Chunk Extend & Overlapping

参考资料:https://ctf-wiki.org/pwn/linux/user-mode/heap/ptmalloc2/chunk-extend-overlapping/

             [https://blog.csdn.net/weixin_43921239/article/details/107841328](https://blog.csdn.net/weixin_43921239/article/details/107841328)

tip) 一开始程序运行没有及时更换 libc,可能导致 bin 类型有一点点出入,但是对于示例没有太大的影响

什么是chunk extend

在日常的比赛中,常常会需要我们构造一个overlapping chunk,即一个重叠的chunk使chunk重叠

作用是泄露地址(libc/heap)泄露数据(泄露已经释放的堆中的数据/泄露chunk中的内容),覆盖指针

利用条件:1.程序中存在堆的漏洞 2.漏洞可以控制chunk header中的数据

chunk extend原理

chunk extend技术能够产生的原因在于** ptmalloc(glibc 的内存分配器)的堆块管理机制在设计上存在漏洞**

核心原因是通过修改chunk的size段,使得内存分配器对该堆块的大小认知与实际物理布局产生不一致。攻击者利用这种不一致,让一个堆块”扩展”到相邻堆块的空间,从而实现对相邻堆块内容的越界读写。

ptmalloc 通过 chunk header 的数据判断 chunk 的使用情况和对 chunk 的前后块进行定位。简而言之,chunk extend 就是通过控制 size 和 pre_size 域来实现跨越块操作从而导致 overlapping 的

对inuse的fastbin进行extend

先看一下示例的源码

1
2
3
4
5
6
7
8
9
10
11
12
13
int main(void)
{
    void *ptr,*ptr1;

    ptr=malloc(0x10);   //分配第一个0x10的chunk
    malloc(0x10);       //分配第二个0x10的chunk

    *(long long *)((long long)ptr-0x8)=0x41;// 修改第一个块的size域
    
    free(ptr);        //ptr指向的值(内存地址)没有改变,但ptr指向的内存已被回收,可能被重新分配
    ptr1=malloc(0x30);// 实现 extend,控制了第二个块的内容
    return 0;
}
1
2
3
4
5
6
7
8
9
10
低地址                                                 高地址
+------------------+--------------------+------------------+
|   last_chunk     |      now_chunk     |   next_chunk     |
|                  |                    |                  |
+---------+--------+----------+---------+--------+---------+
|prev_size| size   | user_data|prev_size|  size  | userdata|
|  8byte  | 8byte  |          |  8byte  | 8byte  |         |
+---------+--------+----------+---------+--------+---------+
         ↑               ↑
       chunk头部      ptr指向这里(用户数据开始)
1
2
3
4
5
6
7
8
9
10
用户指针ptr指向用户数据区的开始
ptr - 8 正好指向 size字段
ptr - 16 则指向 prev_size字段
------------------------------------------------------------------------------------------
ptr-0x10       ptr-0x8         ptr
    ↓              ↓            ↓
+------------+------------+------------+
| prev_size  |    size    | user_data  |
| (8byte)    |  (8byte)   |            |
+------------+------------+------------+

图标实例

先用图表的形式来清晰地展示堆扩展,这样有助于去gdb的调试和理解

1767965933716-0aceef91-d48a-441b-9a35-d9e99992709b.png

1767964324618-c5d70ffb-8f2c-4a2f-b9df-b2c4476c80aa.png

gdb调试查看程序运行过程

尽管图标已经把程序过程说的很清晰了,但是自己用gdb去动手调试是必不可少的,这样我们可以更清晰地理解堆的变化情况。下面我们用gdb进行调试并在第8行下断点运行

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
------- tip of the day (disable with set show-tips off) -------
Use the telescope command to dereference a given address/pointer multiple times (if the dereferenced value is a valid ptr; see config telescope to configure its behavior)
pwndbg> b 8
Breakpoint 1 at 0x400586: file test1.c, line 8.
pwndbg> r
Starting program: /home/pwn/Desktop/test1 
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".

Breakpoint 1, main () at test1.c:8
8	test1.c: No such file or directory.
LEGEND: STACK | HEAP | CODE | DATA | WX | RODATA
──[ REGISTERS / show-flags off / show-compact-regs off ]──
 RAX  0x6022c0 ◂— 0
 RBX  0
 RCX  0x21
 RDX  0
 RDI  0
 RSI  0x6022d0 ◂— 0
 R8   0x21001
 R9   0x6022c0 ◂— 0
 R10  0xfffffffffffff000
 R11  0x7ffff7e1ace0 (main_arena+96) —▸ 0x6022d0 ◂— 0
 R12  0x7fffffffe038 —▸ 0x7fffffffe3a4 ◂— '/home/pwn/Desktop/test1'
 R13  0x400566 (main) ◂— push rbp
 R14  0
 R15  0x7ffff7ffd040 (_rtld_global) —▸ 0x7ffff7ffe2e0 ◂— 0
 RBP  0x7fffffffdf20 ◂— 1
 RSP  0x7fffffffdf10 —▸ 0x6022a0 ◂— 0
 RIP  0x400586 (main+32) ◂— mov rax, qword ptr [rbp - 0x10]
───────────[ DISASM / x86-64 / set emulate on ]───────────
0x400586 <main+32>    mov    rax, qword ptr [rbp - 0x10]     RAX, [0x7fffffffdf10] => 0x6022a0 ◂— 0
   0x40058a <main+36>    sub    rax, 8                          RAX => 0x602298 (0x6022a0 - 0x8)
   0x40058e <main+40>    mov    qword ptr [rax], 0x41           [0x602298] <= 0x41
   0x400595 <main+47>    mov    rax, qword ptr [rbp - 0x10]     RAX, [0x7fffffffdf10] => 0x6022a0 ◂— 0
   0x400599 <main+51>    mov    rdi, rax                        RDI => 0x6022a0 ◂— 0
   0x40059c <main+54>    call   free@plt                    <free@plt>
 
   0x4005a1 <main+59>    mov    edi, 0x30                       EDI => 0x30
   0x4005a6 <main+64>    call   malloc@plt                  <malloc@plt>
 
   0x4005ab <main+69>    mov    qword ptr [rbp - 8], rax
   0x4005af <main+73>    mov    eax, 0                          EAX => 0
   0x4005b4 <main+78>    leave  
────────────────────────[ STACK ]─────────────────────────
00:0000│ rsp 0x7fffffffdf10 —▸ 0x6022a0 ◂— 0
01:0008│-008 0x7fffffffdf18 —▸ 0x400470 (_start) ◂— xor ebp, ebp
02:0010│ rbp 0x7fffffffdf20 ◂— 1
03:0018│+008 0x7fffffffdf28 —▸ 0x7ffff7c29d90 (__libc_start_call_main+128) ◂— mov edi, eax
04:0020│+010 0x7fffffffdf30 ◂— 0
05:0028│+018 0x7fffffffdf38 —▸ 0x400566 (main) ◂— push rbp
06:0030│+020 0x7fffffffdf40 ◂— 0x1ffffe020
07:0038│+028 0x7fffffffdf48 —▸ 0x7fffffffe038 —▸ 0x7fffffffe3a4 ◂— '/home/pwn/Desktop/test1'
──────────────────────[ BACKTRACE ]───────────────────────
0         0x400586 main+32
   1   0x7ffff7c29d90 __libc_start_call_main+128
   2   0x7ffff7c29e40 __libc_start_main+128
   3         0x400499 _start+41
──────────────────────────────────────────────────────────
pwndbg>

查看一下新创建的heap的起始地址,我们可以看到0x62290是新创建的堆起始地址,接下来查看堆段的内存地址

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
pwndbg> heap
Allocated chunk | PREV_INUSE
Addr: 0x602000
Size: 0x290 (with flag bits: 0x291)

Allocated chunk | PREV_INUSE
Addr: 0x602290
Size: 0x20 (with flag bits: 0x21)

Allocated chunk | PREV_INUSE
Addr: 0x6022b0
Size: 0x20 (with flag bits: 0x21)

