Thursday, September 19, 2019
Heap Exploitation Part 3 (TCache)
With this new structure, there are 64 of these bins based on increments of 16 bytes, from 24 to 1024 bytes (so it includes much of fastbin and smallbin sizes). Each bin only holds 7 chunks maximum. Additionally, chunks can enter tcache if only one chunk from its same fastbin/smallbin list gets returned in malloc. One interesting thing to note is that tcache bins don't coalesce with top or neighboring chunks; I should have read the source more carefully before thinking that my heap was going insane during debugging. Now as for exploiting it...
It's like fastbin, but with less security checks! They don't check if the next chunk is in the free list before allocation has a valid size and their double free mechanism is simpler too! You can simply free the same chunk twice in a row! You can see this in action in this file from how2heap. Lastly, tcache_put also does not have the next size check anymore (which will make House of Spirit much easier). I personally haven't done a House of Spirit with TCache yet though.
The most common problems I have seen relate to TCache poisoning, which is very similar to a fastbin attack (I talked about it here). I can simply use the bug I find to overwrite the next pointer and direct it anywhere else for arbitrary write. I can have it perform GOT overwrite, malloc_hook overwrite, and even free_hook overwrite. My preference is personally to overwrite free_hook (previously before tcache, an unsorted bin attack would have been necessary to achieve this because there are no nearby misaligned 7fs around free_hook) with system. This way, I can then call it on a chunk with the string "/bin/sh" in it, without having to deal with the constraints imposed upon us by one gadget.