glibc-2.27
/* Forward declarations. */
static void *malloc_hook_ini (size_t sz,
const void *caller) __THROW;
static void *realloc_hook_ini (void *ptr, size_t sz,
const void *caller) __THROW;
static void *memalign_hook_ini (size_t alignment, size_t sz,
const void *caller) __THROW;
#if HAVE_MALLOC_INIT_HOOK
void weak_variable (*__malloc_initialize_hook) (void) = NULL;
compat_symbol (libc, __malloc_initialize_hook,
__malloc_initialize_hook, GLIBC_2_0);
#endif
void weak_variable (*__free_hook) (void *__ptr,
const void *) = NULL;
void *weak_variable (*__malloc_hook)
(size_t __size, const void *) = malloc_hook_ini;
void *weak_variable (*__realloc_hook)
(void *__ptr, size_t __size, const void *)
= realloc_hook_ini;
void *weak_variable (*__memalign_hook)
(size_t __alignment, size_t __size, const void *)
= memalign_hook_ini;
void weak_variable (*__after_morecore_hook) (void) = NULL;
malloc执行时先检查malloc_hook,若不为NULL,调用它
free异常时会调用malloc_hook
malloc_hook初始为malloc_hook_ini
如果能控制malloc_hook,就可以任意地址执行
malloc_hook在main_arena上方
pwndbg> x/64gx 0x7fffff3ebc00
0x7fffff3ebc00 <_IO_wide_data_0+288>: 0x0000000000000000 0x0000000000000000
0x7fffff3ebc10 <_IO_wide_data_0+304>: 0x00007fffff3e7d60 0x0000000000000000
0x7fffff3ebc20 <__memalign_hook>: 0x00007fffff097410 0x00007fffff098790
0x7fffff3ebc30 <__malloc_hook>: 0x00007fffff096a40 0x0000000000000000
0x7fffff3ebc40 <main_arena>: 0x0000000000000000 0x0000000000000000
tcache attack可以直接打过来
fastbin attack需要满足size验证,可以利用上方的数据,字节错位造一个7f当size,把堆分配到malloc_hook上方
realloc执行时先检查realloc_hook,若不为NULL,调用它
realloc_hook初始为realloc_hook_ini realloc_hook与malloc相邻
pwndbg> x/64gx 0x7fffff3ebc08
0x7fffff3ebc08 <_IO_wide_data_0+296>: 0x0000000000000000 0x00007fffff3e7d60
0x7fffff3ebc18: 0x0000000000000000 0x00007fffff097410
0x7fffff3ebc28 <__realloc_hook>: 0x00007fffff098790 0x00007fffff096a40
0x7fffff3ebc38: 0x0000000000000000 0x0000000000000000
0x7fffff3ebc48 <main_arena+8>: 0x0000000000000000 0x0000000000000000
one_gadget条件不满足全不可用时,可以通过利用realloc_hook调整栈状态使one_gadge可用
根据需求,把realloc+x的地址写入malloc_hook,把one_gadget写入realloc_hook
这样在malloc时,跳malloc_hook也就是执行realloc+x,通过realloc中的push和pop调整栈,然后跳realloc_hook使one_gadget可用
free执行时先检查free_hook,若不为NULL,调用它
free_hook初始为NULL
pwndbg> x/64gx 0x7fffff3ed8a8
0x7fffff3ed8a8 <list_all_lock+8>: 0x0000000000000000 0x0000000000000000
0x7fffff3ed8b8 <_IO_stdfile_2_lock+8>: 0x0000000000000000 0x0000000000000000
0x7fffff3ed8c8 <_IO_stdfile_1_lock+8>: 0x0000000000000000 0x0000000000000000
0x7fffff3ed8d8 <_IO_stdfile_0_lock+8>: 0x0000000000000000 0x0000000000000000
0x7fffff3ed8e8 <__free_hook>: 0x0000000000000000 0x0000000000000000
0x7fffff3ed8f8 <next_to_use.11802>: 0x0000000000000000 0x0000000000000000
0x7fffff3ed908 <disallow_malloc_check>: 0x0000000000000000 0x0000000000000000
tcache attack可以直接打过来
fastbin attack打不过来,因为free_hook上方都是0,无法伪造size
修改top,把top修改到free_hook上方,然后可以申请到free_hook
本作品采用知识共享署名-非商业性使用-禁止演绎 4.0 国际许可协议(CC BY-NC-ND 4.0)进行许可。
This work is licensed under the Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International License (CC BY-NC-ND 4.0).