Top chunk | PREV_INUSE
Addr: 0x6022d0
Size: 0x20d30 (with flag bits: 0x20d31)

我们可以直接来看一下heap,找到我们新分配的两个堆

1767976998169-ae491a10-5141-49e5-83e2-7248ca851e86.png

1
2
3
4
5
6
7
8
9
10
11
12
pwndbg> x/20gx 0x602290
0x602290:	0x0000000000000000	0x0000000000000021 |<==chunk1
            prev_size---------  size--------------
0x6022a0:	0x0000000000000000	0x0000000000000000 |
0x6022b0:	0x0000000000000000	0x0000000000000021 |<==chunk2
0x6022c0:	0x0000000000000000	0x0000000000000000 |
0x6022d0:	0x0000000000000000	0x0000000000020d31 <==top_chunk
0x6022e0:	0x0000000000000000	0x0000000000000000
0x6022f0:	0x0000000000000000	0x0000000000000000
0x602300:	0x0000000000000000	0x0000000000000000
0x602310:	0x0000000000000000	0x0000000000000000
0x602320:	0x0000000000000000	0x0000000000000000

程序执行力malloc(0x10),并且prev_size和size部分各占8个字节,而size记录整个堆块大小,size最后一位用来记录前一个堆的状态,所以堆块的总大小为:

SIZE=0x08(prev_size)+0x08(size)+0x10(malloc-user_data)+0x1(标志位)=0x21

查看P指针指向的地址,执行info local可以看到p指针指向user_data的起始位置,这里和我们上面图标内容也是相符合的,即定义的指针是指向chunk的user_data的

1
2
3
pwndbg> info local
p = 0x6022a0
q = 0x400470 <_start>

我们继续查看情况,我们在第九行下断点,continue执行

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
pwndbg> b 9
Breakpoint 3 at 0x400595: file test1.c, line 9.
pwndbg> c
Continuing.

Breakpoint 3, main () at test1.c:9
9	in test1.c
LEGEND: STACK | HEAP | CODE | DATA | WX | RODATA
────────────────[ REGISTERS / show-flags off / show-compact-regs off ]─────────────────
*RAX  0x602298 ◂— 0x41 /* 'A' */
 RBX  0
 RCX  0x21
 RDX  0
 RDI  0
 RSI  0x6022d0 ◂— 0
 R8   0x21001
 R9   0x6022c0 ◂— 0
 R10  0xfffffffffffff000
 R11  0x7ffff7e1ace0 (main_arena+96) —▸ 0x6022d0 ◂— 0
 R12  0x7fffffffe038 —▸ 0x7fffffffe3a3 ◂— '/home/pwn/Desktop/test1'
 R13  0x400566 (main) ◂— push rbp
 R14  0
 R15  0x7ffff7ffd040 (_rtld_global) —▸ 0x7ffff7ffe2e0 ◂— 0
 RBP  0x7fffffffdf20 ◂— 1
 RSP  0x7fffffffdf10 —▸ 0x6022a0 ◂— 0
*RIP  0x400595 (main+47) ◂— mov rax, qword ptr [rbp - 0x10]
─────────────────────────[ DISASM / x86-64 / set emulate on ]──────────────────────────
b+ 0x40057c <main+22>    mov    edi, 0x10     EDI => 0x10
   0x400581 <main+27>    call   malloc@plt                  <malloc@plt>
 
b+ 0x400586 <main+32>    mov    rax, qword ptr [rbp - 0x10]     RAX, [0x7fffffffdf10] => 0x6022a0 ◂— 0
   0x40058a <main+36>    sub    rax, 8                          RAX => 0x602298 (0x6022a0 - 0x8)
   0x40058e <main+40>    mov    qword ptr [rax], 0x41           [0x602298] <= 0x41
0x400595 <main+47>    mov    rax, qword ptr [rbp - 0x10]     RAX, [0x7fffffffdf10] => 0x6022a0 ◂— 0
   0x400599 <main+51>    mov    rdi, rax                        RDI => 0x6022a0 ◂— 0
   0x40059c <main+54>    call   free@plt                    <free@plt>
 
