#include <stdio.h>
#include <stdlib.h>
#include <string.h>

int main()
{
	printf("This file doesn't demonstrate an attack, but shows the nature of glibc's allocator.\n");
	printf("glibc uses a first-fit algorithm to select a free chunk.\n");
	printf("If a chunk is free and large enough, malloc will select this chunk.\n");
	printf("This can be exploited in a use-after-free situation.\n");

	printf("Allocating 2 buffers. They can be large, don't have to be fastbin.\n");
	char* a = malloc(512);
	char* b = malloc(256);
	char* c;

	printf("1st malloc(512): %p\n", a);
	printf("2nd malloc(256): %p\n", b);
	printf("we could continue mallocing here...\n");
	printf("now let's put a string at a that we can read later \"this is A!\"\n");
	strcpy(a, "this is A!");
	printf("first allocation %p points to %s\n", a, a);

	printf("Freeing the first one...\n");
	free(a);

	printf("We don't need to free anything again. As long as we allocate less than 512, it will end up at %p\n", a);

	printf("So, let's allocate 500 bytes\n");
	c = malloc(500);
	printf("3rd malloc(500): %p\n", c);
	printf("And put a different string here, \"this is C!\"\n");
	strcpy(c, "this is C!");
	printf("3rd allocation %p points to %s\n", c, c);
	printf("first allocation %p points to %s\n", a, a);
	printf("If we reuse the first allocation, it now holds the data from the third allocation.\n");
}


This file doesn't demonstrate an attack, but shows the nature of glibc's allocator.

This file does not explain an attack, but it shows the principle of the glibc allocator.


glibc uses a first-fit algorithm to select a free chunk.

glibc uses the first-fit algorithm when selecting a free chunk.


If a chunk is free and large enough, malloc will select this chunk.

If a chunk is free and large enough, malloc will select this chunk.


This can be exploited in a use-after-free situation.

This can be exploited in a UAF situation.


Allocating 2 buffers. They can be large, don't have to be fastbin.

Let's allocate 2 buffers. They are large enough that they will not be fastbins.


char* a = malloc(512);
char* b = malloc(256);
char* c;


1st malloc(512): 0x2366420

2nd malloc(256): 0x2366630


we could continue mallocing here...

We could keep calling malloc here.


now let's put a string at a that we can read later "this is A!"

Now let's put the string "this is A" into a.


strcpy(a, "this is A!");


first allocation 0x2366420 points to this is A!

a points to "this is A".


Freeing the first one...

Let's free a.

free(a);

We don't need to free anything again. As long as we allocate less than 512, it will end up at 0x2366420

We don't need to free anything. As long as we allocate something smaller than 512, it ends up at 0x2366420 (a).


So, let's allocate 500 bytes

So let's allocate 500 bytes.

c = malloc(500);


3rd malloc(500): 0x2366420


And put a different string here, "this is C!"

And put the string "this is C!" there.


strcpy(c, "this is C!");


3rd allocation 0x2366420 points to this is C!

The 3rd allocation 0x2366420 points to C.


first allocation 0x2366420 points to this is C!

The first allocation 0x2366420 also points to this is C.


If we reuse the first allocation, it now holds the data from the third allocation.

If we reuse the first allocation, it holds the data of the third allocation.
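As an added example (my own code, not part of the original post or of how2heap), the experiment above with the three request sizes as parameters, plus the defensive side of the same sequence: wiping the buffer and nulling the pointer at free so the stale `a` can no longer be read. Note that on glibc builds with tcache (2.26 and later) a freed 512-byte request sits in the tcache bin for its own size class and malloc(500) is served from elsewhere, so the address reuse shown above depends on the glibc version; the function names `first_fit_reuse`, `wipe_and_free` and `hardened_sequence` are my own.

```c
#include <stdlib.h>
#include <string.h>
#include <stdint.h>

/* Wipe through a volatile pointer so the compiler cannot drop the
 * memset-before-free as a dead store. */
static void wipe(char *p, size_t len)
{
    volatile char *v = p;
    while (len--) *v++ = 0;
}

/* The page's allocation sequence with caller-chosen sizes: sets *reused to 1
 * if the third allocation came back at the freed first address. Only the
 * addresses are compared; the freed block is never read. Returns -1 on OOM. */
int first_fit_reuse(size_t first, size_t second, size_t third, int *reused)
{
    char *a = malloc(first), *b = malloc(second);   /* b keeps a off the top chunk */
    if (!a || !b) { free(a); free(b); return -1; }
    uintptr_t old_a = (uintptr_t)a;
    free(a);
    char *c = malloc(third);
    if (!c) { free(b); return -1; }
    *reused = ((uintptr_t)c == old_a);
    free(c); free(b); return 0;
}

/* Defensive free: wipe, release and null the caller's pointer, so a later use
 * faults on NULL instead of silently reading whatever chunk malloc recycled. */
void wipe_and_free(char **pp, size_t len)
{
    if (!pp || !*pp) return;
    wipe(*pp, len);
    free(*pp);
    *pp = NULL;
}

/* The page's sequence with the dangling 'a' neutralised. Returns 1 when the
 * stale pointer is NULL and only 'c' holds "this is C!". */
int hardened_sequence(void)
{
    char *a = malloc(512), *b = malloc(256), *c;
    if (!a || !b) { free(a); free(b); return 0; }
    strcpy(a, "this is A!");
    wipe_and_free(&a, 512);          /* a == NULL from here on */
    if (!(c = malloc(500))) { free(b); return 0; }
    strcpy(c, "this is C!");
    int ok = (a == NULL) && strcmp(c, "this is C!") == 0;
    free(c); free(b); return ok;
}
```

Calling `first_fit_reuse(512, 256, 500, &r)` reproduces the post's sequence; try larger sizes that exceed the tcache range to see the unsorted/large-bin first-fit behaviour the post describes on a current glibc.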
