ํž™ ํ•จ์ˆ˜ ๋ณด์•ˆ ๊ฒ€์‚ฌ

Tip

Learn & practice AWS Hacking: HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Learn & practice Azure Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Support HackTricks

์ž์„ธํ•œ ์ •๋ณด๋Š” ๋‹ค์Œ์„ ํ™•์ธํ•˜์„ธ์š”:

unlink

์ˆ˜ํ–‰๋œ ๊ฒ€์‚ฌ ์š”์•ฝ์ž…๋‹ˆ๋‹ค:

  • ์ฒญํฌ์˜ ์ง€์ •๋œ ํฌ๊ธฐ๊ฐ€ ๋‹ค์Œ ์ฒญํฌ์— ํ‘œ์‹œ๋œ prev_size์™€ ๋™์ผํ•œ์ง€ ํ™•์ธ
  • ์˜ค๋ฅ˜ ๋ฉ”์‹œ์ง€: corrupted size vs. prev_size
  • ๋˜ํ•œ P->fd->bk == P ๋ฐ P->bk->fw == P ํ™•์ธ
  • ์˜ค๋ฅ˜ ๋ฉ”์‹œ์ง€: corrupted double-linked list
  • ์ฒญํฌ๊ฐ€ ์ž‘์ง€ ์•Š์€ ๊ฒฝ์šฐ, P->fd_nextsize->bk_nextsize == P ๋ฐ P->bk_nextsize->fd_nextsize == P ํ™•์ธ
  • ์˜ค๋ฅ˜ ๋ฉ”์‹œ์ง€: corrupted double-linked list (not small)

_int_malloc

์ž์„ธํ•œ ์ •๋ณด๋Š” ๋‹ค์Œ์„ ํ™•์ธํ•˜์„ธ์š”:

