shadow: jemalloc heap exploitation framework
shadow :: De Mysteriis Dom jemalloc
shadow is a jemalloc heap exploitation framework. It has been designed to be agnostic of the target application that uses jemalloc as its heap allocator (be it Android’s libc, Firefox, FreeBSD’s libc, standalone jemalloc, or whatever else). The current version (2.0) has been tested extensively with the following targets:
- Android 6 and 7 libc (ARM32 and ARM64)
- Firefox (x86 and x86-64) on Windows and Linux
Apart from the tool’s source code, this repository also includes documentation on setting up an Android userland debugging environment for utilizing shadow, a quick overview of Android’s jemalloc structures using shadow, and some notes on how double, unaligned and arbitrary free() bugs behave on Android’s jemalloc.
When you issue a jemalloc-specific command for the first time, shadow parses all the jemalloc metadata it knows about and saves it to a Python pickle file. Subsequent commands read this pickle file instead of parsing the metadata from memory again, which makes them faster.
When you know that the state of jemalloc metadata has changed (for example when you have made some allocations or have triggered a garbage collection), use the jeparse command to re-parse the metadata and re-create the pickle file.
The first step is to install pyrsistence on your host machine.
On a rooted device do the following:
From the output of ps, select a process, for example com.google.process.gapps:
You can find GDB server binaries for ARM32 and ARM64 in the “bin” directory. Or, if you don’t trust us, do:
Then on the host machine do:
Sometimes GDB server stops listening if you take too long to issue the target remote :5039 command. So if you see weird errors when you issue the jeparse command, just start again from the beginning.
shadow for Windows/Firefox has been tested with the following:
- Windows 8.1 and 10 x86-64
- Windows 7 SP1 x86 and x86-64
- Various versions of WinDBG
- pykd version 0.3.2.8
- Many different Firefox releases (both x86-64 and x86), including the latest stable one (55.0)
Note: If you work with a Firefox version older than 36.0 use the mozjs branch!
First you need to set up WinDBG with [Mozilla’s symbol server](https://developer.mozilla.org/en/docs/Using_the_Mozilla_symbol_server). You also need to install pykd. Then copy the shadow directory you have cloned from GitHub to some path (e.g. C:\tmp\).
You can also find an example WinDBG initialization script in the file “windbg-init.cmd”. Place it at C:\tmp\ and start WinDBG with windbg.exe -c "$$>< C:\tmp\windbg-init.cmd".
Finally, from within WinDBG issue the following commands: