Use After Free

2021-03-29

UAF

Trying to pass CET-6 and get used to using English in daily life (Nu1l ‘s Write up looks so cool.)

If this make it inconvenient for you to read this article, please use translation tools of browsers.

Principle

The main cause of the vulnerability is free the pointer without setting it to NULL after being freed. This kind of memory pointer that was not set to NULL after being freed is often called dangling pointer.

Using dangling pointer will cause following 3 situations:

Crash
If the chunk it point to hasn’t been changed before it is used next time, then the program is likely to work properly.
If the chunk it point to has been changed before it is used next time, then the program is likely to work weirdly.

Leak Main arena

We can see that if the length we enter is between 16 Bytes and 64 Bytes, the chunk will be sorted into fastbin at first after being freed. But the chunks of which size is bigger than max_fast or free chunks in fastbin will be sort into unsorted bin after being integrated. While the fastbin is empty, the pointer fd and bk of unsortedbin point to the itself and the bin is in the main arena so we can get the address of main arena. After UAF, we can get the real address of main_arena, to get the real address of the libc.

So what’s the relation of the address of unsorted bin and main arena?q

in 64-bit the offset is0x58

in 32-bit the offset is 0x30

After getting the real address of main arena, we can get the real address of libc.

In 32-bit, main_arena equals __malloc_hook + 0x10

fd & bk in unsorted bin often points to <main_arena+88 >

In 32-bit, main_arena equals __malloc_hook + 0x18

fd & bk in unsorted bin often points to <main_arena+48 >

address of __malloc_hook can be find in libc(drag it into IDA Pro)

Example

Let’s take freenote as an example.

As we are talking about UAF, we won’t solve the problem in this part. Instead, we will just try to leak the address of the Main Arena.

Reverse Analysis

ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked.

libc: libc-2.23.so

Arch:     amd64-64-little
RELRO:    Partial RELRO
Stack:    Canary found
NX:       NX enabled
PIE:      No PIE (0x400000)

Canary and NX are enabled.

Use IDA to decompile the file.

Main logical structure :

while ( 1 )
  {
    switch ( sub_400998() )
    {
      case 1:
        List();
        break;
      case 2:
        New();
        break;
      case 3:
        Edit();
        break;
      case 4:
        Delete();
        break;
      case 5:
        puts("Bye");
        return 0LL;
      default:
        puts("Invalid!");
        break;
    }

int New()
{
  __int64 v0; // rax
  void *addr; // ST18_8
  int i; // [rsp+Ch] [rbp-14h]
  int length; // [rsp+10h] [rbp-10h]

  if ( *(_QWORD *)(start_of_note + 8) < *(_QWORD *)start_of_note )
  {
    for ( i = 0; ; ++i )
    {
      v0 = *(_QWORD *)start_of_note;
      if ( (signed __int64)i >= *(_QWORD *)start_of_note )
        break;
      if ( !*(_QWORD *)(start_of_note + 24LL * i + 16) )
      {
        printf("Length of new note: ");
        length = sub_40094E();
        if ( length > 0 )
        {
          if ( length > 4096 )
            length = 4096;
          addr = malloc((128 - length % 128) % 128 + length);
            // apply for the minimum size(128mod) bigger than length
          printf("Enter your note: ");
          read_note((__int64)addr, length);
          *(_QWORD *)(start_of_note + 24LL * i + 16) = 1LL;
          *(_QWORD *)(start_of_note + 24LL * i + 24) = length;// record the length of the note
          *(_QWORD *)(start_of_note + 24LL * i + 32) = addr;// addr of the note
          ++*(_QWORD *)(start_of_note + 8);
          LODWORD(v0) = puts("Done.");
        }
        else
        {
          LODWORD(v0) = puts("Invalid length!");
        }
        return v0;
      }
    }
  }
  else
  {
    LODWORD(v0) = puts("Unable to create new note.");
  }
  return v0;
}

start_note’s address is 0x006020A8, we can use gdb to see what’s in it.

We can see the structure of the start_note, it’s a table recording data of notes

gdb-peda$ x/30wx *0x06020A8
0x00000100	0x00000000	0x00000002	
                         ^ :num of notes
0x00000000  0x00000001 || 0x00000000  0x00000002 || 0x00000000	0x00604830	
                ^ flag(if active)        ^ len of note             ^addr of the note
0x00000000	0x00000001 || 0x00000000  0x00000001 ||	0x00000000	0x006048c0

So we can know that the struct of node_note is

struct node_note
{
	int if_active;
    int len;
    char *note;
}

Let’s take a look at the function Delete()

int Delete()
{
  int id; // [rsp+Ch] [rbp-4h]
    
  if ( *(_QWORD *)(start_of_note + 8) <= 0LL )
    return puts("No notes yet.");
  printf("Note number: ");
  id = sub_40094E();
  if ( id < 0 || (signed __int64)id >= *(_QWORD *)start_of_note )
    return puts("Invalid number!");
  --*(_QWORD *)(start_of_note + 8);//set flag as 0
  *(_QWORD *)(start_of_note + 24LL * id + 16) = 0LL;//set len as 0
  *(_QWORD *)(start_of_note + 24LL * id + 24) = 0LL;
  free(*(void **)(start_of_note + 24LL * id + 32));//free the content pointed by the addr
  return puts("Done.");
}

We can see that the pointer hasn’t been set as NULL after the content it points being freed, so it becomes a dangling pointer. Perhaps there exist double free vulnerability. (Of course it’s double free, after all we are talking about double free.)

Since the ‘\n’ take 1 byte, we can only enter (Length-1) characters.

GDB debugging

Create 2 notes. In order to leak main arena, we’re supposed to ensure the length of note is small so that it will be sorted into fastbin at first and then integrated into unsortedbin.

== 0ops Free Note ==
1. List Note
2. New Note
3. Edit Note
4. Delete Note
5. Exit
====================
Your choice: 2
Length of new note: 8
Enter your note: aaaaaaa
Done.
== 0ops Free Note ==
1. List Note
2. New Note
3. Edit Note
4. Delete Note
5. Exit
====================
Your choice: 2
Length of new note: 8
Enter your note: bbbbbbb
Done.

1 2	gdb-peda$ x/wx 0x006020A8 0x6020a8: 0x00603010

0x00603010 is the real memory block storing the data of notes, so let’s take a look at it.

gdb-peda$ x/30wx 0x00603010
0x603010:	0x00000100	0x00000000	0x00000002	0x00000000
0x603020:	0x00000001	0x00000000	0x00000008	0x00000000
0x603030:	0x00604830	0x00000000	0x00000001	0x00000000
0x603040:	0x00000008	0x00000000	0x006048c0	0x00000000
0x603050:	0x00000000	0x00000000	0x00000000	0x00000000
0x603060:	0x00000000	0x00000000	0x00000000	0x00000000
0x603070:	0x00000000	0x00000000	0x00000000	0x00000000
0x603080:	0x00000000	0x00000000

We can resort it to make it easy for us to see the structure.

1
2
3

0x00000100	0x00000000	0x00000002	;head of note
0x00000000  0x00000001	0x00000000	0x00000008	0x00000000	0x00604830	;note 0
0x00000000	0x00000001	0x00000000	0x00000008	0x00000000	0x006048c0	;note 1

gdb-peda$ x/2wx 0x00604830
0x604830:	0x61616161	0x0a616161
gdb-peda$ x/2wx 0x006048c0
0x6048c0:	0x62626262	0x0a626262

Free the first note.

1
2
3

Your choice: 4
Note number: 0
Done.

gdb-peda$ x/20wx 0x00603010
0x603010:	0x00000100	0x00000000	0x00000001	0x00000000
0x603020:	0x00000000	0x00000000	0x00000000	0x00000000
0x603030:	0x00604830	0x00000000	0x00000001	0x00000000
0x603040:	0x00000008	0x00000000	0x006048c0	0x00000000
0x603050:	0x00000000	0x00000000	0x00000000	0x00000000

we can see that the number of notes has been changed to 1 and the if_active and len have been set to 0. However, the pointer still exist. Let’ see what is in it.