malloc & sysmalloc

  • ๋น ๋ฅธ ๋นˆ ๊ฒ€์ƒ‰ ์ค‘ ๊ฒ€์‚ฌ:
  • ์ฒญํฌ๊ฐ€ ์ •๋ ฌ๋˜์ง€ ์•Š์€ ๊ฒฝ์šฐ:
  • ์˜ค๋ฅ˜ ๋ฉ”์‹œ์ง€: malloc(): unaligned fastbin chunk detected 2
  • ํฌ์›Œ๋“œ ์ฒญํฌ๊ฐ€ ์ •๋ ฌ๋˜์ง€ ์•Š์€ ๊ฒฝ์šฐ:
  • ์˜ค๋ฅ˜ ๋ฉ”์‹œ์ง€: malloc(): unaligned fastbin chunk detected
  • ๋ฐ˜ํ™˜๋œ ์ฒญํฌ์˜ ํฌ๊ธฐ๊ฐ€ ๋น ๋ฅธ ๋นˆ์˜ ์ธ๋ฑ์Šค ๋•Œ๋ฌธ์— ์˜ฌ๋ฐ”๋ฅด์ง€ ์•Š์€ ๊ฒฝ์šฐ:
  • ์˜ค๋ฅ˜ ๋ฉ”์‹œ์ง€: malloc(): memory corruption (fast)
  • tcache๋ฅผ ์ฑ„์šฐ๋Š” ๋ฐ ์‚ฌ์šฉ๋œ ์ฒญํฌ๊ฐ€ ์ •๋ ฌ๋˜์ง€ ์•Š์€ ๊ฒฝ์šฐ:
  • ์˜ค๋ฅ˜ ๋ฉ”์‹œ์ง€: malloc(): unaligned fastbin chunk detected 3
  • ์ž‘์€ ๋นˆ ๊ฒ€์ƒ‰ ์ค‘ ๊ฒ€์‚ฌ:
  • victim->bk->fd != victim์ธ ๊ฒฝ์šฐ:
  • ์˜ค๋ฅ˜ ๋ฉ”์‹œ์ง€: malloc(): smallbin double linked list corrupted
  • ๊ฐ ๋น ๋ฅธ ๋นˆ ์ฒญํฌ์— ๋Œ€ํ•ด ์ˆ˜ํ–‰๋˜๋Š” ํ†ตํ•ฉ ๊ฒ€์‚ฌ:
  • ์ฒญํฌ๊ฐ€ ์ •๋ ฌ๋˜์ง€ ์•Š์€ ๊ฒฝ์šฐ ํŠธ๋ฆฌ๊ฑฐ:
  • ์˜ค๋ฅ˜ ๋ฉ”์‹œ์ง€: malloc_consolidate(): unaligned fastbin chunk detected
  • ์ฒญํฌ์˜ ํฌ๊ธฐ๊ฐ€ ์ธ๋ฑ์Šค์— ๋”ฐ๋ผ ๋‹ฌ๋ผ์•ผ ํ•˜๋Š” ํฌ๊ธฐ์™€ ๋‹ค๋ฅธ ๊ฒฝ์šฐ:
  • ์˜ค๋ฅ˜ ๋ฉ”์‹œ์ง€: malloc_consolidate(): invalid chunk size
  • ์ด์ „ ์ฒญํฌ๊ฐ€ ์‚ฌ์šฉ ์ค‘์ด ์•„๋‹ˆ๊ณ  ์ด์ „ ์ฒญํฌ์˜ ํฌ๊ธฐ๊ฐ€ prev_chunk์— ์˜ํ•ด ํ‘œ์‹œ๋œ ๊ฒƒ๊ณผ ๋‹ค๋ฅธ ๊ฒฝ์šฐ:
  • ์˜ค๋ฅ˜ ๋ฉ”์‹œ์ง€: corrupted size vs. prev_size in fastbins
  • ์ •๋ ฌ๋˜์ง€ ์•Š์€ ๋นˆ ๊ฒ€์ƒ‰ ์ค‘ ๊ฒ€์‚ฌ:
  • ์ฒญํฌ ํฌ๊ธฐ๊ฐ€ ์ด์ƒํ•œ ๊ฒฝ์šฐ(๋„ˆ๋ฌด ์ž‘๊ฑฐ๋‚˜ ๋„ˆ๋ฌด ํผ):
  • ์˜ค๋ฅ˜ ๋ฉ”์‹œ์ง€: malloc(): invalid size (unsorted)
  • ๋‹ค์Œ ์ฒญํฌ ํฌ๊ธฐ๊ฐ€ ์ด์ƒํ•œ ๊ฒฝ์šฐ(๋„ˆ๋ฌด ์ž‘๊ฑฐ๋‚˜ ๋„ˆ๋ฌด ํผ):
  • ์˜ค๋ฅ˜ ๋ฉ”์‹œ์ง€: malloc(): invalid next size (unsorted)
  • ๋‹ค์Œ ์ฒญํฌ์— ์˜ํ•ด ํ‘œ์‹œ๋œ ์ด์ „ ํฌ๊ธฐ๊ฐ€ ์ฒญํฌ์˜ ํฌ๊ธฐ์™€ ๋‹ค๋ฅธ ๊ฒฝ์šฐ:
  • ์˜ค๋ฅ˜ ๋ฉ”์‹œ์ง€: malloc(): mismatching next->prev_size (unsorted)
  • victim->bck->fd == victim์ด ์•„๋‹ˆ๊ฑฐ๋‚˜ victim->fd == av (arena)๊ฐ€ ์•„๋‹Œ ๊ฒฝ์šฐ:
  • ์˜ค๋ฅ˜ ๋ฉ”์‹œ์ง€: malloc(): unsorted double linked list corrupted
  • ์šฐ๋ฆฌ๋Š” ํ•ญ์ƒ ๋งˆ์ง€๋ง‰ ๊ฒƒ์„ ํ™•์ธํ•˜๊ณ  ์žˆ์œผ๋ฏ€๋กœ, ๊ทธ๊ฒƒ์˜ fd๋Š” ํ•ญ์ƒ arena ๊ตฌ์กฐ์ฒด๋ฅผ ๊ฐ€๋ฆฌ์ผœ์•ผ ํ•ฉ๋‹ˆ๋‹ค.
  • ๋‹ค์Œ ์ฒญํฌ๊ฐ€ ์ด์ „ ์ฒญํฌ๊ฐ€ ์‚ฌ์šฉ ์ค‘์ž„์„ ๋‚˜ํƒ€๋‚ด์ง€ ์•Š๋Š” ๊ฒฝ์šฐ:
  • ์˜ค๋ฅ˜ ๋ฉ”์‹œ์ง€: malloc(): invalid next->prev_inuse (unsorted)
  • fwd->bk_nextsize->fd_nextsize != fwd์ธ ๊ฒฝ์šฐ:
  • ์˜ค๋ฅ˜ ๋ฉ”์‹œ์ง€: malloc(): largebin double linked list corrupted (nextsize)
  • fwd->bk->fd != fwd์ธ ๊ฒฝ์šฐ:
  • ์˜ค๋ฅ˜ ๋ฉ”์‹œ์ง€: malloc(): largebin double linked list corrupted (bk)
  • ์ธ๋ฑ์Šค์— ๋”ฐ๋ฅธ ํฐ ๋นˆ ๊ฒ€์ƒ‰ ์ค‘ ๊ฒ€์‚ฌ:
  • bck->fd-> bk != bck์ธ ๊ฒฝ์šฐ:
  • ์˜ค๋ฅ˜ ๋ฉ”์‹œ์ง€: malloc(): corrupted unsorted chunks
  • ๋‹ค์Œ ๋” ํฐ ํฐ ๋นˆ ๊ฒ€์ƒ‰ ์ค‘ ๊ฒ€์‚ฌ:
  • bck->fd-> bk != bck์ธ ๊ฒฝ์šฐ:
  • ์˜ค๋ฅ˜ ๋ฉ”์‹œ์ง€: malloc(): corrupted unsorted chunks2
  • Top ์ฒญํฌ ์‚ฌ์šฉ ์ค‘ ๊ฒ€์‚ฌ:
  • chunksize(av->top) > av->system_mem์ธ ๊ฒฝ์šฐ:
  • ์˜ค๋ฅ˜ ๋ฉ”์‹œ์ง€: malloc(): corrupted top size

