从零开始学howtoheap:理解fastbins的堆块重叠的问题1

2024-02-12 22:12
文章标签 问题 理解 从零开始 重叠 堆块 fastbins howtoheap

本文主要是介绍从零开始学howtoheap:理解fastbins的堆块重叠的问题1,希望对大家解决编程问题提供一定的参考价值,需要的开发者们随着小编来一起学习吧!

how2heap是由shellphish团队制作的堆利用教程,介绍了多种堆利用技术,后续系列实验我们就通过这个教程来学习。环境可参见从零开始配置pwn环境:从零开始配置pwn环境:从零开始配置pwn环境:优化pwn虚拟机配置支持libc等指令-CSDN博客

1.fastbins的overlapping_chunks攻击

这是一个简单的堆块重叠问题,首先申请 3 个 chunk
这三个 chunk 分别申请到了:
p1:0x603010
p2:0x603110
p3:0x603210
给他们分别填充"1""2""3"

free 掉 p2
p2 被放到 unsorted bin 中
现在假设有一个堆溢出漏洞,可以覆盖 p2
为了保证堆块稳定性,我们至少需要让 prev_inuse 为 1,确保 p1 不会被认为是空闲的堆块
我们将 p2 的大小设置为 385, 这样的话我们就能用 376 大小的空间

现在让我们分配另一个块,其大小等于块p2注入大小的数据大小
malloc 将会把前面 free 的 p2 分配给我们(p2 的 size 已经被改掉了)

p4 分配在 0x603110 到 0x603288 这一区域
p3 从 0x603210 到 0x603288
p4 应该与 p3 重叠,在这种情况下 p4 包括所有 p3
这时候通过编辑 p4 就可以修改 p3 的内容,修改 p3 也可以修改 p4 的内容

2.overlapping_chunks演示程序

#include <stdio.h>#include <stdlib.h>#include <string.h>#include <stdint.h>int main(int argc , char* argv[]){intptr_t *p1,*p2,*p3,*p4;fprintf(stderr, "这是一个简单的堆块重叠问题,首先申请 3 个 chunk\n");p1 = malloc(0x100 - 8);p2 = malloc(0x100 - 8);p3 = malloc(0x80 - 8);fprintf(stderr, "这三个 chunk 分别申请到了:\np1:%p\np2:%p\np3:%p\n给他们分别填充\"1\"\"2\"\"3\"\n\n", p1, p2, p3);memset(p1, '1', 0x100 - 8);memset(p2, '2', 0x100 - 8);memset(p3, '3', 0x80 - 8);fprintf(stderr, "free 掉 p2\n");free(p2);fprintf(stderr, "p2 被放到 unsorted bin 中\n");fprintf(stderr, "现在假设有一个堆溢出漏洞,可以覆盖 p2\n");fprintf(stderr, "为了保证堆块稳定性,我们至少需要让 prev_inuse 为 1,确保 p1 不会被认为是空闲的堆块\n");int evil_chunk_size = 0x181;int evil_region_size = 0x180 - 8;fprintf(stderr, "我们将 p2 的大小设置为 %d, 这样的话我们就能用 %d 大小的空间\n",evil_chunk_size, evil_region_size);*(p2-1) = evil_chunk_size; // 覆盖 p2 的 sizefprintf(stderr, "\n现在让我们分配另一个块,其大小等于块p2注入大小的数据大小\n");fprintf(stderr, "malloc 将会把前面 free 的 p2 分配给我们(p2 的 size 已经被改掉了)\n");p4 = malloc(evil_region_size);fprintf(stderr, "\np4 分配在 %p 到 %p 这一区域\n", (char *)p4, (char *)p4+evil_region_size);fprintf(stderr, "p3 从 %p 到 %p\n", (char *)p3, (char *)p3+0x80-8);fprintf(stderr, "p4 应该与 p3 重叠,在这种情况下 p4 包括所有 p3\n");fprintf(stderr, "这时候通过编辑 p4 就可以修改 p3 的内容,修改 p3 也可以修改 p4 的内容\n\n");fprintf(stderr, "接下来验证一下,现在 p3 与 p4:\n");fprintf(stderr, "p4 = %s\n", (char *)p4+0x10);fprintf(stderr, "p3 = %s\n", (char *)p3+0x10);fprintf(stderr, "\n如果我们使用 memset(p4, '4', %d), 将会:\n", evil_region_size);memset(p4, '4', evil_region_size);fprintf(stderr, "p4 = %s\n", (char *)p4+0x10);fprintf(stderr, "p3 = %s\n", (char *)p3+0x10);fprintf(stderr, "\n那么之后再 memset(p3, '3', 80), 将会:\n");memset(p3, '3', 80);fprintf(stderr, "p4 = %s\n", (char *)p4+0x10);fprintf(stderr, "p3 = %s\n", (char *)p3+0x10);}

3.调试overlapping_chunks

3.1 获得可执行程序 

gcc -g overlapping_chunks.c -o overlapping_chunks

3.2 第一次调试程序

root@pwn_test1604:/ctf/work/how2heap# gcc -g overlapping_chunks.c -o overlapping_chunks
root@pwn_test1604:/ctf/work/how2heap# ll
total 232
drwxr-xr-x  2 1000 1000  4096 Feb 12 01:24 ./
drwxr-xr-x 12 1000 1000  4096 Feb  8 13:06 ../
-rwxr-xr-x  1 root root 11168 Feb  9 02:26 fastbin_dup*
-rw-r--r--  1 1000 1000  1383 Feb  9 02:25 fastbin_dup.c
-rwxr-xr-x  1 root root 11176 Feb 10 03:42 fastbin_dup_consolidate*
-rw-r--r--  1 1000 1000   957 Feb 10 03:27 fastbin_dup_consolidate.c
-rwxr-xr-x  1 root root 15432 Feb  9 04:05 fastbin_dup_into_stack*
-rw-r--r--  1 1000 1000  2124 Feb  9 03:52 fastbin_dup_into_stack.c
-rwx--x--x  1 1000 1000 15224 Feb  8 13:26 first_fit*
-rwxr-xr-x  1 root root 21408 Feb  8 15:02 first_fit1*
-rw-r--r--  1 1000 1000  1591 Feb  8 13:16 first_fit.c
-rw-------  1 root root 12944 Feb 12 01:13 .gdb_history
-rwxr-xr-x  1 root root 15744 Feb 11 13:15 house_of_lore*
-rw-r--r--  1 1000 1000  2794 Feb 11 13:15 house_of_lore.c
-rwxr-xr-x  1 root root 11240 Feb 11 03:43 house_of_spirit*
-rw-r--r--  1 1000 1000  1575 Feb 11 03:43 house_of_spirit.c
-rwxr-xr-x  1 root root 15512 Feb 12 01:24 overlapping_chunks*
-rw-r--r--  1 1000 1000  2929 Feb 12 01:23 overlapping_chunks.c
-rwxr-xr-x  1 root root 15624 Feb 11 04:37 poison_null_byte*
-rw-r--r--  1 1000 1000  2853 Feb 11 04:36 poison_null_byte.c
-rwxr-xr-x  1 root root 10176 Feb  8 15:20 uaf*
-rw-r--r--  1 1000 1000  1023 Feb  8 15:19 uaf.c
-rwxr-xr-x  1 root root 15544 Feb 10 05:39 unsafe_unlink*
-rw-r--r--  1 1000 1000  2965 Feb 10 05:39 unsafe_unlink.c
root@pwn_test1604:/ctf/work/how2heap# gdb ./overlapping_chunks
GNU gdb (Ubuntu 7.11.1-0ubuntu1~16.5) 7.11.1
Copyright (C) 2016 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
<http://www.gnu.org/software/gdb/documentation/>.
For help, type "help".
Type "apropos word" to search for commands related to "word"...
pwndbg: loaded 171 commands. Type pwndbg [filter] for a list.
pwndbg: created $rebase, $ida gdb functions (can be used with print/break)
Reading symbols from ./overlapping_chunks...done.
pwndbg> r
Starting program: /ctf/work/how2heap/overlapping_chunks 
这是一个简单的堆块重叠问题,首先申请 3 个 chunk
这三个 chunk 分别申请到了:
p1:0x603010
p2:0x603110
p3:0x603210
给他们分别填充"1""2""3"free 掉 p2
p2 被放到 unsorted bin 中
现在假设有一个堆溢出漏洞,可以覆盖 p2
为了保证堆块稳定性,我们至少需要让 prev_inuse 为 1,确保 p1 不会被认为是空闲的堆块
我们将 p2 的大小设置为 385, 这样的话我们就能用 376 大小的空间现在让我们分配另一个块,其大小等于块p2注入大小的数据大小
malloc 将会把前面 free 的 p2 分配给我们(p2 的 size 已经被改掉了)p4 分配在 0x603110 到 0x603288 这一区域
p3 从 0x603210 到 0x603288
p4 应该与 p3 重叠,在这种情况下 p4 包括所有 p3
这时候通过编辑 p4 就可以修改 p3 的内容,修改 p3 也可以修改 p4 的内容接下来验证一下,现在 p3 与 p4:
p4 = 22222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222
p3 = 33333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333�如果我们使用 memset(p4, '4', 376), 将会:
p4 = 444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444�
p3 = 44444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444�那么之后再 memset(p3, '3', 80), 将会:
p4 = 444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444333333333333333333333333333333333333333333333333333333333333333333333333333333334444444444444444444444444444444444444444�
p3 = 33333333333333333333333333333333333333333333333333333333333333334444444444444444444444444444444444444444�
[Inferior 1 (process 114) exited normally]
pwndbg>

