RubyGems - heapinfo - Versions diffs - 0.0.4 → 0.0.5 - Mend

heapinfo 0.0.4 → 0.0.5

Files changed (12) hide show

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 3afc942b75cd48a72f4d699b68423d2b6e23ff01
-  data.tar.gz: 69bbf96563700cdf3275b680229f65c6ba20e8e5
+  metadata.gz: 38cb3f9332f88d77ee939beeec7ef2e1563e92fb
+  data.tar.gz: 897f2130e7167fcae28c678df332b4aa0c8be682
 SHA512:
-  metadata.gz: c3cceb98b2e06f7c02a6ce16c9d9322de0a554742a213aeb26e8e7dce945fb35f9e425cf2e316e9317128df0ef061317c57fbcf449842888c9a35886c6549783
-  data.tar.gz: b1285f36856258f0834707b54252cc2989050fc72f99a9ebead0fadc565ab10e0e090fe03bbd42bb1c3ebd6e52c293ea1ef49e237451dcc81f33d43d9f5f30ac
+  metadata.gz: 3fcb02ec66361586e3f5c00466f266dd1c388b0b27651c3ce030f88ab7d084b080cf7296bd71bbc32dc96a1a41e65f4318d73456c2d6126f6b37a9659e72bcb6
+  data.tar.gz: 7884b477325650a2baf197a303387f580d4cb6de6100691b9e985842b23b8ea863afce4f07b1385a65cf5ce189aff3b70979b00681d39b6863fdde337375d62f

data/lib/heapinfo/arena.rb CHANGED Viewed

@@ -73,9 +73,9 @@ module HeapInfo
   # Class for record fastbin type chunk.
   class Fastbin < Chunk
-    # @return [Integer]
+    # @return [Integer] fd
     attr_reader :fd
-    # @return [Integer]
+    # @return [Integer] index
     attr_accessor :index
     # Instantiate a <tt>HeapInfo::Fastbin</tt> object.

data/lib/heapinfo/chunks.rb CHANGED Viewed

@@ -6,8 +6,7 @@ module HeapInfo
       @chunks = []
     end
-    # Redirect methods to private records.
-    def method_missing(method_sym, *arguments, &block)
+    def method_missing(method_sym, *arguments, &block) # :nodoc:
       return super unless @chunks.respond_to? method_sym
       @chunks.send(method_sym, *arguments, &block)
     end

data/lib/heapinfo/glibc/free.rb CHANGED Viewed

@@ -3,7 +3,7 @@
 module HeapInfo
   module Glibc
     # Implmentation of <tt>void __libc_free(void *mem)</tt>.
-    # [Source](https://code.woboq.org/userspace/glibc/malloc/malloc.c.html#__libc_free)
+    # [glibc-2.23](https://github.com/david942j/heapinfo/blob/master/examples/libcdb/libc-2.23/malloc.c#L2934) or [Online Source](https://code.woboq.org/userspace/glibc/malloc/malloc.c.html#__libc_free)
     # @param [Integer] mem Memory address to be free.
     def libc_free(mem)
       # TODO: free_hook
@@ -18,7 +18,7 @@ module HeapInfo
   private
     # Implmentation of <tt>void _int_free (mstate av, mchunkptr p, [int have_lock])</tt>.
-    # [Source](https://code.woboq.org/userspace/glibc/malloc/malloc.c.html#_int_free)
+    # [glibc-2.23](https://github.com/david942j/heapinfo/blob/master/examples/libcdb/libc-2.23/malloc.c#L2934) or [Online Source](https://code.woboq.org/userspace/glibc/malloc/malloc.c.html#__libc_free)
     #
     # The original method in C is too long, split to multiple methods to match ruby convention.
     # @param [HeapInfo::Arena] av
@@ -40,10 +40,14 @@ module HeapInfo
     def int_free_fast(av, ptr, size)
       invalid_next_size(:fast, av, ptr, size)
+      idx = fastbin_index(size)
+      old = av.fastbin[idx].fd
+      malloc_assert( old != ptr ) { "double free or corruption (fasttop)\ntop of fastbin[0x%x]: 0x%x=0x%x" % [size & -8, ptr, ptr]   }
       true
     end
     def int_free_small(av, ptr, size)
+      # TODO: unfinished
       true
     end

data/lib/heapinfo/glibc/helper.rb CHANGED Viewed

@@ -40,5 +40,9 @@ module HeapInfo
       main_arena
     end
+    # @return [Integer]
+    def fastbin_index(size)
+      (size >> (size_t == 8 ? 4 : 3)) - 2
+    end
   end
 end

