The toddler’s introduction to Heap Exploitation, FastBin Dup to Stack (Part 4.1)

This post is part of a series of articles related to x64 Linux Binary Exploitation techniques. In my previous posts, I started by exploring simple stack corruption bugs and their mitigation techniques and gradually progressed to more complex topics. In the last post, I delved into the concept of using memory that has been previously freed, a bug known as Use-After-Free (UAF) in the context of Heap Memory exploitation.

Continuing the line of thought, in this post I am going to discuss about a heap exploitation technique known as fastbin dup to stack, using references from the https://github.com/shellphish/how2heap repo. That being said, picking up where we left off, here are the links to my previous articles:

• The toddler’s introduction to Heap Exploitation (Part 1)
• The toddler’s introduction to Heap exploitation (Part 2)
• The toddler’s introduction to Heap exploitation — Overflows (Part 3)
• The toddler’s introduction to Heap exploitation — Use After Free & Double free (Part 4)

FastBin Double Free to Stack

This attack leverages a double free vulnerability in order to force calloc to return a fake chunk which will point to a controlled location (in this case, the stack). I am going to use a slightly modified version of the how2heap’s example which can be found here:

figure 1: https://github.com/shellphish/how2heap/blob/master/glibc_2.23/fastbin_dup_into_stack.c

The code that I will be using for this example is depicted below:

Let’s see step by step what this code is doing:

• Since we want to describe a fastbin exploitation technique and the allocator uses the tcache first when a memory allocation is requested, the code “packs” the tcache in lines 12 to 19 by allocating seven chunks of the same size. This will force the allocator to use the fastbins list:

figure 2: Packing the tcache list

• Then, it creates three new allocations, assigns them to the a, b, c variables and calls the free function twice (double free) for a :

figure 3: Double free the a pointer

figure 4: gdb view of the double free

figure 5: In the fastbins list the first and last chunk point to the same address.

• The next two calls to calloc will return chunks from the fastbins list, but due to the double free, there will still be an entry in the fastbins which will point to an allocated chunk:

figure 6: next two calls to calloc

To verify the above, load the program in gdb and follow up the addresses returned by the two calls to calloc:

First calloc(1,8) →0x0000555555559790

figure 7: chunk address returned to $rax

Second calloc(1,8) →0x00005555555597b0

figure 8: chunk address returned to $rax

An entry in the fastbins still points to the allocated chunk (0x0000555555559790):

figure 9: There is still an entry in the fastbin list which points to an allocated chunk

• In line 61 the program simulates the case where the attacker controls the d pointer, which (by now) points to an in-use and free (at the same time) chunk:

figure 10: d points to the address of the stack_var while there is an entry in the fastbin pointing to the same memory address

• After d `s assignment to the address of the stack_var a fake link will be added to the fastbins list which will now contain two chunks (the one that d points to as well as the fake):

figure 11: The fastbin list contains a node which points to the stack

Due to the first fit, the next allocation will assign the chunk at 0x555555559790:

figure 12: The call to malloc removed the head chunk from the fastbins

A subsequent call to malloc for a similar size will return the fake chunk at 0x7fffffffe2f0, as it is shown after compiling and runing the program:

Final sample has been pushed here: https://github.com/shellphish/how2heap/blob/master/glibc_2.31/fastbin_dup.c