tcache_get_n

  • tcache_get_n์—์„œ์˜ ๊ฒ€์‚ฌ:
  • ์ฒญํฌ๊ฐ€ ์ •๋ ฌ๋˜์ง€ ์•Š์€ ๊ฒฝ์šฐ:
  • ์˜ค๋ฅ˜ ๋ฉ”์‹œ์ง€: malloc(): unaligned tcache chunk detected

tcache_thread_shutdown

  • tcache_thread_shutdown์—์„œ์˜ ๊ฒ€์‚ฌ:
  • ์ฒญํฌ๊ฐ€ ์ •๋ ฌ๋˜์ง€ ์•Š์€ ๊ฒฝ์šฐ:
  • ์˜ค๋ฅ˜ ๋ฉ”์‹œ์ง€: tcache_thread_shutdown(): unaligned tcache chunk detected

__libc_realloc

  • __libc_realloc์—์„œ์˜ ๊ฒ€์‚ฌ:
  • ์ด์ „ ํฌ์ธํ„ฐ๊ฐ€ ์ •๋ ฌ๋˜์ง€ ์•Š์•˜๊ฑฐ๋‚˜ ํฌ๊ธฐ๊ฐ€ ์˜ฌ๋ฐ”๋ฅด์ง€ ์•Š์€ ๊ฒฝ์šฐ:
  • ์˜ค๋ฅ˜ ๋ฉ”์‹œ์ง€: realloc(): invalid pointer