 

3.3 第二次调试程序

3.3.1 ​设置断点第14行并走起

这个比较简单,就是堆块重叠的问题。通过一个溢出漏洞,改写unsorted bin 中空闲堆块的size,改变下一次malloc可以返回的堆块大小。

​ 直接动手调试,首先申请三个堆块。

pwndbg> b 14
Breakpoint 2 at 0x4006dd: file overlapping_chunks.c, line 14.
pwndbg> c
Continuing.
这是一个简单的堆块重叠问题,首先申请 3 个 chunkBreakpoint 2, main (argc=1, argv=0x7fffffffe6a8) at overlapping_chunks.c:14
14                   fprintf(stderr, "这三个 chunk 分别申请到了:\np1:%p\np2:%p\np3:%p\n给他们分别填充\"1\"\"2\"\"3\"\n\n", p1, p2, p3);
LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
───────────────────────────────────────────────────────────────────────────────────────────────────[ REGISTERS ]───────────────────────────────────────────────────────────────────────────────────────────────────RAX  0x603210 ◂— 0x0RBX  0x0RCX  0x7ffff7dd1b20 (main_arena) ◂— 0x100000000RDX  0x603210 ◂— 0x0RDI  0x0RSI  0x603280 ◂— 0x0R8   0x603000 ◂— 0x0R9   0xdR10  0x7ffff7dd1b78 (main_arena+88) —▸ 0x603280 ◂— 0x0R11  0x0R12  0x400590 (_start) ◂— xor    ebp, ebpR13  0x7fffffffe6a0 ◂— 0x1R14  0x0R15  0x0RBP  0x7fffffffe5c0 —▸ 0x400a40 (__libc_csu_init) ◂— push   r15RSP  0x7fffffffe580 —▸ 0x7fffffffe6a8 —▸ 0x7fffffffe8d1 ◂— '/ctf/work/how2heap/overlapping_chunks'RIP  0x4006dd (main+87) ◂— mov    rax, qword ptr [rip + 0x20197c]
────────────────────────────────────────────────────────────────────────────────────────────────────[ DISASM ]─────────────────────────────────────────────────────────────────────────────────────────────────────► 0x4006dd <main+87>     mov    rax, qword ptr [rip + 0x20197c] <0x602060>0x4006e4 <main+94>     mov    rsi, qword ptr [rbp - 0x10]0x4006e8 <main+98>     mov    rcx, qword ptr [rbp - 0x18]0x4006ec <main+102>    mov    rdx, qword ptr [rbp - 0x20]0x4006f0 <main+106>    mov    r8, rsi0x4006f3 <main+109>    mov    esi, 0x400b100x4006f8 <main+114>    mov    rdi, rax0x4006fb <main+117>    mov    eax, 00x400700 <main+122>    call   fprintf@plt <0x400550>0x400705 <main+127>    mov    rax, qword ptr [rbp - 0x20]0x400709 <main+131>    mov    edx, 0xf8
─────────────────────────────────────────────────────────────────────────────────────────────────[ SOURCE (CODE) ]─────────────────────────────────────────────────────────────────────────────────────────────────
In file: /ctf/work/how2heap/overlapping_chunks.c9              fprintf(stderr, "这是一个简单的堆块重叠问题,首先申请 3 个 chunk\n");10          11              p1 = malloc(0x100 - 8);12              p2 = malloc(0x100 - 8);13              p3 = malloc(0x80 - 8);► 14              fprintf(stderr, "这三个 chunk 分别申请到了:\np1:%p\np2:%p\np3:%p\n给他们分别填充\"1\"\"2\"\"3\"\n\n", p1, p2, p3);15          16              memset(p1, '1', 0x100 - 8);17              memset(p2, '2', 0x100 - 8);18              memset(p3, '3', 0x80 - 8);19          
─────────────────────────────────────────────────────────────────────────────────────────────────────[ STACK ]─────────────────────────────────────────────────────────────────────────────────────────────────────
00:0000│ rsp  0x7fffffffe580 —▸ 0x7fffffffe6a8 —▸ 0x7fffffffe8d1 ◂— '/ctf/work/how2heap/overlapping_chunks'
01:0008│      0x7fffffffe588 ◂— 0x100400a8d
02:0010│      0x7fffffffe590 ◂— 0x0
... ↓
04:0020│      0x7fffffffe5a0 —▸ 0x603010 ◂— 0x0
05:0028│      0x7fffffffe5a8 —▸ 0x603110 ◂— 0x0
06:0030│      0x7fffffffe5b0 —▸ 0x603210 ◂— 0x0
07:0038│      0x7fffffffe5b8 ◂— 0x0
───────────────────────────────────────────────────────────────────────────────────────────────────[ BACKTRACE ]───────────────────────────────────────────────────────────────────────────────────────────────────► f 0           4006dd main+87f 1     7ffff7a2d830 __libc_start_main+240
Breakpoint /ctf/work/how2heap/overlapping_chunks.c:14
pwndbg> n
这三个 chunk 分别申请到了:
p1:0x603010
p2:0x603110
p3:0x603210
给他们分别填充"1""2""3"16                   memset(p1, '1', 0x100 - 8);
LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
───────────────────────────────────────────────────────────────────────────────────────────────────[ REGISTERS ]───────────────────────────────────────────────────────────────────────────────────────────────────RAX  0x6eRBX  0x0RCX  0x7ffff7b042c0 (__write_nocancel+7) ◂— cmp    rax, -0xfffRDX  0x7ffff7dd3770 (_IO_stdfile_2_lock) ◂— 0x0RDI  0x2RSI  0x7fffffffbef0 ◂— 0xb8e489b8e499bfe8R8   0x7ffff7feb700 ◂— 0x7ffff7feb700R9   0x6eR10  0x0R11  0x246R12  0x400590 (_start) ◂— xor    ebp, ebpR13  0x7fffffffe6a0 ◂— 0x1R14  0x0R15  0x0RBP  0x7fffffffe5c0 —▸ 0x400a40 (__libc_csu_init) ◂— push   r15RSP  0x7fffffffe580 —▸ 0x7fffffffe6a8 —▸ 0x7fffffffe8d1 ◂— '/ctf/work/how2heap/overlapping_chunks'RIP  0x400705 (main+127) ◂— mov    rax, qword ptr [rbp - 0x20]
────────────────────────────────────────────────────────────────────────────────────────────────────[ DISASM ]─────────────────────────────────────────────────────────────────────────────────────────────────────0x4006f0 <main+106>    mov    r8, rsi0x4006f3 <main+109>    mov    esi, 0x400b100x4006f8 <main+114>    mov    rdi, rax0x4006fb <main+117>    mov    eax, 00x400700 <main+122>    call   fprintf@plt <0x400550>► 0x400705 <main+127>    mov    rax, qword ptr [rbp - 0x20]0x400709 <main+131>    mov    edx, 0xf80x40070e <main+136>    mov    esi, 0x310x400713 <main+141>    mov    rdi, rax0x400716 <main+144>    call   memset@plt <0x400530>0x40071b <main+149>    mov    rax, qword ptr [rbp - 0x18]
─────────────────────────────────────────────────────────────────────────────────────────────────[ SOURCE (CODE) ]─────────────────────────────────────────────────────────────────────────────────────────────────
In file: /ctf/work/how2heap/overlapping_chunks.c11              p1 = malloc(0x100 - 8);12              p2 = malloc(0x100 - 8);13              p3 = malloc(0x80 - 8);14              fprintf(stderr, "这三个 chunk 分别申请到了:\np1:%p\np2:%p\np3:%p\n给他们分别填充\"1\"\"2\"\"3\"\n\n", p1, p2, p3);15          ► 16              memset(p1, '1', 0x100 - 8);17              memset(p2, '2', 0x100 - 8);18              memset(p3, '3', 0x80 - 8);19          20              fprintf(stderr, "free 掉 p2\n");21              free(p2);
─────────────────────────────────────────────────────────────────────────────────────────────────────[ STACK ]─────────────────────────────────────────────────────────────────────────────────────────────────────
00:0000│ rsp  0x7fffffffe580 —▸ 0x7fffffffe6a8 —▸ 0x7fffffffe8d1 ◂— '/ctf/work/how2heap/overlapping_chunks'
01:0008│      0x7fffffffe588 ◂— 0x100400a8d
02:0010│      0x7fffffffe590 ◂— 0x0
... ↓
04:0020│      0x7fffffffe5a0 —▸ 0x603010 ◂— 0x0
05:0028│      0x7fffffffe5a8 —▸ 0x603110 ◂— 0x0
06:0030│      0x7fffffffe5b0 —▸ 0x603210 ◂— 0x0
07:0038│      0x7fffffffe5b8 ◂— 0x0
───────────────────────────────────────────────────────────────────────────────────────────────────[ BACKTRACE ]───────────────────────────────────────────────────────────────────────────────────────────────────► f 0           400705 main+127f 1     7ffff7a2d830 __libc_start_main+240
pwndbg> parseheap
addr                prev                size                 status              fd                bk                
0x603000            0x0                 0x100                Used                None              None
0x603100            0x0                 0x100                Used                None              None
0x603200            0x0                 0x80                 Used                None              None
pwndbg>

