CTF-All-In-One/doc/1.5.11_jemalloc.md
2018-06-11 14:56:56 +08:00

66 lines
2.4 KiB
Markdown
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

# 1.5.11 jemalloc
- [简介](#简介)
- [编译安装](#编译安装)
- [jemalloc 详解](#jemalloc-详解)
- [数据结构](#数据结构)
- [利用技术](#利用技术)
- [CTF 实例](#ctf-实例)
- [参考资料](#参考资料)
## 简介
jemalloc 是 Facebook 推出的一种通用 malloc 实现,在 FreeBSD、firefox 中被广泛使用。比起 ptmalloc2 具有更高的性能。
## 编译安装
我们来编译一个带调试信息的 jemalloc4.x和5.x之间似乎差别比较大
```
$ wget https://github.com/jemalloc/jemalloc/releases/download/5.0.1/jemalloc-5.0.1.tar.bz2
$ tar -xjvf jemalloc-5.0.1.tar.bz2
$ cd jemalloc-5.0.1
$ ./configure --prefix=/usr/local/jemalloc --enable-debug
$ make -j4 && sudo make install
```
接下来修改链接信息:
```
# echo /usr/local/jemalloc/ >> /etc/ld.so.conf.d/jemalloc.conf
# ldconfig
```
当我们想要在编译程序时指定 jemalloc 时可以像下面这样:
```
$ gcc -L/usr/local/jemalloc/lib -Wl,--rpath=/usr/local/jemalloc/lib -ljemalloc test.c
$ ldd a.out
linux-vdso.so.1 (0x00007fff69b62000)
libjemalloc.so.2 => /usr/local/jemalloc/lib/libjemalloc.so.2 (0x00007f744483b000)
libc.so.6 => /usr/lib/libc.so.6 (0x00007f744447f000)
libm.so.6 => /usr/lib/libm.so.6 (0x00007f74440ea000)
libstdc++.so.6 => /usr/lib/libstdc++.so.6 (0x00007f7443d61000)
libpthread.so.0 => /usr/lib/libpthread.so.0 (0x00007f7443b43000)
libdl.so.2 => /usr/lib/libdl.so.2 (0x00007f744393f000)
libgcc_s.so.1 => /usr/lib/libgcc_s.so.1 (0x00007f7443727000)
/lib64/ld-linux-x86-64.so.2 => /usr/lib64/ld-linux-x86-64.so.2 (0x00007f7444f02000)
```
可以看到 `libjemalloc.so.2` 已经被链接到程序里了。
## jemalloc 详解
我们以 jemalloc-4.5.0 版本来讲解。
#### 数据结构
## 利用技术
## CTF 实例
查看章节 6.1.29、6.1.34。
## 参考资料
- http://jemalloc.net/
- [Pseudomonarchia jemallocum](http://phrack.org/issues/68/10.html)
- [The Shadow over Android](https://census-labs.com/media/shadow-infiltrate-2017.pdf)
- https://github.com/CENSUS/shadow/
- [Exploiting VLC - A case study on jemalloc heap overflows](http://phrack.org/issues/68/13.html)
- [Exploiting the jemalloc Memory Allocator: Owning Firefox's Heap](https://media.blackhat.com/bh-us-12/Briefings/Argyoudis/BH_US_12_Argyroudis_Exploiting_the_%20jemalloc_Memory_%20Allocator_WP.pdf)