Malloc Maleficarum复盘

1.hos复盘

hos即伪造堆块,free栈上地址,然后下一个malloc去分配一个fastbin(栈上),包含返回地址。

代码来源
他这个我直接复现有问题,咨询了joker师傅,应该是gcc版本问题,导致局部变量位置不同。所以我直接gdb里暴力set去搞,反正就是个demo,学习下原理就好。

# muhe @ ubuntu in ~/Desktop/study [2:54:31] 
$ ls
hos  hos.c

# muhe @ ubuntu in ~/Desktop/study [2:54:33] 
$ cat hos.c 
#include <stdio.h>
#include <string.h>
#include <stdlib.h>

void fvuln(char *str1, int age)
{
  char *ptr1;
  int local_age;
  char name[32];
  char *ptr2;

  local_age = age;

  ptr1 = (char *) malloc(256);
  printf("\nPTR1 = [ %p ]", ptr1);
  strcpy(name, str1);
  printf("\nPTR1 = [ %p ]\n", ptr1);

  free(ptr1);

  ptr2 = (char *) malloc(40);

  snprintf(ptr2, 40-1, "%s is %d years old", name, local_age);
  printf("\n%s\n", ptr2);
}

int main(int argc, char *argv[])
{
  int pad[10] = {0, 0, 0, 0, 0, 0, 0, 10, 0, 0};

  if (argc == 3)
    fvuln(argv[1], atoi(argv[2]));

  return 0;
}                                                                                                                                                                                                      
# muhe @ ubuntu in ~/Desktop/study [2:54:35] 
$ gcc hos.c -m32 -fno-stack-protector -mpreferred-stack-boundary=2 -mno-accumulate-outgoing-args -z execstack -o hos -g

# muhe @ ubuntu in ~/Desktop/study [2:54:45] 
$ gdb ./hos -q
Reading symbols from ./hos...done.
gdb-peda$ pdisass fvuln
Dump of assembler code for function fvuln:
   0x080484fb <+0>:	push   ebp
   0x080484fc <+1>:	mov    ebp,esp
   0x080484fe <+3>:	sub    esp,0x2c
   0x08048501 <+6>:	mov    eax,DWORD PTR [ebp+0xc]
   0x08048504 <+9>:	mov    DWORD PTR [ebp-0x4],eax
   0x08048507 <+12>:	push   0x100
   0x0804850c <+17>:	call   0x80483b0 <malloc@plt>
   0x08048511 <+22>:	add    esp,0x4
   0x08048514 <+25>:	mov    DWORD PTR [ebp-0x8],eax
   0x08048517 <+28>:	push   DWORD PTR [ebp-0x8]
   0x0804851a <+31>:	push   0x8048660
   0x0804851f <+36>:	call   0x8048380 <printf@plt>
   0x08048524 <+41>:	add    esp,0x8
   0x08048527 <+44>:	push   DWORD PTR [ebp+0x8]
   0x0804852a <+47>:	lea    eax,[ebp-0x2c]
   0x0804852d <+50>:	push   eax
   0x0804852e <+51>:	call   0x80483a0 <strcpy@plt>
   0x08048533 <+56>:	add    esp,0x8
   0x08048536 <+59>:	push   DWORD PTR [ebp-0x8]
   0x08048539 <+62>:	push   0x804866f
   0x0804853e <+67>:	call   0x8048380 <printf@plt>
   0x08048543 <+72>:	add    esp,0x8
   0x08048546 <+75>:	push   DWORD PTR [ebp-0x8]
   0x08048549 <+78>:	call   0x8048390 <free@plt>
   0x0804854e <+83>:	add    esp,0x4
   0x08048551 <+86>:	push   0x28
   0x08048553 <+88>:	call   0x80483b0 <malloc@plt>
   0x08048558 <+93>:	add    esp,0x4
   0x0804855b <+96>:	mov    DWORD PTR [ebp-0xc],eax
   0x0804855e <+99>:	push   DWORD PTR [ebp-0x4]
   0x08048561 <+102>:	lea    eax,[ebp-0x2c]
   0x08048564 <+105>:	push   eax
   0x08048565 <+106>:	push   0x804867f
   0x0804856a <+111>:	push   0x27
   0x0804856c <+113>:	push   DWORD PTR [ebp-0xc]
   0x0804856f <+116>:	call   0x80483d0 <snprintf@plt>
   0x08048574 <+121>:	add    esp,0x14
   0x08048577 <+124>:	push   DWORD PTR [ebp-0xc]
   0x0804857a <+127>:	push   0x8048692
   0x0804857f <+132>:	call   0x8048380 <printf@plt>
   0x08048584 <+137>:	add    esp,0x8
   0x08048587 <+140>:	nop
   0x08048588 <+141>:	leave  
   0x08048589 <+142>:	ret    
End of assembler dump.
gdb-peda$ b *0x0804850c
Breakpoint 1 at 0x804850c: file hos.c, line 14.
gdb-peda$ b *0x0804852e
Breakpoint 2 at 0x804852e: file hos.c, line 16.
gdb-peda$ b *0x08048549
Breakpoint 3 at 0x8048549: file hos.c, line 19.
gdb-peda$ b *0x08048553
Breakpoint 4 at 0x8048553: file hos.c, line 21.
gdb-peda$ r aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaabbbbcccc 20
Starting program: /home/muhe/Desktop/study/hos aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaabbbbcccc 20