3.3.2 设置断点第22行并走起

接着free掉p2,这时候p2被放到unsorted bin中。

pwndbg> b 22
Breakpoint 3 at 0x400771: file overlapping_chunks.c, line 22.
pwndbg> c
Continuing.
free 掉 p2Breakpoint 3, main (argc=1, argv=0x7fffffffe6a8) at overlapping_chunks.c:22
22                   fprintf(stderr, "p2 被放到 unsorted bin 中\n");
LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
───────────────────────────────────────────────────────────────────────────────────────────────────[ REGISTERS ]───────────────────────────────────────────────────────────────────────────────────────────────────RAX  0x1RBX  0x0RCX  0x7ffff7b042c0 (__write_nocancel+7) ◂— cmp    rax, -0xfffRDX  0x0RDI  0x7ffff7dd1b20 (main_arena) ◂— 0x100000000RSI  0x0R8   0xcR9   0x1R10  0x8b8R11  0x7ffff7a914f0 (free) ◂— push   r13R12  0x400590 (_start) ◂— xor    ebp, ebpR13  0x7fffffffe6a0 ◂— 0x1R14  0x0R15  0x0RBP  0x7fffffffe5c0 —▸ 0x400a40 (__libc_csu_init) ◂— push   r15RSP  0x7fffffffe580 —▸ 0x7fffffffe6a8 —▸ 0x7fffffffe8d1 ◂— '/ctf/work/how2heap/overlapping_chunks'RIP  0x400771 (main+235) ◂— mov    rax, qword ptr [rip + 0x2018e8]
────────────────────────────────────────────────────────────────────────────────────────────────────[ DISASM ]─────────────────────────────────────────────────────────────────────────────────────────────────────► 0x400771 <main+235>    mov    rax, qword ptr [rip + 0x2018e8] <0x602060>0x400778 <main+242>    mov    rcx, rax0x40077b <main+245>    mov    edx, 0x1e0x400780 <main+250>    mov    esi, 10x400785 <main+255>    mov    edi, 0x400b800x40078a <main+260>    call   fwrite@plt <0x400570>0x40078f <main+265>    mov    rax, qword ptr [rip + 0x2018ca] <0x602060>0x400796 <main+272>    mov    rcx, rax0x400799 <main+275>    mov    edx, 0x370x40079e <main+280>    mov    esi, 10x4007a3 <main+285>    mov    edi, 0x400ba0
─────────────────────────────────────────────────────────────────────────────────────────────────[ SOURCE (CODE) ]─────────────────────────────────────────────────────────────────────────────────────────────────
In file: /ctf/work/how2heap/overlapping_chunks.c17              memset(p2, '2', 0x100 - 8);18              memset(p3, '3', 0x80 - 8);19          20              fprintf(stderr, "free 掉 p2\n");21              free(p2);► 22              fprintf(stderr, "p2 被放到 unsorted bin 中\n");23          24              fprintf(stderr, "现在假设有一个堆溢出漏洞,可以覆盖 p2\n");25              fprintf(stderr, "为了保证堆块稳定性,我们至少需要让 prev_inuse 为 1,确保 p1 不会被认为是空闲的堆块\n");26          27              int evil_chunk_size = 0x181;
─────────────────────────────────────────────────────────────────────────────────────────────────────[ STACK ]─────────────────────────────────────────────────────────────────────────────────────────────────────
00:0000│ rsp  0x7fffffffe580 —▸ 0x7fffffffe6a8 —▸ 0x7fffffffe8d1 ◂— '/ctf/work/how2heap/overlapping_chunks'
01:0008│      0x7fffffffe588 ◂— 0x100400a8d
02:0010│      0x7fffffffe590 ◂— 0x0
... ↓
04:0020│      0x7fffffffe5a0 —▸ 0x603010 ◂— 0x3131313131313131 ('11111111')
05:0028│      0x7fffffffe5a8 —▸ 0x603110 —▸ 0x7ffff7dd1b78 (main_arena+88) —▸ 0x603280 ◂— 0x3333333333333333 ('33333333')
06:0030│      0x7fffffffe5b0 —▸ 0x603210 ◂— 0x3333333333333333 ('33333333')
07:0038│      0x7fffffffe5b8 ◂— 0x0
───────────────────────────────────────────────────────────────────────────────────────────────────[ BACKTRACE ]───────────────────────────────────────────────────────────────────────────────────────────────────► f 0           400771 main+235f 1     7ffff7a2d830 __libc_start_main+240
Breakpoint /ctf/work/how2heap/overlapping_chunks.c:22
pwndbg> biin
Undefined command: "biin".  Try "help".
pwndbg> bins
fastbins
0x20: 0x0
0x30: 0x0
0x40: 0x0
0x50: 0x0
0x60: 0x0
0x70: 0x0
0x80: 0x0
unsortedbin
all: 0x603100 —▸ 0x7ffff7dd1b78 (main_arena+88) ◂— 0x603100
smallbins
empty
largebins
empty
pwndbg>

