heapinfo 0.0.2 → 0.0.3

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: fd09327165de603d3fa3350e9022d8bf642a1f7c
-  data.tar.gz: 5c1dd70e46c5fad709e187c25a8347be8262586e
+  metadata.gz: e90a4db825f5e6b53989edc82441a0800d13aaa7
+  data.tar.gz: f638662fb165a7c884c5427b378cfac091ebe83a
 SHA512:
-  metadata.gz: 6827c2c7129162b716046200e71cdba7475de9edad4a1880b0aec374c3e9a5649c6a2ae934566097794671bc1c30d255e4fed9142e6a1de4b95a914f3c8c5ee1
-  data.tar.gz: 82bfd1db1bca104fa62d54e7c14a63ad91d2a208dfa346d8a23464141d9767e1f9d18dda21dfd106a840d2799c92c3d4dad2a78893b4bcbc224aa9c415f38692
+  metadata.gz: f2356a124a5a9480e2e170f6abb2ee782f671734d4e7edbe2f15f47f690609a40580ac1d3d8f027342d03a82901c996b32d9dc21dccb4473105f027814149503
+  data.tar.gz: 3e3df55aca650bf6c8277185afdf56bb3f9c4e3ded9ec444af64f6159302aa9eb5d001da0f3f7dac82d174348c5e8af5b4340abfa1a5cca6f205a7936fa640b0

data/lib/heapinfo/arena.rb

@@ -3,22 +3,25 @@ module HeapInfo
   class Arena
     # @return [Array<HeapInfo::Fastbin>] Fastbins in an array.
     attr_reader :fastbin
-    # @return [Array<HeapInfo::UnsortedBin>] The unsorted bin (only one).
+    # @return [HeapInfo::Chunk] Current top chunk.
+    attr_reader :top_chunk
+    # @return [HeapInfo::Chunk] Current last remainder.
+    attr_reader :last_remainder
+    # @return [Array<HeapInfo::UnsortedBin>] The unsorted bin (array size will always be one).
     attr_reader :unsorted_bin
     # @return [Array<HeapInfo::Smallbin>] Smallbins in an array.
     attr_reader :smallbin
-    # @return [HeapInfo::Chunk] Current top chunk.
-    attr_reader :top_chunk
+    # @return [Integer] The <tt>system_mem</tt>
+    attr_reader :system_mem
     # attr_reader :largebin, :last_remainder
 
     # Instantiate a <tt>HeapInfo::Arena</tt> object.
     #
     # @param [Integer] base Base address of arena.
-    # @param [Integer] bits Either 64 or 32
+    # @param [Integer] size_t Either 8 or 4
     # @param [Proc] dumper For dump more data
-    def initialize(base, bits, dumper)
-      @base, @dumper = base, dumper
-      @size_t = bits / 8
+    def initialize(base, size_t, dumper)
+      @base, @size_t, @dumper = base, size_t, dumper
       reload!
     end
 
@@ -26,16 +29,19 @@ module HeapInfo
     # Retrive data using <tt>@dumper</tt>, load bins, top chunk etc.
     # @return [HeapInfo::Arena] self
     def reload!
-      top_ptr = Helper.unpack(size_t, @dumper.call(@base + 8 + size_t * 10, size_t))
+      top_ptr_offset = @base + 8 + size_t * 10
+      top_ptr = Helper.unpack(size_t, @dumper.call(top_ptr_offset, size_t))
       @fastbin = []
       return self if top_ptr == 0 # arena not init yet
       @top_chunk = Chunk.new size_t, top_ptr, @dumper
+      @last_remainder = Chunk.new size_t, top_ptr_offset + 8, @dumper
+      @system_mem = Helper.unpack(size_t, @dumper.call(top_ptr_offset + 258 * size_t + 16, size_t))
       @fastbin = Array.new(7) do |idx|
         f = Fastbin.new(size_t, @base + 8 - size_t * 2 + size_t * idx, @dumper, head: true)
         f.index = idx
         f
       end
-      @unsorted_bin = UnsortedBin.new(size_t, @base + 8 + size_t * 10, @dumper, head: true)
+      @unsorted_bin = UnsortedBin.new(size_t, top_ptr_offset, @dumper, head: true)
       @smallbin = Array.new(55) do |idx|
         s = Smallbin.new(size_t, @base + 8 + size_t * (26 + 2 * idx), @dumper, head: true)
         s.index = idx

