The toddler’s introduction to Heap Exploitation, FastBin Dup to Stack (Part 4.1)

While I’ve started these posts with a “stick to the basics” mindset, I always end up with a gap on every post, which is a fact that forces me to write some more. This is actually the 5th post on the same topic, but since it is closely related to my last one I tagged it as 4.1. So, the story so far is as follows:

For the sake of completeness, in this post we are going to refer to the rest of the FastBin attacks, using the https://github.com/shellphish/how2heap as our main reference.

FastBin Double Free to Stack

This attack leverages a double free vulnerability in order to force calloc to return a fake chunk which will point to a controlled location (in this case, the stack). I am going to use a slight modified version of the how2heap’s repo example which can be found here:

https://github.com/shellphish/how2heap/blob/master/glibc_2.23/fastbin_dup_into_stack.c

The c code that I use for this example is depicted below:

…and consists of the following steps:

  • Fill the tcache by allocating seven chunks of the same size. This will force the allocator to use the fastbins list:
  • Create three new allocations and double free-ing one of them:
In the fastbins list the first and last chunk point to the same address.

The next two calloc’s chunks will be assigned from the fastbins list, but due to the double free, there will still be an entry in the fastbins which will point to an allocated chunk:

figure 1: next two callocs

First calloc(1,8)0x0000555555559790

figure 2: chunk address returned to $rax

Second calloc(1,8)0x00005555555597b0

figure 3: chunk address returned to $rax

An entry in the fastbins still points to the allocated chunk (0x0000555555559790):

Since we fully control the d pointer, we can overwrite the metadata of the chunk that it points to in order to create a fake chunk of arbitrary address and size:

d now is pointing to an address that contains the address of the stack_var . This will insert a fake link to the fastbins list which will now contain two chunks (the one that d points to as well as the fake):

As a result the first next allocation will point to 0x555555559790:

And the subsequent to the 0x7fffffffe2f0. Putting it all together, compiling and running the given example will yield the following output:

Final sample has been pushed here: https://github.com/shellphish/how2heap/blob/master/glibc_2.31/fastbin_dup.c

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
+Ch0pin🕷️

+Ch0pin🕷️

https://www.linkedin.com/in/valsamaras/, developer of https://github.com/Ch0pin/medusa. Posts are solely my own and do not express the views of my employer.