add a version of house_of_spirit.c that works with glibc_2.41 #207
+53
−1
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
$ ldd ./a.out
linux-vdso.so.1 (0x000075282dfa0000)
libc.so.6 => /usr/lib/libc.so.6 (0x000075282dd71000)
/lib64/ld-linux-x86-64.so.2 => /usr/lib64/ld-linux-x86-64.so.2 (0x000075282dfa2000)
$ /usr/lib/libc.so.6
GNU C Library (GNU libc) stable release version 2.41.
Copyright (C) 2025 Free Software Foundation, Inc.
This is free software; see the source for copying conditions.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
Compiled by GNU CC version 14.2.1 20250207.
libc ABIs: UNIQUE IFUNC ABSOLUTE
Minimum supported kernel: 4.4.0
For bug reporting instructions, please see:
<https://gitlab.archlinux.org/archlinux/packaging/packages/glibc/-/issues>.
$ ./a.out
This file demonstrates the house of spirit attack.
This attack adds a non-heap pointer into fastbin, thus leading to (nearly) arbitrary write.
Required primitives: known target address, ability to set up the start/end of the target memory
Step 1: Allocate 7 chunks and free them to fill up tcache
Step 2: Prepare the fake chunk
The target fake chunk is at 0x7fffe31b4f70
It contains two chunks. The first starts at 0x7fffe31b4f78 and the second at 0x7fffe31b4fb8.
This chunk.size of this region has to be 16 more than the region (to accommodate the chunk data) while still falling into the fastbin category (<= 128 on x64). The PREV_INUSE (lsb) bit is ignored by free for fastbin-sized chunks, however the IS_MMAPPED (second lsb) and NON_MAIN_ARENA (third lsb) bits cause problems.
... note that this has to be the size of the next malloc request rounded to the internal size used by the malloc implementation. E.g. on x64, 0x30-0x38 will all be rounded to 0x40, so they would work for the malloc parameter at the end.
Now set the size of the chunk (0x7fffe31b4f78) to 0x40 so malloc will think it is a valid chunk.
The chunk.size of the *next* fake region has to be sane. That is > 2*SIZE_SZ (> 16 on x64) && < av->system_mem (< 128kb by default for the main arena) to pass the nextsize integrity checks. No need for fastbin size.
Set the size of the chunk (0x7fffe31b4fb8) to 0x1234 so freeing the first chunk can succeed.
Step 3: Free the first fake chunk
Note that the address of the fake chunk must be 16-byte aligned.
Step 4: Take out the fake chunk
First we have to empty the tcache.
Now the next calloc (or malloc) will return our fake chunk at 0x7fffe31b4f80!
malloc(0x30): 0x7fffe31b4f80, fake chunk: 0x7fffe31b4f80 |
|
I am not sure where this should go really.. so i put it into an otherwise empty glibc_2.41 directory which I guess will be a thing? Should there be other changes to the Makefile for example? |
|
I'd say just put it in an empty 2.41 folder and add 2.41 to |
as per request: shellphish#207 (comment)
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
No description provided.