pwndbg> bins
fastbins
0x20: 0x0
0x30: 0x0
0x40: 0x0
0x50: 0x0
0x60: 0x0
0x70: 0x0
0x80: 0x0
unsortedbin
all: 0x603100 —▸ 0x7ffff7dd1b78 (main_arena+88) ◂— 0x603100
smallbins
empty
largebins
empty
 

3.3.3 设置断点第39行并走起

​ 然后把p2的size改成0x180,这时候就把p3给包含进去了。

pwndbg> c
Continuing.
我们将 p2 的大小设置为 385, 这样的话我们就能用 376 大小的空间Breakpoint 5, main (argc=1, argv=0x7fffffffe6a8) at overlapping_chunks.c:31
31                   *(p2-1) = evil_chunk_size; // 覆盖 p2 的 size
LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
───────────────────────────────────────────────────────────────────────────────────────────────────[ REGISTERS ]───────────────────────────────────────────────────────────────────────────────────────────────────RAX  0x55RBX  0x0RCX  0x7ffff7b042c0 (__write_nocancel+7) ◂— cmp    rax, -0xfffRDX  0x7ffff7dd3770 (_IO_stdfile_2_lock) ◂— 0x0RDI  0x2RSI  0x7fffffffbef0 ◂— 0xb0e5acbbe49188e6R8   0x7ffff7feb700 ◂— 0x7ffff7feb700R9   0x55R10  0x0R11  0x246R12  0x400590 (_start) ◂— xor    ebp, ebpR13  0x7fffffffe6a0 ◂— 0x1R14  0x0R15  0x0RBP  0x7fffffffe5c0 —▸ 0x400a40 (__libc_csu_init) ◂— push   r15RSP  0x7fffffffe580 —▸ 0x7fffffffe6a8 —▸ 0x7fffffffe8d1 ◂— '/ctf/work/how2heap/overlapping_chunks'RIP  0x4007f8 (main+370) ◂— mov    rax, qword ptr [rbp - 0x18]
────────────────────────────────────────────────────────────────────────────────────────────────────[ DISASM ]─────────────────────────────────────────────────────────────────────────────────────────────────────0x4007e3 <main+349>    mov    edx, dword ptr [rbp - 0x28]0x4007e6 <main+352>    mov    esi, 0x400c500x4007eb <main+357>    mov    rdi, rax0x4007ee <main+360>    mov    eax, 00x4007f3 <main+365>    call   fprintf@plt <0x400550>► 0x4007f8 <main+370>    mov    rax, qword ptr [rbp - 0x18]0x4007fc <main+374>    lea    rdx, [rax - 8]0x400800 <main+378>    mov    eax, dword ptr [rbp - 0x28]0x400803 <main+381>    cdqe   0x400805 <main+383>    mov    qword ptr [rdx], rax0x400808 <main+386>    mov    rax, qword ptr [rip + 0x201851] <0x602060>
─────────────────────────────────────────────────────────────────────────────────────────────────[ SOURCE (CODE) ]─────────────────────────────────────────────────────────────────────────────────────────────────
In file: /ctf/work/how2heap/overlapping_chunks.c26          27              int evil_chunk_size = 0x181;28              int evil_region_size = 0x180 - 8;29              fprintf(stderr, "我们将 p2 的大小设置为 %d, 这样的话我们就能用 %d 大小的空间\n",evil_chunk_size, evil_region_size);30          ► 31              *(p2-1) = evil_chunk_size; // 覆盖 p2 的 size32          33              fprintf(stderr, "\n现在让我们分配另一个块,其大小等于块p2注入大小的数据大小\n");34              fprintf(stderr, "malloc 将会把前面 free 的 p2 分配给我们(p2 的 size 已经被改掉了)\n");35              p4 = malloc(evil_region_size);36          
─────────────────────────────────────────────────────────────────────────────────────────────────────[ STACK ]─────────────────────────────────────────────────────────────────────────────────────────────────────
00:0000│ rsp  0x7fffffffe580 —▸ 0x7fffffffe6a8 —▸ 0x7fffffffe8d1 ◂— '/ctf/work/how2heap/overlapping_chunks'
01:0008│      0x7fffffffe588 ◂— 0x100400a8d
02:0010│      0x7fffffffe590 ◂— 0x0
03:0018│      0x7fffffffe598 ◂— 0x17800000181
04:0020│      0x7fffffffe5a0 —▸ 0x603010 ◂— 0x3131313131313131 ('11111111')
05:0028│      0x7fffffffe5a8 —▸ 0x603110 —▸ 0x7ffff7dd1b78 (main_arena+88) —▸ 0x603280 ◂— 0x3333333333333333 ('33333333')
06:0030│      0x7fffffffe5b0 —▸ 0x603210 ◂— 0x3333333333333333 ('33333333')
07:0038│      0x7fffffffe5b8 ◂— 0x0
───────────────────────────────────────────────────────────────────────────────────────────────────[ BACKTRACE ]───────────────────────────────────────────────────────────────────────────────────────────────────► f 0           4007f8 main+370f 1     7ffff7a2d830 __libc_start_main+240
Breakpoint /ctf/work/how2heap/overlapping_chunks.c:30
pwndbg> n
33                   fprintf(stderr, "\n现在让我们分配另一个块,其大小等于块p2注入大小的数据大小\n");
LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
───────────────────────────────────────────────────────────────────────────────────────────────────[ REGISTERS ]───────────────────────────────────────────────────────────────────────────────────────────────────RAX  0x181RBX  0x0RCX  0x7ffff7b042c0 (__write_nocancel+7) ◂— cmp    rax, -0xfffRDX  0x603108 ◂— 0x181RDI  0x2RSI  0x7fffffffbef0 ◂— 0xb0e5acbbe49188e6R8   0x7ffff7feb700 ◂— 0x7ffff7feb700R9   0x55R10  0x0R11  0x246R12  0x400590 (_start) ◂— xor    ebp, ebpR13  0x7fffffffe6a0 ◂— 0x1R14  0x0R15  0x0RBP  0x7fffffffe5c0 —▸ 0x400a40 (__libc_csu_init) ◂— push   r15RSP  0x7fffffffe580 —▸ 0x7fffffffe6a8 —▸ 0x7fffffffe8d1 ◂— '/ctf/work/how2heap/overlapping_chunks'RIP  0x400808 (main+386) ◂— mov    rax, qword ptr [rip + 0x201851]
────────────────────────────────────────────────────────────────────────────────────────────────────[ DISASM ]─────────────────────────────────────────────────────────────────────────────────────────────────────0x4007f8 <main+370>    mov    rax, qword ptr [rbp - 0x18]0x4007fc <main+374>    lea    rdx, [rax - 8]0x400800 <main+378>    mov    eax, dword ptr [rbp - 0x28]0x400803 <main+381>    cdqe   0x400805 <main+383>    mov    qword ptr [rdx], rax► 0x400808 <main+386>    mov    rax, qword ptr [rip + 0x201851] <0x602060>0x40080f <main+393>    mov    rcx, rax0x400812 <main+396>    mov    edx, 0x550x400817 <main+401>    mov    esi, 10x40081c <main+406>    mov    edi, 0x400ca80x400821 <main+411>    call   fwrite@plt <0x400570>
─────────────────────────────────────────────────────────────────────────────────────────────────[ SOURCE (CODE) ]─────────────────────────────────────────────────────────────────────────────────────────────────
In file: /ctf/work/how2heap/overlapping_chunks.c28              int evil_region_size = 0x180 - 8;29              fprintf(stderr, "我们将 p2 的大小设置为 %d, 这样的话我们就能用 %d 大小的空间\n",evil_chunk_size, evil_region_size);30          31              *(p2-1) = evil_chunk_size; // 覆盖 p2 的 size32          ► 33              fprintf(stderr, "\n现在让我们分配另一个块,其大小等于块p2注入大小的数据大小\n");34              fprintf(stderr, "malloc 将会把前面 free 的 p2 分配给我们(p2 的 size 已经被改掉了)\n");35              p4 = malloc(evil_region_size);36          37              fprintf(stderr, "\np4 分配在 %p 到 %p 这一区域\n", (char *)p4, (char *)p4+evil_region_size);38              fprintf(stderr, "p3 从 %p 到 %p\n", (char *)p3, (char *)p3+0x80-8);
─────────────────────────────────────────────────────────────────────────────────────────────────────[ STACK ]─────────────────────────────────────────────────────────────────────────────────────────────────────
00:0000│ rsp  0x7fffffffe580 —▸ 0x7fffffffe6a8 —▸ 0x7fffffffe8d1 ◂— '/ctf/work/how2heap/overlapping_chunks'
01:0008│      0x7fffffffe588 ◂— 0x100400a8d
02:0010│      0x7fffffffe590 ◂— 0x0
03:0018│      0x7fffffffe598 ◂— 0x17800000181
04:0020│      0x7fffffffe5a0 —▸ 0x603010 ◂— 0x3131313131313131 ('11111111')
05:0028│      0x7fffffffe5a8 —▸ 0x603110 —▸ 0x7ffff7dd1b78 (main_arena+88) —▸ 0x603280 ◂— 0x3333333333333333 ('33333333')
06:0030│      0x7fffffffe5b0 —▸ 0x603210 ◂— 0x3333333333333333 ('33333333')
07:0038│      0x7fffffffe5b8 ◂— 0x0
───────────────────────────────────────────────────────────────────────────────────────────────────[ BACKTRACE ]───────────────────────────────────────────────────────────────────────────────────────────────────► f 0           400808 main+386f 1     7ffff7a2d830 __libc_start_main+240
pwndbg> p p3
$1 = (intptr_t *) 0x603210
pwndbg> x/10gx 0x603210
0x603210:       0x3333333333333333      0x3333333333333333
0x603220:       0x3333333333333333      0x3333333333333333
0x603230:       0x3333333333333333      0x3333333333333333
0x603240:       0x3333333333333333      0x3333333333333333
0x603250:       0x3333333333333333      0x3333333333333333
pwndbg> p p2
$2 = (intptr_t *) 0x603110
pwndbg> bins
fastbins
0x20: 0x0
0x30: 0x0
0x40: 0x0
0x50: 0x0
0x60: 0x0
0x70: 0x0
0x80: 0x0
unsortedbin
all: 0x603100 —▸ 0x7ffff7dd1b78 (main_arena+88) ◂— 0x603100
smallbins
empty
largebins
empty
pwndbg> x/10gx  0x7ffff7dd1b78
0x7ffff7dd1b78 <main_arena+88>: 0x0000000000603280      0x0000000000000000
0x7ffff7dd1b88 <main_arena+104>:        0x0000000000603100      0x0000000000603100
0x7ffff7dd1b98 <main_arena+120>:        0x00007ffff7dd1b88      0x00007ffff7dd1b88
0x7ffff7dd1ba8 <main_arena+136>:        0x00007ffff7dd1b98      0x00007ffff7dd1b98
0x7ffff7dd1bb8 <main_arena+152>:        0x00007ffff7dd1ba8      0x00007ffff7dd1ba8
pwndbg> parseheap
addr                prev                size                 status              fd                bk                
0x603000            0x0                 0x100                Used                None              None
0x603100            0x3131313131313131  0x180                Used                None              None
pwndbg> x/10gx 0x603110
0x603110:       0x00007ffff7dd1b78      0x00007ffff7dd1b78
0x603120:       0x3232323232323232      0x3232323232323232
0x603130:       0x3232323232323232      0x3232323232323232

pwndbg> p p3
$1 = (intptr_t *) 0x603210

pwndbg> p p2
$2 = (intptr_t *) 0x603110


pwndbg> bins
fastbins
0x20: 0x0
0x30: 0x0
0x40: 0x0
0x50: 0x0
0x60: 0x0
0x70: 0x0
0x80: 0x0
unsortedbin
all: 0x603100 —▸ 0x7ffff7dd1b78 (main_arena+88) ◂— 0x603100
smallbins
empty
largebins
empty

pwndbg> parseheap
addr                prev                size                 status              fd                bk                
0x603000            0x0                 0x100                Used                None              None
0x603100            0x3131313131313131  0x180                Used                None              None

p2->fd 

pwndbg> x/10gx 0x603110
0x603110:       0x00007ffff7dd1b78      0x00007ffff7dd1b78

p2->bk 

pwndbg> x/10gx 0x603110
0x603110:       0x00007ffff7dd1b78      0x00007ffff7dd1b78

pwndbg> x/10gx 0x603110
0x603110:       0x00007ffff7dd1b78      0x00007ffff7dd1b78
0x603120:       0x3232323232323232      0x3232323232323232
0x603130:       0x3232323232323232      0x3232323232323232
0x603140:       0x3232323232323232      0x3232323232323232
0x603150:       0x3232323232323232      0x3232323232323232
 

