Contents
Heap Overflow Point
Forge free Heap Blocks
Override pointer to fake heap block on release
How to use
Resources
Heap Overflow Point
Figure 1: Heap overflow point
In the edit function, the length of the new input is never checked against the length of the original string, so a longer input overflows the heap block into its neighbour.
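The root cause is the unbounded edit. As an added example (not code from the original challenge binary), this is a minimal C model of a string slot with the edit as the writeup describes it, beside a bounded version that remembers the allocation size and rejects input that does not fit; the string_slot type and the function names are assumptions.

```c
#include <stdlib.h>
#include <string.h>

/* Hypothetical model of the challenge's string slots (an assumption, not the
 * original binary): each slot keeps its allocation size so edits can be bounded. */
typedef struct {
    char  *data;
    size_t cap;   /* bytes allocated for data, NUL included */
} string_slot;

string_slot slot_new(size_t cap) {
    string_slot s = { malloc(cap), cap };
    if (s.data) s.data[0] = '\0';
    return s;
}

void slot_free(string_slot *s) { free(s->data); s->data = NULL; s->cap = 0; }

/* Edit as the writeup describes it: the input length is never compared with the
 * original allocation, so a longer input runs into the next heap chunk's header. */
void edit_unchecked(string_slot *s, const char *input) {
    strcpy(s->data, input);
}

/* Hardened edit: refuse any input that does not fit the original allocation and
 * leave the slot untouched, so neighbouring chunk metadata is never overwritten. */
int edit_checked(string_slot *s, const char *input) {
    size_t len = strlen(input);
    if (s->data == NULL || len + 1 > s->cap)
        return -1;
    memcpy(s->data, input, len + 1);
    return 0;
}

/* Returns 1 when an oversized edit is refused and the old content survives. */
int demo_rejects_oversized(void) {
    string_slot s = slot_new(16);
    int ok = edit_checked(&s, "short") == 0
          && edit_checked(&s, "0123456789abcdefXYZ") == -1   /* 19 chars, cap 16 */
          && strcmp(s.data, "short") == 0;
    slot_free(&s);
    return ok;
}
```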
Forge free Heap Blocks
Normal heap block layout
Figure 2: Normal heap block layout
Memory layout after the overflow
Figure 3: Heap block layout after the overflow
Override pointer to fake heap block on release
The unlink macro in glibc's malloc.c (FD and BK are the forward and back pointers of the chunk P being unlinked):

    FD = P->fd;
    BK = P->bk;
    if (__builtin_expect (FD->bk != P || BK->fd != P, 0))
      malloc_printerr (check_action, "corrupted double-linked list", P, AV);
    else {
      FD->bk = BK;
      BK->fd = FD;
    }

The fake free chunk is built so that both FD->bk and BK->fd resolve to string_ptr1, which holds P, so the check passes; after unlink this leaves string_ptr1 = &string_ptr1 - 0x18.
How to use: editing the contents of string1
Figure 4: Modifying the contents of string1
Because string_ptr1 now points to &string_ptr1 - 0x18, editing the content of string1 overwrites the string_ptr1 pointer itself. It is set to point at the GOT entry of free.
Viewing the contents of string1
Printing string1 now reads through string_ptr1, which leaks the address of the free function from its GOT entry.
Editing the contents of string1 once again
Editing string1 at this point writes through string_ptr1 into the GOT entry of free, so every later call to free jumps to whatever address was written there. The address written is that of system.
Freeing string3
free(string_ptr3) now resolves to system, so with string3 holding "/bin/sh;" it is equivalent to system("/bin/sh;").
Resources
[1] Linux heap overflow instance analysis, http://tyrande000.how/2016/03/21/linux%E5%A0%86%E6%BA%A2%E5%87%BA%E5%AE%9E%E4%BE%8B%E5%88%86%E6%9E%90/
Fake heap block bypass unlink check (Ctf-qiangwangcup-2015-shellman)