data/lib/heapinfo/chunk.rb

@@ -61,6 +61,27 @@ module HeapInfo
       flag
     end
 
+    # Ask if chunk not belongs to main arena.
+    #
+    # @return [Boolean] <tt>true|false</tt> if chunk not belongs to main arena
+    def non_main_arena?
+      flags.include? :non_main_arena
+    end
+
+    # Ask if chunk is mmapped.
+    #
+    # @return [Boolean] <tt>true|false</tt> if chunk is mmapped
+    def mmapped?
+      flags.include? :mmapped
+    end
+
+    # Ask if chunk has set the prev-inuse bit.
+    #
+    # @return [Boolean] <tt>true|false</tt> if the <tt>prev_inuse</tt> bit has been set
+    def prev_inuse?
+      flags.include? :prev_inuse
+    end
+
     # Size of chunk
     # @return [Integer] The chunk size without flag masks
     def size

data/lib/heapinfo/glibc/error.rb

@@ -0,0 +1,11 @@
+module HeapInfo
+  module Glibc
+    # @abstract Exceptions raised by HeapInfo inherit from Error
+    class Error < StandardError; end
+    # Exception raised in malloc.c(malloc, free, etc.) methods.
+    class MallocError < Error; end
+    def malloc_assert(condition)
+      raise MallocError.new(yield) unless condition
+    end
+  end
+end

data/lib/heapinfo/glibc/free.rb

@@ -0,0 +1,77 @@
+# Implment glibc's free-related functions
+# [Reference](https://code.woboq.org/userspace/glibc/malloc/malloc.c.html)
+module HeapInfo
+  module Glibc
+    # Implmentation of <tt>void __libc_free(void *mem)</tt>.
+    # [Source](https://code.woboq.org/userspace/glibc/malloc/malloc.c.html#__libc_free)
+    # @param [Integer] mem Memory address to be free.
+    def libc_free(mem)
+      # TODO: free_hook
+      mem = ulong mem
+      return if mem == 0 # free(0) has no effect
+      ptr = mem2chunk(mem)
+      return munmap_chunk(ptr) if chunk_is_mmapped(ptr)
+      av = arena_for_chunk(ptr)
+      int_free(av, ptr)
+    end
+    alias :free :libc_free
+
+  private
+    # Implmentation of <tt>void _int_free (mstate av, mchunkptr p, [int have_lock])</tt>.
+    # [Source](https://code.woboq.org/userspace/glibc/malloc/malloc.c.html#_int_free)
+    # 
+    # The original method in C is too long, split to multiple methods to match ruby convention.
+    # @param [HeapInfo::Arena] av
+    # @param [Integer] ptr Use <tt>ptr</tt> instead of <tt>p</tt> to prevent confusing with ruby native method.
+    def int_free(av, ptr) # is have_lock important?
+      chunk = dumper.call(ptr, size_t * 2).to_chunk
+      size = ulong chunk.size
+      invalid_pointer(ptr, size)
+      invalid_size(size)
+      # check_inuse_chunk # off
+      if size <= get_max_fast
+        int_free_fast(av, ptr, size)
+      elsif !chunk_is_mmapped(ptr) # Though this has been checked in #libc_free
+        int_free_small(av, ptr, size)
+      else
+        munmap_chunk(ptr)
+      end
+    end
+
+    def int_free_fast(av, ptr, size)
+      invalid_next_size(:fast, av, ptr, size)
+      true
+    end
+
+    def int_free_small(av, ptr, size)
+      true
+    end
+
+    def munmap_chunk(ptr)
+      # TODO: check page alignment and... page exists? 
+      true
+    end
+
+    # Start of checkers
+
+    def invalid_pointer(ptr, size)
+      errmsg = "free(): invalid pointer\n"
+      # unsigned compare
+      malloc_assert(ptr <= ulong(-size)) { errmsg + "ptr(0x%x) > -size(0x%x)" % [ptr, ulong(-size)] }
+      malloc_assert(ptr % (size_t * 2) == 0) { errmsg + "ptr(0x%x) %% %d != 0" % [ptr, size_t * 2] }
+    end
+
+    def invalid_size(size)
+      errmsg = "free(): invalid size\n"
+      malloc_assert(size >= min_chunk_size) { errmsg + "size(0x%x) < min_chunk_size(0x%x)" % [size, min_chunk_size] }
+      malloc_assert(aligned_ok size) { errmsg + "alignment error: size(0x%x) %% 0x%x != 0" % [size, size_t * 2] }
+    end
+
+    def invalid_next_size(type, av, ptr, size)
+      errmsg = "free(): invalid next size (#{type})\n"
+      nxt_chk = dumper.call(ptr + size, size_t * 2).to_chunk(base: ptr + size)
+      malloc_assert(nxt_chk.size > 2 * size_t) { errmsg + "next chunk(0x%x) has size(#{nxt_chk.size}) <=  2 * #{size_t}" % nxt_chk.base }
+      malloc_assert(nxt_chk.size < av.system_mem) { errmsg + "next chunk(0x%x) has size(0x%x) >= av.system_mem(0x%x)" % [nxt_chk.base, nxt_chk.size, av.system_mem] }
+    end
+  end
+end

data/lib/heapinfo/glibc/glibc.rb

@@ -0,0 +1,11 @@
+module HeapInfo
+  module Glibc
+    attr_accessor :size_t
+  private
+    attr_accessor :main_arena
+    attr_accessor :dumper
+  end
+end
+require 'heapinfo/glibc/error.rb'
+require 'heapinfo/glibc/helper.rb'
+require 'heapinfo/glibc/free.rb'

data/lib/heapinfo/glibc/helper.rb

@@ -0,0 +1,44 @@
+module HeapInfo
+  module Glibc
+  private
+    def mem2chunk(mem)
+      ulong(mem - 2 * size_t)
+    end
+
+    # @return [Boolean]
+    def chunk_is_mmapped(ptr)
+      # TODO: handle memory not accessible
+      dumper.call(ptr, size_t * 2).to_chunk.mmapped?
+    end
+
+    def get_max_fast
+      size_t * 16
+    end
+
+    # The minimal chunk size.
+    # Not the real implmentation, maybe wrong some day?
+    # @return [Integer] The size.
+    def min_chunk_size
+      size_t * 4
+    end
+
+    # Not the real implmentation, maybe wrong some day?
+    # @return [Boolean]
+    def aligned_ok(size)
+      size & (2 * size_t - 1) == 0
+    end
+
+    # @return [Integer]
+    def ulong(n)
+      n % 2 ** (size_t * 8)
+    end
+
+    # @return [HeapInfo::Arena]
+    def arena_for_chunk(ptr)
+      # not support arena other than initial main_arena
+      return if dumper.call(ptr, size_t * 2).to_chunk.non_main_arena? 
+      main_arena 
+    end
+
+  end
+end

data/lib/heapinfo/helper.rb

@@ -93,6 +93,16 @@ module HeapInfo
       data.unpack(size_t == 4 ? 'L*' : 'Q*')[0]
     end
 
+    # Convert number in hex format
+    #
+    # @param [Integer] num Non-negative integer.
+    # @return [String] number in hex format.
+    # @example
+    #   HeapInfo::Helper.hex(1000) # => '0x3e8'
+    def self.hex(num)
+      '0x' + num.to_s(16)
+    end
+
     # Retrieve pure class name(without module) of an object
     # @param [Object] obj Any instance
     # @return [String] Class name of <tt>obj</tt>

data/lib/heapinfo/libc.rb

@@ -1,7 +1,7 @@
 module HeapInfo
   # Record libc's base, name, and offsets.
   class Libc < Segment
-
+    include HeapInfo::Glibc
     # Instantiate a <tt>HeapInfo::Libc</tt> object.
     #
     # @param [Mixed] args See <tt>#HeapInfo::Segment.initialize</tt> for more information.
@@ -24,21 +24,25 @@ module HeapInfo
       return @main_arena.reload! if @main_arena
       off = main_arena_offset
       return if off.nil?
-      @main_arena = Arena.new(off + self.base, process.bits, process.method(:dump))
+      @main_arena = Arena.new(off + self.base, size_t, dumper)
     end
 
     # @param [Array] maps See <tt>#HeapInfo::Segment.find</tt> for more information.
     # @param [String] name See <tt>#HeapInfo::Segment.find</tt> for more information.
-    # @param [HeapInfo::Process] process The process.
+    # @param [Integer] bits Either 64 or 32.
+    # @param [String] ld_name The loader's realpath, will be used for running subprocesses.
+    # @param [Proc] dumper The memory dumper for fetch more information.
     # @return [HeapInfo::Libc] libc segment found in maps.
-    def self.find(maps, name, process)
+    def self.find(maps, name, bits, ld_name, dumper)
       obj = super(maps, name)
-      obj.send(:process=, process)
+      obj.size_t = bits / 8
+      obj.send(:ld_name=, ld_name)
+      obj.send(:dumper=, dumper)
       obj
     end
 
   private
-    attr_accessor :process
+    attr_accessor :ld_name
     # only for searching offset of main_arena now
     def exhaust_search(symbol)
       return false if symbol != :main_arena
@@ -58,9 +62,9 @@ module HeapInfo
       tmp_elf = HeapInfo::TMP_DIR + "/get_arena"
       libc_file = HeapInfo::TMP_DIR + "/libc.so.6"
       ld_file = HeapInfo::TMP_DIR + "/ld.so"
-      flags = "-w #{@process.bits == 32 ? '-m32' : ''}"
+      flags = "-w #{size_t == 4 ? '-m32' : ''}"
       %x(cp #{self.name} #{libc_file} && \
-         cp #{@process.ld.name} #{ld_file} && \
+         cp #{ld_name} #{ld_file} && \
          gcc #{flags} #{File.expand_path('../tools/get_arena.c', __FILE__)} -o #{tmp_elf} 2>&1 > /dev/null && \
          #{ld_file} --library-path #{HeapInfo::TMP_DIR} #{tmp_elf} && \
          rm #{tmp_elf} #{libc_file} #{ld_file}).to_i(16)

data/lib/heapinfo/process.rb

@@ -21,6 +21,17 @@ module HeapInfo
       return unless load?
     end
 
+    # Reload a new process with same program name
+    #
+    # @return [HeapInfo::Process] return <tt>self</tt> for chainable.
+    # @example
+    #   puts h.reload!
+    def reload!
+      @pid = nil
+      load!
+      self
+    end
+
     # Use this method to wrapper all HeapInfo methods.
     #
     # Since <tt>::HeapInfo</tt> is a tool(debugger) for local usage, 
@@ -164,7 +175,7 @@ module HeapInfo
     def load! # try to load
       return true if @pid
       @pid = fetch_pid
-      return false if @pid.nil? # still can't load
+      return clear_process if @pid.nil? # still can't load
       load_info!
       true
     end
@@ -179,6 +190,13 @@ module HeapInfo
       pid
     end
 