3.3.4 设置断点第52行并走起

​ 然后再去申请一块大小为0x180的堆块p4,就能够编辑p4,就可以修改p3的内容,编辑p3也可以修改p4的内容。

pwndbg> b 51
Breakpoint 10 at 0x4009b6: file overlapping_chunks.c, line 51.
pwndbg> c
Continuing.
p3 = 44444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444�Breakpoint 10, main (argc=1, argv=0x7fffffffe6a8) at overlapping_chunks.c:52
52                   fprintf(stderr, "\n那么之后再 memset(p3, '3', 80), 将会:\n");
LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
───────────────────────────────────────────────────────────────────────────────────────────────────[ REGISTERS ]───────────────────────────────────────────────────────────────────────────────────────────────────RAX  0x71RBX  0x0RCX  0x7ffff7b042c0 (__write_nocancel+7) ◂— cmp    rax, -0xfffRDX  0x7ffff7dd3770 (_IO_stdfile_2_lock) ◂— 0x0RDI  0x2RSI  0x7fffffffbef0 ◂— 0x343434203d203370 ('p3 = 444')R8   0x7ffff7feb700 ◂— 0x7ffff7feb700R9   0x71R10  0x6bR11  0x246R12  0x400590 (_start) ◂— xor    ebp, ebpR13  0x7fffffffe6a0 ◂— 0x1R14  0x0R15  0x0RBP  0x7fffffffe5c0 —▸ 0x400a40 (__libc_csu_init) ◂— push   r15RSP  0x7fffffffe580 —▸ 0x7fffffffe6a8 —▸ 0x7fffffffe8d1 ◂— '/ctf/work/how2heap/overlapping_chunks'RIP  0x4009b6 (main+816) ◂— mov    rax, qword ptr [rip + 0x2016a3]
────────────────────────────────────────────────────────────────────────────────────────────────────[ DISASM ]─────────────────────────────────────────────────────────────────────────────────────────────────────► 0x4009b6 <main+816>    mov    rax, qword ptr [rip + 0x2016a3] <0x602060>0x4009bd <main+823>    mov    rcx, rax0x4009c0 <main+826>    mov    edx, 0x2e0x4009c5 <main+831>    mov    esi, 10x4009ca <main+836>    mov    edi, 0x400eb00x4009cf <main+841>    call   fwrite@plt <0x400570>0x4009d4 <main+846>    mov    rax, qword ptr [rbp - 0x10]0x4009d8 <main+850>    mov    edx, 0x500x4009dd <main+855>    mov    esi, 0x330x4009e2 <main+860>    mov    rdi, rax0x4009e5 <main+863>    call   memset@plt <0x400530>
─────────────────────────────────────────────────────────────────────────────────────────────────[ SOURCE (CODE) ]─────────────────────────────────────────────────────────────────────────────────────────────────
In file: /ctf/work/how2heap/overlapping_chunks.c47              fprintf(stderr, "\n如果我们使用 memset(p4, '4', %d), 将会:\n", evil_region_size);48              memset(p4, '4', evil_region_size);49              fprintf(stderr, "p4 = %s\n", (char *)p4+0x10);50              fprintf(stderr, "p3 = %s\n", (char *)p3+0x10);51          ► 52              fprintf(stderr, "\n那么之后再 memset(p3, '3', 80), 将会:\n");53              memset(p3, '3', 80);54              fprintf(stderr, "p4 = %s\n", (char *)p4+0x10);55              fprintf(stderr, "p3 = %s\n", (char *)p3+0x10);56          } 
─────────────────────────────────────────────────────────────────────────────────────────────────────[ STACK ]─────────────────────────────────────────────────────────────────────────────────────────────────────
00:0000│ rsp  0x7fffffffe580 —▸ 0x7fffffffe6a8 —▸ 0x7fffffffe8d1 ◂— '/ctf/work/how2heap/overlapping_chunks'
01:0008│      0x7fffffffe588 ◂— 0x100400a8d
02:0010│      0x7fffffffe590 ◂— 0x0
03:0018│      0x7fffffffe598 ◂— 0x17800000181
04:0020│      0x7fffffffe5a0 —▸ 0x603010 ◂— 0x3131313131313131 ('11111111')
05:0028│      0x7fffffffe5a8 —▸ 0x603110 ◂— 0x3434343434343434 ('44444444')
06:0030│      0x7fffffffe5b0 —▸ 0x603210 ◂— 0x3434343434343434 ('44444444')
07:0038│      0x7fffffffe5b8 —▸ 0x603110 ◂— 0x3434343434343434 ('44444444')
───────────────────────────────────────────────────────────────────────────────────────────────────[ BACKTRACE ]───────────────────────────────────────────────────────────────────────────────────────────────────► f 0           4009b6 main+816f 1     7ffff7a2d830 __libc_start_main+240
Breakpoint /ctf/work/how2heap/overlapping_chunks.c:51
pwndbg> parseheap
addr                prev                size                 status              fd                bk                
0x603000            0x0                 0x100                Used                None              None
0x603100            0x3131313131313131  0x180                Used                None              None
pwndbg> p p3
$3 = (intptr_t *) 0x603210pwndbg> x/20gx 0x603210
0x603210:       0x3434343434343434      0x3434343434343434
0x603220:       0x3434343434343434      0x3434343434343434
0x603230:       0x3434343434343434      0x3434343434343434
0x603240:       0x3434343434343434      0x3434343434343434
0x603250:       0x3434343434343434      0x3434343434343434
0x603260:       0x3434343434343434      0x3434343434343434
0x603270:       0x3434343434343434      0x3434343434343434
0x603280:       0x3434343434343434      0x0000000000020d81
0x603290:       0x0000000000000000      0x0000000000000000
0x6032a0:       0x0000000000000000      0x0000000000000000
pwndbg> p p4
$4 = (intptr_t *) 0x603110pwndbg> x/80gx 0x603110
0x603110:       0x3434343434343434      0x3434343434343434
0x603120:       0x3434343434343434      0x3434343434343434
0x603130:       0x3434343434343434      0x3434343434343434
0x603140:       0x3434343434343434      0x3434343434343434
0x603150:       0x3434343434343434      0x3434343434343434
0x603160:       0x3434343434343434      0x3434343434343434
0x603170:       0x3434343434343434      0x3434343434343434
0x603180:       0x3434343434343434      0x3434343434343434
0x603190:       0x3434343434343434      0x3434343434343434
0x6031a0:       0x3434343434343434      0x3434343434343434
0x6031b0:       0x3434343434343434      0x3434343434343434
0x6031c0:       0x3434343434343434      0x3434343434343434
0x6031d0:       0x3434343434343434      0x3434343434343434
0x6031e0:       0x3434343434343434      0x3434343434343434
0x6031f0:       0x3434343434343434      0x3434343434343434
0x603200:       0x3434343434343434      0x3434343434343434
0x603210:       0x3434343434343434      0x3434343434343434
0x603220:       0x3434343434343434      0x3434343434343434
0x603230:       0x3434343434343434      0x3434343434343434
0x603240:       0x3434343434343434      0x3434343434343434
0x603250:       0x3434343434343434      0x3434343434343434
0x603260:       0x3434343434343434      0x3434343434343434
0x603270:       0x3434343434343434      0x3434343434343434
0x603280:       0x3434343434343434      0x0000000000020d81
0x603290:       0x0000000000000000      0x0000000000000000
0x6032a0:       0x0000000000000000      0x0000000000000000
0x6032b0:       0x0000000000000000      0x0000000000000000
0x6032c0:       0x0000000000000000      0x0000000000000000
0x6032d0:       0x0000000000000000      0x0000000000000000
0x6032e0:       0x0000000000000000      0x0000000000000000
0x6032f0:       0x0000000000000000      0x0000000000000000
0x603300:       0x0000000000000000      0x0000000000000000
0x603310:       0x0000000000000000      0x0000000000000000
0x603320:       0x0000000000000000      0x0000000000000000
0x603330:       0x0000000000000000      0x0000000000000000
0x603340:       0x0000000000000000      0x0000000000000000
0x603350:       0x0000000000000000      0x0000000000000000
0x603360:       0x0000000000000000      0x0000000000000000
0x603370:       0x0000000000000000      0x0000000000000000
0x603380:       0x0000000000000000      0x0000000000000000
pwndbg>

接下来验证一下,现在 p3 与 p4:
p4 = 22222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222
p3 = 33333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333�

如果我们使用 memset(p4, '4', 376), 将会:
p4 = 444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444�
p3 = 44444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444�

 

