matrix1001 / heapinspect
🔍Heap analysis tool for CTF pwn.

License: MIT License

Languages: Python 94.21%, C 5.02%, Makefile 0.76%
Topics: python, heap, exploit, pwn, gdbheap, gdb

heapinspect's Introduction

HeapInspect

Pwnning is an art.

HeapInspect is designed to make the heap much prettier.

Now this tool is a plugin of nadbg. Try it!

Features

  • Free of gdb and other requirement
  • Multi glibc support
    • 2.19, 2.23-2.27 (currently tested)
    • both 32bit and 64bit
  • Nice UI to show heap
    • HeapShower (detailed)
    • PrettyPrinter (colorful, summary)
  • Heapdiff (working)
  • Corruption detect & exploit analysis (working)
  • Also support gdb
  • Python2 & Python3 compatible

Usage

Quick shot

A quick use of this tool.

[screenshots, not included in this page: pp1, pp2, raw1, rela1]

You can also use it as a gdb plugin, which is very useful when pwndbg or other plugins fail to analyze the heap.

sed -i "1i source `pwd`/gdbscript.py" ~/.gdbinit # alternatively, you can add that line manually

Note

[screenshots, not included in this page: gdb1, gdb2, gdb3]

Basic

Pretty easy to use. I will make it a package later.

from time import sleep
from heapinspect.core import *

hi = HeapInspector(1234)     # pid of the target process goes here
hs = HeapShower(hi)

print(hs.fastbins)
print(hs.smallbins)
print(hs.largebins)
print(hs.unsortedbins)
print(hs.tcache_chunks)

hs.relative = 1              # relative mode (offsets from heap/libc base), see Quick shot
print(hs.fastbins)

sleep(10)
# now assume that the heap state has changed
hs.update()                  # refresh the snapshot

pp = PrettyPrinter(hi)
print(pp.all)                # colorful summary of all bins
pp.update()                  # refresh the pretty printer

Test

There are some testcases.

heapinspect/tests/ $ python test.py  #this will run all test cases for you to check this tool.

......
......

test case unsortedbins64 at test/testcases/libc-2.27/64bit
pid:6704
=========================           fastbins           =========================
=========================         unsortedbins         =========================
chunk(0x7f9aae2e6720): prev_size=0x0      size=0xb1     fd=0x7f9aacdfbca0  bk=0x7f9aae2e6880
chunk(0x7f9aae2e6880): prev_size=0x0      size=0xb1     fd=0x7f9aae2e6720  bk=0x7f9aacdfbca0
=========================          smallbins           =========================
=========================          largebins           =========================
=========================            tcache            =========================
tcache[9]:
chunk(0x7f9aae2e6670): prev_size=0x0      size=0xb1     fd=0x7f9aae2e65d0  bk=0x0
chunk(0x7f9aae2e65c0): prev_size=0x0      size=0xb1     fd=0x7f9aae2e6520  bk=0x0
chunk(0x7f9aae2e6510): prev_size=0x0      size=0xb1     fd=0x7f9aae2e6470  bk=0x0
chunk(0x7f9aae2e6460): prev_size=0x0      size=0xb1     fd=0x7f9aae2e63c0  bk=0x0
chunk(0x7f9aae2e63b0): prev_size=0x0      size=0xb1     fd=0x7f9aae2e6310  bk=0x0
chunk(0x7f9aae2e6300): prev_size=0x0      size=0xb1     fd=0x7f9aae2e6260  bk=0x0
chunk(0x7f9aae2e6250): prev_size=0x0      size=0xb1     fd=0x0             bk=0x0
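The dump format above can itself be checked for consistency. The following is an added example (my own code, not part of heapinspect): it parses HeapShower-style output, using the test run above as constructed sample data, and verifies the invariants glibc keeps for the unsortedbin (a doubly linked list walked from bk, as the devlog notes: each chunk's bk is the next chunk, whose fd points back, and the last bk returns to the bin header taken from the first chunk's fd) and for a tcache bin (the chunk size maps to the printed index via csize2tidx, each next pointer, printed as fd, is the following chunk's user pointer at chunk + 0x10, the list ends in NULL, and at most seven entries per bin). The 64-bit layout and the corrupted inputs shown in the usage are assumptions of the example; this is the kind of check the "corruption detect" feature aims at.

```python
import re

# Constructed sample input: the HeapShower output quoted in the README's test
# run (libc-2.27, 64-bit), reused verbatim as data for the checker.
SAMPLE_DUMP = """\
=========================         unsortedbins         =========================
chunk(0x7f9aae2e6720): prev_size=0x0      size=0xb1     fd=0x7f9aacdfbca0  bk=0x7f9aae2e6880
chunk(0x7f9aae2e6880): prev_size=0x0      size=0xb1     fd=0x7f9aae2e6720  bk=0x7f9aacdfbca0
=========================            tcache            =========================
tcache[9]:
chunk(0x7f9aae2e6670): prev_size=0x0      size=0xb1     fd=0x7f9aae2e65d0  bk=0x0
chunk(0x7f9aae2e65c0): prev_size=0x0      size=0xb1     fd=0x7f9aae2e6520  bk=0x0
chunk(0x7f9aae2e6510): prev_size=0x0      size=0xb1     fd=0x7f9aae2e6470  bk=0x0
chunk(0x7f9aae2e6460): prev_size=0x0      size=0xb1     fd=0x7f9aae2e63c0  bk=0x0
chunk(0x7f9aae2e63b0): prev_size=0x0      size=0xb1     fd=0x7f9aae2e6310  bk=0x0
chunk(0x7f9aae2e6300): prev_size=0x0      size=0xb1     fd=0x7f9aae2e6260  bk=0x0
chunk(0x7f9aae2e6250): prev_size=0x0      size=0xb1     fd=0x0             bk=0x0
"""

SIZE_T = 8                  # assumption: 64-bit target
ALIGN = 2 * SIZE_T          # MALLOC_ALIGNMENT
MIN_CHUNK = 4 * SIZE_T      # MINSIZE
TCACHE_MAX_COUNT = 7        # default per-bin limit since glibc 2.26

HEADER_RE = re.compile(r"^=+\s+(\w+)\s+=+$")
TCACHE_RE = re.compile(r"^tcache\[(\d+)\]:$")
CHUNK_RE = re.compile(
    r"^chunk\((0x[0-9a-f]+)\):\s+prev_size=(0x[0-9a-f]+)\s+size=(0x[0-9a-f]+)"
    r"\s+fd=(0x[0-9a-f]+)\s+bk=(0x[0-9a-f]+)$")


def decode_size(size_field):
    """Split the raw size word into the real chunk size and its low flag bits."""
    names = ((1, "PREV_INUSE"), (2, "IS_MMAPPED"), (4, "NON_MAIN_ARENA"))
    return size_field & ~7, {name for bit, name in names if size_field & bit}


def csize2tidx(chunk_size):
    """glibc's csize2tidx(): the tcache bin index for a chunk of this size."""
    return (chunk_size - MIN_CHUNK + ALIGN - 1) // ALIGN


def parse_dump(text):
    """Parse HeapShower-style output into {section: [chunk, ...]} with tcache as {idx: [...]}."""
    bins, section, tidx = {}, None, None
    for line in text.splitlines():
        line = line.rstrip()
        m = HEADER_RE.match(line)
        if m:
            section, tidx = m.group(1), None
            bins.setdefault(section, {} if section == "tcache" else [])
            continue
        m = TCACHE_RE.match(line)
        if m and section == "tcache":
            tidx = int(m.group(1))
            bins["tcache"].setdefault(tidx, [])
            continue
        m = CHUNK_RE.match(line)
        if not m or section is None or (section == "tcache" and tidx is None):
            continue
        addr, prev_size, size, fd, bk = (int(x, 16) for x in m.groups())
        chunk = {"addr": addr, "prev_size": prev_size, "size": size, "fd": fd, "bk": bk}
        (bins["tcache"][tidx] if section == "tcache" else bins[section]).append(chunk)
    return bins


def check_doubly_linked(chunks):
    """Bin printed in bk order: cur.bk == next.addr, next.fd == cur.addr, last bk == header."""
    findings = []
    if not chunks:
        return findings
    head = chunks[0]["fd"]   # the first chunk's fd is the bin header inside the arena
    for cur, nxt in zip(chunks, chunks[1:]):
        if cur["bk"] != nxt["addr"]:
            findings.append("chunk 0x%x: bk=0x%x, expected next chunk 0x%x" % (cur["addr"], cur["bk"], nxt["addr"]))
        if nxt["fd"] != cur["addr"]:
            findings.append("chunk 0x%x: fd=0x%x, expected previous chunk 0x%x" % (nxt["addr"], nxt["fd"], cur["addr"]))
    if chunks[-1]["bk"] != head:
        findings.append("chunk 0x%x: bk=0x%x does not return to bin header 0x%x" % (chunks[-1]["addr"], chunks[-1]["bk"], head))
    return findings


def check_tcache(idx, chunks):
    """Tcache bin: size matches idx, next (printed as fd) is the following user pointer, ends in 0."""
    findings = []
    if len(chunks) > TCACHE_MAX_COUNT:
        findings.append("tcache[%d]: %d entries exceed TCACHE_MAX_COUNT" % (idx, len(chunks)))
    for i, cur in enumerate(chunks):
        size, _flags = decode_size(cur["size"])
        if csize2tidx(size) != idx:
            findings.append("chunk 0x%x: size 0x%x belongs in tcache[%d], not tcache[%d]" % (cur["addr"], size, csize2tidx(size), idx))
        expected = chunks[i + 1]["addr"] + 2 * SIZE_T if i + 1 < len(chunks) else 0
        if cur["fd"] != expected:
            findings.append("chunk 0x%x: next=0x%x, expected 0x%x" % (cur["addr"], cur["fd"], expected))
    return findings


def audit(text):
    """Run every check over a dump; an empty list means the printed bins are self-consistent."""
    bins = parse_dump(text)
    findings = check_doubly_linked(bins.get("unsortedbins", []))
    for idx, chunks in sorted(bins.get("tcache", {}).items()):
        findings += check_tcache(idx, chunks)
    return findings


if __name__ == "__main__":
    for line in audit(SAMPLE_DUMP) or ["no inconsistencies found"]:
        print(line)
```

Feeding the sample through audit() reports nothing, which confirms the relations the dump encodes: 0xb1 is a 0xb0 chunk with PREV_INUSE set, 0xb0 lands in tcache[9], and every tcache next pointer is the following chunk plus 0x10. Overwriting one bk or one next pointer in the sample (for instance with a constructed value like 0x4141414141414141) produces exactly one finding naming the chunk, which is the signal a corruption detector would surface.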

Docs

Detailed docstrings have been written into the source code.

I have built a sphinx doc in docs. Just open docs/build/html/index.html with your browser.

Devlog

2020/5/11 Version 0.1.4

  • python3 support

2018/12/10 Version 0.1.3

  • add support for gdb

2018/11/6 version 0.1.2

docs update.

  • update sphinx docs
  • reshape file structure

2018/11/5 version 0.1.1

not a functional update.

  • PEP8
  • docstrings
  • performance update

2018/10/31 version 0.1.0

first release

  • better cmdline option

2018/10/30 version 0.0.8

next version will be a release.

  • CRLF to LF
  • code refine
  • readme refine
  • pretty printer

2018/10/29 version 0.0.7

  • auto test
  • code refine

2018/10/27 version 0.0.6

this is not a stable version. I'm trying to fix bugs due to different glibc versions. I need help to test this.

  • add multi libc support
  • add x86 support

2018/10/26 version 0.0.5

next version will add multi libc support. heapdiff and heap check will be added later.

  • HeapShower
  • relative heap & libc offset showing
  • fix search loop bug
  • bins now search from bk instead of fd, as the manner of glibc

2018/10/24 version 0.0.4

  • HeapRecoder, I will make a heapdiff
  • smallbins and largebins

2018/10/23 version 0.0.3

  • fastbin prototype
  • unsortedbin prototype
  • bins prototype
  • tcache prototype

2018/10/22 version 0.0.2

  • add C_Struct to handle c structure

2018/10/19 version 0.0.1

  • add class HeapInspector
  • trying to parse more information of arena

2018/10/18 version 0.0.0

  • add class Proc in proc_util
  • experimental test in test.py

heapinspect's People

Contributors

imgbotapp, kirito0oo, matrix1001


heapinspect's Issues

OverflowError: Python int too large to convert to C long

When using Heapinspect.py there is no error at first, but after it has run for a while and the operations add up, it reports the following error after one particular operation.

Traceback (most recent call last):
  File "HeapInspect.py", line 55, in
    pp = PrettyPrinter(hi)
  File "/home/leo/Desktop/CTF/heapinspect/heapinspect/layout.py", line 176, in __init__
    self.record = hi.record
  File "/home/leo/Desktop/CTF/heapinspect/heapinspect/core.py", line 310, in record
    return HeapRecord(self)
  File "/home/leo/Desktop/CTF/heapinspect/heapinspect/core.py", line 336, in __init__
    self.unsortedbins = hi.unsortedbins
  File "/home/leo/Desktop/CTF/heapinspect/heapinspect/core.py", line 253, in unsortedbins
    result = self.bins(0, 1)
  File "/home/leo/Desktop/CTF/heapinspect/heapinspect/core.py", line 283, in bins
    self.proc.read(chunk_ptr, chunk_size),
  File "/home/leo/Desktop/CTF/heapinspect/heapinspect/proc.py", line 296, in read
    f.seek(addr)
OverflowError: Python int too large to convert to C long

No LICENSE file

There is no license included in this code, which makes it hard for others to use. I recommend adding a LICENSE file, with the license of your choice. Learn more at http://choosealicense.com.

I personally recommend the MIT License.

Does heapinspect work for a core file ?

Using gdb with heapinspect plugin, I got the following error:
(gdb) hi heap
Python Exception <class 'FileNotFoundError'> [Errno 2] No such file or directory: '/proc/1251943/exe':
Error occurred in Python command: [Errno 2] No such file or directory: '/proc/1251943/exe'

If it does work for a core file, how to inspect heap for a core file ?

come across a "OSError: [Errno 13] Permission denied"

Hi, matrix1001. I'm trying to use heapinspect to practice pwn.
When I try to use it in pwndocker, I get "OSError: [Errno 13] Permission denied".
url of pwndocker:

https://github.com/skysider/pwndocker

How I run the docker:

docker run -it --rm -v /root:/ctf/work --cap-add=SYS_PTRACE skysider/pwndocker 

and the error info:

root@c83c5dbb35eb:/ctf/work# python HeapInspect.py 48
Traceback (most recent call last):
  File "HeapInspect.py", line 34, in <module>
    hi = HeapInspector(pid)
  File "/ctf/work/heapinspect/core.py", line 93, in __init__
    libc_info = get_libc_info(self.libc_path)
  File "/ctf/work/heapinspect/libc.py", line 133, in get_libc_info
    info.update(get_arena_info(libc_path, size_t))
  File "/ctf/work/heapinspect/libc.py", line 79, in get_arena_info
    result = subprocess.check_output(command.split())
  File "/usr/lib/python2.7/subprocess.py", line 567, in check_output
    process = Popen(stdout=PIPE, *popenargs, **kwargs)
  File "/usr/lib/python2.7/subprocess.py", line 711, in __init__
    errread, errwrite)
  File "/usr/lib/python2.7/subprocess.py", line 1343, in _execute_child
    raise child_exception
OSError: [Errno 13] Permission denied

would you please tell me how to solve this problem?
thanks a lot : )

<class 'UnicodeDecodeError'> 'utf-8' codec can't decode byte

/proc/*/maps are not utf-8 encoded files

https://github.com/matrix1001/heapinspect/blob/master/heapinspect/proc.py#L23
https://github.com/matrix1001/heapinspect/blob/master/heapinspect/proc.py#L104
https://github.com/matrix1001/heapinspect/blob/master/heapinspect/proc.py#L295

217gdb> hi tcache
Python Exception <class 'UnicodeDecodeError'> 'utf-8' codec can't decode byte 0xb8 in position 40: invalid start byte: 
Error occurred in Python command: 'utf-8' codec can't decode byte 0xb8 in position 40: invalid start byte
➜  ~ locale  
LANG=en_US.UTF-8
LANGUAGE=
LC_CTYPE=en_US.UTF-8
LC_NUMERIC="en_US.UTF-8"
LC_TIME="en_US.UTF-8"
LC_COLLATE="en_US.UTF-8"
LC_MONETARY="en_US.UTF-8"
LC_MESSAGES="en_US.UTF-8"
LC_PAPER="en_US.UTF-8"
LC_NAME="en_US.UTF-8"
LC_ADDRESS="en_US.UTF-8"
LC_TELEPHONE="en_US.UTF-8"
LC_MEASUREMENT="en_US.UTF-8"
LC_IDENTIFICATION="en_US.UTF-8"
LC_ALL=
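Both the OverflowError traceback reported in an earlier issue and this UnicodeDecodeError come from the same two operations: reading /proc/<pid>/maps and seeking in /proc/<pid>/mem. The added example below (my own code, not heapinspect's; the maps content is a constructed sample, not from a real process) reads maps as bytes and decodes the pathname column with surrogateescape so a non-UTF-8 filename cannot raise, and validates an address against the mapping table and the 63-bit offset limit before any seek or pread, so a corrupted chunk pointer produces a clear ValueError instead of "Python int too large to convert to C long" or an EIO from the mem file. read_mem() needs a live pid and permission to read that process's memory; the other functions work on the sample alone.

```python
import os
import re

# Constructed sample of /proc/<pid>/maps (not captured from a real process);
# kept as bytes because the pathname column is raw and not guaranteed UTF-8.
SAMPLE_MAPS = b"""\
00400000-00401000 r--p 00000000 08:01 1234                       /ctf/work/demo
00401000-00402000 r-xp 00001000 08:01 1234                       /ctf/work/demo
00402000-00403000 ---p 00002000 08:01 1234                       /ctf/work/demo
01e3c000-01e5d000 rw-p 00000000 00:00 0                          [heap]
7f9aacc13000-7f9aacdfa000 r-xp 00000000 08:01 5678               /lib/x86_64-linux-gnu/libc-2.27.so
7f9aae2e6000-7f9aae307000 rw-p 00000000 00:00 0                  /tmp/\xb8\xe2\x84\x91
7ffd3a1f2000-7ffd3a213000 rw-p 00000000 00:00 0                  [stack]
"""

MAPS_RE = re.compile(rb"^([0-9a-f]+)-([0-9a-f]+) (\S{4}) (\S+) (\S+) (\d+)\s*(.*)$")
OFF_T_MAX = 2 ** 63 - 1   # largest offset f.seek()/os.pread() accept on a 64-bit build


def parse_maps(data):
    """Parse /proc/<pid>/maps bytes into a list of mapping dicts."""
    maps = []
    for line in data.splitlines():
        m = MAPS_RE.match(line)
        if not m:
            continue
        start, end, perms, _offset, _dev, _inode, path = m.groups()
        maps.append({
            "start": int(start, 16),
            "end": int(end, 16),
            "perms": perms.decode("ascii"),
            # surrogateescape keeps undecodable bytes reversible instead of raising
            "path": path.decode("utf-8", "surrogateescape"),
        })
    return maps


def find_mapping(maps, addr, length):
    """Return the mapping that fully contains [addr, addr + length), else None."""
    for mp in maps:
        if mp["start"] <= addr and addr + length <= mp["end"]:
            return mp
    return None


def check_readable(maps, addr, length):
    """Raise ValueError with a useful message instead of letting the read fail later."""
    if addr < 0 or addr + length - 1 > OFF_T_MAX:
        raise ValueError("address 0x%x is outside the 63-bit offset range (corrupted pointer?)" % addr)
    mp = find_mapping(maps, addr, length)
    if mp is None:
        raise ValueError("0x%x..0x%x is not inside a single mapping" % (addr, addr + length))
    if "r" not in mp["perms"]:
        raise ValueError("0x%x lies in a %s mapping (%s)" % (addr, mp["perms"], mp["path"]))
    return mp


def is_readable(maps, addr, length):
    """Boolean form of check_readable() for callers that want to skip bad chunks."""
    try:
        check_readable(maps, addr, length)
        return True
    except ValueError:
        return False


def read_mem(pid, addr, length):
    """Read process memory only after validating the range against its maps file."""
    with open("/proc/%d/maps" % pid, "rb") as f:
        maps = parse_maps(f.read())
    check_readable(maps, addr, length)
    fd = os.open("/proc/%d/mem" % pid, os.O_RDONLY)
    try:
        return os.pread(fd, length, addr)   # pread avoids a separate seek() call
    finally:
        os.close(fd)
```

With the sample, an address inside [heap] validates, while 0xffffffffffffffff (a typical corrupted pointer value), an unmapped address, a range straddling the end of a mapping, and an address inside the ---p guard page each fail with a message naming the cause; a bin walker that wraps every chunk read this way reports the corruption instead of crashing mid-dump.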

Does this work for other allocators?

It seems that glibc is being referred to in the README file. Does this mean that the library only works for ptmalloc2?
I believe a heap-diff doesn't need any priors, but the size, next, prev etc are very related to the allocator.
