Nytro Posted March 5, 2016 Report Share Posted March 5, 2016 Understanding the Heap & Exploiting Heap Overflows This post will begin with a high level description of the heap and slowly builds up untill you able to write your own heap-based exploits. We assume we have non-root access to a computer but are able to run the following program as root (meaning it's a suid binary): #include <string.h> #include <stdlib.h> #include <stdio.h> int main(int argc, char *argv[]) { char *buf1 = malloc(128); char *buf2 = malloc(256); read(fileno(stdin), buf1, 200); free(buf2); free(buf1); } view rawheapsploit1.c hosted with ❤ by GitHub There's a blatant buffer overflow in line 10 which we will be exploiting. First we need to know how the heap is managed (we focus on Linux). Basic Heap and Chunk Layout Every memory allocation a program makes (say by calling malloc) is internally represented by a so called "chunk". A chunk consists of metadata and the memory returned to the program (i.e., the memory actually returned by malloc). All these chunks are saved on the heap, which is a memory region capable of expanding when new memory is requested. Similarly, the heap can shrink once a certain amount of memory has been freed. A chunk is defined in the glibc source as follows: struct malloc_chunk { INTERNAL_SIZE_T prev_size; /* Size of previous chunk (if free). */ INTERNAL_SIZE_T size; /* Size in bytes, including overhead. */ struct malloc_chunk* fd; /* double links -- used only if free. */ struct malloc_chunk* bk; /* Only used for large blocks: pointer to next larger size. */ struct malloc_chunk* fd_nextsize; /* double links -- used only if free. */ struct malloc_chunk* bk_nextsize; }; view rawmalloc\malloc.c hosted with ❤ by GitHub Assuming no memory chunks have been freed yet, new memory allocations are always stored right after the last allocated chunk. So if a program were to call malloc(256), malloc(512), and finally malloc(1024), the memory layout of the heap is as follows: Meta-data of chunk created by malloc(256) The 256 bytes of memory return by malloc ----------------------------------------- Meta-data of chunk created by malloc(512) The 512 bytes of memory return by malloc ----------------------------------------- Meta-data of chunk created by malloc(1024) The 1024 bytes of memory return by malloc ----------------------------------------- Meta-data of the top chunk The dash line "---" is an imaginary boundary between the chunks, in reality they are placed right next to each other (example program illustrating the layout). Anyway, you're probably wondering why I included the meta data of the "top chunk" in the layout. Well, the top chunk represents the remaining available memory on the heap, and it is the only chunk that can grow in size. When a new memory request is made, the top chunk is split into two: the first part becomes the requested chunk, and the second part is the new the top chunk (so the "top chunk" shrunk in size). If the top chunk is not large enough to fulfill the memory allocation, the program asks the operating system to expand the top chunk (making the heap grow in size). Articol complet: http://www.mathyvanhoef.com/2013/02/understanding-heap-exploiting-heap.html 1 Quote Link to comment Share on other sites More sharing options...