3.3.5 设置断点第54行并走起 

pwndbg> b 54
Breakpoint 12 at 0x4009ea: file overlapping_chunks.c, line 54.
pwndbg> c
Continuing.那么之后再 memset(p3, '3', 80), 将会:Breakpoint 12, main (argc=1, argv=0x7fffffffe6a8) at overlapping_chunks.c:54
54                   fprintf(stderr, "p4 = %s\n", (char *)p4+0x10);
LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
───────────────────────────────────────────────────────────────────────────────────────────────────[ REGISTERS ]───────────────────────────────────────────────────────────────────────────────────────────────────RAX  0x603210 ◂— 0x3333333333333333 ('33333333')RBX  0x0RCX  0x7ffff7b042c0 (__write_nocancel+7) ◂— cmp    rax, -0xfffRDX  0x50RDI  0x603210 ◂— 0x3333333333333333 ('33333333')RSI  0x603260 ◂— 0x3434343434343434 ('44444444')R8   0x2eR9   0x7ffff7dd2540 (_IO_2_1_stderr_) ◂— 0xfbad2887R10  0x1R11  0x246R12  0x400590 (_start) ◂— xor    ebp, ebpR13  0x7fffffffe6a0 ◂— 0x1R14  0x0R15  0x0RBP  0x7fffffffe5c0 —▸ 0x400a40 (__libc_csu_init) ◂— push   r15RSP  0x7fffffffe580 —▸ 0x7fffffffe6a8 —▸ 0x7fffffffe8d1 ◂— '/ctf/work/how2heap/overlapping_chunks'RIP  0x4009ea (main+868) ◂— mov    rax, qword ptr [rbp - 8]
────────────────────────────────────────────────────────────────────────────────────────────────────[ DISASM ]─────────────────────────────────────────────────────────────────────────────────────────────────────0x4009d4 <main+846>    mov    rax, qword ptr [rbp - 0x10]0x4009d8 <main+850>    mov    edx, 0x500x4009dd <main+855>    mov    esi, 0x330x4009e2 <main+860>    mov    rdi, rax0x4009e5 <main+863>    call   memset@plt <0x400530>► 0x4009ea <main+868>    mov    rax, qword ptr [rbp - 8]0x4009ee <main+872>    lea    rdx, [rax + 0x10]0x4009f2 <main+876>    mov    rax, qword ptr [rip + 0x201667] <0x602060>0x4009f9 <main+883>    mov    esi, 0x400e630x4009fe <main+888>    mov    rdi, rax0x400a01 <main+891>    mov    eax, 0
─────────────────────────────────────────────────────────────────────────────────────────────────[ SOURCE (CODE) ]─────────────────────────────────────────────────────────────────────────────────────────────────
In file: /ctf/work/how2heap/overlapping_chunks.c49              fprintf(stderr, "p4 = %s\n", (char *)p4+0x10);50              fprintf(stderr, "p3 = %s\n", (char *)p3+0x10);51          52              fprintf(stderr, "\n那么之后再 memset(p3, '3', 80), 将会:\n");53              memset(p3, '3', 80);► 54              fprintf(stderr, "p4 = %s\n", (char *)p4+0x10);55              fprintf(stderr, "p3 = %s\n", (char *)p3+0x10);56          } 
─────────────────────────────────────────────────────────────────────────────────────────────────────[ STACK ]─────────────────────────────────────────────────────────────────────────────────────────────────────
00:0000│ rsp  0x7fffffffe580 —▸ 0x7fffffffe6a8 —▸ 0x7fffffffe8d1 ◂— '/ctf/work/how2heap/overlapping_chunks'
01:0008│      0x7fffffffe588 ◂— 0x100400a8d
02:0010│      0x7fffffffe590 ◂— 0x0
03:0018│      0x7fffffffe598 ◂— 0x17800000181
04:0020│      0x7fffffffe5a0 —▸ 0x603010 ◂— 0x3131313131313131 ('11111111')
05:0028│      0x7fffffffe5a8 —▸ 0x603110 ◂— 0x3434343434343434 ('44444444')
06:0030│      0x7fffffffe5b0 —▸ 0x603210 ◂— 0x3333333333333333 ('33333333')
07:0038│      0x7fffffffe5b8 —▸ 0x603110 ◂— 0x3434343434343434 ('44444444')
───────────────────────────────────────────────────────────────────────────────────────────────────[ BACKTRACE ]───────────────────────────────────────────────────────────────────────────────────────────────────► f 0           4009ea main+868f 1     7ffff7a2d830 __libc_start_main+240
Breakpoint /ctf/work/how2heap/overlapping_chunks.c:54
pwndbg> p p3
$5 = (intptr_t *) 0x603210
pwndbg> x/80gx 0x603210
0x603210:       0x3333333333333333      0x3333333333333333
0x603220:       0x3333333333333333      0x3333333333333333
0x603230:       0x3333333333333333      0x3333333333333333
0x603240:       0x3333333333333333      0x3333333333333333
0x603250:       0x3333333333333333      0x3333333333333333
0x603260:       0x3434343434343434      0x3434343434343434
0x603270:       0x3434343434343434      0x3434343434343434
0x603280:       0x3434343434343434      0x0000000000020d81
0x603290:       0x0000000000000000      0x0000000000000000
0x6032a0:       0x0000000000000000      0x0000000000000000
0x6032b0:       0x0000000000000000      0x0000000000000000
0x6032c0:       0x0000000000000000      0x0000000000000000
0x6032d0:       0x0000000000000000      0x0000000000000000
0x6032e0:       0x0000000000000000      0x0000000000000000
0x6032f0:       0x0000000000000000      0x0000000000000000
0x603300:       0x0000000000000000      0x0000000000000000
0x603310:       0x0000000000000000      0x0000000000000000
0x603320:       0x0000000000000000      0x0000000000000000
0x603330:       0x0000000000000000      0x0000000000000000
0x603340:       0x0000000000000000      0x0000000000000000
0x603350:       0x0000000000000000      0x0000000000000000
0x603360:       0x0000000000000000      0x0000000000000000
0x603370:       0x0000000000000000      0x0000000000000000
0x603380:       0x0000000000000000      0x0000000000000000
0x603390:       0x0000000000000000      0x0000000000000000
0x6033a0:       0x0000000000000000      0x0000000000000000
0x6033b0:       0x0000000000000000      0x0000000000000000
0x6033c0:       0x0000000000000000      0x0000000000000000
0x6033d0:       0x0000000000000000      0x0000000000000000
0x6033e0:       0x0000000000000000      0x0000000000000000
0x6033f0:       0x0000000000000000      0x0000000000000000
0x603400:       0x0000000000000000      0x0000000000000000
0x603410:       0x0000000000000000      0x0000000000000000
0x603420:       0x0000000000000000      0x0000000000000000
0x603430:       0x0000000000000000      0x0000000000000000
0x603440:       0x0000000000000000      0x0000000000000000
0x603450:       0x0000000000000000      0x0000000000000000
0x603460:       0x0000000000000000      0x0000000000000000
0x603470:       0x0000000000000000      0x0000000000000000
0x603480:       0x0000000000000000      0x0000000000000000
pwndbg> p p4
$6 = (intptr_t *) 0x603110
pwndbg> x/80gx 0x603110
0x603110:       0x3434343434343434      0x3434343434343434
0x603120:       0x3434343434343434      0x3434343434343434
0x603130:       0x3434343434343434      0x3434343434343434
0x603140:       0x3434343434343434      0x3434343434343434
0x603150:       0x3434343434343434      0x3434343434343434
0x603160:       0x3434343434343434      0x3434343434343434
0x603170:       0x3434343434343434      0x3434343434343434
0x603180:       0x3434343434343434      0x3434343434343434
0x603190:       0x3434343434343434      0x3434343434343434
0x6031a0:       0x3434343434343434      0x3434343434343434
0x6031b0:       0x3434343434343434      0x3434343434343434
0x6031c0:       0x3434343434343434      0x3434343434343434
0x6031d0:       0x3434343434343434      0x3434343434343434
0x6031e0:       0x3434343434343434      0x3434343434343434
0x6031f0:       0x3434343434343434      0x3434343434343434
0x603200:       0x3434343434343434      0x3434343434343434
0x603210:       0x3333333333333333      0x3333333333333333
0x603220:       0x3333333333333333      0x3333333333333333
0x603230:       0x3333333333333333      0x3333333333333333
0x603240:       0x3333333333333333      0x3333333333333333
0x603250:       0x3333333333333333      0x3333333333333333
0x603260:       0x3434343434343434      0x3434343434343434
0x603270:       0x3434343434343434      0x3434343434343434
0x603280:       0x3434343434343434      0x0000000000020d81
0x603290:       0x0000000000000000      0x0000000000000000
0x6032a0:       0x0000000000000000      0x0000000000000000
0x6032b0:       0x0000000000000000      0x0000000000000000
0x6032c0:       0x0000000000000000      0x0000000000000000
0x6032d0:       0x0000000000000000      0x0000000000000000
0x6032e0:       0x0000000000000000      0x0000000000000000
0x6032f0:       0x0000000000000000      0x0000000000000000
0x603300:       0x0000000000000000      0x0000000000000000
0x603310:       0x0000000000000000      0x0000000000000000
0x603320:       0x0000000000000000      0x0000000000000000
0x603330:       0x0000000000000000      0x0000000000000000
0x603340:       0x0000000000000000      0x0000000000000000
0x603350:       0x0000000000000000      0x0000000000000000
0x603360:       0x0000000000000000      0x0000000000000000
0x603370:       0x0000000000000000      0x0000000000000000
0x603380:       0x0000000000000000      0x0000000000000000
pwndbg>