 [----------------------------------registers-----------------------------------]
EAX: 0x14 
EBX: 0x0 
ECX: 0x0 
EDX: 0x14 
ESI: 0xf7fb9000 --> 0x1aedb0 
EDI: 0xffffd584 --> 0xf7fb9000 --> 0x1aedb0 
EBP: 0xffffd54c --> 0xffffd588 --> 0x0 
ESP: 0xffffd51c --> 0x100 
EIP: 0x804850c (<fvuln+17>:	call   0x80483b0 <malloc@plt>)
EFLAGS: 0x282 (carry parity adjust zero SIGN trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0x8048501 <fvuln+6>:	mov    eax,DWORD PTR [ebp+0xc]
   0x8048504 <fvuln+9>:	mov    DWORD PTR [ebp-0x4],eax
   0x8048507 <fvuln+12>:	push   0x100
=> 0x804850c <fvuln+17>:	call   0x80483b0 <malloc@plt>
   0x8048511 <fvuln+22>:	add    esp,0x4
   0x8048514 <fvuln+25>:	mov    DWORD PTR [ebp-0x8],eax
   0x8048517 <fvuln+28>:	push   DWORD PTR [ebp-0x8]
   0x804851a <fvuln+31>:	push   0x8048660
Guessed arguments:
arg[0]: 0x100 
arg[1]: 0x0 
[------------------------------------stack-------------------------------------]
0000| 0xffffd51c --> 0x100 
0004| 0xffffd520 --> 0x0 
0008| 0xffffd524 --> 0xffffd5c4 --> 0x61b64d7e 
0012| 0xffffd528 --> 0xf7fe76db (add    esi,0x15925)
0016| 0xffffd52c --> 0x0 
0020| 0xffffd530 --> 0xf7e39c45 (<strtol+5>:	add    eax,0x17f3bb)
0024| 0xffffd534 --> 0xf7e37040 (<atoi+16>:	add    esp,0x1c)
0028| 0xffffd538 --> 0xffffd851 --> 0x58003032 ('20')
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value

Breakpoint 1, 0x0804850c in fvuln (str1=0xffffd828 'a' <repeats 32 times>, "bbbbcccc", age=0x14) at hos.c:14
14	  ptr1 = (char *) malloc(256);
gdb-peda$ c
Continuing.


