While I’ve started these posts with a “stick to the basics” mindset, I always end up with a gap on every post, which is a fact that forces me to write some more. This is actually the 5th post on the same topic, but since it is closely related to my last one I tagged it as 4.1. So, the story so far is as follows:
For the sake of completeness, in this post we are going to refer to the rest of the FastBin attacks, using the https://github.com/shellphish/how2heap as our main reference.
This attack leverages a double free vulnerability in order to force calloc to return a fake chunk which will point to a controlled location (in this case, the stack). I am going to use a slight modified version of the how2heap’s repo example which can be found here:
The c code that I use for this example is depicted below:
…and consists of the following steps:
tcache by allocating seven chunks of the same size. This will force the allocator to use the fastbins list:The next two calloc’s chunks will be assigned from the fastbins list, but due to the double free, there will still be an entry in the fastbins which will point to an allocated chunk:
First calloc(1,8) →0x0000555555559790
Second calloc(1,8) →0x00005555555597b0
An entry in the fastbins still points to the allocated chunk (0x0000555555559790):
Since we fully control the d pointer, we can overwrite the metadata of the chunk that it points to in order to create a fake chunk of arbitrary address and size:
d now is pointing to an address that contains the address of the stack_var . This will insert a fake link to the fastbins list which will now contain two chunks (the one that d points to as well as the fake):
As a result the first next allocation will point to 0x555555559790:
And the subsequent to the 0x7fffffffe2f0. Putting it all together, compiling and running the given example will yield the following output:
Final sample has been pushed here: https://github.com/shellphish/how2heap/blob/master/glibc_2.31/fastbin_dup.c
