linux ghost 漏洞,幽灵漏洞(GHOST)影响大量Linux操作系统及其发行版


知道他

35 int 36 __nss_hostname_digits_dots (const char *name, struct hostent *resbuf, 37 char **buffer, size_t *buffer_size, 38 size_t buflen, struct hostent **result, 39 enum nss_status *status, int af, int *h_errnop) 40 { .. 57 if (isdigit (name[0]) || isxdigit (name[0]) || name[0] == ':') 58 { 59 const char *cp; 60 char *hostname; 61 typedef unsigned char host_addr_t[16]; 62 host_addr_t *host_addr; 63 typedef char *host_addr_list_t[2]; 64 host_addr_list_t *h_addr_ptrs; 65 char **h_alias_ptr; 66 size_t size_needed; .. 85 size_needed = (sizeof (*host_addr) 86 + sizeof (*h_addr_ptrs) + strlen (name) + 1); 87 88 if (buffer_size == NULL) 89 { 90 if (buflen < size_needed) 91 { .. 95 goto done; 96 } 97 } 98 else if (buffer_size != NULL && *buffer_size < size_needed) 99 {100 char *new_buf;101 *buffer_size = size_needed;102 new_buf = (char *) realloc (*buffer, *buffer_size);103104 if (new_buf == NULL)105 {...114 goto done;115 }116 *buffer = new_buf;117 }...121 host_addr = (host_addr_t *) *buffer;122 h_addr_ptrs = (host_addr_list_t *)123 ((char *) host_addr + sizeof (*host_addr));124 h_alias_ptr = (char **) ((char *) h_addr_ptrs + sizeof (*h_addr_ptrs));125 hostname = (char *) h_alias_ptr + sizeof (*h_alias_ptr);126127 if (isdigit (name[0]))128 {129 for (cp = name;; ++cp)130 {131 if (*cp == '\0')132 {133 int ok;134135 if (*--cp == '.')136 break;...142 if (af == AF_INET)143 ok = __inet_aton (name, (struct in_addr *) host_addr);144 else145 {146 assert (af == AF_INET6);147 ok = inet_pton (af, name, host_addr) > 0;148 }149 if (! ok)150 {...154 goto done;155 }156157 resbuf->h_name = strcpy (hostname, name);...194 goto done;195 }196197 if (!isdigit (*cp) && *cp != '.')198 break;199 }200 }

第85行计算 size_needed 时只加了 sizeof (*host_addr)、sizeof (*h_addr_ptrs) 和 strlen (name) + 1，却漏掉了第124行在同一缓冲区里占位的 h_alias_ptr（即 sizeof (*h_alias_ptr)，一个 char * 指针），所以第157行的 strcpy 会把 name 写过缓冲区末尾：32位溢出4个字节，64位溢出8个字节。修复方法就是把 sizeof (*h_alias_ptr) 也加进 size_needed。

As a result, this artificially-enlarged free chunk, which is managed by glibc's malloc, overlaps another block of memory, Exim's current_block, which is managed by Exim's internal memory allocator:

          |<     malloc_chunk    |<         storeblock        |
     |-----|----------------------|------------------------|---------------+---|-----
 ... |     | gethostbyname buffer |p|s|f|b|F|B| free chunk |n|l| current_block | ...
     -----|----------------------|------------------------|---------------+---|-----
          |                      |                        |               |
          |                      |  artificially enlarged free chunk      |

where:

    typedef struct storeblock {
      struct storeblock *next;
      size_t length;
    } storeblock;

Then, we partially allocate the enlarged free chunk and overwrite the beginning of Exim's current_block of memory (the "storeblock" structure) with arbitrary data. In particular, we overwrite its "next" field:

          |<     malloc_chunk    |<         storeblock        |
     |-----|----------------------|------------------------|--------+----------|-----
 ... |     | gethostbyname buffer |p|s|f|b|F|B| aaaaaaaaaa |n|l| current_block | ...
     -----|----------------------|------------------------|--------+----------|-----
          |                      |           X            |        |
          |                      |      allocated chunk   |        |

但是看不懂他是怎么通过这个堆溢出做到远程执行代码的，求科普