 [----------------------------------registers-----------------------------------]
EAX: 0xffffd520 --> 0x0 
EBX: 0x0 
ECX: 0x7fffffec 
EDX: 0xf7fba870 --> 0x0 
ESI: 0xf7fb9000 --> 0x1aedb0 
EDI: 0xffffd584 --> 0xf7fb9000 --> 0x1aedb0 
EBP: 0xffffd54c --> 0xffffd588 --> 0x0 
ESP: 0xffffd518 --> 0xffffd520 --> 0x0 
EIP: 0x804852e (<fvuln+51>:	call   0x80483a0 <strcpy@plt>)
EFLAGS: 0x292 (carry parity ADJUST zero SIGN trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0x8048527 <fvuln+44>:	push   DWORD PTR [ebp+0x8]
   0x804852a <fvuln+47>:	lea    eax,[ebp-0x2c]
   0x804852d <fvuln+50>:	push   eax
=> 0x804852e <fvuln+51>:	call   0x80483a0 <strcpy@plt>
   0x8048533 <fvuln+56>:	add    esp,0x8
   0x8048536 <fvuln+59>:	push   DWORD PTR [ebp-0x8]
   0x8048539 <fvuln+62>:	push   0x804866f
   0x804853e <fvuln+67>:	call   0x8048380 <printf@plt>
Guessed arguments:
arg[0]: 0xffffd520 --> 0x0 
arg[1]: 0xffffd828 ('a' <repeats 32 times>, "bbbbcccc")
[------------------------------------stack-------------------------------------]
0000| 0xffffd518 --> 0xffffd520 --> 0x0 
0004| 0xffffd51c --> 0xffffd828 ('a' <repeats 32 times>, "bbbbcccc")
0008| 0xffffd520 --> 0x0 
0012| 0xffffd524 --> 0xffffd5c4 --> 0x61b64d7e 
0016| 0xffffd528 --> 0xf7fe76db (add    esi,0x15925)
0020| 0xffffd52c --> 0x0 
0024| 0xffffd530 --> 0xf7e39c45 (<strtol+5>:	add    eax,0x17f3bb)
0028| 0xffffd534 --> 0xf7e37040 (<atoi+16>:	add    esp,0x1c)
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value

Breakpoint 2, 0x0804852e in fvuln (str1=0xffffd828 'a' <repeats 32 times>, "bbbbcccc", age=0x14) at hos.c:16
16	  strcpy(name, str1);
gdb-peda$ c
Continuing.
PTR1 = [ 0x804b008 ]
PTR1 = [ 0x63636363 ]


 [----------------------------------registers-----------------------------------]
EAX: 0x17 
EBX: 0x0 
ECX: 0x7fffffeb 
EDX: 0xf7fba870 --> 0x0 
ESI: 0xf7fb9000 --> 0x1aedb0 
EDI: 0xffffd584 --> 0xf7fb9000 --> 0x1aedb0 
EBP: 0xffffd54c --> 0xffffd588 --> 0x0 
ESP: 0xffffd51c ("cccc", 'a' <repeats 32 times>, "bbbbcccc")
EIP: 0x8048549 (<fvuln+78>:	call   0x8048390 <free@plt>)
EFLAGS: 0x292 (carry parity ADJUST zero SIGN trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0x804853e <fvuln+67>:	call   0x8048380 <printf@plt>
   0x8048543 <fvuln+72>:	add    esp,0x8
   0x8048546 <fvuln+75>:	push   DWORD PTR [ebp-0x8]
=> 0x8048549 <fvuln+78>:	call   0x8048390 <free@plt>
   0x804854e <fvuln+83>:	add    esp,0x4
   0x8048551 <fvuln+86>:	push   0x28
   0x8048553 <fvuln+88>:	call   0x80483b0 <malloc@plt>
   0x8048558 <fvuln+93>:	add    esp,0x4
Guessed arguments:
arg[0]: 0x63636363 ('cccc')
[------------------------------------stack-------------------------------------]
0000| 0xffffd51c ("cccc", 'a' <repeats 32 times>, "bbbbcccc")
0004| 0xffffd520 ('a' <repeats 32 times>, "bbbbcccc")
0008| 0xffffd524 ('a' <repeats 28 times>, "bbbbcccc")
0012| 0xffffd528 ('a' <repeats 24 times>, "bbbbcccc")
0016| 0xffffd52c ('a' <repeats 20 times>, "bbbbcccc")
0020| 0xffffd530 ('a' <repeats 16 times>, "bbbbcccc")
0024| 0xffffd534 ('a' <repeats 12 times>, "bbbbcccc")
0028| 0xffffd538 ("aaaaaaaabbbbcccc")
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value