_int_free

์ž์„ธํ•œ ์ •๋ณด๋Š” ๋‹ค์Œ์„ ํ™•์ธํ•˜์„ธ์š”:

free

  • _int_free ์‹œ์ž‘ ์‹œ ๊ฒ€์‚ฌ:
  • ํฌ์ธํ„ฐ๊ฐ€ ์ •๋ ฌ๋˜์–ด ์žˆ๋Š”์ง€:
  • ์˜ค๋ฅ˜ ๋ฉ”์‹œ์ง€: free(): invalid pointer
  • ํฌ๊ธฐ๊ฐ€ MINSIZE๋ณด๋‹ค ํฌ๊ณ  ํฌ๊ธฐ๋„ ์ •๋ ฌ๋˜์–ด ์žˆ๋Š” ๊ฒฝ์šฐ:
  • ์˜ค๋ฅ˜ ๋ฉ”์‹œ์ง€: free(): invalid size
  • _int_free tcache์—์„œ์˜ ๊ฒ€์‚ฌ:
  • mp_.tcache_count๋ณด๋‹ค ๋” ๋งŽ์€ ํ•ญ๋ชฉ์ด ์žˆ๋Š” ๊ฒฝ์šฐ:
  • ์˜ค๋ฅ˜ ๋ฉ”์‹œ์ง€: free(): too many chunks detected in tcache
  • ํ•ญ๋ชฉ์ด ์ •๋ ฌ๋˜์ง€ ์•Š์€ ๊ฒฝ์šฐ:
  • ์˜ค๋ฅ˜ ๋ฉ”์‹œ์ง€: free(): unaligned chunk detected in tcache 2
  • ํ•ด์ œ๋œ ์ฒญํฌ๊ฐ€ ์ด๋ฏธ ํ•ด์ œ๋˜์—ˆ๊ณ  tcache์— ์ฒญํฌ๋กœ ์กด์žฌํ•˜๋Š” ๊ฒฝ์šฐ:
  • ์˜ค๋ฅ˜ ๋ฉ”์‹œ์ง€: free(): double free detected in tcache 2
  • _int_free ๋น ๋ฅธ ๋นˆ์—์„œ์˜ ๊ฒ€์‚ฌ:
  • ์ฒญํฌ์˜ ํฌ๊ธฐ๊ฐ€ ์œ ํšจํ•˜์ง€ ์•Š์€ ๊ฒฝ์šฐ(๋„ˆ๋ฌด ํฌ๊ฑฐ๋‚˜ ์ž‘์Œ) ํŠธ๋ฆฌ๊ฑฐ:
  • ์˜ค๋ฅ˜ ๋ฉ”์‹œ์ง€: free(): invalid next size (fast)
  • ์ถ”๊ฐ€๋œ ์ฒญํฌ๊ฐ€ ์ด๋ฏธ ๋น ๋ฅธ ๋นˆ์˜ ์ตœ์ƒ์œ„์ธ ๊ฒฝ์šฐ:
  • ์˜ค๋ฅ˜ ๋ฉ”์‹œ์ง€: double free or corruption (fasttop)
  • ์ตœ์ƒ์œ„ ์ฒญํฌ์˜ ํฌ๊ธฐ๊ฐ€ ์ถ”๊ฐ€ํ•˜๋ ค๋Š” ์ฒญํฌ์˜ ํฌ๊ธฐ์™€ ๋‹ค๋ฅธ ๊ฒฝ์šฐ:
  • ์˜ค๋ฅ˜ ๋ฉ”์‹œ์ง€: invalid fastbin entry (free)