   0x4005a1 <main+59>    mov    edi, 0x30                       EDI => 0x30
   0x4005a6 <main+64>    call   malloc@plt                  <malloc@plt>
 
   0x4005ab <main+69>    mov    qword ptr [rbp - 8], rax
───────────────────────────────────────[ STACK ]───────────────────────────────────────
00:0000│ rsp 0x7fffffffdf10 —▸ 0x6022a0 ◂— 0
01:0008│-008 0x7fffffffdf18 —▸ 0x400470 (_start) ◂— xor ebp, ebp
02:0010│ rbp 0x7fffffffdf20 ◂— 1
03:0018│+008 0x7fffffffdf28 —▸ 0x7ffff7c29d90 (__libc_start_call_main+128) ◂— mov edi, eax
04:0020│+010 0x7fffffffdf30 ◂— 0
05:0028│+018 0x7fffffffdf38 —▸ 0x400566 (main) ◂— push rbp
06:0030│+020 0x7fffffffdf40 ◂— 0x1ffffe020
07:0038│+028 0x7fffffffdf48 —▸ 0x7fffffffe038 —▸ 0x7fffffffe3a3 ◂— '/home/pwn/Desktop/test1'
─────────────────────────────────────[ BACKTRACE ]─────────────────────────────────────
0         0x400595 main+47
   1   0x7ffff7c29d90 __libc_start_call_main+128
   2   0x7ffff7c29e40 __libc_start_main+128
   3         0x400499 _start+41
───────────────────────────────────────────────────────────────────────────────────────
pwndbg>

这个时候程序已经执行过了 *(long long *)((long long)ptr-0x8)=0x41;代码,我们可以看一下堆内容

1
2
3
4
5
6
7
8
9
10
11
pwndbg> x/20gx 0x602290
0x602290:	0x0000000000000000	0x0000000000000041|<==chunk1 |<==chunk1实际覆盖范围
0x6022a0:	0x0000000000000000	0x0000000000000000|          |
0x6022b0:	0x0000000000000000	0x0000000000000021|<==chunk2 |
0x6022c0:	0x0000000000000000	0x0000000000000000|          |
0x6022d0:	0x0000000000000000	0x0000000000020d31
0x6022e0:	0x0000000000000000	0x0000000000000000
0x6022f0:	0x0000000000000000	0x0000000000000000
0x602300:	0x0000000000000000	0x0000000000000000
0x602310:	0x0000000000000000	0x0000000000000000
0x602320:	0x0000000000000000	0x0000000000000000

此时我们可以发现,size段已经被修改为41了,这就意味着除去prev_size和size段一共0x10个字节外剩下的全部都是user_data段,也就是0x30个字节,覆盖到0x6022c0处,也急速hi说chunk2被chunk1包含,造成了堆重叠

我们再在第十行设置断点,单步ni执行到free(p)之后

1
2
3
4
5
6
7
8
9
10
11
12
13
14
   0x40058a <main+36>    sub    rax, 8                          RAX => 0x602298 (0x6022a0 - 0x8)
   0x40058e <main+40>    mov    qword ptr [rax], 0x41           [0x602298] <= 0x41
b+ 0x400595 <main+47>    mov    rax, qword ptr [rbp - 0x10]     RAX, [0x7fffffffdf10] => 0x6022a0 ◂— 0
   0x400599 <main+51>    mov    rdi, rax                        RDI => 0x6022a0 ◂— 0
   0x40059c <main+54>    call   free@plt                    <free@plt>
 
0x4005a1 <main+59>    mov    edi, 0x30                       EDI => 0x30
   0x4005a6 <main+64>    call   malloc@plt                  <malloc@plt>
 
   0x4005ab <main+69>    mov    qword ptr [rbp - 8], rax
   0x4005af <main+73>    mov    eax, 0                          EAX => 0
   0x4005b4 <main+78>    leave  
   0x4005b5 <main+79>    ret

这个时候已经执行过了free(p),查看bin内容

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
pwndbg> heap
Allocated chunk | PREV_INUSE
Addr: 0x602000
Size: 0x290 (with flag bits: 0x291)

