[how2heap] first_fit (Use After Free)

first_fit에서는 공격 증명이 아닌, 단순히 glibc의 메모리 할당에 관하여 설명하고 있다.

glibc에서는 free되어 있는 chunk를 선택할 때 first-fit이라는 알고리즘을 사용한다.

first_fit.c

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
 
int main()
{
    printf("This file doesn't demonstrate an attack, but shows the nature of glibc's allocator.\n");
    printf("glibc uses a first-fit algorithm to select a free chunk.\n");
    printf("If a chunk is free and large enough, malloc will select this chunk.\n");
    printf("This can be exploited in a use-after-free situation.\n");
 
    printf("Allocating 2 buffers. They can be large, don't have to be fastbin.\n");
    char* a = malloc(512);
    char* b = malloc(256);
    char* c;
 
    printf("1st malloc(512): %p\n", a);
    printf("2nd malloc(256): %p\n", b);
    printf("we could continue mallocing here...\n");
    printf("now let's put a string at a that we can read later \"this is A!\"\n");
    strcpy(a, "this is A!");
    printf("first allocation %p points to %s\n", a, a);
 
    printf("Freeing the first one...\n");
    free(a);
 
    printf("We don't need to free anything again. As long as we allocate less than 512, it will end up at %p\n", a);
 
    printf("So, let's allocate 500 bytes\n");
    c = malloc(500);
    printf("3rd malloc(500): %p\n", c);
    printf("And put a different string here, \"this is C!\"\n");
    strcpy(c, "this is C!");
    printf("3rd allocation %p points to %s\n", c, c);
    printf("first allocation %p points to %s\n", a, a);
    printf("If we reuse the first allocation, it now holds the data from the third allocation.");
}
 
 
 

위의 내용을 요약하자면 다음과 같다.

우선 a와 b를 malloc()을 사용해 할당해준 뒤 a를 free 시킨다. 

그 후 이전 a보다 작은 크기(512 미만)로 할당 해주면, 같은 위치의 chunk에 재할당 받게 된다. 이 성질을 이용하여 UAF(Use After Free) 공격을 할 수 있다.

root@ubuntu:~/pwn# ./first_fit 

This file doesn't demonstrate an attack, but shows the nature of glibc's allocator.

glibc uses a first-fit algorithm to select a free chunk.

If a chunk is free and large enough, malloc will select this chunk.

This can be exploited in a use-after-free situation.

Allocating 2 buffers. They can be large, don't have to be fastbin.

1st malloc(512): 0x602420

2nd malloc(256): 0x602630

we could continue mallocing here...

now let's put a string at a that we can read later "this is A!"

first allocation 0x602420 points to this is A!

Freeing the first one...

We don't need to free anything again. As long as we allocate less than 512, it will end up at 0x602420

So, let's allocate 500 bytes

3rd malloc(500): 0x602420

And put a different string here, "this is C!"

3rd allocation 0x602420 points to this is C!

first allocation 0x602420 points to this is C!

If we reuse the first allocation, it now holds the data from the third allocation.