An example application that shows the strengths and weaknesses of Google's TCMalloc implementation through a simple yet reasonably complete program, together with a document enumerating the possible exploits that were found.
The exploits used here target the so-called Thread Cache.
A one-byte overflow into a freed chunk is enough to let an attacker overwrite the position of the next chunk to be allocated. The written value does not even need to be aligned to 0x10 bytes or to any other boundary. This is possible because a freed chunk stores the address of the next chunk of the free list in its first 8 bytes, and the free list is a singly linked list.
The double-free exploit is possible because TCMalloc does not check whether a chunk has already been freed. The same chunk can be freed multiple times, which can lead to a crash or even to remote code execution.
The project uses the one-byte overflow exploit, followed by an overwrite of the whole address.
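The missing check described above (the allocator does not notice that a chunk is already on its free list) is what a test harness can compensate for on its own. The following added example is not part of this project: it keeps a shadow table of pointers that were freed but not yet handed out again, and refuses the second free instead of passing it to the allocator. It uses the system malloc so it runs anywhere; the shadow table size and the function names are choices made for this example, and every allocation must go through tracked_malloc for the bookkeeping to stay accurate.

```c
/* Added example (not the project's code): a shadow table that catches
 * double frees before they reach the allocator. TCMalloc's thread cache
 * does not check whether a chunk is already on the free list, so the
 * harness records freed-but-not-reused pointers itself. Allocator-independent. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define SHADOW_SLOTS 256   /* assumed table size for this example */

/* Pointers passed to tracked_free() that the allocator has not handed
 * back out yet. NULL marks an empty slot. */
static void *shadow[SHADOW_SLOTS];
static unsigned double_free_count;

static int shadow_find(const void *p) {
    for (int i = 0; i < SHADOW_SLOTS; i++)
        if (shadow[i] == p) return i;
    return -1;
}

/* Allocate; if the allocator recycles an address we recorded as freed,
 * drop that record, because the pointer is live again. */
void *tracked_malloc(size_t n) {
    void *p = malloc(n);
    int i = p ? shadow_find(p) : -1;
    if (i >= 0) shadow[i] = NULL;
    return p;
}

/* Returns 1 and refuses the free when p is already recorded as freed
 * (a double free); returns 0 after a normal free. */
int tracked_free(void *p) {
    if (p == NULL) return 0;          /* free(NULL) is a no-op, not a bug */
    if (shadow_find(p) >= 0) {
        double_free_count++;
        fprintf(stderr, "double free of %p detected, refusing\n", p);
        return 1;
    }
    int slot = shadow_find(NULL);
    if (slot >= 0) shadow[slot] = p;  /* table full: free anyway, untracked */
    free(p);
    return 0;
}

unsigned tracked_double_free_count(void) { return double_free_count; }

/* Constructed scenario mirroring the bug class above: one chunk freed
 * twice. Returns the number of double frees caught so far. */
unsigned demo_double_free(void) {
    char *a = tracked_malloc(32);
    if (a == NULL) return tracked_double_free_count();
    memset(a, 'A', 32);
    tracked_free(a);
    tracked_free(a);   /* second free of the same chunk: refused */
    return tracked_double_free_count();
}

int main(void) {
    printf("double frees caught: %u\n", demo_double_free());
    return 0;
}
```

The table is intentionally tiny and linear; the point is the check itself. A production-grade equivalent is what sanitizers do with their quarantine, which is why compiling a test build of vuln.c with AddressSanitizer is the quickest way to see this class of defect flagged.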
For the basic deployment, the provided Dockerfile is enough. It installs all the required dependencies:
docker build -t tcmalloc_exploit .
To run the Docker container, use the following command:
docker run --rm -p 1337:1337 --name tcmalloc_exploit tcmalloc_exploit
It will expose the service on port 1337.
If you want to add your own flag file, add one named get_flag and set its permissions to at least ---x------ (execute bit for the owner).
The implementation uses glibc 2.36.
Compile the vuln.c code with the provided command (google-perftools must be installed):
gcc -std=c99 -Wall -Wextra -pedantic -O -fstack-protector-all -fPIE -fPIC -s -z relro -z now -z noexecstack -D_POSIX_C_SOURCE=200809L vuln.c -o vuln -ltcmalloc
Feel free to remove any of the security flags, but this is not recommended.