cloudburst / libheap Goto Github PK

View Code? Open in Web Editor NEW

491.0 16.0 79.0 934 KB

python library to examine ptmalloc (the glibc userland heap implementation)

License: MIT License

Python 100.00%

gdb python ptmalloc glibc

libheap's Introduction

Libheap

[libheap] is a python library to examine ptmalloc (the glibc userland heap implementation).

It is currently tested and known working on:

glibc	distro
2.15	Ubuntu 12.04 LTS amd64
2.19	Ubuntu 14.04 LTS i386, Ubuntu 14.04 LTS amd64
2.23	Ubuntu 16.04 LTS i386, Ubuntu 16.04 LTS amd64
2.24	Fedora 25 x86_64, Ubuntu 16.10 amd64, Ubuntu 17.04 amd64

Installation

Please refer to the Install Guide.

Usage

Please refer to the User Guide.

Design

-----------------------------------------------------------------------
                       debugger frontend (commands and prettyprinters)
                                                      libheap/frontend

                     +-----+
                     |     |
                     | gdb |
                     |     |
                     +--+--+
                        |
------------------------+----------------------------------------------
                        |               core logic (debugger-agnostic)
                        |                             libheap/ptmalloc
                   +----+-----+
                   |          |
                   | ptmalloc |
                   |          |
                   +----+-----+
                        |
------------------------+----------------------------------------------
                        |                      debugger-dependent APIs
                        |                                libheap/pydbg
   +--------------+-----+---------+-------------+
   |              |               |             |
+--+---+   +------+------+   +----+----+   +----+---+
|      |   |             |   |         |   |        |
| lldb |   | pygdbpython |   | pygdbmi |   | r2pipe |
| TODO |   |             |   |  TODO   |   |  TODO  |
|      |   |             |   |         |   |        |
+---+--+   +-------+-----+   +---+-----+   +----+---+
    |              |             |              |
    |              |             |    +---------+
    |              |             |    |
----+--------------+-------------+----+--------------------------------
    |              |             |    |      debugger-provided backend
    |              |             | +--+
    |              |    +--------+ |
 +--+---+       +--+--+ |   +------+-+
 |      |       |     | |   |        |
 | lldb |       | gdb +-+   | ptrace |
 |      |       |     |     |        |
 +------+       +-----+     +--------+
-----------------------------------------------------------------------

libheap's People

Contributors

Stargazers

Watchers

libheap's Issues

Infinite Loop when Double Free

Not sure if you think this is an important issue but when a double free is done for example in fastbins. Using the command fastbins causes an infinite loop of printing the chunks.

fastbins
[ fb 0 ] 0x7ffff7dd1b28  -> [ 0x603410 ] (32)
                            [ 0x603430 ] (32)
                            [ 0x603410 ] (32)
                            [ 0x603430 ] (32)
                            [ 0x603410 ] (32)
                            [ 0x603430 ] (32)
                            [ 0x603410 ] (32)
....

"%x format: an integer is required, not gdb.Value" on latest gdb/python3

On Arch Linux I'm getting the following error when running heap:

Python Exception <class 'TypeError'> %x format: an integer is required, not gdb.Value: 
Error occurred in Python command: %x format: an integer is required, not gdb.Value

Debugging showed this line as throwing the exception:

print("\t arena @ 0x%x" % \
                        ar_ptr.address.cast(gdb.lookup_type("unsigned long")))

(the exception handler throws the same exception)

I've used this library before and this wasn't happening, so I think it happened when either gdb (version 7.11) or python3 (version 3.5.1) updated. I found the fix here, which is to wrap the gdb.Value in a call to int.

sbrk_base is the same as sbrk_end

Not sure if this is a bug or me just not understanding something, but I keep seeing output like:

sbrk_base 0x601000
chunk     0x601000         0x410        (inuse)
chunk     0x601410         0x20bf0      (top)
sbrk_end  0x601000

when running heap -l. Note that sbrk_base is the same as sbrk_end. I'm using Arch Linux, but a friend tested it out on Ubuntu and had the same issue. Can you replicate this?

Python Exception <class 'AttributeError'> 'NoneType' object has no attribute 'address':

Hi, I'm trying to understand the heap exploitation and libheap looked great but it's not working for me? maybe you know why? I'm using Ubuntu 16.04