data/lib/heapinfo/process.rb CHANGED Viewed

@@ -5,7 +5,7 @@ module HeapInfo
     # The default options of libaries,
     # use for matching glibc and ld segments in <tt>/proc/[pid]/maps</tt>
     DEFAULT_LIB = {
-      libc: /libc[^\w]/,
+      libc: /bc.*\.so/,
       ld:   /\/ld-.+\.so/,
     }
     # @return [Fixnum, NilClass] return the pid of process, <tt>nil</tt> if no such process found
@@ -197,7 +197,7 @@ module HeapInfo
       false
     end
-    def load_info!
+    def load_info! # :nodoc:
       @info = ProcessInfo.new(self)
       ProcessInfo::EXPORT.each do |m|
         self.class.send(:define_method, m) {@info.send(m)}

data/lib/heapinfo/segment.rb CHANGED Viewed

@@ -28,6 +28,7 @@ module HeapInfo
     # @param [Regexp, String] pattern The segment name want to match in maps. If <tt>String</tt> is given, the pattern is matched as a substring.
     # @return [HeapInfo::Segment, NilClass] The request <tt>Segment</tt> object. If the pattern is not matched, <tt>nil</tt> will be returned.
     def self.find(maps, pattern)
+      return Nil.new if pattern.nil?
       needs = maps.select{|m| pattern.is_a?(Regexp) ? m[3] =~ pattern : m[3].include?(pattern)}
       self.new needs.map{|m| m[0]}.min, needs[0][3] unless needs.empty?
     end

data/lib/heapinfo/version.rb CHANGED Viewed

@@ -1,3 +1,3 @@
 module HeapInfo
-  VERSION = '0.0.4'.freeze
+  VERSION = '0.0.5'.freeze
 end

data/spec/files/victim.cpp CHANGED Viewed

@@ -2,7 +2,7 @@
 #include <cstdio>
 #include <unistd.h>
 int main(int argc, char **argv) {
-  if(argc <=1 ) alarm(10);
+  if(argc <= 1) alarm(10);
   void *v, *u;
   int *i, *j;
@@ -12,7 +12,7 @@ int main(int argc, char **argv) {
   v = malloc(24); u = malloc(24);
   free(v); free(u);
-  // invalid
+  // invalid fd
   i = (int*)malloc(40);
   free(i);
   *i = 0xdeadbeef;

data/spec/libc_spec.rb CHANGED Viewed

@@ -49,6 +49,27 @@ describe HeapInfo::Libc do
         @set_memory.call [0, 0x21, 0, 0, 0, 0x21000].pack("Q*")
         expect {@h.libc.free(@fake_mem + 16)}.to raise_error "free(): invalid next size (fast)\nnext chunk(#{HeapInfo::Helper.hex(@fake_mem + 32)}) has size(0x21000) >= av.system_mem(0x21000)"
       end
+      it 'double free (fastop)' do
+        expect { @h.libc.free(@h.heap.base + 0x30) }.to raise_error "double free or corruption (fasttop)\ntop of fastbin[0x20]: 0x602020=0x602020"
+      end
+      it 'success' do
+        expect(@h.libc.free(@h.heap.base + 0x10)).to be true
+      end
+    end
+    describe 'munmap' do
+      it 'success' do
+        mmap_addr = HeapInfo::Helper.unpack(8, @h.dump(:heap, 0x190, 8)) # backdoor of victim.cpp
+        expect(@h.libc.free(mmap_addr)).to be true
+      end
+    end
+    describe 'small' do
+      it 'success' do
+        expect(@h.libc.free(@h.heap.base + 0x280)).to be true
+      end
     end
   end
 end

data/spec/process_spec.rb CHANGED Viewed

@@ -151,6 +151,32 @@ describe HeapInfo::Process do
     end
   end
+  describe 'static-link' do
+    before(:all) do
+      @victim = HeapInfo::TMP_DIR + '/victim'
+      %x(g++ -static #{File.expand_path('../files/victim.cpp', __FILE__)} -o #{@victim} 2>&1 > /dev/null)
+      pid = fork
+      # run without ASLR
+      exec "setarch `uname -m` -R /bin/sh -c #{@victim}" if pid.nil?
+      loop until `pidof #{@victim}` != ''
+      @h = heapinfo(@victim)
+    end
+    after(:all) do
+      `killall #{@victim}`
+      FileUtils.rm(@victim)
+    end
+    it 'normal' do
+      expect(@h.libc).to be_a HeapInfo::Nil
+      expect(@h.ld).to be_a HeapInfo::Nil
+    end
+    it 'dump' do
+      expect(@h.dump :elf, 4).to eq "\x7fELF"
+    end
+  end
   describe 'no process' do
     before(:all) do
       @h = heapinfo('NO_SUCH_PROCESS~~~')

metadata CHANGED Viewed

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: heapinfo
 version: !ruby/object:Gem::Version
-  version: 0.0.4
+  version: 0.0.5
 platform: ruby
 authors:
 - david942j
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2016-12-28 00:00:00.000000000 Z
+date: 2017-01-03 00:00:00.000000000 Z
 dependencies: []
 description: create an interactive memory info interface while pwn / exploiting
 email: