bjrjk/pwn-learning
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Update OtherBin/unsorted_bin

Browse Source
This commit is contained in:
Jack Ren
2022-02-17 15:47:26 +08:00
parent f25ec1b572
commit 6f47f1afc2
1 changed files with 1 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
OtherBin/unsorted_bin/answer.py
View File

@@ -57,6 +57,7 @@ aka `(char *)&main_arena.bins[0] - offset(fd, struct malloc_chunk)`, aka `main_a
Reference: https://code.woboq.org/userspace/glibc/malloc/malloc.c.html Reference: https://code.woboq.org/userspace/glibc/malloc/malloc.c.html
At malloc.c:3740, `(victim = unsorted_chunks (av)->bk)` as the first free unsorted bin; At malloc.c:3740, `(victim = unsorted_chunks (av)->bk)` as the first free unsorted bin;
At malloc.c:3742, `bck = victim->bk` as the second free unsorted bin which can be controlled via UAF; At malloc.c:3742, `bck = victim->bk` as the second free unsorted bin which can be controlled via UAF;
At malloc.c:3797, the condition `bck->fd != victim` just magically satisfied.
At malloc.c:3799, `unsorted_chunks (av)->bk = bck` lead a next allocate from unsorted bin crashing the program At malloc.c:3799, `unsorted_chunks (av)->bk = bck` lead a next allocate from unsorted bin crashing the program
because of invalid size 0 at offset of bck->mchunk_size on `(char *)&data_bss - 0x8`; because of invalid size 0 at offset of bck->mchunk_size on `(char *)&data_bss - 0x8`;
At malloc.c:3800, ` bck->fd = unsorted_chunks (av)` write exactly on `&data_bss` with value `unsorted_chunks (av)` At malloc.c:3800, ` bck->fd = unsorted_chunks (av)` write exactly on `&data_bss` with value `unsorted_chunks (av)`