+    def clear_process
+      ProcessInfo::EXPORT.each do |m|
+        self.class.send(:define_method, m) {Nil.new}
+      end
+      false
+    end
+
     def load_info!
       @info = ProcessInfo.new(self)
       ProcessInfo::EXPORT.each do |m|

data/lib/heapinfo/process_info.rb

@@ -32,8 +32,8 @@ module HeapInfo
       @stack = Segment.find(maps, '[stack]')
       # well.. stack is a strange case because it will grow in runtime..
       # should i detect stack base growing..?
-      @libc = Libc.find(maps, match_maps(maps, options[:libc]), process)
       @ld = Segment.find(maps, match_maps(maps, options[:ld]))
+      @libc = Libc.find(maps, match_maps(maps, options[:libc]), @bits, @ld.name, ->(*args){ process.dump(*args) })
     end
 
     # Heap will not be mmapped if the process not use heap yet, so create a lazy loading method.

data/lib/heapinfo/version.rb

@@ -1,3 +1,3 @@
 module HeapInfo
-  VERSION = '0.0.2'.freeze
+  VERSION = '0.0.3'.freeze
 end

data/lib/heapinfo.rb

@@ -63,6 +63,7 @@ require 'heapinfo/cache'
 require 'heapinfo/process_info'
 require 'heapinfo/process'
 require 'heapinfo/segment'
+require 'heapinfo/glibc/glibc'
 require 'heapinfo/libc'
 require 'heapinfo/chunk'
 require 'heapinfo/chunks'

data/spec/libc_spec.rb

@@ -0,0 +1,54 @@
+# encoding: ascii-8bit
+require 'heapinfo'
+describe HeapInfo::Libc do
+  describe 'free' do
+    before(:all) do
+      HeapInfo::Cache.send :clear_all # force cache miss, to make sure coverage
+      @victim = HeapInfo::TMP_DIR + '/victim'
+      %x(g++ #{File.expand_path('../files/victim.cpp', __FILE__)} -o #{@victim} 2>&1 > /dev/null)
+      pid = fork
+      # run without ASLR
+      exec "setarch `uname -m` -R /bin/sh -c #{@victim}" if pid.nil?
+      loop until `pidof #{@victim}` != '' 
+      @h = HeapInfo::Process.new(@victim, ld: '/ld')
+      @fake_mem = 0x13371000
+      @set_memory = ->(str) do
+        @h.libc.send(:dumper=, ->(ptr, len){
+          if ptr.between?(@fake_mem, @fake_mem + 0x1000)
+            str[ptr - @fake_mem, len]
+          else
+            @h.dump(ptr, len)
+          end
+        })
+      end
+    end
+    after(:all) do
+      `killall #{@victim}`
+      FileUtils.rm(@victim)
+    end
+
+    describe 'invalid' do
+      it 'invalid pointer' do
+        @set_memory.call [0, 0x21, 0x21, 0x0, 0x0].pack("Q*")
+        expect {@h.libc.free(@fake_mem + 24)}.to raise_error "free(): invalid pointer\nptr(#{HeapInfo::Helper.hex(@fake_mem + 8)}) % 16 != 0"
+        expect {@h.libc.free(@fake_mem + 32)}.to raise_error "free(): invalid pointer\nptr(#{HeapInfo::Helper.hex(@fake_mem + 16)}) > -size(0x0)"
+      end
+
+      it 'invalid size' do
+        @set_memory.call [0, 0x11].pack("Q*")
+        expect {@h.libc.free(@fake_mem + 16)}.to raise_error "free(): invalid size\nsize(0x10) < min_chunk_size(0x20)"
+        @set_memory.call [0, 0x38].pack("Q*")
+        expect {@h.libc.free(@fake_mem + 16)}.to raise_error "free(): invalid size\nalignment error: size(0x38) % 0x10 != 0"
+      end
+    end
+
+    describe 'fast' do
+      it 'invalid next size' do
+        @set_memory.call [0, 0x21, 0, 0, 0, 0xf].pack("Q*")
+        expect {@h.libc.free(@fake_mem + 16)}.to raise_error "free(): invalid next size (fast)\nnext chunk(#{HeapInfo::Helper.hex(@fake_mem + 32)}) has size(8) <=  2 * 8"
+        @set_memory.call [0, 0x21, 0, 0, 0, 0x21000].pack("Q*")
+        expect {@h.libc.free(@fake_mem + 16)}.to raise_error "free(): invalid next size (fast)\nnext chunk(#{HeapInfo::Helper.hex(@fake_mem + 32)}) has size(0x21000) >= av.system_mem(0x21000)"
+      end
+    end
+  end
+end