Free chunk (fastbins) | PREV_INUSE
Addr: 0x602290
Size: 0x40 (with flag bits: 0x41)
fd: 0x602

Top chunk | PREV_INUSE
Addr: 0x6022d0
Size: 0x20d30 (with flag bits: 0x20d31)

pwndbg> x/20gx 0x602290
0x602290:	0x0000000000000000	0x0000000000000041
0x6022a0:	0x0000000000000602	0x55ef496a4a6f7a77
0x6022b0:	0x0000000000000000	0x0000000000000021
0x6022c0:	0x0000000000000000	0x0000000000000000
0x6022d0:	0x0000000000000000	0x0000000000020d31
0x6022e0:	0x0000000000000000	0x0000000000000000
0x6022f0:	0x0000000000000000	0x0000000000000000
0x602300:	0x0000000000000000	0x0000000000000000
0x602310:	0x0000000000000000	0x0000000000000000
0x602320:	0x0000000000000000	0x0000000000000000

这个时候我们可以看到堆中的内容并没有被清空,free(p)只是将目标的堆内存标记为释放状态,其内容并没有被清空,这个和我们在UAF中所学的知识是一样的,我们接下来可以看看第十一行执行后的情况,继续单步执行

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
b+ 0x400595       <main+47>                       mov    rax, qword ptr [rbp - 0x10]     RAX, [0x7fffffffdf10] => 0x6022a0 ◂— 0
   0x400599       <main+51>                       mov    rdi, rax                        RDI => 0x6022a0 ◂— 0
   0x40059c       <main+54>                       call   free@plt                    <free@plt>
 
b+ 0x4005a1       <main+59>                       mov    edi, 0x30                       EDI => 0x30
   0x4005a6       <main+64>                       call   malloc@plt                  <malloc@plt>
 
0x4005ab       <main+69>                       mov    qword ptr [rbp - 8], rax        [0x7fffffffdf18] <= 0x6022a0 ◂— 0x602
   0x4005af       <main+73>                       mov    eax, 0                          EAX => 0
   0x4005b4       <main+78>                       leave  
   0x4005b5       <main+79>                       ret                                <__libc_start_call_main+128>

   0x7ffff7c29d90 <__libc_start_call_main+128>    mov    edi, eax     EDI => 0
   0x7ffff7c29d92 <__libc_start_call_main+130>    call   exit                        <exit>

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
pwndbg> bins
tcachebins
empty
fastbins
empty
unsortedbin
empty
smallbins
empty
largebins
empty

pwndbg> heap
Allocated chunk | PREV_INUSE
Addr: 0x602000
Size: 0x290 (with flag bits: 0x291)

Allocated chunk | PREV_INUSE
Addr: 0x602290
Size: 0x40 (with flag bits: 0x41)

Top chunk | PREV_INUSE
Addr: 0x6022d0
Size: 0x20d30 (with flag bits: 0x20d31)

pwndbg> x/20gx 0x602290
0x602290:	0x0000000000000000	0x0000000000000041
0x6022a0:	0x0000000000000602	0x0000000000000000
0x6022b0:	0x0000000000000000	0x0000000000000021
0x6022c0:	0x0000000000000000	0x0000000000000000
0x6022d0:	0x0000000000000000	0x0000000000020d31
0x6022e0:	0x0000000000000000	0x0000000000000000
0x6022f0:	0x0000000000000000	0x0000000000000000
0x602300:	0x0000000000000000	0x0000000000000000
0x602310:	0x0000000000000000	0x0000000000000000
0x602320:	0x0000000000000000	0x0000000000000000

当我们重新申请一个大小为0x30的chunk时,bin中刚好有大小合适的chunk,这时候chunk1与chunk2合并的新chunk1就会被重新启用,启用的同时chunk2中原有的数据也会连带着被启用,然后就可以直接通过这个新申请的块对chunk2中的内容进行操作了。