GNU gdb (Ubuntu 7.11.1-0ubuntu1~16.5) 7.11.1
Copyright (C) 2016 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
<http://www.gnu.org/software/gdb/documentation/>.
For help, type "help".
Type "apropos word" to search for commands related to "word".
Attaching to process 12657
Reading symbols from /home/bob/Desktop/ctf/1/sytx...(no debugging symbols found)...done.
Reading symbols from ./libc-2.23.so...(no debugging symbols found)...done.
Reading symbols from /lib64/ld-linux-x86-64.so.2...Reading symbols from /usr/lib/debug//lib/x86_64-linux-gnu/ld-2.23.so...done.
done.
0x00007fd31b4d8260 in read () from ./libc-2.23.so
(gdb) heap
Python Exception <class 'AttributeError'> 'NoneType' object has no attribute 'address': 
Error occurred in Python command: 'NoneType' object has no attribute 'address'
(gdb) fastbins
Python Exception <class 'AttributeError'> 'NoneType' object has no attribute 'address': 
Error occurred in Python command: 'NoneType' object has no attribute 'address'
(gdb) heap -h
heapls         Print a flat listing of all chunks in an arena
fastbins [#]   Print all fast bins, or only a single fast bin
smallbins [#]  Print all small bins, or only a single small bin
freebins       Print compact bin listing (only free chunks)
heaplsc        Print compact arena listing (all chunks)
mstats         Print memory alloc statistics similar to malloc_stats(3)
(gdb) heapls
Python Exception <class 'AttributeError'> 'NoneType' object has no attribute 'address': 
Error occurred in Python command: 'NoneType' object has no attribute 'address'
(gdb)

problem when installed in virtualenv

I am wandering how to force gdb to use virtualenv.

$ workon libheap
$ gdb
gdb-peda$ python from libheap import *
Traceback (most recent call last):
  File "<string>", line 1, in <module>
ImportError: No module named 'libheap'
Error while executing Python code.
gdb-peda$ quit
$ python
>>> import libheap.py
Not running inside of GDB, exiting...

Need a license agreement

Could you please provide a license agreement for this code so I know what I can do with it?

how to use it with diffirent glibc version

"The code needs a complete refactoring to fix this."
If I want it work on my ubuntu16.04 with glibc version=2.23,how should I refactoring it to make it works?

gdb.error 'Cannot find thread-local storage'

I installed via the instructions in the installation guide and also changed ~/.local/lib/python3.5/site-packages/libheap/libheap.cfg to 2.23, which is my installed libc version, but I still get this issue:

gdb-peda$ heapls
[!] No gdb frame is currently selected.

Python Exception <class 'gdb.error'> Cannot find thread-local storage for process 20952, shared library /lib/x86_64-linux-gnu/libc.so.6:
Cannot find thread-local variables on this target: 
Error occurred in Python command: Cannot find thread-local storage for process 20952, shared library /lib/x86_64-linux-gnu/libc.so.6:
Cannot find thread-local variables on this target

➜  /home apt-cache policy libc6
libc6:
  Installed: 2.23-0ubuntu7
  Candidate: 2.23-0ubuntu7
  Version table:
 *** 2.23-0ubuntu7 500
        500 http://us.archive.ubuntu.com/ubuntu xenial-updates/main amd64 Packages
        500 http://security.ubuntu.com/ubuntu xenial-security/main amd64 Packages
        100 /var/lib/dpkg/status
     2.23-0ubuntu3 500
        500 http://us.archive.ubuntu.com/ubuntu xenial/main amd64 Packages

I am running this on Ubuntu 16.04 Xenial 64-bit.

Any suggestions on how I can fix this?

Colorful print issue with peda

After the modification of printing utils, I found this version couldn't work well with peda. I used to utilize source libheap.py in my .gdbinit. But it tampered peda's running and messed up the color print.

heap.png issue

During debug, I find something inconsistent when referring to this flow graph of heap.

It seems the "Yes/No" option in the first branch of SYSMALLOC should be swapped,
according to glibc source.
https://github.com/lattera/glibc/blob/master/malloc/malloc.c#L2279
（This glibc version is old. But just for reference）

How can use it in Kali 2.0-64bit?

glibc version is 2.27.
When I use it. It will " 'NoneType' object has no attribute 'address' "

Lots of Python runtime error

I don't know how to properly use the functions available from libheap. So i tried to get a chunk size using one of the features chunksize(p) and i got this:

Traceback (most recent call last):
  File "<string>", line 1, in <module>
  File "/usr/lib/python3.5/libheap.py", line 75, in chunksize
    return (p.size & ~SIZE_BITS)
AttributeError: 'int' object has no attribute 'size'
Error while executing Python code.

In facts, there is a lot of others functions which triggers the same exception such as no attributes fd, size. Plus when i tried other example from the README.md, `p *(mchunkptr) 0x804b000:

Python Exception <class 'TypeError'> non-empty format string passed to object.__format__: 
$1 =

print_mstats:

