[28315] 2020-05-24_The Art of Pwn, a Brief Discussion (2): Linux heap

Posted by: Administrator (4 days ago)
2020-05-24_The Art of Pwn, a Brief Discussion (2): Linux heap

[The Chinese prose of this post did not survive extraction; only the section numbers, identifiers, commands and links below are recoverable.]

Tags: pwn, linux, Ots, 2020-05-24, linux pwn, shellphish, how2heap

0.0.0 how2heap + patch
  how2heap: https://github.com/shellphish/how2heap
  Compile: gcc -g -fno-pie xx.c -o xx
  Patch the ELF to use a given ld.so: patchelf --set-interpreter <libc_ld> <elf_name>
  libc / ld.so collection: https://github.com/5N1p3R0010/libc-ld.so
  Patch the ELF to use a given libc: patchelf --set-rpath <libc_parent_folder>:/<libc_name> <elf_name>

0.1 Linux heap: ptmalloc, tcache ("I is so vegetable")
  Heap diagram: https://github.com/5N1p3R0010/my_pwn/blob/master/heap.png
  glibc malloc.c: https://code.woboq.org/userspace/glibc/malloc/malloc.c.html

0.2 Linux heap
0.2.1 Chunk layout
  0. mchunk_prev_size
  1. mchunk_size (2*size_t aligned, size_t); flag bits: NON_MAIN_ARENA, IS_MAPPED (mmap), PREV_INUSE
  2. fd, bk
  3. fd_nextsize, bk_nextsize (large chunk only)
  prev_inuse of cur_chunk; cur_chunk vs. top_chunk
0.2.2 ptmalloc bins: fastbin, smallbin, largebin, unsortedbin
  0 fastbin: max 64 (32-bit) / 128 (64-bit); fastbin index; LIFO; exact fit
  1 smallbin: 62 bins; index by 2*size_t; FIFO; exact fit; prev_inuse; unsortedbin, largebin
  2 largebin: 63 bins; fd_nextsize, bk_nextsize; best fit; minsize; last remainder
  3 unsortedbin: exact fit; largebin; last remainder; fastbin; top chunk; smallbin

1. HOW2HEAP
1.0 first_fit
  https://github.com/shellphish/how2heap/blob/master/first_fit.c
  glibc first fit; fastbin/smallbin exact fit; largebin best fit; Shellphish: malloc 0x512, 0x256 (mmap, top chunk, 0x500); a, c; use after free (UAF)
1.1 fastbin_dup
  https://github.com/shellphish/how2heap/blob/master/fastbin_dup.c
  fastbin double free; tcache; Shellphish: 3 chunks of 0x8, top chunk; free(b), free(a) (b=0x602020, a=0x602000, fastbin LIFO); free(a) again; fastbin a->b->a
1.2 fastbin_dup_into_stack
  https://github.com/shellphish/how2heap/blob/master/glibc_2.25/fastbin_dup_into_stack.c
  fastbin double free; tcache; 3 chunks of 0x8; free(a), free(b), free(a); fastbin a->b->a; LIFO; 0x20; a=0x405000, &stack_var=0x00007fffffffdfb0; a->fd = &stack_var; fastbin: a->stack_var; 0x18; 64-bit 2*size_sz = 0x10+8; prev_size
1.3 fastbin_dup_consolidate
  https://github.com/shellphish/how2heap/blob/master/glibc_2.25/fastbin_dup_consolidate.c
  fastbin attack; double free; largebin; fastbin; unsortedbin; free, fastbin; 0x400 large chunk; unsortedbin, smallbin; double free
1.4 unsafe_unlink
  https://github.com/shellphish/how2heap/blob/master/glibc_2.26/unsafe_unlink.c
  size; unsafe unlink; chunk0, fake chunk, chunk1; prev_size; chunk1 size, prev_inuse 0; free(chunk1); unlink; 0x80; fastbin; fake chunk in chunk0 (fd, bk, prev_size, size); cur_chunk size = next_chunk's prev_size; fake data; unlink check fd->bk == p && bk->fd == p; (fd->bk = fd + 3*size_t) = p, (bk->fd = bk + 2*size_t) = p; fd = p - 3*size_t, bk = p - 2*size_t; chunk0 0x405000, fake chunk 0x405010, chunk1 0x405090; struct malloc_chunk *p; fake_chunk[3] - 3*size_t = fake_chunk; fake_chunk[0]; &fake_chunk[0] ^.^
1.5 house_of_spirit
  https://github.com/shellphish/how2heap/blob/master/glibc_2.25/house_of_spirit.c
  fastbin; fake chunk; fastbin fake chunk
Nmaps Club | Powered by Discuz! X3.5