1 2	gdb-peda$ x/4wx 0x604830 0x604830: 0xf7dd1b78 0x00007fff 0xf7dd1b78 0x00007fff

since its Arch is amd64-64-little, fd is actually 0x7ffff7dd1b78

gdb-peda$ x/10wx 0x7ffff7dd1b78
0x7ffff7dd1b78 <main_arena+88> :	0x00604940	0x00000000	0x00000000	0x00000000
0x7ffff7dd1b88 <main_arena+104>:	0x00604820	0x00000000	0x00604820	0x00000000
0x7ffff7dd1b98 <main_arena+120>:	0xf7dd1b88	0x00007fff

0x7ffff7dd1b78 - 0x58 == 0x7ffff7dd1b20

gdb-peda$ x/16wx 0x7ffff7dd1b20-0x20
0x7ffff7dd1b00 <__memalign_hook>:	0xf7a92ea0	0x00007fff	0xf7a92a70	0x00007fff
0x7ffff7dd1b10 <__malloc_hook>:	0x00000000	0x00000000	0x00000000	0x00000000
0x7ffff7dd1b20 <main_arena>:	0x00000000	0x00000001	0x00000000	0x00000000
0x7ffff7dd1b30 <main_arena+16>:	0x00000000	0x00000000	0x00000000	0x00000000

It works.

the address of __malloc_hook just work as a toolman: help us find the main_arena

In IDA we can see that the offset of main_arena is 0x003C2740

In IDA, we can see the offset of main_arena is 0x3C4B20

0x7ffff7dd1b20 - 0x3C4B20 == 0x7ffff7a0d000

It seems like we get the real address of the libc_base, let’s check it.

gdb-peda$ vmmap
Start              End                Perm	Name
0x00400000         0x00402000         r-xp	/home/giantbranch/Desktop/heap/freenote/freenote_x64
0x00601000         0x00602000         r--p	/home/giantbranch/Desktop/heap/freenote/freenote_x64
0x00602000         0x00603000         rw-p	/home/giantbranch/Desktop/heap/freenote/freenote_x64
0x00603000         0x00625000         rw-p	[heap]
0x00007ffff7a0d000 0x00007ffff7bcd000 r-xp	/lib/x86_64-linux-gnu/libc-2.23.so
0x00007ffff7bcd000 0x00007ffff7dcd000 ---p	/lib/x86_64-linux-gnu/libc-2.23.so
0x00007ffff7dcd000 0x00007ffff7dd1000 r--p	/lib/x86_64-linux-gnu/libc-2.23.so
0x00007ffff7dd1000 0x00007ffff7dd3000 rw-p	/lib/x86_64-linux-gnu/libc-2.23.so
0x00007ffff7dd3000 0x00007ffff7dd7000 rw-p	mapped
0x00007ffff7dd7000 0x00007ffff7dfd000 r-xp	/lib/x86_64-linux-gnu/ld-2.23.so
0x00007ffff7fdb000 0x00007ffff7fde000 rw-p	mapped
0x00007ffff7ff7000 0x00007ffff7ffa000 r--p	[vvar]
0x00007ffff7ffa000 0x00007ffff7ffc000 r-xp	[vdso]
0x00007ffff7ffc000 0x00007ffff7ffd000 r--p	/lib/x86_64-linux-gnu/ld-2.23.so
0x00007ffff7ffd000 0x00007ffff7ffe000 rw-p	/lib/x86_64-linux-gnu/ld-2.23.so
0x00007ffff7ffe000 0x00007ffff7fff000 rw-p	mapped
0x00007ffffffde000 0x00007ffffffff000 rw-p	[stack]
0xffffffffff600000 0xffffffffff601000 r-xp	[vsyscall]

That’ true! We get the real address of the libc base.