Heap overflow: the unlink exploitation method - Vulnerability warning - 黑吧安全网 (MyHack58)

2015-07-22T00:00:00
ID MYHACK58:62201564930
Type myhack58
Reporter Anonymous (佚名)
Modified 2015-07-22T00:00:00

Description

0x01 Part one

First, a brief introduction to the heap chunk structure. The definition of a heap chunk can be found in glibc's malloc.c:

    struct malloc_chunk {
      INTERNAL_SIZE_T      prev_size;   /* Size of previous chunk (if free).  */
      INTERNAL_SIZE_T      size;        /* Size in bytes, including overhead. */

      struct malloc_chunk* fd;          /* double links -- used only if free. */
      struct malloc_chunk* bk;

      /* Only used for large blocks: pointer to next larger size.  */
      struct malloc_chunk* fd_nextsize; /* double links -- used only if free. */
      struct malloc_chunk* bk_nextsize;
    };

This shows that a heap chunk is laid out as follows:

    +-----------+---------+------+------+-------------+
    |           |         |      |      |             |
    |           |         |      |      |             |
    | prev_size |size&Flag|  fd  |  bk  |             |
    |           |         |      |      |             |
    |           |         |      |      |             |
    +-----------+---------+------+------+-------------+

If the previous chunk is free, the first field, prev_size, records the size of that previous chunk. The second field is the size of this chunk; because sizes must be 8-byte aligned, the low three bits of the size are otherwise unused, so they serve as three flags (the lowest bit: whether the previous chunk is in use; the second-lowest: whether this chunk was obtained via mmap; the third-lowest: whether this chunk belongs to a thread's arena). The fd and bk fields only come into play while the chunk is free: fd points to the next free chunk and bk to the previous free chunk, linking the free chunks into a doubly linked list. If the chunk is not free, user data starts at fd. (For details refer to the malloc.c part of glibc; it will not be explained further here.)

For convenience, I directly quote a foreign blogger's vulnerable sample program to continue the explanation:

    /* Heap overflow vulnerable program. */
    #include <stdlib.h>
    #include <string.h>

    int main( int argc, char * argv[] )
    {
            char * first, * second;
    /*[1]*/ first = malloc( 666 );
    /*[2]*/ second = malloc( 12 );
            if(argc!=1)
    /*[3]*/         strcpy( first, argv[1] );
    /*[4]*/ free( first );
    /*[5]*/ free( second );
    /*[6]*/ return( 0 );
    }

This program obviously has a heap overflow at [3]: if the contents of argv[1] are too long, the copy runs past first and overwrites the second chunk. A simplified view of this program's heap layout:

    +---------------------+
    |      prev_size      |
    +---------------------+
    |     size=0x201      |
    +---------------------+
    |                     |
    |      allocated      |
    |        chunk        |
    +---------------------+
    |      prev_size      |
    +---------------------+
    |      size=0x11      |
    +---------------------+
    |      Allocated      |
    |        chunk        |
    +---------------------+
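The following is an added example of my own, not code from the original post or from the quoted program: it models the two chunks of the diagram (first with size 0x201, second with size 0x11, 32-bit fields) as a plain byte array and shows which header fields of second an overlong copy at [3] reaches. The 'A'-filled input and the 1024-byte fake heap are constructed for the demonstration; the real allocator is never touched.

```c
/* Added example, not from the original post: a 32-bit heap laid out like the
 * diagram above (first: size 0x201, second: size 0x11) modelled as a plain byte
 * array, to show which fields of second an overlong strcpy at [3] overwrites. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define WORD      4      /* 32-bit INTERNAL_SIZE_T, as in the diagram */
#define FIRST_SZ  0x200  /* chunk size of first; 0x201 with PREV_INUSE set */
#define SECOND_SZ 0x10   /* chunk size of second; 0x11 with PREV_INUSE set */
static uint8_t heap[1024];   /* constructed stand-in for the real heap */
/* Decoded chunk header: prev_size, size and the three flag bits of size. */
struct hdr { uint32_t prev_size, size; int prev_inuse, is_mmapped, non_main_arena; };
static struct hdr read_hdr(const uint8_t *chunk) {
    struct hdr h;
    memcpy(&h.prev_size, chunk, WORD);
    memcpy(&h.size, chunk + WORD, WORD);
    h.prev_inuse     = h.size & 1;         /* lowest bit: previous chunk in use */
    h.is_mmapped     = (h.size >> 1) & 1;  /* second bit: chunk obtained via mmap */
    h.non_main_arena = (h.size >> 2) & 1;  /* third bit: chunk in a thread arena */
    h.size &= ~(uint32_t)7;                /* strip the flags to get the size */
    return h;
}

static void write_u32(uint8_t *p, uint32_t v) { memcpy(p, &v, WORD); }

/* Lay out the two allocated chunks exactly as the diagram shows. */
static void build_heap(void) {
    memset(heap, 0, sizeof heap);
    write_u32(heap + WORD, FIRST_SZ | 1);
    write_u32(heap + FIRST_SZ + WORD, SECOND_SZ | 1);
}

/* Simulate strcpy(first, argv[1]) with argv[1] = len bytes of 'A'. Returns 1 if
 * the copy changed second's header, 0 if it stayed within first, and -1 if len
 * does not even fit the simulated heap (the copy is refused, not performed). */
static int simulate_overflow(size_t len) {
    static char src[sizeof heap];
    uint8_t *first = heap + 2 * WORD;        /* user data begins at fd */
    if (len + 1 > sizeof heap - 2 * WORD) return -1;
    memset(src, 'A', len); src[len] = '\0';
    build_heap();
    struct hdr before = read_hdr(heap + FIRST_SZ);
    memcpy(first, src, len + 1);             /* the bytes strcpy would write */
    struct hdr after = read_hdr(heap + FIRST_SZ);
    return memcmp(&before, &after, sizeof before) != 0;
}

int main(void) { printf("503: %d  600: %d\n", simulate_overflow(503), simulate_overflow(600)); return 0; }
```

With 503 bytes the copy stays inside first's user area; from 505 bytes on, second's prev_size and then its size field (flags included) are replaced by attacker-controlled bytes, which is what the later unlink discussion relies on.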
