Frida exploring the exploitation of Heap algorithms

OTUS expert Alexander Kolesnikov shared with us a useful article, which he wrote specifically for students of the "Reverse-Engineering. Basic" course.

We invite you to watch the demo day of the course, in which our teachers spoke in detail about the course program and answered questions.










Reverse engineering to recover an algorithm is always tempting, but reverse engineering to create something new is even cooler. In this article we will try to use the Frida tool to make both analyzing a vulnerable application and writing an exploit for it a little easier.





All examples in the article deal with heap attacks on the Linux operating system, so stock up on patience and popcorn.





Heap

Heap — , . , malloc



. , . , .





. . , libc, . :





  1. heap grooming attack
  2. fastbin attack
  3. tcache attack
  4. unlink
  5. largebin
  6. unsortedbin attack





, . . — , . , — libc. — .





Frida

frida 2 : frida-trace MemoryMonitor. , . , ,   CTF.





Heap Grooming

, libc 2.23. , , , , . , . 7.  :





#include <stdio.h>
#include <stdlib.h>

int main(void)
{
    unsigned long int *mem0, *mem1, *mem2;

    /* Three chunks of the same size, requested one after another: they end up
       next to each other on the heap. */
    mem0 = malloc(0x10);
    mem1 = malloc(0x10);
    mem2 = malloc(0x10);

    printf("Allocated memory on:\nptr0: %p\nptr1: %p\nptr2: %p\n\n", mem0, mem1, mem2);

    /* Free them in the same order; each one is pushed onto the head of the same bin. */
    free(mem0);
    free(mem1);
    free(mem2);

    /* Requests of the same size are served LIFO, so the addresses come back in
       reverse order: mem2 first, then mem1, then mem0. */
    printf("mem0 after free and alloc again: %p\n", malloc(0x10));
    printf("mem1 after free and alloc again: %p\n", malloc(0x10));
    printf("mem2 after free and alloc again: %p\n\n", malloc(0x10));

    return 0;
}



. :





, , , printf



? printf



frida-trace



. :





frida-trace -f test -i "malloc"





handler



. "handlers" frida-trace. malloc.js onLeave



, :





. pico CTF "Are you root". frida-trace:





, , . , login;



Auth level



. ? malloc 0x10 0x7. , , 0x10, 2 - 0x1514eb0 0x1514ed0. . 





TCACHE

, , tcache



, . , tcache



, tcache



:





#include <stdio.h>
#include <stdlib.h>

int main(void)
{
    unsigned long int *mem0, *mem1;
    int target;

    mem0 = malloc(0x10);
    mem1 = malloc(0x10);
    target = 0xdead;

    printf("mem0: %p\n", mem0);
    printf("mem1: %p\n", mem1);
    printf("int:  %p\n\n", &target);

    /* Both chunks go into the same tcache bin. mem1 is now at the head of the
       list and its first 8 bytes hold the "next" pointer, i.e. the address of mem0. */
    free(mem0);
    free(mem1);

    printf("Next pointer for mem1: %p\n\n", (void *)*mem1);

    /* Use-after-free: overwrite the next pointer of the freed chunk with a stack address. */
    *mem1 = (unsigned long int)&target;
    printf("Next pointer for mem1: %p\n\n", (void *)*mem1);

    /* The first malloc returns mem1; the second follows the poisoned link and
       returns &target, an address that was never part of the heap. */
    printf("Malloc Allocated: %p\n\n", malloc(0x10));
    printf("Malloc Allocated: %p\n\n", malloc(0x10));

    return 0;
}
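As an added example (not code from the article), here is a Frida script that does in one place what the frida-trace malloc handler above does, and also hooks free(), so the LIFO reuse from the first program and the dangling pointer in the tcache program show up in the trace as named events. It assumes a Linux target with glibc loaded as libc.so.6 and Frida's Interceptor API (e.g. `frida -l heap.js -f ./test`); the HeapTracker itself is plain JavaScript and the hook block is skipped outside Frida.

```javascript
// HeapTracker mirrors the allocator's bookkeeping from the malloc/free call
// stream so LIFO reuse and dangling pointers are visible in the trace.
class HeapTracker {
  constructor() {
    this.live = new Map(); // address (hex string) -> requested size
    this.freed = [];       // addresses currently freed, most recent last
    this.events = [];      // one line per call, in call order
  }
  // Record a completed malloc(size) that returned addr.
  onMalloc(size, addr) {
    const idx = this.freed.lastIndexOf(addr);
    if (idx !== -1) {
      // The allocator handed back a chunk we saw freed earlier: the LIFO reuse
      // that heap grooming depends on. It is live again, so drop it from freed.
      this.freed.splice(idx, 1);
      this.events.push(`malloc(${size}) -> ${addr} [reused freed chunk]`);
    } else {
      this.events.push(`malloc(${size}) -> ${addr}`);
    }
    this.live.set(addr, size);
    return this.last();
  }
  // Record free(addr); classify frees of already-freed or unknown pointers.
  onFree(addr) {
    let kind = 'ok';
    if (this.live.has(addr)) {
      this.live.delete(addr);
      this.freed.push(addr);
    } else {
      kind = this.freed.includes(addr) ? 'double-free' : 'unknown-pointer';
    }
    this.events.push(kind === 'ok' ? `free(${addr})` : `free(${addr}) [${kind}]`);
    return kind;
  }
  // True while addr refers to a freed chunk: any access through it is a use-after-free.
  isDangling(addr) { return this.freed.includes(addr); }
  last() { return this.events[this.events.length - 1]; }
}

// Hooks: this part only runs inside Frida, where Interceptor is defined.
if (typeof Interceptor !== 'undefined') {
  const tracker = new HeapTracker();
  const libc = Process.getModuleByName('libc.so.6'); // assumption: glibc soname
  Interceptor.attach(libc.getExportByName('malloc'), {
    onEnter(args) { this.size = args[0].toInt32(); },
    onLeave(retval) { console.log(tracker.onMalloc(this.size, retval.toString())); },
  });
  Interceptor.attach(libc.getExportByName('free'), {
    onEnter(args) { console.log(tracker.onFree(args[0].toString())); },
  });
}
```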



, frida-trace , :





, , , . , malloc



. , Use-After-Free. Plaid CTF "cpp". :





, malloc



. :





, .





. . , . . 






"Reverse-Engineering. Basic"
















