반응형
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
int main()
{
printf("This file doesn't demonstrate an attack, but shows the nature of glibc's allocator.\n");
printf("glibc uses a first-fit algorithm to select a free chunk.\n");
printf("If a chunk is free and large enough, malloc will select this chunk.\n");
printf("This can be exploited in a use-after-free situation.\n");
printf("Allocating 2 buffers. They can be large, don't have to be fastbin.\n");
char* a = malloc(512);
char* b = malloc(256);
char* c;
printf("1st malloc(512): %p\n", a);
printf("2nd malloc(256): %p\n", b);
printf("we could continue mallocing here...\n");
printf("now let's put a string at a that we can read later \"this is A!\"\n");
strcpy(a, "this is A!");
printf("first allocation %p points to %s\n", a, a);
printf("Freeing the first one...\n");
free(a);
printf("We don't need to free anything again. As long as we allocate less than 512, it will end up at %p\n", a);
printf("So, let's allocate 500 bytes\n");
c = malloc(500);
printf("3rd malloc(500): %p\n", c);
printf("And put a different string here, \"this is C!\"\n");
strcpy(c, "this is C!");
printf("3rd allocation %p points to %s\n", c, c);
printf("first allocation %p points to %s\n", a, a);
printf("If we reuse the first allocation, it now holds the data from the third allocation.");
}정리.
청크가 free가 되있고 충분히 크다면 원래 크기보다 작은 크기가 할당이 됐을 때
first_fit 알고리즘을 사용해서 free된 청크의 동일한 주소에 할당이 된다. (UAF)
'공부' 카테고리의 다른 글
| [how2heap] fast bin dup into stack (0) | 2016.12.25 |
|---|---|
| [how2heap] fastbin dup (0) | 2016.12.25 |
| libc randomization disable (7) | 2016.12.10 |
| SigReturn Oriented Programming (SROP) (0) | 2016.08.13 |
| gs 베이스 주소 구하기 (0) | 2016.05.09 |
KuroNeko_
KuroNeko