对 free 的 smallbin 进行操作

1
2
3
4
5
6
7
8
9
10
11
12
int main()
{
    void *ptr,*ptr1;

    ptr=malloc(0x80);//分配第一个0x80的chunk1
    malloc(0x10);//分配第二个0x10的chunk2

    free(ptr);//首先进行释放,使得chunk1进入unsorted bin

    *(int *)((int)ptr-0x8)=0xb1;
    ptr1=malloc(0xa0);
}

1768015720052-ac9cce41-1a7a-47a0-87f5-2c830ab9fd70.png

我们先在第一行下断点,然后单步执行到两次 malloc 执行之后

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
──────────────────────────────[ DISASM / x86-64 / set emulate on ]──────────────────────────────
   0x400573 <main+13>    call   malloc@plt                  <malloc@plt>
 
   0x400578 <main+18>    mov    qword ptr [rbp - 0x10], rax     [0x7fffffffdf10] <= 0x6022a0 ◂— 0
   0x40057c <main+22>    mov    edi, 0x10                       EDI => 0x10
   0x400581 <main+27>    call   malloc@plt                  <malloc@plt>
 
   0x400586 <main+32>    mov    rax, qword ptr [rbp - 0x10]     RAX, [0x7fffffffdf10] => 0x6022a0 ◂— 0
0x40058a <main+36>    mov    rdi, rax                        RDI => 0x6022a0 ◂— 0
   0x40058d <main+39>    call   free@plt                    <free@plt>
 
   0x400592 <main+44>    mov    rax, qword ptr [rbp - 0x10]
   0x400596 <main+48>    sub    rax, 8
   0x40059a <main+52>    mov    qword ptr [rax], 0xb1
   0x4005a1 <main+59>    mov    edi, 0xa0                       EDI => 0xa0

────────────────────────────────────────────────────────────────────────────────────────────────
pwndbg> heap
Allocated chunk | PREV_INUSE
Addr: 0x602000
Size: 0x290 (with flag bits: 0x291)

Allocated chunk | PREV_INUSE
Addr: 0x602290
Size: 0x90 (with flag bits: 0x91)

Allocated chunk | PREV_INUSE
Addr: 0x602320
Size: 0x20 (with flag bits: 0x21)

Top chunk | PREV_INUSE
Addr: 0x602340
Size: 0x20cc0 (with flag bits: 0x20cc1)
pwndbg> x/30gx 0x602290
0x602290:	0x0000000000000000	0x0000000000000091<==chunk1
0x6022a0:	0x0000000000000000	0x0000000000000000|
0x6022b0:	0x0000000000000000	0x0000000000000000|
0x6022c0:	0x0000000000000000	0x0000000000000000|
0x6022d0:	0x0000000000000000	0x0000000000000000|
0x6022e0:	0x0000000000000000	0x0000000000000000|
0x6022f0:	0x0000000000000000	0x0000000000000000|
0x602300:	0x0000000000000000	0x0000000000000000|
0x602310:	0x0000000000000000	0x0000000000000000|
0x602320:	0x0000000000000000	0x0000000000000021|<==chunk2
0x602330:	0x0000000000000000	0x0000000000000000|
0x602340:	0x0000000000000000	0x0000000000020cc1|<==topchunk
0x602350:	0x0000000000000000	0x0000000000000000
0x602360:	0x0000000000000000	0x0000000000000000
0x602370:	0x0000000000000000	0x0000000000000000

我们继续单步执行到 free 执行之后看一看堆空间的分布情况

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
───────────────────────────────────────────────────────────────────────────────────[ DISASM / x86-64 / set emulate on ]────────────────────────────────────────────────────────────────────────────────────
   0x40057c <main+22>    mov    edi, 0x10                       EDI => 0x10
   0x400581 <main+27>    call   malloc@plt                  <malloc@plt>
 
   0x400586 <main+32>    mov    rax, qword ptr [rbp - 0x10]     RAX, [0x7fffffffdf10] => 0x6022a0 ◂— 0
   0x40058a <main+36>    mov    rdi, rax                        RDI => 0x6022a0 ◂— 0
   0x40058d <main+39>    call   free@plt                    <free@plt>
 
