  • how2heap libc 2.31 notes

      Today is April 19th, and I want to work through the higher-version (2.31) examples in how2heap before May, so this series is still being updated. If an example is simple I will cover it in a few sentences; for the harder ones I will write in more detail.

    fastbin_dup

    Source code:

    #include <stdio.h>
    #include <stdlib.h>
    #include <assert.h>

    int main()
    {
        setbuf(stdout, NULL);

        printf("This file demonstrates a simple double-free attack with fastbins.\n");

        /* On glibc 2.26+ chunks of this size go to tcache first; fill its 7 slots
         * so that later frees land in the fastbin instead. */
        printf("Fill up tcache first.\n");
        void *ptrs[8];
        for (int i=0; i<8; i++) {
            ptrs[i] = malloc(8);
        }
        for (int i=0; i<7; i++) {
            free(ptrs[i]);
        }

        /* calloc does not take chunks from tcache, so these come from elsewhere. */
        printf("Allocating 3 buffers.\n");
        int *a = calloc(1, 8);
        int *b = calloc(1, 8);
        int *c = calloc(1, 8);

        printf("1st calloc(1, 8): %p\n", a);
        printf("2nd calloc(1, 8): %p\n", b);
        printf("3rd calloc(1, 8): %p\n", c);

        printf("Freeing the first one...\n");
        free(a);

        /* The fastbin check only compares against the head of the list. */
        printf("If we free %p again, things will crash because %p is at the top of the free list.\n", a, a);
        // free(a);

        printf("So, instead, we'll free %p.\n", b);
        free(b);

        printf("Now, we can free %p again, since it's not the head of the free list.\n", a);
        free(a);

        printf("Now the free list has [ %p, %p, %p ]. If we malloc 3 times, we'll get %p twice!\n", a, b, a, a);
        a = calloc(1, 8);
        b = calloc(1, 8);
        c = calloc(1, 8);
        printf("1st calloc(1, 8): %p\n", a);
        printf("2nd calloc(1, 8): %p\n", b);
        printf("3rd calloc(1, 8): %p\n", c);

        /* The same chunk is handed out twice. */
        assert(a == c);
    }

    Summary:

      1. Requesting a chunk with calloc does not take chunks from tcache.

      2. If there is a UAF vulnerability, you can fill tcache first, then use the sequence free(a), free(b), free(a) to achieve a double free and an arbitrary write.
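To make the second point concrete, here is an added model (not how2heap's or glibc's code) of a fastbin as a LIFO list with the head-only check glibc performs on free (the "double free or corruption (fasttop)" abort), alongside a full-list scan a hardened allocator could do instead. Chunk ids are constructed stand-ins for heap addresses; the names are assumed for this example.

```c
#include <stdbool.h>

#define FASTBIN_CAP 16

/* Constructed model: integer chunk ids stand in for heap addresses. */
struct fastbin {
    int chunks[FASTBIN_CAP];  /* chunks[top-1] is the head of the LIFO list */
    int top;
};

/* Head-only check, as glibc's free() does for fastbins: only the chunk
 * currently at the head of the bin is compared against the one being freed. */
bool fastbin_free_head_check(struct fastbin *fb, int chunk) {
    if (fb->top > 0 && fb->chunks[fb->top - 1] == chunk)
        return false;  /* glibc would abort: "double free or corruption (fasttop)" */
    if (fb->top == FASTBIN_CAP)
        return false;
    fb->chunks[fb->top++] = chunk;
    return true;
}

/* Stricter (and slower) alternative: walk the whole bin before linking. */
bool fastbin_free_full_scan(struct fastbin *fb, int chunk) {
    for (int i = 0; i < fb->top; i++)
        if (fb->chunks[i] == chunk)
            return false;
    if (fb->top == FASTBIN_CAP)
        return false;
    fb->chunks[fb->top++] = chunk;
    return true;
}

/* Pop from the head, the way calloc()/malloc() serve a fastbin request. */
int fastbin_take(struct fastbin *fb) {
    return fb->top > 0 ? fb->chunks[--fb->top] : -1;
}

/* Replays the post's sequence free(a); free(b); free(a) under the head-only
 * check and returns how many of the next three allocations come back as a. */
int replay_fastbin_dup(int a, int b) {
    struct fastbin fb = { .top = 0 };
    fastbin_free_head_check(&fb, a);
    fastbin_free_head_check(&fb, b);
    if (!fastbin_free_head_check(&fb, a))
        return 0;  /* a stricter allocator would stop here */
    int hits = 0;
    for (int i = 0; i < 3; i++)
        if (fastbin_take(&fb) == a)
            hits++;
    return hits;
}
```

The immediate free(a); free(a) is rejected by the head check, but with b in between the same chunk is linked twice and served twice; the full scan rejects both, which is why the demo relies on the head-only comparison (and on bypassing tcache, which carries its own double-free check).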

  • Original source: https://www.cnblogs.com/bhxdn/p/14676214.html