Double Free
Reading time: 5 minutes
tip
Jifunze na fanya mazoezi ya AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Jifunze na fanya mazoezi ya GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Support HackTricks
- Angalia mpango wa usajili!
- Jiunge na 💬 kikundi cha Discord au kikundi cha telegram au tufuatilie kwenye Twitter 🐦 @hacktricks_live.
- Shiriki mbinu za udukuzi kwa kuwasilisha PRs kwa HackTricks na HackTricks Cloud repos za github.
Basic Information
Ikiwa unachilia block ya kumbukumbu zaidi ya mara moja, inaweza kuharibu data ya allocator na kufungua mlango wa mashambulizi. Hapa kuna jinsi inavyotokea: unapochilia block ya kumbukumbu, inarudi kwenye orodha ya vipande vya bure (kwa mfano, "fast bin"). Ikiwa unachilia block ile ile mara mbili mfululizo, allocator inagundua hili na kutupa kosa. Lakini ikiwa unachilia kipande kingine katikati, ukaguzi wa double-free unakwepwa, na kusababisha uharibifu.
Sasa, unapofanya ombi la kumbukumbu mpya (ukitumia malloc
), allocator inaweza kukupa block ambayo imeshachiliwa mara mbili. Hii inaweza kusababisha viashiria viwili tofauti kuashiria eneo moja la kumbukumbu. Ikiwa mshambuliaji anadhibiti mmoja wa viashiria hivyo, wanaweza kubadilisha maudhui ya kumbukumbu hiyo, ambayo inaweza kusababisha masuala ya usalama au hata kuwapa uwezo wa kutekeleza msimbo.
Mfano:
#include <stdio.h>
#include <stdlib.h>
int main() {
// Allocate memory for three chunks
char *a = (char *)malloc(10);
char *b = (char *)malloc(10);
char *c = (char *)malloc(10);
char *d = (char *)malloc(10);
char *e = (char *)malloc(10);
char *f = (char *)malloc(10);
char *g = (char *)malloc(10);
char *h = (char *)malloc(10);
char *i = (char *)malloc(10);
// Print initial memory addresses
printf("Initial allocations:\n");
printf("a: %p\n", (void *)a);
printf("b: %p\n", (void *)b);
printf("c: %p\n", (void *)c);
printf("d: %p\n", (void *)d);
printf("e: %p\n", (void *)e);
printf("f: %p\n", (void *)f);
printf("g: %p\n", (void *)g);
printf("h: %p\n", (void *)h);
printf("i: %p\n", (void *)i);
// Fill tcache
free(a);
free(b);
free(c);
free(d);
free(e);
free(f);
free(g);
// Introduce double-free vulnerability in fast bin
free(h);
free(i);
free(h);
// Reallocate memory and print the addresses
char *a1 = (char *)malloc(10);
char *b1 = (char *)malloc(10);
char *c1 = (char *)malloc(10);
char *d1 = (char *)malloc(10);
char *e1 = (char *)malloc(10);
char *f1 = (char *)malloc(10);
char *g1 = (char *)malloc(10);
char *h1 = (char *)malloc(10);
char *i1 = (char *)malloc(10);
char *i2 = (char *)malloc(10);
// Print initial memory addresses
printf("After reallocations:\n");
printf("a1: %p\n", (void *)a1);
printf("b1: %p\n", (void *)b1);
printf("c1: %p\n", (void *)c1);
printf("d1: %p\n", (void *)d1);
printf("e1: %p\n", (void *)e1);
printf("f1: %p\n", (void *)f1);
printf("g1: %p\n", (void *)g1);
printf("h1: %p\n", (void *)h1);
printf("i1: %p\n", (void *)i1);
printf("i2: %p\n", (void *)i2);
return 0;
}
Katika mfano huu, baada ya kujaza tcache na vipande vingi vilivyofutwa (7), msimbo unafungua kipande h
, kisha kipande i
, na kisha h
tena, na kusababisha double free (pia inajulikana kama Fast Bin dup). Hii inafungua uwezekano wa kupokea anwani za kumbukumbu zinazovuka wakati wa reallocating, ikimaanisha viashiria viwili au zaidi vinaweza kuelekeza kwenye eneo moja la kumbukumbu. Kupanua data kupitia kiashiria kimoja kunaweza kuathiri kingine, na kuunda hatari kubwa ya usalama na uwezekano wa unyakuzi.
Ukitekeleza, angalia jinsi i1
na i2
zilipata anwani sawa:
Allocations za awali:
a: 0xaaab0f0c22a0
b: 0xaaab0f0c22c0
c: 0xaaab0f0c22e0
d: 0xaaab0f0c2300
e: 0xaaab0f0c2320
f: 0xaaab0f0c2340
g: 0xaaab0f0c2360
h: 0xaaab0f0c2380
i: 0xaaab0f0c23a0
Baada ya reallocations:
a1: 0xaaab0f0c2360
b1: 0xaaab0f0c2340
c1: 0xaaab0f0c2320
d1: 0xaaab0f0c2300
e1: 0xaaab0f0c22e0
f1: 0xaaab0f0c22c0
g1: 0xaaab0f0c22a0
h1: 0xaaab0f0c2380
i1: 0xaaab0f0c23a0
i2: 0xaaab0f0c23a0
Mifano
- Dragon Army. Hack The Box
- Tunaweza tu kugawa vipande vya Fast-Bin isipokuwa kwa saizi
0x70
, ambayo inazuia kawaida__malloc_hook
overwrite. - Badala yake, tunatumia anwani za PIE ambazo huanza na
0x56
kama lengo la Fast Bin dup (1/2 nafasi). - Mahali moja ambapo anwani za PIE zinahifadhiwa ni katika
main_arena
, ambayo iko ndani ya Glibc na karibu na__malloc_hook
- Tunalenga offset maalum ya
main_arena
ili kugawa kipande huko na kuendelea kugawa vipande hadi kufikia__malloc_hook
ili kupata utekelezaji wa msimbo. - zero_to_hero. PicoCTF
- Kwa kutumia Tcache bins na overflow ya null-byte, tunaweza kufikia hali ya double-free:
- Tunagawanya vipande vitatu vya saizi
0x110
(A
,B
,C
) - Tunafungua
B
- Tunafungua
A
na kugawa tena ili kutumia overflow ya null-byte - Sasa uwanja wa saizi wa
B
ni0x100
, badala ya0x111
, hivyo tunaweza kuifungua tena - Tuna Tcache-bin moja ya saizi
0x110
na moja ya saizi0x100
ambazo zinaelekeza kwenye anwani sawa. Hivyo tuna double free. - Tunatumia double free kwa kutumia Tcache poisoning
Marejeleo
tip
Jifunze na fanya mazoezi ya AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Jifunze na fanya mazoezi ya GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Support HackTricks
- Angalia mpango wa usajili!
- Jiunge na 💬 kikundi cha Discord au kikundi cha telegram au tufuatilie kwenye Twitter 🐦 @hacktricks_live.
- Shiriki mbinu za udukuzi kwa kuwasilisha PRs kwa HackTricks na HackTricks Cloud repos za github.