学逆向论坛

找回密码
立即注册

只需一步,快速开始

发新帖

2万

积分

41

好友

1157

主题

[Pwn] first fit

发表于 2020-9-2 09:49:13 | 查看: 1574| 回复: 0

相关题目:

源码
#include 
  #include 
  #include 
  int main()
  {
  fprintf(stderr, "This file doesn't demonstrate an attack, but shows the nature of glibc's allocator.\n");
  fprintf(stderr, "glibc uses a first-fit algorithm to select a free chunk.\n");
  fprintf(stderr, "If a chunk is free and large enough, malloc will select this chunk.\n");
  fprintf(stderr, "This can be exploited in a use-after-free situation.\n");
  fprintf(stderr, "Allocating 2 buffers. They can be large, don't have to be fastbin.\n");
  char* a = malloc(0x512);
  char* b = malloc(0x256);
  char* c;
  fprintf(stderr, "1st malloc(0x512): %p\n", a);
  fprintf(stderr, "2nd malloc(0x256): %p\n", b);
  fprintf(stderr, "we could continue mallocing here...\n");
  fprintf(stderr, "now let's put a string at a that we can read later \"this is A!\"\n");
  strcpy(a, "this is A!");
  fprintf(stderr, "first allocation %p points to %s\n", a, a);
  fprintf(stderr, "Freeing the first one...\n");
  free(a);
  fprintf(stderr, "We don't need to free anything again. As long as we allocate smaller than 0x512, it will end up at %p\n", a);
  fprintf(stderr, "So, let's allocate 0x500 bytes\n");
  c = malloc(0x500);
  fprintf(stderr, "3rd malloc(0x500): %p\n", c);
  fprintf(stderr, "And put a different string here, \"this is C!\"\n");
  strcpy(c, "this is C!");
  fprintf(stderr, "3rd allocation %p points to %s\n", c, c);
  fprintf(stderr, "first allocation %p points to %s\n", a, a);
  fprintf(stderr, "If we reuse the first allocation, it now holds the data from the third allocation.\n");
  }

输出结果

first fit

first fit
分析&调试
首先
a=malloc(0x512)
b=malloc(0x256)
a='This is A'
free(a)
c=malloc(0x500)
c='This is C'
之后调用a/c都会输出'This is C'
先记几个命令
heapbase,基地址
heapinfo top、lastreminder和bins信息

first fit

first fit
parseheap 查看堆信息

first fit

first fit
chunkinfo addr 查看具体chunk信息

first fit

first fit
magic  一些有用的地址

first fit

first fit
还有一些
arenainfo
chunkptr
printfastbin
tracemalloc
mergeinfo
...
free之后的变化:

first fit

first fit

first fit

first fit
再次malloc时:

first fit

first fit
unsorted bin空了

first fit

first fit
此时a和c共用同一块chunk

first fit

first fit
总结
  • glibc使用一种first-fit算法来选择空闲的chunk.如果分配时存在一个大小满足要求的空闲chunk的话,glibc就会选择这个chunk.(并不是最优)
  • malloc(b)的作用是为了防止free(a)的时候不和top chunk合并




温馨提示:
1.如果您喜欢这篇帖子,请给作者点赞评分,点赞会增加帖子的热度,评分会给作者加学币。(评分不会扣掉您的积分,系统每天都会重置您的评分额度)。
2.回复帖子不仅是对作者的认可,还可以获得学币奖励,请尊重他人的劳动成果,拒绝做伸手党!
3.发广告、灌水回复等违规行为一经发现直接禁言,如果本帖内容涉嫌违规,请点击论坛底部的举报反馈按钮,也可以在【投诉建议】板块发帖举报。
论坛交流群:672619046

小黑屋|手机版|站务邮箱|学逆向论坛 ( 粤ICP备2021023307号 )|网站地图

GMT+8, 2024-3-28 21:53 , Processed in 0.099824 second(s), 37 queries .

Powered by Discuz! X3.4

Copyright © 2001-2021, Tencent Cloud.

快速回复 返回顶部 返回列表