_int_free_merge_chunk

  • _int_free_merge_chunk์—์„œ์˜ ๊ฒ€์‚ฌ:
  • ์ฒญํฌ๊ฐ€ ์ตœ์ƒ์œ„ ์ฒญํฌ์ธ ๊ฒฝ์šฐ:
  • ์˜ค๋ฅ˜ ๋ฉ”์‹œ์ง€: double free or corruption (top)
  • ๋‹ค์Œ ์ฒญํฌ๊ฐ€ ์•„๋ ˆ๋‚˜์˜ ๊ฒฝ๊ณ„๋ฅผ ๋ฒ—์–ด๋‚œ ๊ฒฝ์šฐ:
  • ์˜ค๋ฅ˜ ๋ฉ”์‹œ์ง€: double free or corruption (out)
  • ์ฒญํฌ๊ฐ€ ์‚ฌ์šฉ ์ค‘์œผ๋กœ ํ‘œ์‹œ๋˜์ง€ ์•Š์€ ๊ฒฝ์šฐ(๋‹ค์Œ ์ฒญํฌ์˜ prev_inuse์—์„œ):
  • ์˜ค๋ฅ˜ ๋ฉ”์‹œ์ง€: double free or corruption (!prev)
  • ๋‹ค์Œ ์ฒญํฌ์˜ ํฌ๊ธฐ๊ฐ€ ๋„ˆ๋ฌด ์ž‘๊ฑฐ๋‚˜ ๋„ˆ๋ฌด ํฐ ๊ฒฝ์šฐ:
  • ์˜ค๋ฅ˜ ๋ฉ”์‹œ์ง€: free(): invalid next size (normal)
  • ์ด์ „ ์ฒญํฌ๊ฐ€ ์‚ฌ์šฉ ์ค‘์ด ์•„๋‹Œ ๊ฒฝ์šฐ, ํ†ตํ•ฉ์„ ์‹œ๋„ํ•ฉ๋‹ˆ๋‹ค. ๊ทธ๋Ÿฌ๋‚˜ prev_size๊ฐ€ ์ด์ „ ์ฒญํฌ์— ํ‘œ์‹œ๋œ ํฌ๊ธฐ์™€ ๋‹ค๋ฅธ ๊ฒฝ์šฐ:
  • ์˜ค๋ฅ˜ ๋ฉ”์‹œ์ง€: corrupted size vs. prev_size while consolidating

_int_free_create_chunk

  • _int_free_create_chunk์—์„œ์˜ ๊ฒ€์‚ฌ:
  • ์ •๋ ฌ๋˜์ง€ ์•Š์€ ๋นˆ์— ์ฒญํฌ๋ฅผ ์ถ”๊ฐ€ํ•  ๋•Œ, unsorted_chunks(av)->fd->bk == unsorted_chunks(av)์ธ์ง€ ํ™•์ธ:
  • ์˜ค๋ฅ˜ ๋ฉ”์‹œ์ง€: free(): corrupted unsorted chunks

do_check_malloc_state

  • do_check_malloc_state์—์„œ์˜ ๊ฒ€์‚ฌ:
  • ์ •๋ ฌ๋˜์ง€ ์•Š์€ ๋น ๋ฅธ ๋นˆ ์ฒญํฌ์ธ ๊ฒฝ์šฐ:
  • ์˜ค๋ฅ˜ ๋ฉ”์‹œ์ง€: do_check_malloc_state(): unaligned fastbin chunk detected

malloc_consolidate

  • malloc_consolidate์—์„œ์˜ ๊ฒ€์‚ฌ:
  • ์ •๋ ฌ๋˜์ง€ ์•Š์€ ๋น ๋ฅธ ๋นˆ ์ฒญํฌ์ธ ๊ฒฝ์šฐ:
  • ์˜ค๋ฅ˜ ๋ฉ”์‹œ์ง€: malloc_consolidate(): unaligned fastbin chunk detected
  • ์ž˜๋ชป๋œ ๋น ๋ฅธ ๋นˆ ์ฒญํฌ ํฌ๊ธฐ์ธ ๊ฒฝ์šฐ:
  • ์˜ค๋ฅ˜ ๋ฉ”์‹œ์ง€: malloc_consolidate(): invalid chunk size

_int_realloc

  • _int_realloc์—์„œ์˜ ๊ฒ€์‚ฌ:
  • ํฌ๊ธฐ๊ฐ€ ๋„ˆ๋ฌด ํฌ๊ฑฐ๋‚˜ ๋„ˆ๋ฌด ์ž‘์€ ๊ฒฝ์šฐ:
  • ์˜ค๋ฅ˜ ๋ฉ”์‹œ์ง€: realloc(): invalid old size
  • ๋‹ค์Œ ์ฒญํฌ์˜ ํฌ๊ธฐ๊ฐ€ ๋„ˆ๋ฌด ํฌ๊ฑฐ๋‚˜ ๋„ˆ๋ฌด ์ž‘์€ ๊ฒฝ์šฐ:
  • ์˜ค๋ฅ˜ ๋ฉ”์‹œ์ง€: realloc(): invalid next size
