HITCON-training-lab 10 hacknote
This challenge is the simplest form of UAF exploitation.
Heap chunk layout after add_note creates note0 and note1:
0x80b4000 FASTBIN { //note0
prev_size = 0,
size = 17,
fd = 0x804865b <print_note_content>, //put
bk = 0x80b4018, //content
fd_nextsize = 0x0,
bk_nextsize = 0x19
}
0x80b4010 FASTBIN { //note0.content_chunk
prev_size = 0,
size = 25,
fd = 0x61616161,
bk = 0xa,
fd_nextsize = 0x0,
bk_nextsize = 0x0
}
0x80b4028 FASTBIN { //note1
prev_size = 0,
size = 17,
fd = 0x804865b <print_note_content>,
bk = 0x80b4040, //content
fd_nextsize = 0x0,
bk_nextsize = 0x19
}
0x80b4038 FASTBIN { //note1.content_chunk
prev_size = 0,
size = 25,
fd = 0x62626262,
bk = 0xa,
fd_nextsize = 0x0,
bk_nextsize = 0x0
}
After del_note(0) and del_note(1), the fastbins look like this:
16bytes_chunk:note1_chunk->note0_chunk
24bytes_chunk:note1.content_chunk->note0.content_chunk
Now, if we create a note2 with a content size of 8, note2 itself is allocated into note1_chunk and note2.content is allocated into note0_chunk. Since the content of note2 is user-supplied at creation, note2 gives us control over note0's entire struct, and because the pointer is not cleared after free, there exists
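The defect the write-up relies on is the delete routine freeing both chunks while leaving the slot pointer in place. The following is an added example, not code from the HITCON training binary: it reconstructs the note struct the heap dump shows (a put function pointer followed by a content pointer; on the 32-bit build that is 8 bytes, hence the 0x11-sized chunk) and places a delete that leaves the slot dangling next to a hardened delete that clears the slot, with a print routine that refuses a cleared slot. The helper names add_note, del_note_vuln, del_note_fixed, print_note and the MAX_NOTES limit are assumptions for this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>

/* Note layout as described in the write-up: a function pointer followed by
 * a pointer to a separately allocated content buffer. */
struct note {
    void (*put)(struct note *);
    char *content;
};

#define MAX_NOTES 5   /* assumed table size for this example */

static void print_note_content(struct note *n) {
    puts(n->content);
}

/* Constructed add_note: allocate the note struct and its content buffer. */
static int add_note(struct note **slots, const char *text, size_t size) {
    for (int i = 0; i < MAX_NOTES; i++) {
        if (slots[i] == NULL) {
            struct note *n = malloc(sizeof *n);
            if (!n) return -1;
            n->put = print_note_content;
            n->content = malloc(size);
            if (!n->content) { free(n); return -1; }
            memset(n->content, 0, size);
            strncpy(n->content, text, size - 1);
            slots[i] = n;
            return i;
        }
    }
    return -1;
}

/* Vulnerable delete (the defect the write-up describes): both chunks are
 * freed but slots[idx] keeps the old address, so later print/delete calls
 * still reach the freed note. */
static void del_note_vuln(struct note **slots, int idx) {
    if (idx < 0 || idx >= MAX_NOTES || slots[idx] == NULL) return;
    free(slots[idx]->content);
    free(slots[idx]);
}

/* Hardened delete: same frees, then clear the slot so the freed note can
 * no longer be reached through the table. */
static void del_note_fixed(struct note **slots, int idx) {
    if (idx < 0 || idx >= MAX_NOTES || slots[idx] == NULL) return;
    free(slots[idx]->content);
    free(slots[idx]);
    slots[idx] = NULL;
}

/* Print refuses empty slots; with the hardened delete a freed note is empty. */
static int print_note(struct note **slots, int idx) {
    if (idx < 0 || idx >= MAX_NOTES || slots[idx] == NULL) return -1;
    slots[idx]->put(slots[idx]);
    return 0;
}

/* Returns 1 if the slot still holds the freed address after the vulnerable
 * delete, i.e. a dangling pointer is left behind. */
static int vuln_leaves_dangling(void) {
    struct note *slots[MAX_NOTES] = {0};
    add_note(slots, "aaaa", 8);
    uintptr_t before = (uintptr_t)slots[0];
    del_note_vuln(slots, 0);
    return (uintptr_t)slots[0] == before;
}

/* Returns 1 if the hardened delete clears both slots and print_note
 * rejects them afterwards. */
static int fixed_blocks_reuse(void) {
    struct note *slots[MAX_NOTES] = {0};
    add_note(slots, "aaaa", 8);
    add_note(slots, "bbbb", 8);
    del_note_fixed(slots, 0);
    del_note_fixed(slots, 1);
    return slots[0] == NULL && slots[1] == NULL
        && print_note(slots, 0) == -1 && print_note(slots, 1) == -1;
}

int main(void) {
    printf("vulnerable delete leaves dangling pointer: %d\n", vuln_leaves_dangling());
    printf("hardened delete blocks reuse: %d\n", fixed_blocks_reuse());
    return 0;
}
```

Clearing the slot is the minimal fix; it removes the path by which a later print or delete follows a pointer into a chunk that malloc has since handed to another note. Compiling the vulnerable variant with AddressSanitizer (-fsanitize=address) and calling print on a deleted index reports the use-after-free directly, which is a quick way to confirm the defect in a binary you are reviewing.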