data/spec/process_spec.rb

@@ -38,7 +38,7 @@ describe HeapInfo::Process do
       @io = Cio.new
     end
     after(:all) do
-      %x(killall #{@victim})
+      `killall #{@victim}`
       FileUtils.rm(@victim)
     end
 
@@ -84,6 +84,19 @@ describe HeapInfo::Process do
       end
     end
 
+    describe 'reload' do
+      it 'monkey' do
+        prog = File.readlink('/proc/self/exe')
+        @h = HeapInfo::Process.new(prog)
+        expect(@h.pid.is_a? Integer).to be true
+        pid = @h.pid
+        @h.instance_variable_set(:@prog, 'NO_THIS')
+        expect(@h.reload!.pid).to be nil
+        @h.instance_variable_set(:@prog, prog)
+        expect(@h.reload!.pid).to be pid
+      end
+    end
+
     describe 'fastbin' do
       it 'normal' do
         expect(@h.libc.main_arena.fastbin[0].list).to eq [0x602020, 0x602000, nil]
@@ -154,5 +167,9 @@ describe HeapInfo::Process do
     it 'nil chain' do
       expect(@h.dump(:heap).no_such_method.xdd.nil?).to be true
     end
+
+    it 'info methods' do
+      expect(@h.libc.base.nil?).to be true
+    end
   end
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: heapinfo
 version: !ruby/object:Gem::Version
-  version: 0.0.2
+  version: 0.0.3
 platform: ruby
 authors:
 - david942j
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2016-05-21 00:00:00.000000000 Z
+date: 2016-12-20 00:00:00.000000000 Z
 dependencies: []
 description: create an interactive memory info interface while pwn / exploiting
 email:
@@ -25,6 +25,10 @@ files:
 - lib/heapinfo/chunks.rb
 - lib/heapinfo/dumper.rb
 - lib/heapinfo/ext/string.rb
+- lib/heapinfo/glibc/error.rb
+- lib/heapinfo/glibc/free.rb
+- lib/heapinfo/glibc/glibc.rb
+- lib/heapinfo/glibc/helper.rb
 - lib/heapinfo/helper.rb
 - lib/heapinfo/libc.rb
 - lib/heapinfo/nil.rb
@@ -41,6 +45,7 @@ files:
 - spec/files/64bit_maps
 - spec/files/victim.cpp
 - spec/helper_spec.rb
+- spec/libc_spec.rb
 - spec/nil_spec.rb
 - spec/process_spec.rb
 - spec/spec_helper.rb
@@ -65,20 +70,21 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: '0'
 requirements: []
 rubyforge_project: 
-rubygems_version: 2.4.8
+rubygems_version: 2.5.2
 signing_key: 
 specification_version: 4
 summary: HeapInfo - interactive heap exploitation helper
 test_files:
-- spec/chunk_spec.rb
 - spec/files/32bit_maps
-- spec/files/64bit_maps
 - spec/files/victim.cpp
-- spec/helper_spec.rb
+- spec/files/64bit_maps
 - spec/cache_spec.rb
+- spec/dumper_spec.rb
+- spec/process_spec.rb
+- spec/chunk_spec.rb
+- spec/chunks_spec.rb
 - spec/string_spec.rb
 - spec/spec_helper.rb
+- spec/helper_spec.rb
 - spec/nil_spec.rb
-- spec/chunks_spec.rb
-- spec/dumper_spec.rb
-- spec/process_spec.rb
+- spec/libc_spec.rb