cloudburst / libheap
python library to examine ptmalloc (the glibc userland heap implementation)
License: MIT License
GNU gdb (Ubuntu 7.11.1-0ubuntu1~16.04) 7.11.1
bin_at
return int(gdb.parse_and_eval("&((struct malloc_state *) 0x%x).bins[%d]" % \
(m.address, int((i -1) * 2))).cast(gdb.lookup_type(cast_type)) \
- offsetof_fd)
m.address is of type gdb.Value, so %x will crash.
"{:#x}".format(self.val['top'])
same as above
I just replaced m.address with str(m.address).split(" ")[0].
Could you please provide a license agreement for this code so I know what I can do with it?
https://github.com/cloudburst/libheap/blob/master/libheap.py#L1252
https://github.com/cloudburst/libheap/blob/master/utils/check_house_of_mind.py#L51
Could someone tell me where the definition is? Thanks
I followed the installation steps. libheap is successfully integrated with gdb-peda, but all commands' outputs print only "found arena".
peda output
gdb-peda$ vmmap heap
Start End Perm Name
0x08048000 0x08049000 r-xp /root/Desktop/heap/demo_/demo
0x08049000 0x0804a000 r--p /root/Desktop/heap/demo_/demo
0x0804a000 0x0804b000 rw-p /root/Desktop/heap/demo_/demo
0x0804b000 0x0806c000 rw-p [heap]
heap list
gdb-peda$ x/40wx 0x0804b000
0x804b000: 0x00000000 0x00000019 0x00000000 0x00000000
0x804b010: 0x00000000 0x00000000 0x00000000 0x00000029
0x804b020: 0x00000000 0x00000000 0x00000000 0x00000000
0x804b030: 0x00000000 0x00000000 0x00000000 0x00000000
0x804b040: 0x00000000 0x00000019 0x0804b000 0x00000000
0x804b050: 0x00000000 0x00000000 0x00000000 0x00000029
0x804b060: 0x0804b018 0x00000000 0x00000000 0x00000000
0x804b070: 0x00000000 0x00000000 0x00000000 0x00000000
0x804b080: 0x00000000 0x00000409 0x67617453 0x00372065
0x804b090: 0x00000000 0x00000000 0x00000000 0x00000000
libheap output
gdb-peda$ heap -l
Arena(s) found:
arena @ 0xf7fab780
gdb-peda$ heap -f
Arena(s) found:
arena @ 0xf7fab780
gdb-peda$ heap -s
Arena(s) found:
arena @ 0xf7fab780
gdb-peda$ heapls
ADDR SIZE STATUS
sbrk_base 0x1
[!] Could not read address 0x1
chunk 0x1 0x0 [!] Could not read address 0x1
[!] Could not read address 0x1
Python Exception <class 'TypeError'> int() argument must be a string, a bytes-like object or a number, not 'NoneType':
(F) FD Error occurred in Python command: int() argument must be a string, a bytes-like object or a number, not 'NoneType'
NOTE: It was working fine with Ubuntu 15.04, but now that I am using Kali Rolling it is not working.
my gdbinit output
source ~/peda/peda.py
python import sys
python sys.path.append('/root/.local/lib/python2.7/site-packages')
python import libheap
How can I find the main arena on Android?
Hi, I'm trying to understand heap exploitation and libheap looked great, but it's not working for me. Maybe you know why? I'm using Ubuntu 16.04.
GNU gdb (Ubuntu 7.11.1-0ubuntu1~16.5) 7.11.1
Copyright (C) 2016 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law. Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
<http://www.gnu.org/software/gdb/documentation/>.
For help, type "help".
Type "apropos word" to search for commands related to "word".
Attaching to process 12657
Reading symbols from /home/bob/Desktop/ctf/1/sytx...(no debugging symbols found)...done.
Reading symbols from ./libc-2.23.so...(no debugging symbols found)...done.
Reading symbols from /lib64/ld-linux-x86-64.so.2...Reading symbols from /usr/lib/debug//lib/x86_64-linux-gnu/ld-2.23.so...done.
done.
0x00007fd31b4d8260 in read () from ./libc-2.23.so
(gdb) heap
Python Exception <class 'AttributeError'> 'NoneType' object has no attribute 'address':
Error occurred in Python command: 'NoneType' object has no attribute 'address'
(gdb) fastbins
Python Exception <class 'AttributeError'> 'NoneType' object has no attribute 'address':
Error occurred in Python command: 'NoneType' object has no attribute 'address'
(gdb) heap -h
heapls Print a flat listing of all chunks in an arena
fastbins [#] Print all fast bins, or only a single fast bin
smallbins [#] Print all small bins, or only a single small bin
freebins Print compact bin listing (only free chunks)
heaplsc Print compact arena listing (all chunks)
mstats Print memory alloc statistics similar to malloc_stats(3)
(gdb) heapls
Python Exception <class 'AttributeError'> 'NoneType' object has no attribute 'address':
Error occurred in Python command: 'NoneType' object has no attribute 'address'
(gdb)
I installed via the instructions in the installation guide and also changed ~/.local/lib/python3.5/site-packages/libheap/libheap.cfg to 2.23, which is my installed libc version, but I still get this issue:
gdb-peda$ heapls
[!] No gdb frame is currently selected.
Python Exception <class 'gdb.error'> Cannot find thread-local storage for process 20952, shared library /lib/x86_64-linux-gnu/libc.so.6:
Cannot find thread-local variables on this target:
Error occurred in Python command: Cannot find thread-local storage for process 20952, shared library /lib/x86_64-linux-gnu/libc.so.6:
Cannot find thread-local variables on this target
➜ /home apt-cache policy libc6
libc6:
Installed: 2.23-0ubuntu7
Candidate: 2.23-0ubuntu7
Version table:
*** 2.23-0ubuntu7 500
500 http://us.archive.ubuntu.com/ubuntu xenial-updates/main amd64 Packages
500 http://security.ubuntu.com/ubuntu xenial-security/main amd64 Packages
100 /var/lib/dpkg/status
2.23-0ubuntu3 500
500 http://us.archive.ubuntu.com/ubuntu xenial/main amd64 Packages
I am running this on Ubuntu 16.04 Xenial 64-bit.
Any suggestions on how I can fix this?
Help me fix this error! I can't; it's not working.
gdb (Ubuntu 7.7.1-0ubuntu5~14.04.2)
(gdb) heap
Python Exception <class 'AttributeError'> 'NoneType' object has no attribute 'address':
Error occurred in Python command: 'NoneType' object has no attribute 'address'
For help, type "help".
Type "apropos word" to search for commands related to "word"...
Traceback (most recent call last):
File "<string>", line 1, in <module>
File "/usr/local/lib/python2.7/dist-packages/libheap/__init__.py", line 1, in <module>
from libheap.pyptmalloc import pyptmalloc
ImportError: No module named pyptmalloc
/home/xing/.gdbinit:5: Error in sourced command file:
Error while executing Python code.
Reading symbols from ./hungman...(no debugging symbols found)...done.
(gdb) heap -a
[!] No debugee could be found. Attach or start a program.
Python Exception <type 'exceptions.SystemExit'> None:
Error occurred in Python command: None
(gdb) q
How do I fix it?
Not sure if you think this is an important issue, but when a double free is done, for example in fastbins, using the command fastbins causes an infinite loop of printing the chunks.
fastbins
[ fb 0 ] 0x7ffff7dd1b28 -> [ 0x603410 ] (32)
[ 0x603430 ] (32)
[ 0x603410 ] (32)
[ 0x603430 ] (32)
[ 0x603410 ] (32)
[ 0x603430 ] (32)
[ 0x603410 ] (32)
....
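The looping output above is what a walker produces when it follows fd pointers blindly after a double free: the two chunks point at each other, so the list never reaches a NULL fd. Below is an added example (my code, not libheap's) of how such a walk can be made safe. It mimics what the fastbins command does, over a constructed 64-bit heap image instead of live gdb memory: it stops at the first chunk seen twice, checks that every chunk carries the bin's size, and can also reveal the XOR-masked fd pointers that glibc 2.32 and later store (safe-linking), which goes beyond the glibc 2.23 layout in the report. The addresses 0x603410 and 0x603430 come from the report; the image contents, the base address and the bin head value are constructed.

```python
import struct

# x86-64 ptmalloc constants; the three low bits of the size field are flags
SIZE_SZ = 8
PREV_INUSE, IS_MMAPPED, NON_MAIN_ARENA = 0x1, 0x2, 0x4
SIZE_BITS = PREV_INUSE | IS_MMAPPED | NON_MAIN_ARENA


def chunksize(size_field):
    """glibc's chunksize(): strip the flag bits from a chunk's size field."""
    return size_field & ~SIZE_BITS


def protect_ptr(pos, ptr):
    """glibc >= 2.32 safe-linking (PROTECT_PTR and REVEAL_PTR are the same XOR).
    pos is the address of the fd slot that holds the pointer."""
    return (pos >> 12) ^ ptr


def build_image(base, length, chunks):
    """Constructed heap image (not a real process dump).
    chunks maps chunk address -> (size_field, fd) for freed fastbin chunks."""
    buf = bytearray(length)
    for addr, (size_field, fd) in chunks.items():
        # layout is prev_size | size | fd, so size and fd sit at +8 and +16
        struct.pack_into("<QQ", buf, addr - base + SIZE_SZ, size_field, fd)
    return bytes(buf)


def walk_fastbin(mem, base, head, bin_size, safe_link=False, limit=64):
    """Follow the singly linked fastbin whose head (arena->fastbinsY[i]) is
    `head`. Returns (chunks_in_list_order, cycle_addr): cycle_addr is the
    first chunk reached twice, i.e. a chunk freed twice into this bin, or
    None when the list ends with a NULL fd as it should."""
    seen, order, p = set(), [], head
    while p != 0:
        if p in seen:
            return order, p
        if len(order) >= limit:
            raise ValueError("fastbin longer than %d entries" % limit)
        off = p - base
        if off < 0 or off + 3 * SIZE_SZ > len(mem):
            raise ValueError("fd 0x%x points outside the captured image" % p)
        size_field, fd = struct.unpack_from("<QQ", mem, off + SIZE_SZ)
        if chunksize(size_field) != bin_size:
            raise ValueError("chunk 0x%x has size 0x%x, bin expects 0x%x"
                             % (p, chunksize(size_field), bin_size))
        seen.add(p)
        order.append(p)
        # On glibc >= 2.32 the stored fd is masked with (&fd >> 12) and must be
        # revealed before it can be followed; older glibc stores it raw.
        p = protect_ptr(p + 2 * SIZE_SZ, fd) if safe_link else fd
    return order, None


# Constructed image of the state in the report: two 0x20-byte chunks freed into
# fastbin 0 so that 0x603410 -> 0x603430 -> 0x603410 -> ... (glibc 2.23 layout)
BASE = 0x603400
DOUBLE_FREE = build_image(BASE, 0x100, {
    0x603410: (0x21, 0x603430),   # size 0x20 | PREV_INUSE, fd -> 0x603430
    0x603430: (0x21, 0x603410),   # size 0x20 | PREV_INUSE, fd -> 0x603410
})
FASTBIN0_HEAD = 0x603410          # assumed value of main_arena.fastbinsY[0]


def demo():
    order, cycle = walk_fastbin(DOUBLE_FREE, BASE, FASTBIN0_HEAD, bin_size=0x20)
    for addr in order:
        print("[ 0x%x ] (32)" % addr)
    if cycle is not None:
        print("[!] 0x%x is linked twice: double free into this fastbin" % cycle)
    return order, cycle


if __name__ == "__main__":
    demo()
```

The same `seen` set is all a live walker needs: each chunk address is visited at most once, so a corrupted bin prints its members once and then a single warning instead of scrolling forever. The size check catches the other common corruption, a chunk linked into a bin of the wrong size class.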
I followed the installation steps. I can import libheap in python but not in gdb.
>>> from libheap import *
Not running inside of GDB, exiting...
gdb-peda$ python from libheap import *
Traceback (most recent call last):
File "<string>", line 1, in <module>
ImportError: No module named 'libheap'
Error while executing Python code.
Found solution in #11.
glibc version is 2.27. When I use it, I get "'NoneType' object has no attribute 'address'".
During debug, I find something inconsistent when referring to this flow graph of heap.
It seems the "Yes/No" option in the first branch of SYSMALLOC should be swapped,
according to glibc source.
https://github.com/lattera/glibc/blob/master/malloc/malloc.c#L2279
(This glibc version is old. But just for reference)
Ubuntu 16.04.3
Running the command in gdb:
Python Exception <class 'AttributeError'> 'NoneType' object has no attribute 'address':
Error occurred in Python command: 'NoneType' object has no attribute 'address'
Help me!
Hey,
I came across a weird behavior today: libheap was throwing this error
Python Exception <class 'AttributeError'> 'NoneType' object has no attribute 'address':
Error occurred in Python command: 'NoneType' object has no attribute 'address'
while it works properly for all other binaries except one particular binary that I am trying to reverse.
I have installed libc6-dbg , libc6-dbg:i386
Any suggestions on how I can fix this?
I don't know how to properly use the functions available from libheap. So I tried to get a chunk size using one of the features, chunksize(p), and I got this:
Traceback (most recent call last):
File "<string>", line 1, in <module>
File "/usr/lib/python3.5/libheap.py", line 75, in chunksize
return (p.size & ~SIZE_BITS)
AttributeError: 'int' object has no attribute 'size'
Error while executing Python code.
In fact, there are a lot of other functions which trigger the same exception, such as no attribute fd or size. Plus, when I tried another example from the README.md, p *(mchunkptr) 0x804b000:
Python Exception <class 'TypeError'> non-empty format string passed to object.__format__:
$1 =
print_mstats:
==================================Malloc Stats==================================
Python Exception <class 'TypeError'> %x format: an integer is required, not gdb.Value:
Error occurred in Python command: %x format: an integer is required, not gdb.Value
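Two of the reports above touch the same mechanics: the "found arena" report includes an x/40wx dump of a 32-bit heap that heapls failed to list, and the question here calls chunksize(p) with an int, which fails because chunksize operates on a chunk's raw size field (what gdb reads as p.size), not on an address. The following is an added example (my code, not libheap's) that does the listing offline: it parses that x/40wx output, applies chunksize() and the flag bits to each header, and walks chunk to chunk the way heapls does. The dump is copied from the report; the header walk assumes the classic i386 layout (4-byte SIZE_SZ, 8-byte alignment) and stops where the capture ends.

```python
import struct
from dataclasses import dataclass

# ptmalloc flag bits in the size field (same values on i386 and x86-64)
PREV_INUSE, IS_MMAPPED, NON_MAIN_ARENA = 0x1, 0x2, 0x4
SIZE_BITS = PREV_INUSE | IS_MMAPPED | NON_MAIN_ARENA


def chunksize(size_field):
    """glibc's chunksize(): takes the raw size field of a malloc_chunk (an
    integer read from memory), not the chunk's address, and masks the flags."""
    return size_field & ~SIZE_BITS


@dataclass
class Chunk:
    addr: int
    size: int            # chunksize(): flag bits removed
    prev_inuse: bool
    mmapped: bool
    non_main_arena: bool
    truncated: bool      # chunk body runs past the end of the captured dump


def parse_x_wx(text):
    """Parse gdb `x/Nwx` output (4-byte little-endian words) into (base, bytes)."""
    base, expect, words = None, None, []
    for line in text.strip().splitlines():
        addr_s, rest = line.split(":", 1)
        addr = int(addr_s, 16)
        if base is None:
            base = addr
        elif addr != expect:
            raise ValueError("dump not contiguous at 0x%x" % addr)
        vals = [int(w, 16) for w in rest.split()]
        words.extend(vals)
        expect = addr + 4 * len(vals)
    return base, struct.pack("<%dI" % len(words), *words)


def walk_chunks(mem, base, size_sz=4):
    """Walk chunk headers from `base` like heapls: next chunk = p + chunksize.
    size_sz is 4 for i386 (the dump below) and 8 for x86-64."""
    fmt = "<I" if size_sz == 4 else "<Q"
    min_size, align = 4 * size_sz, 2 * size_sz   # MIN_CHUNK_SIZE, MALLOC_ALIGNMENT
    chunks, p, end = [], base, base + len(mem)
    while p + 2 * size_sz <= end:
        (size_field,) = struct.unpack_from(fmt, mem, p - base + size_sz)
        size = chunksize(size_field)
        if size < min_size or size % align:
            break                      # zeroed memory or a corrupted header
        chunks.append(Chunk(p, size,
                            bool(size_field & PREV_INUSE),
                            bool(size_field & IS_MMAPPED),
                            bool(size_field & NON_MAIN_ARENA),
                            p + size > end))
        p += size
    return chunks


# The `x/40wx 0x0804b000` output from the "found arena" report above
DUMP = """
0x804b000: 0x00000000 0x00000019 0x00000000 0x00000000
0x804b010: 0x00000000 0x00000000 0x00000000 0x00000029
0x804b020: 0x00000000 0x00000000 0x00000000 0x00000000
0x804b030: 0x00000000 0x00000000 0x00000000 0x00000000
0x804b040: 0x00000000 0x00000019 0x0804b000 0x00000000
0x804b050: 0x00000000 0x00000000 0x00000000 0x00000029
0x804b060: 0x0804b018 0x00000000 0x00000000 0x00000000
0x804b070: 0x00000000 0x00000000 0x00000000 0x00000000
0x804b080: 0x00000000 0x00000409 0x67617453 0x00372065
0x804b090: 0x00000000 0x00000000 0x00000000 0x00000000
"""


def heapls(text=DUMP):
    """Print a heapls-style listing for a dump and return the chunks."""
    base, mem = parse_x_wx(text)
    chunks = walk_chunks(mem, base)
    print("%-10s %-6s %s" % ("ADDR", "SIZE", "FLAGS"))
    for c in chunks:
        flags = "".join(f for f, on in (("P", c.prev_inuse), ("M", c.mmapped),
                                          ("A", c.non_main_arena)) if on)
        tail = " (continues past dump)" if c.truncated else ""
        print("0x%-8x 0x%-4x %s%s" % (c.addr, c.size, flags, tail))
    return chunks


if __name__ == "__main__":
    heapls()
```

On the dump from the report this yields five chunks, 0x804b000, 0x804b018, 0x804b040, 0x804b058 and 0x804b080, with sizes 0x18, 0x28, 0x18, 0x28 and 0x408, all with PREV_INUSE set; the 0x408 chunk is cut off by the 160-byte capture, so a real heapls needs the top chunk (arena->top) to know where to stop. In gdb the equivalent of chunksize(p) is to hand the function a malloc_chunk value, e.g. the result of gdb.parse_and_eval("*(mchunkptr) 0x804b000"), rather than the address as a Python int.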
I am wondering how to force gdb to use a virtualenv.
$ workon libheap
$ gdb
gdb-peda$ python from libheap import *
Traceback (most recent call last):
File "<string>", line 1, in <module>
ImportError: No module named 'libheap'
Error while executing Python code.
gdb-peda$ quit
$ python
>>> import libheap.py
Not running inside of GDB, exiting...
On Arch Linux I'm getting the following error when running heap
:
Python Exception <class 'TypeError'> %x format: an integer is required, not gdb.Value:
Error occurred in Python command: %x format: an integer is required, not gdb.Value
Debugging showed this line as throwing the exception:
print("\t arena @ 0x%x" % \
ar_ptr.address.cast(gdb.lookup_type("unsigned long")))
(the exception handler throws the same exception)
I've used this library before and this wasn't happening, so I think it happened when either gdb (version 7.11) or python3 (version 3.5.1) updated. I found the fix here, which is to wrap the gdb.Value in a call to int.
Hey,
I really like the heap flowchart you've made, and it's the only good chart I can find. I'm working with later versions of glibc that have increased their heap corruption checks and I'd love to extend the chart. Do you still have the source file for the flowchart? So I can move boxes around and add new ones. I'm currently just using a drawing tool to annotate the .png and it's getting really cluttered.
Thanks!
"The code needs a complete refactoring to fix this."
If I want it to work on my Ubuntu 16.04 with glibc version 2.23, how should I refactor it to make it work?
After the modification of the printing utils, I found this version couldn't work well with peda. I used to use source libheap.py in my .gdbinit, but it interfered with peda and messed up the colored printing.
Hi!
I would like to know how to make libheap work on Arch Linux.
There is no libc6-dbg package and I can't find the equivalent for Arch Linux...
Thanks
Not sure if this is a bug or me just not understanding something, but I keep seeing output like:
sbrk_base 0x601000
chunk 0x601000 0x410 (inuse)
chunk 0x601410 0x20bf0 (top)
sbrk_end 0x601000
when running heap -l. Note that sbrk_base is the same as sbrk_end. I'm using Arch Linux, but a friend tested it out on Ubuntu and had the same issue. Can you replicate this?