0x400592 <main+44>    mov    rax, qword ptr [rbp - 0x10]     RAX, [0x7fffffffdf10] => 0x6022a0 ◂— 0x602
   0x400596 <main+48>    sub    rax, 8                          RAX => 0x602298 (0x6022a0 - 0x8)
   0x40059a <main+52>    mov    qword ptr [rax], 0xb1           [0x602298] <= 0xb1
   0x4005a1 <main+59>    mov    edi, 0xa0                       EDI => 0xa0
   0x4005a6 <main+64>    call   malloc@plt                  <malloc@plt>
 
   0x4005ab <main+69>    mov    qword ptr [rbp - 8], rax
─────────────────────────────────────────────────────────────────────────────────────────────────[ STACK ]─────────────────────────────────────────────────────────────────────────────────────────────────
pwndbg> bins
fastbins
empty
unsortedbin
all: 0x602000 —▸ 0x7ffff7bc4b78 ◂— 0x602000
smallbins
empty
largebins
empty
pwndbg> heap
Free chunk (unsortedbin) | PREV_INUSE
Addr: 0x602000
Size: 0xb0 (with flag bits: 0xb1)
fd: 0x7ffff7bc4b78
bk: 0x7ffff7bc4b78

Allocated chunk
Addr: 0x6020b0
Size: 0x20 (with flag bits: 0x20)

Top chunk | PREV_INUSE
Addr: 0x6020d0
Size: 0x20f30 (with flag bits: 0x20f31)

pwndbg> x/30gx 0x602290
0x602290:	0x0000000000000000	0x0000000000000091|<==tcachebins
0x6022a0:	0x0000000000000602	0x83b366d8bd637ac2|
0x6022b0:	0x0000000000000000	0x0000000000000000|
0x6022c0:	0x0000000000000000	0x0000000000000000|
0x6022d0:	0x0000000000000000	0x0000000000000000|
0x6022e0:	0x0000000000000000	0x0000000000000000|
0x6022f0:	0x0000000000000000	0x0000000000000000|
0x602300:	0x0000000000000000	0x0000000000000000|
0x602310:	0x0000000000000000	0x0000000000000000|
0x602320:	0x0000000000000000	0x0000000000000021|<==chunk2
0x602330:	0x0000000000000000	0x0000000000000000
0x602340:	0x0000000000000000	0x0000000000020cc1|<==top chunk
0x602350:	0x0000000000000000	0x0000000000000000
0x602360:	0x0000000000000000	0x0000000000000000
0x602370:	0x0000000000000000	0x0000000000000000

释放后的 chunk1 进入了 tcachebins,我们看一看执行完 *(int *)((int)ptr-0x8)=0xb1;之后的堆内存,单步执行

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
──────────────────────────────[ DISASM / x86-64 / set emulate on ]──────────────────────────────
   0x40058d <main+39>    call   free@plt                    <free@plt>
 
   0x400592 <main+44>    mov    rax, qword ptr [rbp - 0x10]     RAX, [0x7fffffffdf10] => 0x6022a0 ◂— 0x602
   0x400596 <main+48>    sub    rax, 8                          RAX => 0x602298 (0x6022a0 - 0x8)
   0x40059a <main+52>    mov    qword ptr [rax], 0xb1           [0x602298] <= 0xb1
   0x4005a1 <main+59>    mov    edi, 0xa0                       EDI => 0xa0
0x4005a6 <main+64>    call   malloc@plt                  <malloc@plt>
        size: 0xa0
 
   0x4005ab <main+69>    mov    qword ptr [rbp - 8], rax
   0x4005af <main+73>    mov    eax, 0                       EAX => 0
   0x4005b4 <main+78>    leave  
   0x4005b5 <main+79>    ret    
 
