What are the skills of using musl heap?

2025-01-18 Update From: SLTechnology News&Howtos

Shulou(Shulou.com) 06/01 Report--

Most readers are not familiar with the knowledge points in this article, "what are the skills of using musl heap", so Xiaobian has summarized the following content. It is detailed, the steps are clear, and it has some reference value; I hope everyone gains something from reading it. Let's take a look at "what are the skills of using musl heap".

Topic analysis

1. First is the add function, which uses calloc. The maximum request size is 0x90.

2. Next is the delete function, which frees the chunk and then clears the pointer.

3. Then there is the edit function, where the vulnerability lies: a null-byte overflow. It can clear the chunk's index so that the chunk points to a fake_meta.

4. Finally, look at the update function. Its realloc copies the contents of the original chunk into the new chunk, which we can use to leak a libc address.

Debugging and analysis

The difference between a musl chunk and a glibc chunk is that the musl chunk header stores far less information about the heap block: it holds no pointers the way glibc does. So leaking a libc address requires a specific condition, namely that the chunk contains a pointer to another chunk or some other pointer. Likewise, we can no longer simply overwrite a pointer to get an arbitrary allocation; instead we have to change the only information the chunk header holds and forge a meta to achieve arbitrary allocation.

malloc_context

add(0x20,'a'*0x20)

1. secret is a key used to verify meta fields.

2. free_meta_head stores released metas as a singly linked list. Nothing has been released yet, so it is empty.

3. active holds the metas, divided by size class.

4. usage_by_class is the number of metas (tracked per size class).

meta

add(0x20,'a'*0x20)
add(0x20,'a'*0x20)
add(0x20,'a'*0x20)
add(0x20,'a'*0x20)
free(3)

1. prev and next are the previous and next meta pages; here both point to the meta itself, which means there is only one meta page.

2. mem is the address of the group, which is made up of multiple chunks.

3. avail_mask marks which chunks can still be allocated: 0x3f0 = 0b1111110000. We have allocated 4 heap blocks, so the low four bits are clear, meaning the first four chunks are not allocable.

4. freed_mask marks chunks that have been released. We released the first chunk, so 0x1 means the first chunk is free.

5. last_idx is the subscript of the last chunk, here 0x9, so the total number of chunks is 0xa.

6. freeable indicates the number of heap blocks that have been released.

7. sizeclass is the size class of the managed group.

8. maplen, if non-zero, is the number of memory pages allocated by mmap.

chunk

add(0x20,'a'*0x20)
add(0x20,'a'*0x20)
add(0x20,'a'*0x20)
add(0x20,'a'*0x20)
free(3)

1. The offset from the start of the group is 0x0, 0x30, 0x60 respectively. The system finds the corresponding meta address from this offset, so if we can change the offset, for example by setting chunk1's offset to zero, a meta pointer can be forged at chunk1 - 0x10, which is the data field of chunk0 and under our control. In this way a meta can be forged anywhere, but the address must be 0x1000-aligned.

2. The index byte is the subscript of the current chunk; when the chunk is freed it becomes 0xff.

3. The reserved field indicates the size of the remaining user space. The 4 bytes following the chunk header can be reused by the previous chunk, like glibc's prev_size, which gives the relationship between the requested size and the chunk size:

chunk size: request size range
0x10: 0 - 0xc
0x20: 0xd - 0x1c
0x30: 0x1d - 0x2c
0x40: 0x2d - 0x3c
...

Allocation and release of chunks

add(0x50,'a'*0x50)
add(0x50,'a'*0x50)
add(0x50,'a'*0x50)
free(0)
add(0x50,'a'*0x50)

avail_mask = 0x10 = 0b10000

freed_mask = 0x1 = 0b00001

musl does not reuse a chunk immediately after it is released. Here the group has 5 chunks. First we request 3 chunks, then free the first one. On the next request the first chunk is not handed out again; instead the fourth chunk of the group is allocated, and its avail_mask bit is cleared.

add(0x50,'a'*0x50)
add(0x50,'a'*0x50)
add(0x50,'a'*0x50)
add(0x50,'a'*0x50)
free(0)
free(1)
free(2)
add(0x50,'a'*0x50)
add(0x50,'a'*0x50)

avail_mask = 0x6 = 0b0110

freed_mask = 0x0 = 0b0000

Once the group's available chunks are exhausted, musl recycles the released chunks: their avail_mask bits are set back to 1 (and freed_mask is cleared), and the next request is served from them.

meta release

add(0x50,'a'*0x50)
free(0)

When only one chunk has been allocated and freed_mask = 0, freeing that chunk makes the system recycle the entire meta.

add(0x50,'a'*0x50)
add(0x50,'a'*0x50)
add(0x50,'a'*0x50)
add(0x50,'a'*0x50)
add(0x50,'a'*0x50)
free(0)
free(1)
free(2)
free(3)
free(4)

To sum up: a meta is released when avail_mask | freed_mask is full, i.e. every chunk is either still available or already freed.
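As an added example (not code from the original write-up), here is a small C model of the avail_mask / freed_mask bookkeeping described in the allocation, release and meta-release sections above. The struct and function names are hypothetical, the group size is passed in explicitly instead of coming from musl's size-class tables, and replay() takes the write-up's add()/free() sequences as a script so the masks quoted above can be reproduced.

```c
#include <stdint.h>
/* Added model of a mallocng group's bookkeeping (hypothetical names). musl's
   real meta also holds mem, sizeclass, freeable and maplen; omitted here. */
struct meta_model {
    uint32_t avail_mask;  /* bit i set: slot i can still be handed out */
    uint32_t freed_mask;  /* bit i set: slot i freed but not yet recycled */
    int last_idx;         /* subscript of the last slot; count = last_idx + 1 */
};
static uint32_t full_mask(const struct meta_model *m) {
    return (2u << m->last_idx) - 1;       /* every slot bit set */
}
void meta_init(struct meta_model *m, int count) {
    m->last_idx = count - 1;
    m->avail_mask = full_mask(m);
    m->freed_mask = 0;
}
/* Hand out the lowest available slot. Freed slots are only recycled once
   avail_mask is exhausted; returns -1 when a fresh group would be needed. */
int meta_alloc(struct meta_model *m) {
    if (m->avail_mask == 0) {
        if (m->freed_mask == 0) return -1;
        m->avail_mask = m->freed_mask;    /* recycle all freed slots at once */
        m->freed_mask = 0;
    }
    int idx = 0;
    while (!((m->avail_mask >> idx) & 1)) idx++;
    m->avail_mask &= ~(1u << idx);
    return idx;
}
/* Mark a slot freed. Returns 1 when avail_mask | freed_mask is full, i.e.
   the whole meta would be released (the rule the write-up ends with). */
int meta_free(struct meta_model *m, int idx) {
    m->freed_mask |= 1u << idx;
    return (m->avail_mask | m->freed_mask) == full_mask(m);
}
/* Replay a script on a fresh group of `count` slots: 'a' = add(), 'f<d>' =
   free(d) for a single digit d. Returns 1 if any free released the meta. */
int replay(int count, const char *script, struct meta_model *m) {
    int released = 0;
    meta_init(m, count);
    for (const char *p = script; *p; p++) {
        if (*p == 'a') meta_alloc(m);
        else if (*p == 'f' && p[1]) released |= meta_free(m, *++p - '0');
    }
    return released;
}
```

For example, replay(5, "aaaaf0f1f2aa", &m) leaves m.avail_mask == 0x6 and m.freed_mask == 0, matching the second trace above.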

The above is the content of this article on "what are the skills of using musl heap". I believe everyone now has some understanding of it, and I hope the content Xiaobian has shared is helpful. If you want to learn more, please follow the industry information channel.
