mirror of
https://github.com/nganhkhoa/CTF-All-In-One.git
synced 2024-12-25 11:41:16 +07:00
66 lines
2.4 KiB
Markdown
66 lines
2.4 KiB
Markdown
# 1.5.11 jemalloc
|
||
|
||
- [简介](#简介)
|
||
- [编译安装](#编译安装)
|
||
- [jemalloc 详解](#jemalloc-详解)
|
||
- [数据结构](#数据结构)
|
||
- [利用技术](#利用技术)
|
||
- [CTF 实例](#ctf-实例)
|
||
- [参考资料](#参考资料)
|
||
|
||
|
||
## 简介
|
||
jemalloc 是 Facebook 推出的一种通用 malloc 实现,在 FreeBSD、firefox 中被广泛使用。比起 ptmalloc2 具有更高的性能。
|
||
|
||
|
||
## 编译安装
|
||
我们来编译一个带调试信息的 jemalloc(注:4.x和5.x之间似乎差别比较大):
|
||
```
|
||
$ wget https://github.com/jemalloc/jemalloc/releases/download/5.0.1/jemalloc-5.0.1.tar.bz2
|
||
$ tar -xjvf jemalloc-5.0.1.tar.bz2
|
||
$ cd jemalloc-5.0.1
|
||
$ ./configure --prefix=/usr/local/jemalloc --enable-debug
|
||
$ make -j4 && sudo make install
|
||
```
|
||
接下来修改链接信息:
|
||
```
|
||
# echo /usr/local/jemalloc/ >> /etc/ld.so.conf.d/jemalloc.conf
|
||
# ldconfig
|
||
```
|
||
当我们想要在编译程序时指定 jemalloc 时可以像下面这样:
|
||
```
|
||
$ gcc -L/usr/local/jemalloc/lib -Wl,--rpath=/usr/local/jemalloc/lib -ljemalloc test.c
|
||
$ ldd a.out
|
||
linux-vdso.so.1 (0x00007fff69b62000)
|
||
libjemalloc.so.2 => /usr/local/jemalloc/lib/libjemalloc.so.2 (0x00007f744483b000)
|
||
libc.so.6 => /usr/lib/libc.so.6 (0x00007f744447f000)
|
||
libm.so.6 => /usr/lib/libm.so.6 (0x00007f74440ea000)
|
||
libstdc++.so.6 => /usr/lib/libstdc++.so.6 (0x00007f7443d61000)
|
||
libpthread.so.0 => /usr/lib/libpthread.so.0 (0x00007f7443b43000)
|
||
libdl.so.2 => /usr/lib/libdl.so.2 (0x00007f744393f000)
|
||
libgcc_s.so.1 => /usr/lib/libgcc_s.so.1 (0x00007f7443727000)
|
||
/lib64/ld-linux-x86-64.so.2 => /usr/lib64/ld-linux-x86-64.so.2 (0x00007f7444f02000)
|
||
```
|
||
可以看到 `libjemalloc.so.2` 已经被链接到程序里了。
|
||
|
||
|
||
## jemalloc 详解
|
||
我们以 jemalloc-4.5.0 版本来讲解。
|
||
|
||
#### 数据结构
|
||
|
||
|
||
## 利用技术
|
||
|
||
## CTF 实例
|
||
查看章节 6.1.29、6.1.34。
|
||
|
||
|
||
## 参考资料
|
||
- http://jemalloc.net/
|
||
- [Pseudomonarchia jemallocum](http://phrack.org/issues/68/10.html)
|
||
- [The Shadow over Android](https://census-labs.com/media/shadow-infiltrate-2017.pdf)
|
||
- https://github.com/CENSUS/shadow/
|
||
- [Exploiting VLC - A case study on jemalloc heap overflows](http://phrack.org/issues/68/13.html)
|
||
- [Exploiting the jemalloc Memory Allocator: Owning Firefox's Heap](https://media.blackhat.com/bh-us-12/Briefings/Argyoudis/BH_US_12_Argyroudis_Exploiting_the_%20jemalloc_Memory_%20Allocator_WP.pdf)
|