/p>

大小范围: 0x20-0x80<\/li>
LIFO(后进先出)策略<\/li>
流程:

根据size计算idx<\/li>
如果fastbin[idx]不为空则取first chunk<\/li>
如果为空则进入unsorted bins大循环<\/li> <\/ul> <\/li> <\/ul> <\/li>

smallbin分配<\/strong>:<\/p>

大小范围: ≤0x3f0<\/li>
FIFO(先进先出)策略<\/li>
流程:

根据size计算idx<\/li>
如果smallbin[idx]不为空则取last chunk<\/li>
如果为空且已初始化则进入unsorted bins大循环<\/li>
如果未初始化则调用malloc_consolidate后再进入unsorted bins大循环<\/li> <\/ul> <\/li> <\/ul> <\/li>

largebin分配<\/strong>:<\/p>

大小范围: ≥0x400<\/li>
如果既不在fastbin也不在smallbin范围内:

无fastchunks则直接进入unsorted bins大循环<\/li>
有fastchunks则调用malloc_consolidate后再进入unsorted bins大循环<\/li> <\/ul> <\/li> <\/ul> <\/li> <\/ol>
1.2 malloc_consolidate函数<\/h3>

功能:<\/p>

合并fastbin中的chunk并放入unsorted bin<\/li>
与top chunk合并的chunk除外<\/li> <\/ul> <\/li>

流程:<\/p>

遍历fastbinY数组(每个元素是单向链表头部)<\/li>
检查prev inuse:

为0则unlink prev chunk<\/li>
为1则检查next chunk<\/li> <\/ul> <\/li>
检查next chunk:

如果是top chunk则与之合并<\/li>
否则检查next inuse:

为0则unlink next chunk<\/li>
为1则不做操作<\/li> <\/ul> <\/li> <\/ul> <\/li>
将合并后的chunk插入unsorted bins<\/li>
循环直到fastbinY为空<\/li> <\/ul> <\/li> <\/ol>
1.3 unsorted bins大循环<\/h3>

遍历unsorted bin寻找满足条件的chunk:<\/p>

大小刚好合适则返回<\/li>
在small bin范围内则放入small bin<\/li>
large bin为空则放入large bin<\/li>
其他情况从large bin尾部寻找合适位置<\/li> <\/ul> <\/li>

切割机制:<\/p>

如果没有合适大小的free chunk<\/li>
检查是否有大的free chunk可以切割(除fastbins外)<\/li>
切割后的剩余部分成为last remainder并放入unsortedbin<\/li> <\/ul> <\/li> <\/ol>
1.4 free函数<\/h3>

释放流程:<\/p>

检查能否放入fastbin<\/li>
检查能否进行后向合并与unlink prev chunk<\/li>
检查能否和top chunk合并<\/li>
检查能否进行前向合并与unlink next chunk<\/li>
放入unsorted bin头部<\/li>
进行一系列安全检查<\/li> <\/ul> <\/li>

安全检查:<\/p>

检查chunk大小是否小于max fast<\/li>
防止fastbin double free<\/li>
检查chunk是否是mmaped<\/li>
检查当前chunk是否是inuse状态<\/li> <\/ul> <\/li> <\/ol>
2. 关键概念<\/h2>
2.1 基本概念<\/h3>

bins链表<\/strong>:<\/p>

使用头插法<\/li>
fd和bk只在bins中存在<\/li>
指向chunk头部而非mem区域<\/li> <\/ul> <\/li>

chunk关系<\/strong>:<\/p>

prev chunk: 地址较低的chunk<\/li>
next chunk: 地址较高的chunk<\/li> <\/ul> <\/li>

tcache<\/strong>:<\/p>

大小范围: 0x20-0x410<\/li>
高版本glibc中，tcache bin满后再free相同大小的chunk会尝试unlink<\/li> <\/ul> <\/li> <\/ol>
2.2 unlink操作<\/h3>

目的:<\/p>

从双向链表中取出空闲块(如free时合并相邻free chunk)<\/li> <\/ul> <\/li>

检查缺陷:<\/p>

fd\/bk指针通过与chunk头部的相对地址查找<\/li>
可用于绕过安全检查<\/li> <\/ul> <\/li>

特殊情况:<\/p>

chunk大小<0x80时直接进入tcache，不参与unlink<\/li>
unlink后的overlapping chunk都会进入unsorted bin<\/li> <\/ul> <\/li> <\/ol>
2.3 常见漏洞<\/h3>

UAF(Use After Free)<\/strong>:<\/p>

条件: free后未置NULL，紧接着申请相同大小内存<\/li>
利用: 操作系统会重新分配刚free的内存<\/li> <\/ul> <\/li>

chunk extend\/overlapping<\/strong>:<\/p>

条件: 可控制chunk header数据(常结合off-by-one使用)<\/li>
方法: 修改size字段后free，导致next chunk被overlapping<\/li>
作用: 控制chunk内容而非执行流程<\/li> <\/ul> <\/li>

off-by-one\/off-by-null<\/strong>:<\/p>

允许修改相邻chunk的size字段<\/li>
常用于构造chunk overlapping<\/li> <\/ul> <\/li> <\/ol>
3. 利用技巧<\/h2>
3.1 信息泄露<\/h3>

泄露heap base<\/strong>:<\/p>

通常为修改tcache_perthread_struct<\/li>
方法: 让tcache结构变成1->0，通过show函数泄露<\/li> <\/ul> <\/li>

泄露libc base<\/strong>:<\/p>

通过unsortedbin特性泄露<\/li>
方法:

获取unsortedbin chunk<\/li>
show出main_arena附近地址<\/li>
计算偏移得到libc base<\/li> <\/ul> <\/li>
替代方法:

利用largebin同时泄露libc和heap<\/li>
打__IO_2_1_stdout泄露<\/li>
利用fd\/bk写入特性<\/li> <\/ul> <\/li> <\/ul> <\/li> <\/ol>
3.2 常见攻击目标<\/h3>

__free_hook<\/strong>:<\/p>

通过tcache poison修改<\/li>
常用gadget: system或one_gadget<\/li> <\/ul> <\/li>

tcache_perthread_struct<\/strong>:<\/p>

修改counts数组可控制tcache分配<\/li>
libc2.30以下: counts类型为char<\/li>
libc2.30及以上: counts类型为uint16_t<\/li> <\/ul> <\/li>

mp_结构体<\/strong>:<\/p>

通过large bin attack修改mp_.tcache_bins<\/li>
使large bin chunk进入tcache<\/li> <\/ul> <\/li>

stdout\/IO_2_1_stdout<\/em><\/strong>:<\/p>

用于泄露信息或FSOP<\/li>
可泄露出_environ获取栈地址<\/li> <\/ul> <\/li> <\/ol>
3.3 特殊技巧<\/h3>

scanf触发malloc_consolidate<\/strong>:<\/p>

输入长字符串会调用malloc分配内存<\/li>
可用于合并fastchunks到unsorted bin<\/li> <\/ul> <\/li>

calloc绕过tcache<\/strong>:<\/p>

calloc不从tcache分配<\/li>
可用于绕过tcache相关保护<\/li> <\/ul> <\/li>

environ变量利用<\/strong>:<\/p>

储存系统环境变量地址<\/li>
通过libc找到environ地址后可泄露栈地址<\/li> <\/ul> <\/li>

magic gadget<\/strong>:<\/p>

如setcontext+53等<\/li>
用于控制执行流<\/li> <\/ul> <\/li> <\/ol>
4. 保护机制与绕过<\/h2>
4.1 glibc版本差异<\/h3>

glibc-2.32<\/strong>:<\/p>

tcache\/fastbin堆指针异或加密<\/li>
堆内存对齐检查<\/li> <\/ul> <\/li>

glibc-2.33<\/strong>:<\/p>

tcachebin链数量检查<\/li> <\/ul> <\/li>

glibc-2.34<\/strong>:<\/p>

移除__malloc_hook和__free_hook<\/li>
引入tcache_key检查<\/li> <\/ul> <\/li>

glibc-2.36<\/strong>:<\/p>

移除IO处理函数<\/li> <\/ul> <\/li>

glibc-2.37<\/strong>:<\/p>

移除__malloc_assert函数<\/li>
global_max_fast类型改为uint8_t<\/li> <\/ul> <\/li> <\/ol>
4.2 绕过技巧<\/h3>

异或加密绕过<\/strong>:<\/p>

泄露heap base计算加密key<\/li>
libc2.31: tcache-key为heapbase+0x10<\/li> <\/ul> <\/li>

检查绕过<\/strong>:<\/p>

libc2.31不对tcache 0x10对齐检查<\/li>
利用large bin attack修改检查条件<\/li> <\/ul> <\/li>

hook移除后的利用<\/strong>:<\/p>

转向FSOP或IO_FILE攻击<\/li>
使用house of apple\/cat等新技术<\/li> <\/ul> <\/li> <\/ol>
5. 高级利用技术<\/h2>
5.1 House of系列攻击<\/h3>