   0x4005b6              nop    word ptr cs:[rax + rax]
────────────────────────────────────────────────────────────────────────────────────────────────
pwndbg> x/30gx 0x602290
0x602290:	0x0000000000000000	0x00000000000000b1
0x6022a0:	0x0000000000000602	0x83b366d8bd637ac2
0x6022b0:	0x0000000000000000	0x0000000000000000
0x6022c0:	0x0000000000000000	0x0000000000000000
0x6022d0:	0x0000000000000000	0x0000000000000000
0x6022e0:	0x0000000000000000	0x0000000000000000
0x6022f0:	0x0000000000000000	0x0000000000000000
0x602300:	0x0000000000000000	0x0000000000000000
0x602310:	0x0000000000000000	0x0000000000000000
0x602320:	0x0000000000000000	0x0000000000000021
0x602330:	0x0000000000000000	0x0000000000000000
0x602340:	0x0000000000000000	0x0000000000020cc1
0x602350:	0x0000000000000000	0x0000000000000000
0x602360:	0x0000000000000000	0x0000000000000000
0x602370:	0x0000000000000000	0x0000000000000000
pwndbg>

执行完修改 size 如上,此时再进行 malloc 分配就可以得到 chunk1+chunk2 的堆块,从而控制 chunk2 的内容

Chunk Extend 可以做什么?

当你可以控制 chunk 中的内容时,加入该 chunk 中存在字符串指针,函数指针等,就可以通过这些指针进行信息泄露和控制执行流程。此外 extend 可以实现 chunk overlapping,通过 overlapping 可以控制 chunk 的 fd/bk 指针,从而实现 fastbin attack 等利用

通过 extend 后向 overlapping

这里展示通过 extend 进行后向 overlapping,这也是在 CTF 中最常出现的情况,通过 overlapping 可以实现其它的一些利用。一下是示例源代码

1
2
3
4
5
6
7
8
9
10
11
12
int main()
{
    void *ptr,*ptr1;

    ptr=malloc(0x10);//分配第10x80 的chunk1
    malloc(0x10); //分配第20x10 的chunk2
    malloc(0x10); //分配第30x10 的chunk3
    malloc(0x10); //分配第40x10 的chunk4    
    *(int *)((int)ptr-0x8)=0x61;
    free(ptr);
    ptr1=malloc(0x50);
}

在 malloc(0x50) 对 extend 区域重新占位后,其中 0x10 的 fastbin 块依然可以正常的分配和释放,此时已经构成 overlapping,通过对 overlapping 的进行操作可以实现 fastbin attack。

通过 extend 前向 overlapping

这里展示通过修改 pre_inuse 域和 pre_size 域实现合并前面的块

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
int main(void)
{
    void *ptr1,*ptr2,*ptr3,*ptr4;
    ptr1=malloc(128);              //smallbin1
    ptr2=malloc(0x10);             //fastbin1
    ptr3=malloc(0x10);             //fastbin2
    ptr4=malloc(128);              //smallbin2
    malloc(0x10);                  //防止与top合并
    free(ptr1);
    *(int *)((long long)ptr4-0x8)=0x90;   //修改size的P(pre_inuse)域
    *(int *)((long long)ptr4-0x10)=0xd0;  //修改pre_size域
    free(ptr4);//unlink进行前向extend
    malloc(0x150);//占位块

}

前向 extend 利用了 smallbin 的 unlink 机制,通过修改 pre_size 域可以跨越多个 chunk 进行合并实现 overlapping。

pre_size, 如果该 chunk 的物理相邻的前一地址 chunk(两个指针的地址差值为前一chunk 大小)是空闲的话,那该字段记录的是前一个 chunk 的大小 (包括 chunk 头)。否则,该字段可以用来存储物理相邻的前一个 chunk 的数据。这里的前一chunk 指的是较低地址的 chunk 。前面一个堆块在使用时并且pre_size为储存前面chunk的数据时,他的值始终为 0

size字段中的P(PRE_INUSE):记录前一个 chunk 块是否被分配。一般来说,堆中第一个被分配的内存块的 size 字段的 P 位都会被设置为 1,以便于防止访问前面的非法内存。当一个 chunk 的 size 的 P 位为 0 时,我们能通过 prev_size 字段来获取上一个 chunk 的大小以及地址。这也方便进行空闲 chunk 之间的合并。

更新: 2026-01-11 17:49:55
原文: https://www.yuque.com/idcm/wnemg9/fii6vgn27lmxk5qp