==================================Malloc Stats==================================
Python Exception <class 'TypeError'> %x format: an integer is required, not gdb.Value: 
Error occurred in Python command: %x format: an integer is required, not gdb.Value

libheap fails to load any heap status

I followed the installation steps. libheap is successfully integrated with gdb-peda but all command's outputs are printing only " found areana"

peda output

gdb-peda$ vmmap heap
Start      End        Perm	Name
0x08048000 0x08049000 r-xp	/root/Desktop/heap/demo_/demo
0x08049000 0x0804a000 r--p	/root/Desktop/heap/demo_/demo
0x0804a000 0x0804b000 rw-p	/root/Desktop/heap/demo_/demo
0x0804b000 0x0806c000 rw-p	[heap]

heap list

gdb-peda$ x/40wx 0x0804b000
0x804b000:	0x00000000	0x00000019	0x00000000	0x00000000
0x804b010:	0x00000000	0x00000000	0x00000000	0x00000029
0x804b020:	0x00000000	0x00000000	0x00000000	0x00000000
0x804b030:	0x00000000	0x00000000	0x00000000	0x00000000
0x804b040:	0x00000000	0x00000019	0x0804b000	0x00000000
0x804b050:	0x00000000	0x00000000	0x00000000	0x00000029
0x804b060:	0x0804b018	0x00000000	0x00000000	0x00000000
0x804b070:	0x00000000	0x00000000	0x00000000	0x00000000
0x804b080:	0x00000000	0x00000409	0x67617453	0x00372065
0x804b090:	0x00000000	0x00000000	0x00000000	0x00000000

libheap output

gdb-peda$ heap -l 
Arena(s) found:
  arena @ 0xf7fab780

gdb-peda$ heap -f
Arena(s) found:
  arena @ 0xf7fab780

gdb-peda$ heap -s
Arena(s) found:
  arena @ 0xf7fab780

gdb-peda$ heapls
           ADDR             SIZE            STATUS
sbrk_base  0x1
[!] Could not read address 0x1
chunk      0x1              0x0             [!] Could not read address 0x1
[!] Could not read address 0x1
Python Exception <class 'TypeError'> int() argument must be a string, a bytes-like object or a number, not 'NoneType': 
(F) FD Error occurred in Python command: int() argument must be a string, a bytes-like object or a number, not 'NoneType'

NOTE: It was working fine with Ubuntu 15.04 but now i am using Kalli Rolling it is not working now

my gdbinit output

source ~/peda/peda.py
python import sys
python sys.path.append('/root/.local/lib/python2.7/site-packages')
python import libheap

ImportError: No module named pyptmalloc

[For help, type "help".
Type "apropos word" to search for commands related to "word"...
Traceback (most recent call last):
  File "<string>", line 1, in <module>
  File "/usr/local/lib/python2.7/dist-packages/libheap/__init__.py", line 1, in <module>
    from libheap.pyptmalloc import pyptmalloc
ImportError: No module named pyptmalloc
/home/xing/.gdbinit:5: Error in sourced command file:
Error while executing Python code.
Reading symbols from ./hungman...(no debugging symbols found)...done.
(gdb) heap -a
[!] No debugee could be found.  Attach or start a program.
Python Exception <type 'exceptions.SystemExit'> None: 
Error occurred in Python command: None
(gdb) q

how to fix it

ERROR - Run command

Help me fix error! I cant't not working
gdb (Ubuntu 7.7.1-0ubuntu5~14.04.2)

(gdb) heap
Python Exception <class 'AttributeError'> 'NoneType' object has no attribute 'address':
Error occurred in Python command: 'NoneType' object has no attribute 'address'

mainarena in android

how can I find main arena in Android?

Unable to import from gdb

I followed the installation steps. I can import libheap in python but not in gdb.

>>> from libheap import *
Not running inside of GDB, exiting...

gdb-peda$ python from libheap import *
Traceback (most recent call last):
  File "<string>", line 1, in <module>
ImportError: No module named 'libheap'
Error while executing Python code.

Found solution in #11.

Exception

Ubuntu 16.04.3
run command in gdb
Python Exception <class 'AttributeError'> 'NoneType' object has no attribute 'address':
Error occurred in Python command: 'NoneType' object has no attribute 'address'

Help me!

Compatibility problems with gdb.Value

GNU gdb (Ubuntu 7.11.1-0ubuntu1~16.04) 7.11.1

Issue: `bin_at`

    return int(gdb.parse_and_eval("&((struct malloc_state *) 0x%x).bins[%d]" % \
            (m.address, int((i -1) * 2))).cast(gdb.lookup_type(cast_type)) \
            - offsetof_fd)

m.address is the type of gdb.Value object, so %x will crash.

Issue: `"{:#x}".format(self.val['top'])`

same as above

i just replace m.address as str(m.address).split(" ")[0].

heap.png how to extend?

Hey,

I really like the heap flowchart you've made, and it's the only good chart I can find. I'm working with later versions of glibc that have increased their heap corruption checks and I'd love to extend the chart. Do you still have the source file for the flowchart? So I can move boxes around and add new ones. I'm currently just using a drawing tool to annotate the .png and it's getting really cluttered.

Thanks!

Python Exception <class 'AttributeError'> 'NoneType' object has no attribute 'address': 
Error occurred in Python command: 'NoneType' object has no attribute 'address'

while it is working properly for all other binary except one particular binary that i am trying to reverse
I have installed libc6-dbg , libc6-dbg:i386