
how2heap 1: The first-fit principle

Posted: 2016-04-04 22:50:49


-------------------------------------------
Example code
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

int main()
{
    printf("This file doesn't demonstrate an attack, but shows the nature of glibc's allocator.\n");
    printf("glibc uses a first-fit algorithm to select a free chunk.\n");
    printf("If a chunk is free and large enough, malloc will select this chunk.\n");
    printf("This can be exploited in a use-after-free situation.\n");

    printf("Allocating 2 buffers. They can be large, don't have to be fastbin.\n");
    char* a = malloc(512);
    char* b = malloc(256);   /* keeps a's chunk away from the top chunk so free(a) does not merge into it */
    char* c;

    printf("1st malloc(512): %p\n", a);
    printf("2nd malloc(256): %p\n", b);
    printf("we could continue mallocing here...\n");
    printf("now let's put a string at a that we can read later \"this is A!\"\n");
    strcpy(a, "this is A!");
    printf("first allocation %p points to %s\n", a, a);

    printf("Freeing the first one...\n");
    free(a);   /* a is now a dangling pointer into a free chunk */

    printf("We don't need to free anything again. As long as we allocate less than 512, it will end up at %p\n", a);

    printf("So, let's allocate 500 bytes\n");
    c = malloc(500);   /* first fit: the freed 512-byte chunk is large enough, so it is reused */
    printf("3rd malloc(500): %p\n", c);
    printf("And put a different string here, \"this is C!\"\n");
    strcpy(c, "this is C!");
    printf("3rd allocation %p points to %s\n", c, c);
    printf("first allocation %p points to %s\n", a, a);   /* stale pointer a reads c's data */
    printf("If we reuse the first allocation, it now holds the data from the third allocation.\n");
    return 0;
}
---------------------------------------------
Output
junmoxiao@sky /m/p/H/资/how2heap-master> ./first_fit
This file doesn't demonstrate an attack, but shows the nature of glibc's allocator.
glibc uses a first-fit algorithm to select a free chunk.
If a chunk is free and large enough, malloc will select this chunk.
This can be exploited in a use-after-free situation.
Allocating 2 buffers. They can be large, don't have to be fastbin.
1st malloc(512): 0x16bb010
2nd malloc(256): 0x16bb220
we could continue mallocing here...
now let's put a string at a that we can read later "this is A!"
first allocation 0x16bb010 points to this is A!
Freeing the first one...
We don't need to free anything again. As long as we allocate less than 512, it will end up at 0x16bb010
So, let's allocate 500 bytes
3rd malloc(500): 0x16bb010
And put a different string here, "this is C!"
3rd allocation 0x16bb010 points to this is C!
first allocation 0x16bb010 points to this is C!
If we reuse the first allocation, it now holds the data from the third allocation.
--------------------------------------------
Summary
1. glibc uses a first-fit algorithm to pick a free chunk: if a chunk is free and large enough, malloc will hand it out. This property is what a use-after-free (UAF) exploit relies on: a dangling pointer to the freed chunk ends up aliasing the next allocation that fits.
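The probe below is an added example, not part of the original post or of how2heap. It wraps the page's allocate / free / allocate sequence in a function that reports whether the freed chunk came back and whether the stale pointer now reads the new contents, and runs it twice: once with the page's sizes, and once with sizes above glibc's tcache limit, because since glibc 2.26 a freed 512-byte chunk is parked in a tcache bin that a 500-byte request does not consult, so the page's exact numbers only reproduce on older glibc. The helper names (probe_first_fit, report, fit_result) and the 64-byte neighbour allocation are this example's own choices.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Outcome of one allocate / free / allocate round. */
struct fit_result {
    int reused;          /* 1 if the new request came back at the freed address */
    int stale_sees_new;  /* 1 if the dangling pointer now reads the new data */
};

/* Allocate `first` bytes, pin it with a neighbour so the freed chunk cannot
 * merge into the top chunk, free it, then request `second` bytes (second <= first). */
struct fit_result probe_first_fit(size_t first, size_t second)
{
    struct fit_result r = {0, 0};
    char *a = malloc(first);
    char *b = malloc(64);               /* keeps a's chunk off the top chunk */
    if (!a || !b) { free(a); free(b); return r; }
    strcpy(a, "this is A!");
    free(a);                            /* a is now a dangling pointer */
    char *c = malloc(second);
    if (!c) { free(b); return r; }
    strcpy(c, "this is C!");
    r.reused = (c == a);
    /* Reading through the stale pointer is the UAF; only done when it aliases c. */
    r.stale_sees_new = r.reused && strcmp(a, "this is C!") == 0;
    free(c);
    free(b);
    return r;
}

static void report(const char *label, size_t first, size_t second)
{
    struct fit_result r = probe_first_fit(first, second);
    printf("%s: malloc(%zu), free, malloc(%zu) -> %s\n", label, first, second,
           r.reused ? "same address, stale pointer sees new data" : "different address");
}

int main(void)
{
    /* The page's sizes: glibc < 2.26 hands the 512-byte chunk straight back;
     * glibc >= 2.26 parks it in the tcache bin for 0x210-byte chunks, while a
     * 500-byte request looks in the 0x200 bin, so on a fresh heap it is not reused. */
    report("page sizes", 512, 500);
    /* Above the tcache limit (chunk > 0x410 bytes) the freed chunk goes to the
     * unsorted/large bins and first fit applies on every glibc version. */
    report("beyond tcache", 0x600, 0x500);
    return 0;
}
```

Nulling the pointer right after free(a) is the cheap fix on the defender side, and building with -fsanitize=address turns the stale read in probe_first_fit into an immediate report instead of a silent alias.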

Original post: http://www.cnblogs.com/junmoxiao/p/5353141.html