 

那么之后再 memset(p3, '3', 80), 将会:
p4 = 444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444333333333333333333333333333333333333333333333333333333333333333333333333333333334444444444444444444444444444444444444444�
p3 = 33333333333333333333333333333333333333333333333333333333333333334444444444444444444444444444444444444444�

  4.参考资料

【PWN】how2heap | 狼组安全团队公开知识库

这篇关于从零开始学howtoheap:理解fastbins的堆块重叠的问题1的文章就介绍到这儿,希望我们推荐的文章对编程师们有所帮助!


http://www.chinasem.cn/article/703736

相关文章

springboot循环依赖问题案例代码及解决办法

springboot循环依赖问题案例代码及解决办法

《springboot循环依赖问题案例代码及解决办法》在SpringBoot中,如果两个或多个Bean之间存在循环依赖(即BeanA依赖BeanB,而BeanB又依赖BeanA),会导致Spring的... 目录1. 什么是循环依赖?2. 循环依赖的场景案例3. 解决循环依赖的常见方法方法 1:使用 @La
阅读更多...
SpringBoot启动报错的11个高频问题排查与解决终极指南

SpringBoot启动报错的11个高频问题排查与解决终极指南

《SpringBoot启动报错的11个高频问题排查与解决终极指南》这篇文章主要为大家详细介绍了SpringBoot启动报错的11个高频问题的排查与解决,文中的示例代码讲解详细,感兴趣的小伙伴可以了解一... 目录1. 依赖冲突:NoSuchMethodError 的终极解法2. Bean注入失败:No qu
阅读更多...
MySQL新增字段后Java实体未更新的潜在问题与解决方案

MySQL新增字段后Java实体未更新的潜在问题与解决方案

《MySQL新增字段后Java实体未更新的潜在问题与解决方案》在Java+MySQL的开发中,我们通常使用ORM框架来映射数据库表与Java对象,但有时候,数据库表结构变更(如新增字段)后,开发人员可... 目录引言1. 问题背景:数据库与 Java 实体不同步1.1 常见场景1.2 示例代码2. 不同操作
阅读更多...
如何解决mysql出现Incorrect string value for column ‘表项‘ at row 1错误问题

如何解决mysql出现Incorrect string value for column ‘表项‘ at row 1错误问题

《如何解决mysql出现Incorrectstringvalueforcolumn‘表项‘atrow1错误问题》:本文主要介绍如何解决mysql出现Incorrectstringv... 目录mysql出现Incorrect string value for column ‘表项‘ at row 1错误报错
阅读更多...
如何解决Spring MVC中响应乱码问题

如何解决Spring MVC中响应乱码问题

《如何解决SpringMVC中响应乱码问题》:本文主要介绍如何解决SpringMVC中响应乱码问题,具有很好的参考价值,希望对大家有所帮助,如有错误或未考虑完全的地方,望不吝赐教... 目录Spring MVC最新响应中乱码解决方式以前的解决办法这是比较通用的一种方法总结Spring MVC最新响应中乱码解
阅读更多...
pip无法安装osgeo失败的问题解决

pip无法安装osgeo失败的问题解决

《pip无法安装osgeo失败的问题解决》本文主要介绍了pip无法安装osgeo失败的问题解决,文中通过示例代码介绍的非常详细,对大家的学习或者工作具有一定的参考学习价值,需要的朋友们下面随着小编来一... 进入官方提供的扩展包下载网站寻找版本适配的whl文件注意:要选择cp(python版本)和你py
阅读更多...
解决Java中基于GeoTools的Shapefile读取乱码的问题

解决Java中基于GeoTools的Shapefile读取乱码的问题

《解决Java中基于GeoTools的Shapefile读取乱码的问题》本文主要讨论了在使用Java编程语言进行地理信息数据解析时遇到的Shapefile属性信息乱码问题,以及根据不同的编码设置进行属... 目录前言1、Shapefile属性字段编码的情况:一、Shp文件常见的字符集编码1、System编码
阅读更多...
Spring MVC使用视图解析的问题解读

Spring MVC使用视图解析的问题解读

《SpringMVC使用视图解析的问题解读》:本文主要介绍SpringMVC使用视图解析的问题解读,具有很好的参考价值,希望对大家有所帮助,如有错误或未考虑完全的地方,望不吝赐教... 目录Spring MVC使用视图解析1. 会使用视图解析的情况2. 不会使用视图解析的情况总结Spring MVC使用视图
阅读更多...
Redis解决缓存击穿问题的两种方法

Redis解决缓存击穿问题的两种方法

《Redis解决缓存击穿问题的两种方法》缓存击穿问题也叫热点Key问题,就是⼀个被高并发访问并且缓存重建业务较复杂的key突然失效了,无数的请求访问会在瞬间给数据库带来巨大的冲击,本文给大家介绍了Re... 目录引言解决办法互斥锁(强一致,性能差)逻辑过期(高可用,性能优)设计逻辑过期时间引言缓存击穿:给
阅读更多...
Java程序运行时出现乱码问题的排查与解决方法

Java程序运行时出现乱码问题的排查与解决方法

《Java程序运行时出现乱码问题的排查与解决方法》本文主要介绍了Java程序运行时出现乱码问题的排查与解决方法,包括检查Java源文件编码、检查编译时的编码设置、检查运行时的编码设置、检查命令提示符的... 目录一、检查 Java 源文件编码二、检查编译时的编码设置三、检查运行时的编码设置四、检查命令提示符
阅读更多...

Copyright China编程 23002807@qq.com

沪ICP备2023033072号-2