
how2heap: Opening Chapter

Source: compiled by this site  Author: anonymous  Date: 2020-02-14

Because the examples are split between glibc 2.25 and glibc 2.26, I first spin up an Ubuntu 16.04 Docker container.
Note: tcache, largebin and unsorted bin are last-in first-out; fastbin and smallbin are first-in first-out.
git clone https://github.com/shellphish/how2heap.git
cd how2heap
make
For anyone not familiar with glibc's memory management, I strongly recommend 华庭's glibc内存管理 (glibc Memory Management)!
The version it covers is a bit old, but it is still a great help for understanding glibc.
 
0x01 first-fit
Source code
Let's look at the source first. I have tidied it a little and removed some of the author's commentary :)
The removed commentary says roughly that this file is not an attack demo but an illustration of one of glibc's chunk-selection mechanisms (first-fit), a mechanism that is frequently used in UAF exploitation.
So-called first-fit is the first-fit allocation algorithm; this article gives an overview of the common memory allocation algorithms: Common Memory Allocation Algorithms (常见内存分配算法)
Fine, none of that matters; let's go straight to the source, with a little translation added.
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
int main()
{
        // Allocate two buffers. They need not be fastbin-sized; they can be fairly large.
        fprintf(stderr, "Allocating 2 buffers. They can be large, don't have to be fastbin.\n");
        char* a = malloc(0x512);
        char* b = malloc(0x256);
        char* c;
        fprintf(stderr, "1st malloc(0x512): %p\n", a);
        fprintf(stderr, "2nd malloc(0x256): %p\n", b);
        fprintf(stderr, "we could continue mallocing here...\n");
        fprintf(stderr, "now let's put a string at a that we can read later \"this is A!\"\n");
        strcpy(a, "this is A!");
        fprintf(stderr, "first allocation %p points to %s\n", a, a);
        fprintf(stderr, "Freeing the first one...\n");
        free(a);
        // We don't need to free anything else. As long as the next request is smaller than 0x512,
        // it is served from the chunk we just freed.
        fprintf(stderr, "We don't need to free anything again. As long as we allocate smaller than 0x512, it will end up at %p\n", a);
        fprintf(stderr, "So, let's allocate 0x500 bytes\n");
        c = malloc(0x500);
        fprintf(stderr, "3rd malloc(0x500): %p\n", c);
        fprintf(stderr, "And put a different string here, \"this is C!\"\n");
        strcpy(c, "this is C!");
        fprintf(stderr, "3rd allocation %p points to %s\n", c, c);
        fprintf(stderr, "first allocation %p points to %s\n", a, a);
        fprintf(stderr, "If we reuse the first allocation, it now holds the data from the third allocation.\n");
        return 0;
}
Program output
Now let's run the program
This file doesn't demonstrate an attack, but shows the nature of glibc's allocator.
glibc uses a first-fit algorithm to select a free chunk.
If a chunk is free and large enough, malloc will select this chunk.
This can be exploited in a use-after-free situation.
Allocating 2 buffers. They can be large, don't have to be fastbin.
1st malloc(0x512): 0x1e03010
2nd malloc(0x256): 0x1e03530
we could continue mallocing here...
now let's put a string at a that we can read later "this is A!"
first allocation 0x1e03010 points to this is A!
Freeing the first one...
We don't need to free anything again. As long as we allocate smaller than 0x512, it will end up at 0x1e03010
So, let's allocate 0x500 bytes
3rd malloc(0x500): 0x1e03010
And put a different string here, "this is C!"
3rd allocation 0x1e03010 points to this is C!
first allocation 0x1e03010 points to this is C!
If we reuse the first allocation, it now holds the data from the third allocation.
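The output above shows the aliasing that makes first-fit interesting for UAF bugs: after free(a), the dangling pointer a and the fresh pointer c refer to the same chunk. As an added example (not part of how2heap or of this post), the program below turns that observation into two checkable functions: one that reproduces the reuse and confirms that reading through the stale pointer returns C's data, and one that shows the cheap defensive habit of clearing a pointer at the moment it is freed, so a later use hits NULL instead of the recycled chunk. The address reuse depends on glibc's ptmalloc (an assumption: the code is run against glibc, as in the post); the SAFE_FREE macro is my own name, not a glibc API.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not from how2heap. Assumes glibc's allocator, where a freed
 * chunk of 0x512 bytes (too big for tcache/fastbin) is handed back by the next
 * request that fits into it. */

/* Returns 1 if the third allocation lands on the freed first chunk, so the
 * dangling pointer `a` now aliases `c` and reads C's data; -1 on malloc failure. */
int first_fit_reuses_freed_chunk(void)
{
    char *a = malloc(0x512);   /* freed into the unsorted bin, not tcache/fastbin */
    char *b = malloc(0x256);   /* guard chunk: stops `a` from merging into the top chunk */
    char *c;
    int aliased;

    if (!a || !b) { free(a); free(b); return -1; }

    strcpy(a, "this is A!");
    free(a);                   /* `a` is now dangling but still holds the old address */

    c = malloc(0x500);         /* 0x500 <= 0x512: first-fit returns a's chunk */
    if (!c) { free(b); return -1; }
    strcpy(c, "this is C!");

    /* The use-after-free: the stale pointer observes the new owner's data.
     * strcmp only runs when c == a, so it never reads through an unrelated pointer. */
    aliased = (c == a) && (strcmp(a, "this is C!") == 0);

    free(c);
    free(b);
    return aliased;
}

/* Defensive pattern (hypothetical macro name): free and clear in one step, so
 * a later use of the variable dereferences NULL and faults instead of silently
 * reading or writing the recycled chunk. */
#define SAFE_FREE(p) do { free(p); (p) = NULL; } while (0)

/* Returns 1 when the cleared pointer can no longer alias the new allocation. */
int cleared_pointer_cannot_alias(void)
{
    char *a = malloc(0x512);
    char *b = malloc(0x256);
    char *c;
    int safe;

    if (!a || !b) { free(a); free(b); return -1; }

    SAFE_FREE(a);              /* the chunk is still recycled by malloc below... */
    c = malloc(0x500);         /* ...but `a` no longer carries its address */
    if (!c) { free(b); return -1; }

    safe = (a == NULL) && (c != a);

    free(c);
    free(b);
    return safe;
}

int main(void)
{
    printf("first-fit reuse observed through dangling pointer: %d\n",
           first_fit_reuses_freed_chunk());
    printf("cleared pointer cannot alias new chunk:            %d\n",
           cleared_pointer_cannot_alias());
    return 0;
}
```

Clearing the pointer does not stop the allocator from recycling the chunk; it only removes the one stale reference held in that variable. Copies of the pointer stored elsewhere (in a struct, a list, another thread) are the cases that real UAF bugs come from, which is why the habit is a mitigation and not a fix for ownership mistakes.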
Debugging the key part
Since the content is fairly simple, I will just compare the contents written to the chunk.
First, set a breakpoint before c is written.
pwndbg>
31              fprintf(stderr, "3rd malloc(0x500): %p\n", c);
32              fprintf(stderr, "And put a different string here, \"this is C!\"\n");
33              strcpy(c, "this is C!");
34              fprintf(stderr, "3rd allocation %p points to %s\n", c, c);
