House-Of-Rabbit
November 8, 2019 PWN 访问: 28 次
原理
malloc_conslidate函数合并堆块的时候没有检查chunk的size字段,当我们可以伪造已经在fast bin中chunk的size字段时,就可以获得一个伪造大小的small bin chunk,这样可以很快的构造出来chunk overlap
利用条件:
- 能够控制
chunk的size字段或者是fd字段 - 能够
malloc很大的size或者存在scanf函数
一、通过修改size来利用House-of-Rabbit
demo:
#include<stdio.h>
#include<stdlib.h>
int main()
{
char *heap[5];
heap[0]=malloc(0x40);
heap[1]=malloc(0x40);
heap[2]=malloc(0x10);
free(heap[0]);
free(heap[1]);
heap[3]=malloc(0x1000);//trigger
return 0;
}
在11行下断点,修改chunk为:
fastbins
0x20: 0x0
0x30: 0x0
0x40: 0x0
0x50: 0x602050 —▸ 0x602000 ◂— 0x0
0x60: 0x0
0x70: 0x0
0x80: 0x0
unsortedbin
all: 0x0
smallbins
empty
largebins
empty
0x602000: 0x0000000000000000 0x0000000000000071
0x602010: 0x0000000000000000 0x0000000000000000
0x602020: 0x0000000000000000 0x0000000000000000
0x602030: 0x0000000000000000 0x0000000000000000
0x602040: 0x0000000000000000 0x0000000000000000
0x602050: 0x0000000000000000 0x0000000000000051
0x602060: 0x0000000000602000 0x0000000000000000
0x602070: 0x0000000000000000 0x0000000000000051
0x602080: 0x0000000000000000 0x0000000000000000
0x602090: 0x0000000000000000 0x0000000000000000
0x6020a0: 0x0000000000000000 0x0000000000000021
0x6020b0: 0x0000000000000000 0x0000000000000000
0x6020c0: 0x0000000000000000 0x0000000000020f41
0x6020d0: 0x0000000000000000 0x0000000000000000
0x6020e0: 0x0000000000000000 0x0000000000000000
执行第11行之后,chunk为:
fastbins
0x20: 0x0
0x30: 0x0
0x40: 0x0
0x50: 0x0
0x60: 0x0
0x70: 0x0
0x80: 0x0
unsortedbin
all: 0x0
smallbins
0x50: 0x602050 —▸ 0x7ffff7dd1bb8 (main_arena+152) ◂— 0x602050 /* 'P `' */
0x70: 0x602000 —▸ 0x7ffff7dd1bd8 (main_arena+184) ◂— 0x602000
largebins
empty
成功的伪造出来一个0x70的chunk,原来这个chunk时0x50的,所以可以造成chunk overlap
需要注意的是,伪造的chunk的next chunk时,最好要合并chunk不要拆分chunk
一、通过修改fd指针来利用House-of-Rabbit
demo:
#include<stdio.h>
#include<stdlib.h>
int main()
{
char *heap[5];
heap[0]=malloc(0x40);
heap[4]=malloc(0x10);
heap[1]=malloc(0x100);
heap[2]=malloc(0x10);
free(heap[0]);
heap[3]=malloc(0x1000);
return 0;
}
也是再free之后下断点,查看heap:
fastbins
0x20: 0x0
0x30: 0x0
0x40: 0x0
0x50: 0x602000 ◂— 0x0
0x60: 0x0
0x70: 0x0
0x80: 0x0
unsortedbin
all: 0x0
smallbins
empty
largebins
empty
pwndbg> x/60gx 0x602000
0x602000: 0x0000000000000000 0x0000000000000051
0x602010: 0x0000000000000000 0x0000000000000000
0x602020: 0x0000000000000000 0x0000000000000000
0x602030: 0x0000000000000000 0x0000000000000000
0x602040: 0x0000000000000000 0x0000000000000000
0x602050: 0x0000000000000000 0x0000000000000021
0x602060: 0x0000000000000000 0x0000000000000000
0x602070: 0x0000000000000000 0x0000000000000111
0x602080: 0x0000000000000000 0x0000000000000000
0x602090: 0x0000000000000000 0x0000000000000000
0x6020a0: 0x0000000000000000 0x0000000000000000
0x6020b0: 0x0000000000000000 0x0000000000000000
0x6020c0: 0x0000000000000000 0x0000000000000000
0x6020d0: 0x0000000000000000 0x0000000000000000
0x6020e0: 0x0000000000000000 0x0000000000000000
0x6020f0: 0x0000000000000000 0x0000000000000000
0x602100: 0x0000000000000000 0x0000000000000000
0x602110: 0x0000000000000000 0x0000000000000000
0x602120: 0x0000000000000000 0x0000000000000000
0x602130: 0x0000000000000000 0x0000000000000000
0x602140: 0x0000000000000000 0x0000000000000000
0x602150: 0x0000000000000000 0x0000000000000000
0x602160: 0x0000000000000000 0x0000000000000000
0x602170: 0x0000000000000000 0x0000000000000000
0x602180: 0x0000000000000000 0x0000000000000021
0x602190: 0x0000000000000000 0x0000000000000000
0x6021a0: 0x0000000000000000 0x0000000000020e61
0x6021b0: 0x0000000000000000 0x0000000000000000
0x6021c0: 0x0000000000000000 0x0000000000000000
0x6021d0: 0x0000000000000000 0x0000000000000000
修改0x602000的fd指针为0x602070,然后执行下一句代码
heap情况:
fastbins
0x20: 0x0
0x30: 0x0
0x40: 0x0
0x50: 0x0
0x60: 0x0
0x70: 0x0
0x80: 0x0
unsortedbin
all: 0x0
smallbins
0x50: 0x602000 —▸ 0x7ffff7dd1bb8 (main_arena+152) ◂— 0x602000
0x110: 0x602070 —▸ 0x7ffff7dd1c78 (main_arena+344) ◂— 0x602070 /* 'p `' */
largebins
empty
此时就多出来一个chunk在small bin中