RubyGems - heapinfo - Versions diffs - 0.0.4 → 0.0.5 - Mend

heapinfo 0.0.4 → 0.0.5

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (12) hide show

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 3afc942b75cd48a72f4d699b68423d2b6e23ff01
-  data.tar.gz: 69bbf96563700cdf3275b680229f65c6ba20e8e5
+  metadata.gz: 38cb3f9332f88d77ee939beeec7ef2e1563e92fb
+  data.tar.gz: 897f2130e7167fcae28c678df332b4aa0c8be682
 SHA512:
-  metadata.gz: c3cceb98b2e06f7c02a6ce16c9d9322de0a554742a213aeb26e8e7dce945fb35f9e425cf2e316e9317128df0ef061317c57fbcf449842888c9a35886c6549783
-  data.tar.gz: b1285f36856258f0834707b54252cc2989050fc72f99a9ebead0fadc565ab10e0e090fe03bbd42bb1c3ebd6e52c293ea1ef49e237451dcc81f33d43d9f5f30ac
+  metadata.gz: 3fcb02ec66361586e3f5c00466f266dd1c388b0b27651c3ce030f88ab7d084b080cf7296bd71bbc32dc96a1a41e65f4318d73456c2d6126f6b37a9659e72bcb6
+  data.tar.gz: 7884b477325650a2baf197a303387f580d4cb6de6100691b9e985842b23b8ea863afce4f07b1385a65cf5ce189aff3b70979b00681d39b6863fdde337375d62f

data/lib/heapinfo/arena.rb CHANGED Viewed

@@ -73,9 +73,9 @@ module HeapInfo
   # Class for record fastbin type chunk.
   class Fastbin < Chunk
-    # @return [Integer]
+    # @return [Integer] fd
     attr_reader :fd
-    # @return [Integer]
+    # @return [Integer] index
     attr_accessor :index
     # Instantiate a <tt>HeapInfo::Fastbin</tt> object.

data/lib/heapinfo/chunks.rb CHANGED Viewed

@@ -6,8 +6,7 @@ module HeapInfo
       @chunks = []
     end
-    # Redirect methods to private records.
-    def method_missing(method_sym, *arguments, &block)
+    def method_missing(method_sym, *arguments, &block) # :nodoc:
       return super unless @chunks.respond_to? method_sym
       @chunks.send(method_sym, *arguments, &block)
     end

data/lib/heapinfo/glibc/free.rb CHANGED Viewed

@@ -3,7 +3,7 @@
 module HeapInfo
   module Glibc
     # Implmentation of <tt>void __libc_free(void *mem)</tt>.
-    # [Source](https://code.woboq.org/userspace/glibc/malloc/malloc.c.html#__libc_free)
+    # [glibc-2.23](https://github.com/david942j/heapinfo/blob/master/examples/libcdb/libc-2.23/malloc.c#L2934) or [Online Source](https://code.woboq.org/userspace/glibc/malloc/malloc.c.html#__libc_free)
     # @param [Integer] mem Memory address to be free.
     def libc_free(mem)
       # TODO: free_hook
@@ -18,7 +18,7 @@ module HeapInfo
   private
     # Implmentation of <tt>void _int_free (mstate av, mchunkptr p, [int have_lock])</tt>.
-    # [Source](https://code.woboq.org/userspace/glibc/malloc/malloc.c.html#_int_free)
+    # [glibc-2.23](https://github.com/david942j/heapinfo/blob/master/examples/libcdb/libc-2.23/malloc.c#L2934) or [Online Source](https://code.woboq.org/userspace/glibc/malloc/malloc.c.html#__libc_free)
     #
     # The original method in C is too long, split to multiple methods to match ruby convention.
     # @param [HeapInfo::Arena] av
@@ -40,10 +40,14 @@ module HeapInfo
     def int_free_fast(av, ptr, size)
       invalid_next_size(:fast, av, ptr, size)
+      idx = fastbin_index(size)
+      old = av.fastbin[idx].fd
+      malloc_assert( old != ptr ) { "double free or corruption (fasttop)\ntop of fastbin[0x%x]: 0x%x=0x%x" % [size & -8, ptr, ptr]   }
       true
     end
     def int_free_small(av, ptr, size)
+      # TODO: unfinished
       true
     end

data/lib/heapinfo/glibc/helper.rb CHANGED Viewed

@@ -40,5 +40,9 @@ module HeapInfo
       main_arena
     end
+    # @return [Integer]
+    def fastbin_index(size)
+      (size >> (size_t == 8 ? 4 : 3)) - 2
+    end
   end
 end

