TRANSCRIPT
Introduction to Modern Heap Exploitation for Penetration Testers
[f2tc@htejeda ~]$ ❯❯❯ whoami
Huascar Tejeda <[email protected]>
• Co-Founder & CEO - F2TC Cyber Security
• 15+ years of experience in:
• Cyber Security
• Security Research
• Penetration Testing: Binary, IoT, Mobile, Web, Infrastructure
• Red/Blue/Purple teaming
• Threat Intelligence, Malware Analysis
• Software Development
• Networking
• System Administration / DevOps
• Embedded System Development
• Linux Kernel hacker
• Telecom – Orange, ONEMAX, DIRECTV / AT&T
@htejeda
https://github.com/htejeda
Agenda
• Heap implementation high-level overview
• The Heap
• Arenas
• malloc: malloc_chunk, malloc_state
• free: fastbins, normal bins, tcache
• Attacks / Exploitation Techniques
• HeapME (Heap Made Easy) - Heap Analysis and Collaboration Tool
• Examples
• glibc <2.26
• glibc 2.29+
• The Future of Heap Exploitation
The Heap
• malloc(size_t n);
• realloc(void* p, size_t n);
• free(void* p);
• The Wilderness / Top Chunk
• sbrk() to increase contiguous size.
• mmap() to allocate independent regions of memory, not restricted to a single contiguous chunk.
• Memory allocators (all claim to be fast, scalable, memory efficient and… secure?)
• dlmalloc – General purpose allocator
• ptmalloc2 – glibc
• jemalloc – FreeBSD and Firefox
• tcmalloc – Google
• …
[Figure: process memory layout, from lower to higher addresses: Code Segment (executable instructions), Data Segment (initialized global or static variables), BSS Segment (uninitialized global or static variables), Heap Segment (grown with sbrk, unallocated memory above it; mmap regions mapped separately), Stack Segment]
Arenas
• Efficiently handle multi-threaded applications
• Avoid race conditions
• Improve performance by removing global mutex
• Per-thread arena: separate heap segment and freelist
• Maximum number of arenas:
• 32-bit systems: 2 * number of cores
• 64-bit systems: 8 * number of cores
• Sub-heaps
• Maximum size:
• 32-bit systems: 1MB
• 64-bit systems: 64MB
• Sub-heap grows by calling mprotect instead of sbrk.
• The arena allocates a new sub-heap once the sub-heap is exhausted.
[Figure: the same process layout, with the Main Arena living in the sbrk-grown Heap Segment and Arena 0, Arena 1 … Arena N each built from mmap'd sub heaps]
malloc_chunk
Allocated chunk:
• Size of previous chunk, if unallocated (P clear)
• Size of chunk | A M P
• User Data (size of chunk, but used for application data)
• Size of next chunk | A 0 1 (the next chunk's prev_size slot is used for data, so its P bit is set)
Free chunk:
• Size of previous chunk, if unallocated (P clear)
• Size of chunk | A 0 P
• Forward pointer to next chunk in list
• Back pointer to previous chunk in list
• Unused Space
• Size of chunk (repeated in the footer, i.e. the next chunk's prev_size)
• Size of next chunk | A 0 0 (P clear: the previous chunk is free)
Flag bits in the size field:
• PREV_INUSE (0x1): Previous chunk is in use.
• IS_MMAPPED (0x2): Chunk obtained with mmap().
• NON_MAIN_ARENA (0x4): Chunk belongs to a thread arena.
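As an added illustration (not code from the talk), a small C program that decodes the header layout above for a 64-bit glibc build: the size word with its A, M and P flag bits, the request-to-chunk-size rounding (`request2size`) and the sanity check a heap debugger or glibc's own "invalid size" paths apply to a size word. The constants mirror malloc.c for x86-64; the two sample headers are constructed byte strings, not data captured from a real process.

```c
#include <stdint.h>
#include <stdio.h>

/* Flag bits stored in the low 3 bits of a chunk's size word (glibc malloc.c). */
#define PREV_INUSE      0x1   /* previous chunk is in use */
#define IS_MMAPPED      0x2   /* chunk was obtained with mmap() */
#define NON_MAIN_ARENA  0x4   /* chunk belongs to a thread arena */
#define SIZE_BITS       (PREV_INUSE | IS_MMAPPED | NON_MAIN_ARENA)

/* 64-bit glibc geometry: 8-byte size word, 16-byte alignment, 32-byte minimum chunk. */
#define SIZE_SZ            8
#define MALLOC_ALIGNMENT   16
#define MALLOC_ALIGN_MASK  (MALLOC_ALIGNMENT - 1)
#define MINSIZE            32

struct chunk_hdr {
    uint64_t prev_size;      /* size of the previous chunk, meaningful only when prev_inuse == 0 */
    uint64_t size;           /* chunk size with the flag bits masked off */
    int prev_inuse;
    int is_mmapped;
    int non_main_arena;
};

/* Read a little-endian 64-bit word byte by byte, so the host byte order does not matter. */
uint64_t le64(const unsigned char *p)
{
    uint64_t v = 0;
    for (int i = 7; i >= 0; i--)
        v = (v << 8) | p[i];
    return v;
}

/* Decode the 16 bytes (prev_size, size) that sit just before a user pointer. */
struct chunk_hdr decode_chunk_header(const unsigned char hdr[16])
{
    struct chunk_hdr c;
    uint64_t raw = le64(hdr + 8);
    c.prev_size      = le64(hdr);
    c.size           = raw & ~(uint64_t)SIZE_BITS;
    c.prev_inuse     = (raw & PREV_INUSE) != 0;
    c.is_mmapped     = (raw & IS_MMAPPED) != 0;
    c.non_main_arena = (raw & NON_MAIN_ARENA) != 0;
    return c;
}

/* glibc's request2size(): add room for the size word, round up to the alignment,
 * and never go below MINSIZE. malloc(0x28) therefore receives a 0x30-byte chunk. */
uint64_t request2size(uint64_t req)
{
    uint64_t padded = req + SIZE_SZ + MALLOC_ALIGN_MASK;
    return padded < MINSIZE ? MINSIZE : (padded & ~(uint64_t)MALLOC_ALIGN_MASK);
}

/* The check a heap debugger (and glibc's own "invalid size" checks) applies to a size
 * word: at least MINSIZE and a multiple of MALLOC_ALIGNMENT once the flags are masked.
 * A value that fails here is usually the first visible symptom of header corruption. */
int chunk_size_is_valid(uint64_t raw_size)
{
    uint64_t sz = raw_size & ~(uint64_t)SIZE_BITS;
    return sz >= MINSIZE && (sz & MALLOC_ALIGN_MASK) == 0;
}

/* Constructed sample headers (not captured from a real heap). */
const unsigned char SAMPLE_INUSE_HDR[16] = {
    0, 0, 0, 0, 0, 0, 0, 0,        /* prev_size: previous chunk in use, so this slot holds its data */
    0x31, 0, 0, 0, 0, 0, 0, 0      /* size 0x30 | PREV_INUSE */
};
const unsigned char SAMPLE_THREAD_HDR[16] = {
    0x20, 0, 0, 0, 0, 0, 0, 0,     /* prev_size 0x20: the previous chunk is free */
    0x44, 0, 0, 0, 0, 0, 0, 0      /* size 0x40 | NON_MAIN_ARENA, P clear */
};

void print_chunk(const char *label, const unsigned char hdr[16])
{
    struct chunk_hdr c = decode_chunk_header(hdr);
    printf("%s: size=0x%llx prev_size=0x%llx A=%d M=%d P=%d valid=%d\n", label,
           (unsigned long long)c.size, (unsigned long long)c.prev_size,
           c.non_main_arena, c.is_mmapped, c.prev_inuse,
           chunk_size_is_valid(le64(hdr + 8)));
}

int main(void)
{
    print_chunk("main-arena chunk", SAMPLE_INUSE_HDR);
    print_chunk("thread-arena chunk", SAMPLE_THREAD_HDR);
    printf("request2size(0x28) = 0x%llx\n", (unsigned long long)request2size(0x28));
    return 0;
}
```

Note that `prev_size` is only trustworthy when P is clear: when the previous chunk is in use, those 8 bytes belong to its user data, which is why the allocated-chunk diagram above shows the user area running into the next header.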
malloc_state
typedef struct malloc_chunk *mfastbinptr;
typedef struct malloc_chunk *mchunkptr;
Fastbins
• Recently freed small chunks
• Singly linked list
• LIFO
• Total 10 Fastbins
• Sizes:
• 32bit: 16 to 64
• 64bit: 32 to 128
• No Coalescing
[Figure: fastbin array indexed by size (0x10, 0x20, 0x30, 0x40, 0x50, 0x60, 0x70), each head pointing to a singly-linked chain of free chunks through their FD pointers]
Normal Bins
• Unsorted Bin
• The first of the regular bins: bins[1]
• One chance to be quickly re-used before sorting
• Small Bins
• bins[2 to 63]
• FIFO
• Chunks of the same size
• Size range:
• 32-bit: 16 to 512 bytes
• 64-bit: 32 to 1024 bytes
• Each bin maintains a doubly-linked list
• Large Bins
• bins[64 to 126]
• Doubly-linked list sorted by size
• Find the best chunk and if needed split in two chunks
• One for the requested size and one for the remainder
[Figure: bins[1] Unsorted Bin (FIFO) and Small Bins [2~63], each holding a doubly-linked list of chunks through FD/BK; Large Bins [64~126] holding chunks of different sizes (e.g. Size=132, Size=120) linked through FD/BK and additionally fd_nextsize/bk_nextsize]
Per-thread Cache (tcache) Bins
• Introduced in glibc 2.26 to improve performance
• tcache_entry *entries: chunks of similar size linked in a singly-linked list, similar to fastbins
• counts: number of free chunks in each tcache_entry chain
• Up to 7 maximum chunks per chain
• Most of the security checks that apply to the other bins are skipped
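Added example, not part of the talk: the index formulas glibc's malloc.c uses to map a chunk size onto the bins described above (tcache, fastbins, small and large bins), and the order in which free() tries them on glibc 2.26 and later. Constants are the 64-bit x86 defaults; `classify_free` and `sorted_bin_index` are names chosen here for the illustration, not glibc functions, while `fastbin_index`, `smallbin_index`, `largebin_index` and `csize2tidx` reproduce the malloc.c macros of the same names.

```c
#include <stdint.h>
#include <stdio.h>

/* 64-bit x86 defaults from glibc malloc.c. */
#define SIZE_SZ            8
#define MALLOC_ALIGNMENT   16
#define MALLOC_ALIGN_MASK  (MALLOC_ALIGNMENT - 1)
#define MINSIZE            32
#define SIZE_BITS          0x7                  /* A | M | P flag bits */
#define IS_MMAPPED         0x2
#define DEFAULT_MXFAST     (64 * SIZE_SZ / 4)   /* 128: largest chunk that goes into a fastbin */
#define NSMALLBINS         64
#define MIN_LARGE_SIZE     (NSMALLBINS * 16)    /* 0x400: first large-bin chunk size */
#define TCACHE_MAX_BINS    64                   /* tcache covers chunk sizes 0x20 .. 0x410 */
#define TCACHE_FILL_COUNT  7                    /* entries per tcache bin before free() moves on */

enum bin_kind { BIN_INVALID, BIN_MMAP, BIN_TCACHE, BIN_FASTBIN, BIN_UNSORTED };

struct placement {
    enum bin_kind kind;
    int index;     /* fastbin index, tcache index or bins[] index; -1 when not applicable */
};

/* Index formulas as written in malloc.c (SIZE_SZ == 8 variants). */
unsigned fastbin_index(uint64_t sz)  { return (unsigned)(sz >> 4) - 2; }
unsigned smallbin_index(uint64_t sz) { return (unsigned)(sz >> 4); }
unsigned csize2tidx(uint64_t sz)     { return (unsigned)((sz - MINSIZE + MALLOC_ALIGNMENT - 1) / MALLOC_ALIGNMENT); }

unsigned largebin_index(uint64_t sz)
{
    /* Geometrically spaced ranges, as malloc.c describes them: bins of 64 B, 512 B,
     * 4 KiB, 32 KiB, 256 KiB and one catch-all bin for everything larger. */
    if ((sz >> 6)  <= 48) return 48  + (unsigned)(sz >> 6);
    if ((sz >> 9)  <= 20) return 91  + (unsigned)(sz >> 9);
    if ((sz >> 12) <= 10) return 110 + (unsigned)(sz >> 12);
    if ((sz >> 15) <= 4)  return 119 + (unsigned)(sz >> 15);
    if ((sz >> 18) <= 2)  return 124 + (unsigned)(sz >> 18);
    return 126;
}

/* Where free() puts a chunk on glibc >= 2.26, given its raw size word and how many
 * chunks its tcache bin already holds. The order mirrors _int_free: validate the size,
 * try tcache, try the fastbins, otherwise coalesce and park it in the unsorted bin. */
struct placement classify_free(uint64_t raw_size, unsigned tcache_count)
{
    struct placement p = { BIN_INVALID, -1 };
    uint64_t sz = raw_size & ~(uint64_t)SIZE_BITS;

    if (raw_size & IS_MMAPPED) {            /* mmap()ed chunks are unmapped, never binned */
        p.kind = BIN_MMAP;
        return p;
    }
    if (sz < MINSIZE || (sz & MALLOC_ALIGN_MASK) != 0)
        return p;                           /* glibc aborts here: "free(): invalid size" */

    unsigned tidx = csize2tidx(sz);
    if (tidx < TCACHE_MAX_BINS && tcache_count < TCACHE_FILL_COUNT) {
        p.kind = BIN_TCACHE;
        p.index = (int)tidx;
    } else if (sz <= DEFAULT_MXFAST) {
        p.kind = BIN_FASTBIN;
        p.index = (int)fastbin_index(sz);
    } else {
        p.kind = BIN_UNSORTED;
        p.index = 1;                        /* bins[1] */
    }
    return p;
}

/* The bin an unsorted chunk is finally sorted into by the next malloc() that scans the
 * unsorted list: bins[2..63] for small chunks, bins[64..126] for large ones. */
unsigned sorted_bin_index(uint64_t sz)
{
    return sz < MIN_LARGE_SIZE ? smallbin_index(sz) : largebin_index(sz);
}

int main(void)
{
    static const char *names[] = { "invalid", "mmap", "tcache", "fastbin", "unsorted" };
    uint64_t sizes[] = { 0x31, 0x91, 0x411, 0x421, 0x21002, 0x18 };   /* constructed size words */
    for (unsigned i = 0; i < sizeof sizes / sizeof sizes[0]; i++) {
        struct placement empty = classify_free(sizes[i], 0);
        struct placement full  = classify_free(sizes[i], TCACHE_FILL_COUNT);
        printf("size word 0x%llx: tcache empty -> %s[%d], tcache full -> %s[%d]\n",
               (unsigned long long)sizes[i], names[empty.kind], empty.index,
               names[full.kind], full.index);
    }
    return 0;
}
```

The same 0x30 chunk lands in tcache while its bin holds fewer than 7 entries and in fastbin 1 afterwards, which is the "fill up tcache bin" step that Example 2 relies on; a chunk larger than 0x410 skips tcache entirely and, being above the fastbin limit, goes to the unsorted bin.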
Heap Attacks / Exploitation Techniques
• Heap Overflow
• Use After Free
• Double Free
• Invalid Free
https://github.com/shellphish/how2heap
Is there an easier way to study heap exploitation?
Heap Made Easy (HeapME)
https://heapme.f2tc.com/
• Open Source
• Intuitive User Interface
• Timeless Heap Debugging
• Tracks and records all chunks/free bins states
• Seamless Analysis Collaboration
• Shared link for read-only visualization
• Great for CTFs 😎
• Current version supports ptmalloc2
• Integrated with GEF and Pwntools
Please contribute!
Heap Exploitation: Example 1
Strategy
1. Heap overflow (off-by-one / one byte overflow)
2. Overlap fastbins B and C: Free chunk D to consolidate with chunk A
3. Overwrite FD of first two chunks: target puts@got and fake chunk (house of spirit)
printf@plt
4. Leak __libc_start_main+240
5. Calculate libc_base: leaked address – libc.symbols['__libc_start_main'] - 240
6. One-gadget = libc_base + onegadget_offset
7. Overwrite read with the one-gadget
size_t length = strlen(arr[selected_index]);
read(0, arr[selected_index], length);
allocate(0x28, 'A' * 0x27)
allocate(0x28, 'B' * 0x27)
edit(0, 'D' * 0x28 + '\x01')
HeapME Address: https://heapme.f2tc.com/QrBY09ldku0iPNP4bM0a
Heap Exploitation: Example 2
• Glibc 2.29
• Checksec: Canary, NX, PIE, Fortify, RelRO
• Off by one / one byte overflow
for (int i=0; i <= size; i++) { … }
• Tcache Poisoning
• House of Spirit
HeapME Address: https://heapme.f2tc.com/GbPUIfcm2eehIpDVlLtq
Strategy
1. Fill up tcache bin
2. Leak libc from unsorted bin
3. One byte overflow
4. Tcache poisoning: arbitrary malloc overwrite
5. Overwrite __free_hook with one-gadget
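The two bug patterns behind Example 1 and Example 2 (an edit length taken from strlen() of a buffer that is already full, and a loop bounded by `<=`), as an added defender-side example rather than code from the talk. Each pattern runs beside its bounded form over a constructed flat byte array that stands in for two adjacent 0x30-byte chunks, and a check on the neighbouring size word shows which version clobbers the header. `build_heap`, `note_edit`, `next_header_intact` and the `fill_*` functions are names chosen here; nothing touches the real allocator.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define HDR       16        /* prev_size + size words in front of the user data */
#define CHUNK     0x30      /* chunk size a malloc(0x28) request gets on 64-bit glibc */
#define USABLE    0x28      /* bytes the caller owns; the next chunk's prev_size slot is included */
#define HEAP_LEN  (2 * CHUNK + HDR)

/* Constructed heap image: chunk0 at offset 0, chunk1 at 0x30, then one more header so
 * chunk1 also has a neighbour. Size words carry PREV_INUSE, as on a live heap. */
void build_heap(unsigned char heap[HEAP_LEN])
{
    memset(heap, 0, HEAP_LEN);
    heap[0x08] = CHUNK | 1;     /* chunk0: size 0x30, P set */
    heap[0x38] = CHUNK | 1;     /* chunk1: size 0x30, P set */
    heap[0x68] = 0x21;          /* following chunk: size 0x20, P set */
}

/* Integrity probe: true while the size word of the chunk after chunk_off is untouched. */
int next_header_intact(const unsigned char *heap, size_t chunk_off)
{
    return heap[chunk_off + CHUNK + 8] == (CHUNK | 1);
}

/* Example 1 pattern: the edit length is strlen() of the buffer's current contents. When
 * all USABLE bytes are non-zero there is no terminator inside the chunk, so strlen()
 * runs on into the neighbour's size word (0x31, non-zero) and stops at the zero byte
 * after it: the result is USABLE + 1, one byte more than the caller owns. */
size_t edit_len_from_strlen(const unsigned char *heap, size_t chunk_off)
{
    return strlen((const char *)heap + chunk_off + HDR);
}

/* Stand-in for read(0, arr[i], length): copies at most `length` bytes of the input into
 * the chunk's user area and reports how many landed. The hardened caller passes the
 * capacity recorded at allocate() time instead of a strlen()-derived length. */
size_t note_edit(unsigned char *heap, size_t chunk_off,
                 const unsigned char *in, size_t in_len, size_t length)
{
    size_t n = in_len < length ? in_len : length;
    memcpy(heap + chunk_off + HDR, in, n);
    return n;
}

/* Example 2 pattern: `i <= size` writes size + 1 bytes. */
size_t fill_off_by_one(unsigned char *heap, size_t chunk_off, size_t size, unsigned char byte)
{
    unsigned char *p = heap + chunk_off + HDR;
    size_t written = 0;
    for (size_t i = 0; i <= size; i++) {
        p[i] = byte;
        written++;
    }
    return written;
}

/* Bounded form: `i < size` stays inside the USABLE bytes. */
size_t fill_bounded(unsigned char *heap, size_t chunk_off, size_t size, unsigned char byte)
{
    unsigned char *p = heap + chunk_off + HDR;
    size_t written = 0;
    for (size_t i = 0; i < size; i++) {
        p[i] = byte;
        written++;
    }
    return written;
}

int main(void)
{
    unsigned char heap[HEAP_LEN];
    unsigned char input[USABLE + 1];
    memset(input, 'D', sizeof input);         /* constructed input, one byte longer than the buffer */

    build_heap(heap);
    memset(heap + HDR, 'A', USABLE);          /* chunk0 completely full, no terminator */
    size_t len = edit_len_from_strlen(heap, 0);
    size_t n1 = note_edit(heap, 0, input, sizeof input, len);
    int ok1 = next_header_intact(heap, 0);
    printf("strlen-derived length %zu: wrote %zu bytes, next header intact: %d\n", len, n1, ok1);

    build_heap(heap);
    memset(heap + HDR, 'A', USABLE);
    size_t n2 = note_edit(heap, 0, input, sizeof input, USABLE);
    int ok2 = next_header_intact(heap, 0);
    printf("capacity length %d: wrote %zu bytes, next header intact: %d\n", USABLE, n2, ok2);

    build_heap(heap);
    size_t n3 = fill_off_by_one(heap, 0, USABLE, 'B');
    int ok3 = next_header_intact(heap, 0);
    build_heap(heap);
    size_t n4 = fill_bounded(heap, 0, USABLE, 'B');
    int ok4 = next_header_intact(heap, 0);
    printf("i <= size: %zu bytes, intact: %d; i < size: %zu bytes, intact: %d\n", n3, ok3, n4, ok4);
    return 0;
}
```

The fix in both cases is the same: the number of bytes a write may touch comes from the size the program recorded when it allocated the buffer, never from the data already in it or from an inclusive loop bound. The neighbour-header probe is the kind of check a debug allocator or a HeapME-style tracker performs after every edit to flag the corruption before the corrupted chunk is ever freed.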
The Future of Heap Exploitation
Automation and Artificial Intelligence
• Cyber Grand Challenge
• Shellphish published their set of tools: http://shellphish.net/cgc/
• Driller: crash discovery tool
• REX: automated exploitation tool
• Patcherex: automated patcher
• Angrop: automated ROP chain builder
• ArcHeap - Automatic Techniques to Systematically Discover New Heap Exploitation Primitives
• https://github.com/sslab-gatech/ArcHeap/
• Fastbin to other bin
• House of Unsorted Einherjar
• Overlapping Chunks Small bin
• Unaligned Double Free
Huascar Tejeda <[email protected]>
@htejeda
https://github.com/htejeda
Interesting Links
• Glibc’s Source Code
• MallocInternals
https://sourceware.org/glibc/wiki/MallocInternals
• Shellphish how2heap
https://github.com/shellphish/how2heap
• Understanding glibc malloc
https://sploitfun.wordpress.com/2015/02/10/understanding-glibc-malloc/
• The Malloc Maleficarum
https://dl.packetstormsecurity.net/papers/attack/MallocMaleficarum.tx
• Malloc des-maleficarum
http://phrack.org/issues/66/10.html#article