Introduction to Modern Heap Exploitation for Penetration Testers

Introduction to Modern Heap Exploitation for · Introduction to Modern Heap Exploitation for Penetration Testers •Efficiently handle multi-threaded applications • Avoid race conditions

May 22, 2020

Page 1

Introduction to Modern Heap Exploitation for Penetration Testers

Page 2

[f2tc@htejeda ~]$ ❯❯❯ whoami

Huascar Tejeda <[email protected]>

• Co-Founder & CEO - F2TC Cyber Security

• 15+ years of experience in:

• Cyber Security

• Security Research

• Penetration Testing: Binary, IoT, Mobile, Web, Infrastructure

• Red/Blue/Purple teaming

• Threat Intelligence, Malware Analysis

• Software Development

• Networking

• System Administration / DevOps

• Embedded System Development

• Linux Kernel hacker

• Telecom – Orange, ONEMAX, DIRECTV / AT&T


@htejeda

https://github.com/htejeda

Page 3

Agenda

• Heap implementation high-level overview

• The Heap

• Arenas

• malloc: malloc_chunk, malloc_state

• free: fastbins, normal bins, tcache

• Attacks / Exploitation Techniques

• HeapME (Heap Made Easy) - Heap Analysis and Collaboration Tool

• Examples

  • glibc <2.26

  • glibc 2.29+

• The Future of Heap Exploitation

Page 4

The Heap

• malloc(size_t n);

• realloc(void* p, size_t n);

• free(void* p);

• The Wilderness / Top Chunk: the free chunk at the end of the heap; a request that no bin can satisfy is carved from it.

• sbrk() to increase contiguous size: the main heap grows (and shrinks) by moving the program break.

• mmap() to allocate independent regions of memory, not restricted to a single contiguous chunk: used for very large requests (above mmap_threshold, initially 128 KiB) and for the sub-heaps of thread arenas.

• Memory allocators (all claim to be fast, scalable, memory efficient and… secure?)

  • dlmalloc – Doug Lea's general purpose allocator, the ancestor of ptmalloc2

  • ptmalloc2 – glibc

  • jemalloc – FreeBSD and Firefox

  • tcmalloc – Google

  • …

[Figure: process memory layout, lower to higher addresses: Code Segment (executable instructions), Data Segment (initialized global or static variables), BSS Segment (uninitialized global or static variables), Heap Segment (grown with sbrk), Unallocated Memory (mmap regions), Stack Segment]

Page 5

Arenas

• Efficiently handle multi-threaded applications

• Avoid race conditions

• Improve performance: each arena has its own mutex, so threads no longer serialize on one global lock

• Thread arenas: a secondary arena has its own heap segments (sub-heaps) and its own bins/freelists; the main arena is the one backed by sbrk(). Threads are assigned an arena and, once the limit below is reached, share arenas.

• Maximum number of arenas:

  • 32-bit systems: 2 * number of cores

  • 64-bit systems: 8 * number of cores

• Sub-heaps

  • Maximum size (HEAP_MAX_SIZE):

    • 32-bit systems: 1MB

    • 64-bit systems: 64MB

  • A sub-heap is reserved up front with mmap() (no access permissions) and grows by calling mprotect() on the reserved pages instead of sbrk().

  • The arena allocates a new sub-heap once the current sub-heap is exhausted.

[Figure: the same memory layout as the previous slide, with the Main Arena on the sbrk heap and Arena 0, Arena 1 … Arena N each built from mmap'd sub-heaps]

Page 6

malloc_chunk

Allocated chunk:

  prev_size : Size of previous chunk, if unallocated (P clear)
  size      : Size of chunk | A | M | P
  user data : (size of chunk, but used for application data; it extends over the next chunk's prev_size field)
  next size : Size of next chunk | A | 0 | 1   (P set: this chunk is in use)

Free chunk:

  prev_size : Size of previous chunk, if unallocated (P clear)
  size      : Size of chunk | A | 0 | P
  fd        : Forward pointer to next chunk in list
  bk        : Back pointer to previous chunk in list
  unused space
  size      : Size of chunk, copied to the foot (this is the next chunk's prev_size field)
  next size : Size of next chunk | A | 0 | 0   (P clear: this chunk is free)

Size field flag bits:

  PREV_INUSE (0x1)     - Previous chunk is in use.
  IS_MMAPPED (0x2)     - Chunk obtained with mmap().
  NON_MAIN_ARENA (0x4) - Chunk belongs to a thread arena.
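The chunk header layout above, as an added example that is not part of the slides: a C model of the x86-64 malloc_chunk with glibc's helper macros written out as functions, a constructed three-chunk heap image (an assumed layout, no allocator involved) walked with them, and the one-byte overflow the later examples rely on, showing exactly which header field it lands on. The glibc names (prev_size, size, fd, bk, PREV_INUSE, chunk2mem, next_chunk) are real; build_heap_image, walk_heap, off_by_one_into_neighbor and the A/B/C chunk sizes are this example's own.

```c
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define SIZE_SZ        8            /* sizeof(size_t) on x86-64 */
#define PREV_INUSE     0x1
#define IS_MMAPPED     0x2
#define NON_MAIN_ARENA 0x4
#define SIZE_BITS      (PREV_INUSE | IS_MMAPPED | NON_MAIN_ARENA)

/* Same field order as glibc's struct malloc_chunk. fd/bk and the nextsize
 * pair overlay the user data while the chunk is free. */
struct malloc_chunk {
    size_t prev_size;                 /* size of previous chunk, valid only if P is clear */
    size_t size;                      /* chunk size, A/M/P flags in the low three bits */
    struct malloc_chunk *fd, *bk;
    struct malloc_chunk *fd_nextsize, *bk_nextsize;   /* large bins only */
};

size_t chunksize(const struct malloc_chunk *p) { return p->size & ~(size_t)SIZE_BITS; }
int prev_inuse(const struct malloc_chunk *p)   { return (int)(p->size & PREV_INUSE); }
void *chunk2mem(struct malloc_chunk *p)        { return (char *)p + 2 * SIZE_SZ; }
struct malloc_chunk *mem2chunk(void *mem)      { return (struct malloc_chunk *)((char *)mem - 2 * SIZE_SZ); }
struct malloc_chunk *next_chunk(struct malloc_chunk *p) { return (struct malloc_chunk *)((char *)p + chunksize(p)); }
struct malloc_chunk *prev_chunk(struct malloc_chunk *p) { return (struct malloc_chunk *)((char *)p - p->prev_size); }
/* A chunk's own in-use state is recorded in the NEXT chunk's P bit. */
int inuse(struct malloc_chunk *p) { return prev_inuse(next_chunk(p)); }

/* Constructed heap image (assumption: a main-arena heap, no allocator involved):
 * A (0x30, in use) | B (0x110, free) | C (0x40, in use) | top chunk. */
#define HEAP_IMAGE_SIZE 0x200
#define A_OFF   0x0
#define A_SIZE  0x30
#define B_OFF   (A_OFF + A_SIZE)
#define B_SIZE  0x110
#define C_OFF   (B_OFF + B_SIZE)
#define C_SIZE  0x40
#define TOP_OFF (C_OFF + C_SIZE)

static union { size_t align; unsigned char bytes[HEAP_IMAGE_SIZE]; } heap_image;
struct malloc_chunk *chunk_at(size_t off) { return (struct malloc_chunk *)(heap_image.bytes + off); }

void build_heap_image(void) {
    memset(heap_image.bytes, 0, sizeof heap_image.bytes);
    chunk_at(A_OFF)->size = A_SIZE | PREV_INUSE;      /* first chunk: P always set */
    chunk_at(B_OFF)->size = B_SIZE | PREV_INUSE;      /* A is in use */
    chunk_at(B_OFF)->fd = chunk_at(B_OFF)->bk = chunk_at(B_OFF);  /* stand-in for bin links */
    chunk_at(C_OFF)->prev_size = B_SIZE;              /* B is free: C carries B's size ... */
    chunk_at(C_OFF)->size = C_SIZE;                   /* ... and has P clear */
    chunk_at(TOP_OFF)->size = (HEAP_IMAGE_SIZE - TOP_OFF) | PREV_INUSE;
}

/* Walk the headers from the first chunk up to the top chunk. Returns the number
 * of chunks before top and fills in their sizes and in-use state. */
size_t walk_heap(size_t *sizes, int *in_use, size_t max) {
    size_t n = 0;
    struct malloc_chunk *p = chunk_at(0), *end = chunk_at(HEAP_IMAGE_SIZE);
    while (n < max && next_chunk(p) < end) {      /* next_chunk(top) == end */
        sizes[n] = chunksize(p);
        in_use[n] = inuse(p);
        n++;
        p = next_chunk(p);
    }
    return n;
}

/* The one-byte overflow used in the examples: `i <= size` copies size + 1 bytes,
 * so the string's terminating NUL lands one byte past the buffer. A's usable
 * area is 0x28 bytes (the last 8 overlap B's prev_size); byte 0x28 is the low
 * byte of B's size field. Returns B's size field after the copy. */
size_t off_by_one_into_neighbor(void) {
    build_heap_image();
    char src[0x29];
    memset(src, 'D', 0x28);
    src[0x28] = '\0';
    char *dst = chunk2mem(chunk_at(A_OFF));
    size_t size = 0x28;                       /* what the program believes it may write */
    for (size_t i = 0; i <= size; i++)        /* bug: should be i < size */
        dst[i] = src[i];
    return chunk_at(B_OFF)->size;             /* 0x111 -> 0x100: P cleared, size shrunk */
}

int main(void) {
    size_t sizes[8];
    int used[8];
    build_heap_image();
    size_t n = walk_heap(sizes, used, 8);
    for (size_t i = 0; i < n; i++)
        printf("chunk %zu: size 0x%zx %s\n", i, sizes[i], used[i] ? "in use" : "free");
    printf("B.size after off-by-one: 0x%zx (P bit %d)\n",
           off_by_one_into_neighbor(), prev_inuse(chunk_at(B_OFF)));
    return 0;
}
```

After the overflow the allocator believes A is free (B's P bit is clear) and, when B is later freed, will read B's prev_size to find the "previous" chunk for backward consolidation; controlling that field is what turns a single NUL byte into overlapping chunks.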

Page 7

malloc_state


typedef struct malloc_chunk *mfastbinptr;

typedef struct malloc_chunk *mchunkptr;

Page 8

Fastbins

• Recently freed small chunks

• Singly linked list (only FD is used)

• LIFO

• 10 fastbins exist (NFASTBINS); with the default limit (global_max_fast = 128 bytes on 64-bit, 64 bytes on 32-bit) only the first 7 are used

• Chunk sizes:

  • 32bit: 16 to 64

  • 64bit: 32 to 128

• No Coalescing: a chunk sitting in a fastbin leaves the PREV_INUSE bit of its neighbor set, so the rest of the allocator treats it as allocated and never merges it (until malloc_consolidate runs)

[Figure: the fastbin array, one head per size class, each pointing to a singly linked chain of free chunks through FD]

Page 9

Normal Bins

• Unsorted Bin

  • The first of the regular bins: bins[1]

  • Chunks that are neither fastbin- nor tcache-sized land here first on free(): one chance to be quickly re-used before the next malloc() that scans the bin sorts them into a small or large bin

• Small Bins

  • bins[2 to 63]

  • FIFO

  • Each bin holds chunks of exactly the same size

  • Chunk size range:

    • 32-bit: 16 up to (but not including) 512 bytes

    • 64-bit: 32 up to (but not including) 1024 bytes

  • Each bin maintains a doubly-linked list (FD/BK)

• Large Bins

  • bins[64 to 126]

  • Each bin covers a range of sizes; doubly-linked list sorted by size, with fd_nextsize/bk_nextsize linking the first chunk of each distinct size

  • Find the best chunk and if needed split it in two chunks: one for the requested size and one for the remainder (which goes back to the unsorted bin)

[Figure: Unsorted Bin (bins[1]), Small Bins (bins[2~63]) and Large Bins (bins[64~126]); unsorted and small chunks carry FD and BK, large-bin chunks additionally carry fd_nextsize and bk_nextsize, shown as two chunks of Size=132 followed by one of Size=120]

Page 10

Per-thread Cache (tcache) Bins

• Introduced in glibc 2.26 to improve performance

• entries[]: one singly-linked list of free chunks per size class (64 bins, chunk sizes 0x20 to 0x410 on 64-bit), linked through the chunk's user data like fastbins; tcache_entry.next points at the next user pointer, not at the chunk header

• counts[]: number of free chunks in each list

  • Up to 7 chunks per bin (tcache_count); beyond that a free() falls through to the fastbins / unsorted bin

• Most security checks are bypassed: the tcache fast paths in malloc() and free() skip the size and pointer sanity checks the other bins perform; glibc 2.29 added only a double-free check (the key field)
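As an added example covering the fastbin, normal-bin and tcache slides (not code from the talk): the 64-bit bin index formulas from glibc's malloc.c written as functions, plus a classify_free helper (this example's own name and simplification) that reports which bin a freed chunk of a given request size ends up in, depending on whether the matching tcache bin is already full and whether the glibc has a tcache at all. Constants are the glibc defaults; coalescing with a free neighbor or top, and the dynamic growth of the mmap threshold, are ignored.

```c
#include <stddef.h>
#include <stdio.h>

#define SIZE_SZ                8
#define MALLOC_ALIGNMENT       16
#define MALLOC_ALIGN_MASK      (MALLOC_ALIGNMENT - 1)
#define MINSIZE                0x20                 /* header + fd/bk: smallest chunk */
#define DEFAULT_MXFAST         (64 * SIZE_SZ / 4)   /* 128: default global_max_fast */
#define NSMALLBINS             64
#define MIN_LARGE_SIZE         (NSMALLBINS * MALLOC_ALIGNMENT)   /* 1024 */
#define TCACHE_MAX_BINS        64
#define TCACHE_MAX_CHUNK       (MINSIZE + (TCACHE_MAX_BINS - 1) * MALLOC_ALIGNMENT)  /* 0x410 */
#define TCACHE_COUNT           7
#define DEFAULT_MMAP_THRESHOLD (128 * 1024)

/* request2size: user request -> chunk size (header included, 16-byte aligned). */
size_t request2size(size_t req) {
    size_t sz = (req + SIZE_SZ + MALLOC_ALIGN_MASK) & ~(size_t)MALLOC_ALIGN_MASK;
    return sz < MINSIZE ? MINSIZE : sz;
}

/* Index macros from malloc.c, 64-bit variants, taking a chunk size. */
size_t fastbin_index(size_t sz)  { return (sz >> 4) - 2; }      /* 0x20 -> 0, 0x80 -> 6 */
size_t smallbin_index(size_t sz) { return sz >> 4; }            /* 0x20 -> 2, 0x3f0 -> 63 */
size_t csize2tidx(size_t sz)     { return (sz - MINSIZE + MALLOC_ALIGNMENT - 1) / MALLOC_ALIGNMENT; }
size_t largebin_index(size_t sz) {                               /* largebin_index_64 */
    return (sz >> 6)  <= 48 ?  48 + (sz >> 6)
         : (sz >> 9)  <= 20 ?  91 + (sz >> 9)
         : (sz >> 12) <= 10 ? 110 + (sz >> 12)
         : (sz >> 15) <= 4  ? 119 + (sz >> 15)
         : (sz >> 18) <= 2  ? 124 + (sz >> 18)
         : 126;
}

enum bin_kind { BIN_TCACHE, BIN_FAST, BIN_SMALL, BIN_LARGE, BIN_MMAP };
struct placement { enum bin_kind kind; size_t chunk_size; size_t index; };

/* Where free() puts the chunk allocated for `req` bytes, given how many chunks
 * the matching tcache bin already holds and whether this glibc has a tcache
 * (2.26+). Small/large-sized chunks pass through the unsorted bin first; `index`
 * is the bin they are sorted into afterwards. For mmap'd chunks the real size is
 * page-rounded; request2size is shown only for comparison. */
struct placement classify_free(size_t req, unsigned tcache_filled, int has_tcache) {
    struct placement p = { BIN_TCACHE, request2size(req), 0 };
    if (p.chunk_size >= DEFAULT_MMAP_THRESHOLD) {
        p.kind = BIN_MMAP; p.index = 0;               /* IS_MMAPPED set: free() munmaps it */
    } else if (has_tcache && p.chunk_size <= TCACHE_MAX_CHUNK && tcache_filled < TCACHE_COUNT) {
        p.kind = BIN_TCACHE; p.index = csize2tidx(p.chunk_size);
    } else if (p.chunk_size <= DEFAULT_MXFAST) {
        p.kind = BIN_FAST; p.index = fastbin_index(p.chunk_size);
    } else if (p.chunk_size < MIN_LARGE_SIZE) {
        p.kind = BIN_SMALL; p.index = smallbin_index(p.chunk_size);
    } else {
        p.kind = BIN_LARGE; p.index = largebin_index(p.chunk_size);
    }
    return p;
}

const char *bin_kind_name(enum bin_kind k) {
    static const char *names[] = { "tcache", "fastbin", "smallbin", "largebin", "mmap" };
    return names[k];
}

int main(void) {
    size_t reqs[] = { 0, 0x18, 0x28, 0x78, 0x100, 0x3e8, 0x400, 0x2000, 0x30000 };
    for (size_t i = 0; i < sizeof reqs / sizeof reqs[0]; i++) {
        struct placement a = classify_free(reqs[i], 0, 1);   /* tcache bin empty */
        struct placement b = classify_free(reqs[i], 7, 1);   /* tcache bin full */
        printf("req 0x%-6zx chunk 0x%-5zx -> %s[%zu]; tcache full -> %s[%zu]\n",
               reqs[i], a.chunk_size, bin_kind_name(a.kind), a.index,
               bin_kind_name(b.kind), b.index);
    }
    return 0;
}
```

The table this prints is the reason "fill up the tcache bin" appears as step 1 of Example 2: seven frees of one size are needed before the eighth chunk of that size reaches the fastbins or the unsorted bin, where a libc pointer can be leaked.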

Page 11

Heap Attacks / Exploitation Techniques

• Heap Overflow

• Use After Free

• Double Free

• Invalid Free

https://github.com/shellphish/how2heap

Page 12


Is there an easier way to study heap exploitation?

Page 13


Heap Made Easy (HeapME)

https://heapme.f2tc.com/

• Open Source

• Intuitive User Interface

• Timeless Heap Debugging

• Tracks and records all chunks/free bins states

• Seamless Analysis Collaboration

• Shared link for read-only visualization

• Great for CTFs 😎

• Current version supports ptmalloc2

• Integrated with GEF and Pwntools

Please contribute!

Page 14

Heap Exploitation: Example 1

Strategy

1. Heap overflow (off-by-one / one byte overflow)

2. Overlap fastbins B and C: Free chunk D to consolidate with chunk A

3. Overwrite FD of first two chunks: target puts@got and fake chunk (house of spirit)

   printf@plt

4. Leak __libc_start_main+240

5. Calculate libc_base: leaked address – libc.symbols['__libc_start_main'] - 240

6. One-gadget = libc_base + onegadget_offset

7. Overwrite read with the one-gadget

Vulnerable code (the read length is derived from strlen() of the buffer contents, not from the allocation size):

size_t length = strlen(arr[selected_index]);
read(0, arr[selected_index], length);

Interaction:

allocate(0x28, 'A' * 0x27)
allocate(0x28, 'B' * 0x27)
edit(0, 'D' * 0x28 + '\x01')

Page 15

Heap Exploitation: Example 1


https://heapme.f2tc.com/QrBY09ldku0iPNP4bM0a

HeapME Address

Page 16

Page 17

Heap Exploitation: Example 2

• Glibc 2.29

• Checksec: Canary, NX, PIE, Fortify, RelRO

• Off by one / one byte overflow:

for (int i=0; i <= size; i++) { … }

• Tcache Poisoning

• House of Spirit

https://heapme.f2tc.com/GbPUIfcm2eehIpDVlLtq

HeapME Address

Strategy

1. Fill up tcache bin

2. Leak libc from unsorted bin

3. One byte overflow

4. Tcache poisoning: arbitrary malloc overwrite

5. Overwrite __free_hook with one-gadget
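To make steps 4 and 5 concrete, here is an added example (not from the talk): a model of the glibc 2.29 per-thread cache with tcache_put, tcache_get and the double-free check written out as in malloc.c, driven from a constructed block of memory instead of a real allocator. It shows the LIFO reuse, tcache poisoning (one write into a freed chunk's next field makes a later malloc return an arbitrary address, here a stand-in for __free_hook), and why a plain double free is caught on 2.29+ but not on 2.26-2.28. model_free, model_malloc, the demo_* functions, heap_image and fake_target are this example's own names; the glibc_minor switch is a modelling device.

```c
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define TCACHE_MAX_BINS  64
#define TCACHE_COUNT     7        /* mp_.tcache_count default: max entries per bin */
#define MINSIZE          0x20
#define MALLOC_ALIGNMENT 16
#define CHUNK_SIZE       0x30     /* every modelled chunk: 0x10 header + 0x20 user data */

/* Overlays the user data of a freed chunk, as in glibc 2.29's malloc.c. */
typedef struct tcache_entry {
    struct tcache_entry *next;              /* raw pointer in 2.26-2.31; mangled from 2.32 (safe-linking) */
    struct tcache_perthread_struct *key;    /* 2.29+: points at the tcache while the chunk sits in it */
} tcache_entry;

typedef struct tcache_perthread_struct {
    unsigned char counts[TCACHE_MAX_BINS];  /* widened to uint16_t in 2.30 */
    tcache_entry *entries[TCACHE_MAX_BINS];
} tcache_perthread_struct;

static tcache_perthread_struct tcache;
static int glibc_minor = 29;                /* model switch: 26..28 have no key check */

static size_t csize2tidx(size_t sz) { return (sz - MINSIZE + MALLOC_ALIGNMENT - 1) / MALLOC_ALIGNMENT; }

/* tcache_put: push the freed user pointer onto the bin's singly linked list. */
static void tcache_put(void *mem, size_t idx) {
    tcache_entry *e = mem;
    e->key = &tcache;
    e->next = tcache.entries[idx];
    tcache.entries[idx] = e;
    ++tcache.counts[idx];
}

/* tcache_get: pop the head; whatever `next` holds becomes the new head, unchecked. */
static void *tcache_get(size_t idx) {
    tcache_entry *e = tcache.entries[idx];
    tcache.entries[idx] = e->next;
    --tcache.counts[idx];
    e->key = NULL;
    return e;
}

/* Tcache path of _int_free. 0: cached; -1: the 2.29+ double-free check fired
 * ("free(): double free detected in tcache 2"); 1: bin full, so the real
 * allocator would continue to the fastbins / unsorted bin. */
int model_free(void *mem, size_t chunk_size) {
    size_t idx = csize2tidx(chunk_size);
    tcache_entry *e = mem;
    if (glibc_minor >= 29 && e->key == &tcache)   /* walk the bin: the key could be a coincidence */
        for (tcache_entry *tmp = tcache.entries[idx]; tmp != NULL; tmp = tmp->next)
            if (tmp == e) return -1;
    if (tcache.counts[idx] >= TCACHE_COUNT) return 1;
    tcache_put(mem, idx);
    return 0;
}

/* Tcache path of __libc_malloc: serve from the bin if it holds anything. */
void *model_malloc(size_t chunk_size) {
    size_t idx = csize2tidx(chunk_size);
    return tcache.entries[idx] != NULL ? tcache_get(idx) : NULL;  /* NULL: would go to _int_malloc */
}

/* Constructed memory: eight back-to-back chunks and a stand-in for a target such
 * as __free_hook. No real allocator is touched. */
static union { void *align; unsigned char bytes[8 * CHUNK_SIZE]; } heap_image;
static union { void *align; unsigned char bytes[0x20]; } fake_target;
static void *mem(int i) { return heap_image.bytes + i * CHUNK_SIZE + 0x10; }  /* user pointer of chunk i */

static void reset(int minor) {   /* fresh tcache and zeroed memory for each demo */
    memset(&tcache, 0, sizeof tcache); memset(&heap_image, 0, sizeof heap_image);
    memset(&fake_target, 0, sizeof fake_target); glibc_minor = minor;
}

/* 1) LIFO: free A then B; malloc hands back B first, then A. */
int demo_lifo(void) {
    reset(29);
    model_free(mem(0), CHUNK_SIZE);
    model_free(mem(1), CHUNK_SIZE);
    return model_malloc(CHUNK_SIZE) == mem(1) && model_malloc(CHUNK_SIZE) == mem(0);
}

/* 2) Tcache poisoning: one write into freed A (use-after-free, or an overflow from
 * the chunk before it) points A->next at the target; the second malloc returns it. */
void *demo_poison(void) {
    reset(29);
    model_free(mem(0), CHUNK_SIZE);
    ((tcache_entry *)mem(0))->next = (tcache_entry *)fake_target.bytes;  /* the attacker's write */
    model_malloc(CHUNK_SIZE);                 /* A comes back first */
    return model_malloc(CHUNK_SIZE);          /* then the "chunk" at fake_target */
}

/* 3) Double free of A. Returns -1 when the 2.29+ key check catches it; on
 * 2.26-2.28 the bin becomes cyclic (A->next == A), so returns 1 when the next
 * two mallocs hand out the same chunk. */
int demo_double_free(int minor) {
    reset(minor);
    model_free(mem(0), CHUNK_SIZE);
    if (model_free(mem(0), CHUNK_SIZE) == -1) return -1;
    void *p = model_malloc(CHUNK_SIZE), *q = model_malloc(CHUNK_SIZE);
    return p == q && p == mem(0);
}

int main(void) {
    printf("LIFO reuse: %d, poisoned malloc returned target: %d\n",
           demo_lifo(), demo_poison() == (void *)fake_target.bytes);
    printf("double free on 2.29: %d, on 2.26: %d\n", demo_double_free(29), demo_double_free(26));
    return 0;
}
```

Note what the 2.29 key check does and does not cover: it catches freeing the same chunk twice in a row, but the poisoning path needs only one free and one write, so a use-after-free or a one-byte overflow into a freed neighbor still yields an arbitrary malloc, which is why the strategy above ends by pointing it at __free_hook.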

Page 18

Page 19

The Future of Heap Exploitation

Automation and Artificial Intelligence

• Cyber Grand Challenge

  • Shellphish published their set of tools: http://shellphish.net/cgc/

    • Driller: crash discovery tool

    • REX: automated exploitation tool

    • Patcherex: automated patcher

    • Angrop: automated ROP chain builder

• ArcHeap - Automatic Techniques to Systematically Discover New Heap Exploitation Primitives

  • https://github.com/sslab-gatech/ArcHeap/

    • Fastbin to other bin

    • House of Unsorted Einherjar

    • Overlapping Chunks Small bin

    • Unaligned Double Free

Huascar Tejeda <[email protected]>

@htejeda

https://github.com/htejeda

Interesting Links

• Glibc’s Source Code

• MallocInternals

https://sourceware.org/glibc/wiki/MallocInternals

• Shellphish how2heap

https://github.com/shellphish/how2heap

• Understanding glibc malloc

https://sploitfun.wordpress.com/2015/02/10/understanding-glibc-malloc/

• The Malloc Maleficarum

https://dl.packetstormsecurity.net/papers/attack/MallocMaleficarum.tx

• Malloc des-maleficarum

http://phrack.org/issues/66/10.html#article

Page 20