data/lib/heapinfo/process.rb CHANGED Viewed

@@ -5,7 +5,7 @@ module HeapInfo
     # The default options of libaries,
     # use for matching glibc and ld segments in <tt>/proc/[pid]/maps</tt>
     DEFAULT_LIB = {
-      libc: /libc[^\w]/,
+      libc: /bc.*\.so/,
       ld:   /\/ld-.+\.so/,
     }
     # @return [Fixnum, NilClass] return the pid of process, <tt>nil</tt> if no such process found
@@ -197,7 +197,7 @@ module HeapInfo
       false
     end
-    def load_info!
+    def load_info! # :nodoc:
       @info = ProcessInfo.new(self)
       ProcessInfo::EXPORT.each do |m|
         self.class.send(:define_method, m) {@info.send(m)}

data/lib/heapinfo/segment.rb CHANGED Viewed

@@ -28,6 +28,7 @@ module HeapInfo
     # @param [Regexp, String] pattern The segment name want to match in maps. If <tt>String</tt> is given, the pattern is matched as a substring.
     # @return [HeapInfo::Segment, NilClass] The request <tt>Segment</tt> object. If the pattern is not matched, <tt>nil</tt> will be returned.
     def self.find(maps, pattern)
+      return Nil.new if pattern.nil?
       needs = maps.select{|m| pattern.is_a?(Regexp) ? m[3] =~ pattern : m[3].include?(pattern)}
       self.new needs.map{|m| m[0]}.min, needs[0][3] unless needs.empty?
     end

data/lib/heapinfo/version.rb CHANGED Viewed

@@ -1,3 +1,3 @@
 module HeapInfo
-  VERSION = '0.0.4'.freeze
+  VERSION = '0.0.5'.freeze
 end

data/spec/files/victim.cpp CHANGED Viewed

@@ -2,7 +2,7 @@
 #include <cstdio>
 #include <unistd.h>
 int main(int argc, char **argv) {
-  if(argc <=1 ) alarm(10);
+  if(argc <= 1) alarm(10);
   void *v, *u;
   int *i, *j;
@@ -12,7 +12,7 @@ int main(int argc, char **argv) {
   v = malloc(24); u = malloc(24);
   free(v); free(u);
-  // invalid
+  // invalid fd
   i = (int*)malloc(40);
   free(i);
   *i = 0xdeadbeef;

data/spec/libc_spec.rb CHANGED Viewed

@@ -49,6 +49,27 @@ describe HeapInfo::Libc do
         @set_memory.call [0, 0x21, 0, 0, 0, 0x21000].pack("Q*")
         expect {@h.libc.free(@fake_mem + 16)}.to raise_error "free(): invalid next size (fast)\nnext chunk(#{HeapInfo::Helper.hex(@fake_mem + 32)}) has size(0x21000) >= av.system_mem(0x21000)"
       end
+      it 'double free (fastop)' do
+        expect { @h.libc.free(@h.heap.base + 0x30) }.to raise_error "double free or corruption (fasttop)\ntop of fastbin[0x20]: 0x602020=0x602020"
+      end
+      it 'success' do
+        expect(@h.libc.free(@h.heap.base + 0x10)).to be true
+      end
+    end
+    describe 'munmap' do
+      it 'success' do
+        mmap_addr = HeapInfo::Helper.unpack(8, @h.dump(:heap, 0x190, 8)) # backdoor of victim.cpp
+        expect(@h.libc.free(mmap_addr)).to be true
+      end
+    end
+    describe 'small' do
+      it 'success' do
+        expect(@h.libc.free(@h.heap.base + 0x280)).to be true
+      end
     end
   end
 end

data/spec/process_spec.rb CHANGED Viewed

@@ -151,6 +151,32 @@ describe HeapInfo::Process do
     end
   end
+  describe 'static-link' do
+    before(:all) do
+      @victim = HeapInfo::TMP_DIR + '/victim'
+      %x(g++ -static #{File.expand_path('../files/victim.cpp', __FILE__)} -o #{@victim} 2>&1 > /dev/null)
+      pid = fork
+      # run without ASLR
+      exec "setarch `uname -m` -R /bin/sh -c #{@victim}" if pid.nil?
+      loop until `pidof #{@victim}` != ''
+      @h = heapinfo(@victim)
+    end
+    after(:all) do
+      `killall #{@victim}`
+      FileUtils.rm(@victim)
+    end
+    it 'normal' do
+      expect(@h.libc).to be_a HeapInfo::Nil
+      expect(@h.ld).to be_a HeapInfo::Nil
+    end
+    it 'dump' do
+      expect(@h.dump :elf, 4).to eq "\x7fELF"
+    end
+  end
   describe 'no process' do
     before(:all) do
       @h = heapinfo('NO_SUCH_PROCESS~~~')

metadata CHANGED Viewed

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: heapinfo
 version: !ruby/object:Gem::Version
-  version: 0.0.4
+  version: 0.0.5
 platform: ruby
 authors:
 - david942j
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2016-12-28 00:00:00.000000000 Z
+date: 2017-01-03 00:00:00.000000000 Z
 dependencies: []
 description: create an interactive memory info interface while pwn / exploiting
 email: