Binary
17 Oct 2019

hook

hook

glibc-2.27

/* Forward declarations.  */
static void *malloc_hook_ini (size_t sz,
                              const void *caller) __THROW;
static void *realloc_hook_ini (void *ptr, size_t sz,
                               const void *caller) __THROW;
static void *memalign_hook_ini (size_t alignment, size_t sz,
                                const void *caller) __THROW;

#if HAVE_MALLOC_INIT_HOOK
void weak_variable (*__malloc_initialize_hook) (void) = NULL;
compat_symbol (libc, __malloc_initialize_hook,
	       __malloc_initialize_hook, GLIBC_2_0);
#endif

void weak_variable (*__free_hook) (void *__ptr,
                                   const void *) = NULL;
void *weak_variable (*__malloc_hook)
  (size_t __size, const void *) = malloc_hook_ini;
void *weak_variable (*__realloc_hook)
  (void *__ptr, size_t __size, const void *)
  = realloc_hook_ini;
void *weak_variable (*__memalign_hook)
  (size_t __alignment, size_t __size, const void *)
  = memalign_hook_ini;
void weak_variable (*__after_morecore_hook) (void) = NULL;

malloc_hook

malloc执行时先检查malloc_hook,若不为NULL,调用它

free异常时会调用malloc_hook

malloc_hook初始为malloc_hook_ini

如果能控制malloc_hook,就可以任意地址执行

malloc_hook在main_arena上方

pwndbg> x/64gx  0x7fffff3ebc00
0x7fffff3ebc00 <_IO_wide_data_0+288>:   0x0000000000000000      0x0000000000000000
0x7fffff3ebc10 <_IO_wide_data_0+304>:   0x00007fffff3e7d60      0x0000000000000000
0x7fffff3ebc20 <__memalign_hook>:       0x00007fffff097410      0x00007fffff098790
0x7fffff3ebc30 <__malloc_hook>: 0x00007fffff096a40      0x0000000000000000
0x7fffff3ebc40 <main_arena>:    0x0000000000000000      0x0000000000000000

tcache attack可以直接打过来

fastbin attack需要满足size验证,可以利用上方的数据,字节错位造一个7f当size,把堆分配到malloc_hook上方

realloc_hook

realloc执行时先检查realloc_hook,若不为NULL,调用它

realloc_hook初始为realloc_hook_ini realloc_hook与malloc相邻

pwndbg> x/64gx  0x7fffff3ebc08
0x7fffff3ebc08 <_IO_wide_data_0+296>:   0x0000000000000000      0x00007fffff3e7d60
0x7fffff3ebc18: 0x0000000000000000      0x00007fffff097410
0x7fffff3ebc28 <__realloc_hook>:        0x00007fffff098790      0x00007fffff096a40
0x7fffff3ebc38: 0x0000000000000000      0x0000000000000000
0x7fffff3ebc48 <main_arena+8>:  0x0000000000000000      0x0000000000000000

one_gadget条件不满足全不可用时,可以通过利用realloc_hook调整栈状态使one_gadge可用

根据需求,把realloc+x的地址写入malloc_hook,把one_gadget写入realloc_hook

这样在malloc时,跳malloc_hook也就是执行realloc+x,通过realloc中的push和pop调整栈,然后跳realloc_hook使one_gadget可用

free_hook

free执行时先检查free_hook,若不为NULL,调用它

free_hook初始为NULL

pwndbg> x/64gx 0x7fffff3ed8a8
0x7fffff3ed8a8 <list_all_lock+8>:       0x0000000000000000      0x0000000000000000
0x7fffff3ed8b8 <_IO_stdfile_2_lock+8>:  0x0000000000000000      0x0000000000000000
0x7fffff3ed8c8 <_IO_stdfile_1_lock+8>:  0x0000000000000000      0x0000000000000000
0x7fffff3ed8d8 <_IO_stdfile_0_lock+8>:  0x0000000000000000      0x0000000000000000
0x7fffff3ed8e8 <__free_hook>:   0x0000000000000000      0x0000000000000000
0x7fffff3ed8f8 <next_to_use.11802>:     0x0000000000000000      0x0000000000000000
0x7fffff3ed908 <disallow_malloc_check>: 0x0000000000000000      0x0000000000000000

tcache attack可以直接打过来

fastbin attack打不过来,因为free_hook上方都是0,无法伪造size

修改top,把top修改到free_hook上方,然后可以申请到free_hook

Tags:
0 comments



本作品采用知识共享署名-非商业性使用-禁止演绎 4.0 国际许可协议CC BY-NC-ND 4.0)进行许可。

This work is licensed under the Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International License (CC BY-NC-ND 4.0).