Fake heap block bypass unlink check (Ctf-qiangwangcup-2015-shellman)

Directory

Heap Overflow Point

Forge free Heap Blocks

Override pointer to fake heap block on release

How to use

Resources

Heap Overflow Point

Figure 1 Heap Overflow point

In the edit function, the length of the input and the length of the original are not judged.

Forge free Heap Blocks normal heap block layout

Figure 2 Normal heap block layout

Memory Layout after overflow

Figure 3 heap block layout after overflow

Override pointer to fake heap block on release

    FD = p->fd;                                           = p->bk;                                           if 0 ) )                    "corrupted double-linked list", P, AV);       Else {                                              FD->BK = bk;                                          BK->fd = FD;

This makes string_ptr1=&string_ptr1-0x18

How to make use of editing string1 content

Figure 4 Modifying the contents of STRING_PTR1

As you can see, because string_ptr1 points to & string_ptr1-0x18, when we modify the content, we change the value of the STRING_PTR1 pointer again. Modify the Got table entry to point to free.

View string1 Content

At this point, you can print out the address of the free function by looking at the contents of STRING_PTR1.

Edit the contents of the string1 once again

What does compiling string1 mean at this time? means to modify the address in the free got table entry. Then the free call, which starts with the function we write, is called. We write to the system address

Release String3

What does free (STRING_PTR3) mean?

System ("/BIN/SH;")

Resources

[1] Linux heap Overflow instance analysis

http://tyrande000.how/2016/03/21/linux%E5%A0%86%E6%BA%A2%E5%87%BA%E5%AE%9E%E4%BE%8B%E5%88%86%E6%9E%90/

Fake heap block bypass unlink check (Ctf-qiangwangcup-2015-shellman)