Heap Vulnerability--combat double free and unlink vulnerability

0CTF freenote: Write from reverse analysis to exploit !

My last article, but also a more detailed explanation of the principle of unlink loopholes, before reading this article suggested that first study on a blog

Now we start to learn, this CTF topic is now hanging on the Jarvis OJ, below gives the NC URL and program download link:

NC pwn2.jarvisoj.com 9886

Https://files.cnblogs.com/files/Magpie/level6_x64.rar

First analyze the program function:

Program is a typical Notepad program, the basic function is to add records, print lists all records, edit records, delete records.

Since you have started to contact the heap overflow class, I believe into the pit binary system should already have a period of time, the basic reverse analysis capacity should be some, so do not explain the analysis process in Ida, in this I simply say the functions of the functions and the program's data structure:

First, function function Description:

The main function as above, the major function of the function we say (not in the order of the diagram, in logical order):

0x01.sub_400a49: Create the Record index table, the specific is to allocate a large heap, the heap stored in the memory of each record of the pointer (see the following analysis to know that each record is malloc a heap to save), as if the property has stored the keys of each room, each key corresponds to a specific room, The board that hangs the key is this big pile, the room that the key corresponds is the heap memory that stores each record.

0x02.sub_400998: Just let you enter an operation option, there is nothing to say, there is no loophole can be exploited.

0X03.SUB_400BC2: Create a new record, in the future after the specific implementation is to let you enter the length of the record content and record content, and then check the length of the maximum limit, normal to malloc a storage of this record heap block, Then read the contents of the record into the heap with the length of your input as a standard. Note the malloc heap block has an operation that indicates that the size of the allocated heap block is an integer multiple of 0x80. Finally, the information of this record is written into the index table, of course, the beginning of time also checked the index table there is no space, this should be understood, we will look at the data structure analysis will understand a little better.

0X04.SUB_400B14: Output function, traverse the index table, print all records of the label and record content, the label starting from 0.

0x05.sub_400d87: Edit function, find the corresponding record according to the above record label, then edit.

0x06.sub_400f7d: delete function, still find the corresponding record according to the above label, then reset its index table as unused state, and free off the corresponding record heap block.

Second, the data structure analysis:

Data structure of the index table:

Head without tube, is the index table large block of block head, does not belong to the user area;

Max_size indicates the maximum number of records that can be stored, and Exist_num indicates the number of records already in place.

And then again, every three pieces of data constitute an index entry, and three data for the structure of the index item represent: 0/1 refers to whether the item has a record reference, 0 is not, 1 is a record, size_user is the length of the record, and Ptr_heap is the user-area pointer that stores the heap block of the record.

Attention:

One thing we have to be clear here is that the record number we're talking about is not numbering all the records that already exist, which means that each index item in the Index table, whether or not it exists, has a linear, fixed number, which is there after the index table is established, and is irrelevant to the record. It is the number of the index entry.

It is like high school can not be their own keys, the key board of the house tube whether or not hang the key, the corresponding location will be affixed to a room number label, even if not hang the key also has, but did not hang the key to indicate that someone took away, indicating that there is someone in this bedroom, corresponding to the first structure member value is 1 , the corresponding record heap blocks already exist!

But there is a little different, we do not over two examples, key room one by one corresponding, the key back (free) when from where to put, next to take or from the same place, but if you start to record 1234, you put 2 deleted, the next new time, The code logic lets you know that the location of the original index entry 2 in the Index table is taken to new, so the index table is allowed to be fragmented.

Third, vulnerability mining:

In this way, the combination of function and Index table mechanism of the principle, the process of data processing ideas are clear, the following we look for procedural vulnerabilities:

0x01, even if the heap is not exposed to a lot of loopholes, careful readers may also easily find the first vulnerability, the vulnerability appears in the new record of the function inside,:

This is the new record function in the implementation of the reading record content of the sub-function, A2 is the length of the user input record, through the loop read into A2 characters

Note that read into A2 characters!! Not a string of length A2!!!

Normally, a string of length n is a n+1 ascii that contains the ' \x00 ' Terminator, but it does not read the Terminator, The Terminator is missing, and when the record is printed it does not stop properly, and memory leaks can be realized!

0x02, core vulnerability of this program, double Free Vulnerability:

The vulnerability appears in the record deletion function, and we will examine the logical implementation of this function to find an astonishing fact: after you enter a label, the program does not check that the first member variable of the index entry in the index table is 0, Nor does it check that the heap pointer member variable that corresponds to the index entry is pointing to the heap memory has been free, that is, even if the index entry has been deleted, you can also delete it once again, like nothing else to ptr_heap again free, and in the program code, Free does not empty the corresponding heap pointer (name criticism!) ), which is free for the same heap block two times, resulting in a double free vulnerability!

(I know you're not interested, but you're going to have to spit it out.) Remedial measures: Even if you do not have to empty, check the flag, check ptr, or delete the index item in the PTR to clear any point in the case of this vulnerability ... ）

0x03, unlink--"in-Block cutting" DAFA:

This method is also called "Heap block Refactoring" technology.

Anyway is a way to operate, illegal alteration of housing structure, is to break the law ... (Draw the wind the second turn skin)

OK, let's take a serious look:

(Why not?) Bo Master write tired, once write not finish Ah .... Soon more! Don't worry! .... Not to be continued)

Heap Vulnerability--combat double free and unlink vulnerability