House of Orange<\/strong>:<\/p>

修改top chunk size<\/li>
分配大chunk使top进入unsorted bin<\/li>
unsorted bin attack修改_IO_list_all<\/li>
布置FAKE FILE进行FSOP<\/li> <\/ul> <\/li>

House of Pig<\/strong>:<\/p>

利用_IO_str_overflow的malloc\/memcpy\/free三连<\/li>
设置参数使free_hook被覆盖为system<\/li>
需要exit函数触发_IO_flush_all_lockp<\/li> <\/ul> <\/li>

House of Kiwi<\/strong>:<\/p>

触发__malloc_assert<\/li>
修改_IO_file_jumps和IO_helper_jumps<\/li>
无需exit函数<\/li> <\/ul> <\/li>

House of Emma<\/strong>:<\/p>

伪造_IO_cookie_file<\/li>
劫持pointer guard<\/li>
libc2.34及以下可用<\/li> <\/ul> <\/li>

House of Cat<\/strong>:<\/p>

在_IO_switch_to_wget_mode设置rdx<\/li>
调用setcontext+61进行ORW<\/li>
需要控制rcx不为0<\/li> <\/ul> <\/li>

House of Apple2<\/strong>:<\/p>

覆盖vtable为_IO_wxxx_jumps<\/li>
执行_IO_wfile_overflow<\/li>
利用magic gadget<\/li> <\/ul> <\/li> <\/ol>
5.2 IO_FILE利用<\/h3>

FSOP(File Stream Oriented Programming)<\/strong>:<\/p>

劫持_IO_list_all伪造链表<\/li>
触发_IO_flush_all_lockp<\/li>
调用vtable中的_IO_overflow<\/li> <\/ul> <\/li>

关键结构<\/strong>:<\/p>

_IO_FILE: 文件流基础结构<\/li>
_IO_FILE_plus: 包含vtable<\/li>
_IO_jump_t: 虚函数表<\/li>
_IO_wide_data: 宽字符数据<\/li> <\/ul> <\/li>

利用条件<\/strong>:<\/p>

控制_IO_list_all<\/li>
_lock设置为可写地址<\/li>
_mode=0<\/li>
_IO_write_ptr > _IO_write_base<\/li> <\/ul> <\/li>

常用目标<\/strong>:<\/p>

_IO_list_all<\/li>
IO_2_1_stderr<\/em><\/li>
stderr<\/li> <\/ul> <\/li> <\/ol>
6. 实战技巧<\/h2>
6.1 调试技巧<\/h3>

关键断点<\/strong>:<\/p>
b *&_IO_cleanup b *&_IO_flush_all b *&_IO_flush_all_lockp b *&_IO_flush_all_lockp+223 b *&_IO_wfile_seekoff b *&_IO_switch_to_wget_mode <\/code><\/pre> <\/li> 符号表问题<\/strong>:<\/p> 从glibc-all-in-one获取有符号表的同版本libc<\/li> 便于pwndbg调试<\/li> <\/ul> <\/li> <\/ol> 6.2 利用模板<\/h3> House of Apple2利用<\/strong>:<\/li> <\/ol> fake_IO_addr =<\/span> magic_gadget =<\/span> libc_base +<\/span> libc.<\/span>sym["svcudp_reply"<\/span>] +<\/span> 0x1a<\/span> <\/span><\/span>leave_ret =<\/span> libc_base +<\/span> 0x0000000000052d72<\/span> <\/span><\/span>pop_rdi_ret =<\/span> libc_base +<\/span> 0x000000000002daa2<\/span> <\/span><\/span>pop_rsi_ret =<\/span> libc_base +<\/span> 0x0000000000037c0a<\/span> <\/span><\/span>pop_rdx_r12_ret =<\/span> libc_base +<\/span> 0x00000000001066e1<\/span> <\/span><\/span> <\/span><\/span>rop_address =<\/span> fake_IO_addr +<\/span> 0xe0<\/span> +<\/span> 0xe8<\/span> +<\/span> 0x70<\/span> <\/span><\/span>orw_rop =<\/span> b<\/span>'.\/flag<\/span>\x00\x00<\/span>'<\/span> <\/span><\/span>orw_rop +=<\/span> p64(pop_rdx_r12_ret) +<\/span> p64(0<\/span>) +<\/span> p64(fake_IO_addr -<\/span> 0x10<\/span>) <\/span><\/span>orw_rop +=<\/span> p64(pop_rdi_ret) +<\/span> p64(rop_address) <\/span><\/span>orw_rop +=<\/span> p64(pop_rsi_ret) +<\/span> p64(0<\/span>) <\/span><\/span>orw_rop +=<\/span> p64(libc_base +<\/span> libc.<\/span>sym['open'<\/span>]) <\/span><\/span>orw_rop +=<\/span> p64(pop_rdi_ret) +<\/span> p64(3<\/span>) <\/span><\/span>orw_rop +=<\/span> p64(pop_rsi_ret) +<\/span> p64(rop_address +<\/span> 0x100<\/span>) <\/span><\/span>orw_rop +=<\/span> p64(pop_rdx_r12_ret) +<\/span> p64(0x50<\/span>) +<\/span> p64(0<\/span>) <\/span><\/span>orw_rop +=<\/span> p64(libc_base +<\/span> libc.<\/span>sym['read'<\/span>]) <\/span><\/span>orw_rop +=<\/span> p64(pop_rdi_ret) +<\/span> p64(1<\/span>) <\/span><\/span>orw_rop +=<\/span> p64(pop_rsi_ret) +<\/span> p64(rop_address +<\/span> 0x100<\/span>) <\/span><\/span>orw_rop +=<\/span> p64(pop_rdx_r12_ret) +<\/span> p64(0x50<\/span>) +<\/span> p64(0<\/span>) <\/span><\/span>orw_rop +=<\/span> p64(libc_base +<\/span> libc.<\/span>sym['write'<\/span>]) <\/span><\/span> <\/span><\/span>payload =<\/span> p64(0<\/span>) +<\/span> p64(leave_ret) +<\/span> p64(1<\/span>) +<\/span> p64(2<\/span>) <\/span><\/span>payload =<\/span> payload.<\/span>ljust(0x38<\/span>, b<\/span>'<\/span>\x00<\/span>'<\/span>) +<\/span> p64(rop_address) <\/span><\/span>payload =<\/span> payload.<\/span>ljust(0x90<\/span>, b<\/span>'<\/span>\x00<\/span>'<\/span>) +<\/span> p64(fake_IO_addr +<\/span> 0xe0<\/span>) <\/span><\/span>payload =<\/span> payload.<\/span>ljust(0xc8<\/span>, b<\/span>'<\/span>\x00<\/span>'<\/span>) +<\/span> p64(libc_base +<\/span> libc.<\/span>sym['_IO_wfile_jumps'<\/span>]) <\/span><\/span>payload =<\/span> payload.<\/span>ljust(0xd0<\/span> +<\/span> 0xe0<\/span>, b<\/span>'<\/span>\x00<\/span>'<\/span>) +<\/span> p64(fake_IO_addr +<\/span> 0xe0<\/span> +<\/span> 0xe8<\/span>) <\/span><\/span>payload =<\/span> payload.<\/span>ljust(0xd0<\/span> +<\/span> 0xe8<\/span> +<\/span> 0x68<\/span>, b<\/span>'<\/span>\x00<\/span>'<\/span>) +<\/span> p64(magic_gadget) <\/span><\/span>payload =<\/span> payload +<\/span> orw_rop <\/span><\/span><\/code><\/pre> 爆破模板<\/strong>:<\/li> <\/ol> while<\/span> True<\/span>: <\/span><\/span> try<\/span>: <\/span><\/span> p=<\/span>process(file) <\/span><\/span> exp() <\/span><\/span> break<\/span> <\/span><\/span> except<\/span>: <\/span><\/span> p.<\/span>close() <\/span><\/span> continue<\/span> <\/span><\/span><\/code><\/pre> 一字节覆盖泄露libc<\/strong>:<\/li> <\/ol> add(0x40<\/span>, p64(0xfbad1887<\/span>)+<\/span>p64(0<\/span>)*<\/span>3<\/span>+<\/span>b<\/span>'<\/span>\x00<\/span>'<\/span>) <\/span><\/span><\/code><\/pre>7. 总结<\/h2> 利用选择<\/strong>:<\/p> libc2.31以下: 优先打tcache和hook<\/li> libc2.34以下: 可用house of kiwi\/emma<\/li> libc2.35+: 用house of apple2\/cat<\/li> <\/ul> <\/li> 关键思路<\/strong>:<\/p> 无UAF时考虑off-by-one构造overlapping<\/li> 无edit功能时通过overlapping实现等效功能<\/li> 限制多时考虑tcache_perthread_struct攻击<\/li> 根据保护机制选择合适利用技术<\/li> <\/ul> <\/li> 发展趋势<\/strong>:<\/p> 从hook转向IO_FILE利用<\/li> 从直接控制执行流转向SROP\/ORW<\/li> 适应glibc新增保护机制<\/li> <\/ul> <\/li> <\/ol>