Breakpoint 3, 0x08048549 in fvuln (str1=0xffffd828 'a' <repeats 32 times>, "bbbbcccc", age=0x14) at hos.c:19
19	  free(ptr1);
gdb-peda$ x/10wx $esp
0xffffd51c:	0x63636363	0x61616161	0x61616161	0x61616161
0xffffd52c:	0x61616161	0x61616161	0x61616161	0x61616161
0xffffd53c:	0x61616161	0x62626262
gdb-peda$ set *(int*)0xffffd51c = 0xffffd530
gdb-peda$ x/10wx 0xffffd530 - 8
0xffffd528:	0x61616161	0x61616161	0x61616161	0x61616161
0xffffd538:	0x61616161	0x61616161	0x62626262	0x63636363
0xffffd548:	0x00000000	0xffffd588
gdb-peda$ set *(int*)0xffffd528=0x0
gdb-peda$ set *(int*)0xffffd52c=0x31
gdb-peda$ x/10wx 0xffffd530 - 8 + 0x30
0xffffd558:	0x00000014	0x00000000	0x00000000	0x00000000
0xffffd568:	0x00000000	0x00000000	0x00000000	0x00000000
0xffffd578:	0x0000000a	0x00000000
gdb-peda$ set *(int*)0xffffd558 = 0x31
gdb-peda$ set *(int*)0xffffd55c = 0x30
gdb-peda$ ni

 [----------------------------------registers-----------------------------------]
EAX: 0x0 
EBX: 0x0 
ECX: 0xf7fb9000 --> 0x1aedb0 
EDX: 0x0 
ESI: 0xf7fb9000 --> 0x1aedb0 
EDI: 0xffffd584 --> 0xf7fb9000 --> 0x1aedb0 
EBP: 0xffffd54c --> 0xffffd588 --> 0x0 
ESP: 0xffffd51c --> 0xffffd530 --> 0x0 
EIP: 0x804854e (<fvuln+83>:	add    esp,0x4)
EFLAGS: 0x292 (carry parity ADJUST zero SIGN trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0x8048543 <fvuln+72>:	add    esp,0x8
   0x8048546 <fvuln+75>:	push   DWORD PTR [ebp-0x8]
   0x8048549 <fvuln+78>:	call   0x8048390 <free@plt>
=> 0x804854e <fvuln+83>:	add    esp,0x4
   0x8048551 <fvuln+86>:	push   0x28
   0x8048553 <fvuln+88>:	call   0x80483b0 <malloc@plt>
   0x8048558 <fvuln+93>:	add    esp,0x4
   0x804855b <fvuln+96>:	mov    DWORD PTR [ebp-0xc],eax
[------------------------------------stack-------------------------------------]
0000| 0xffffd51c --> 0xffffd530 --> 0x0 
0004| 0xffffd520 ("aaaaaaaa")
0008| 0xffffd524 ("aaaa")
0012| 0xffffd528 --> 0x0 
0016| 0xffffd52c --> 0x31 ('1')
0020| 0xffffd530 --> 0x0 
0024| 0xffffd534 ('a' <repeats 12 times>, "bbbbcccc")
0028| 0xffffd538 ("aaaaaaaabbbbcccc")
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
0x0804854e	19	  free(ptr1);
gdb-peda$ ni


 [----------------------------------registers-----------------------------------]
EAX: 0x0 
EBX: 0x0 
ECX: 0xf7fb9000 --> 0x1aedb0 
EDX: 0x0 
ESI: 0xf7fb9000 --> 0x1aedb0 
EDI: 0xffffd584 --> 0xf7fb9000 --> 0x1aedb0 
EBP: 0xffffd54c --> 0xffffd588 --> 0x0 
ESP: 0xffffd520 ("aaaaaaaa")
EIP: 0x8048551 (<fvuln+86>:	push   0x28)
EFLAGS: 0x292 (carry parity ADJUST zero SIGN trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0x8048546 <fvuln+75>:	push   DWORD PTR [ebp-0x8]
   0x8048549 <fvuln+78>:	call   0x8048390 <free@plt>
   0x804854e <fvuln+83>:	add    esp,0x4
=> 0x8048551 <fvuln+86>:	push   0x28
   0x8048553 <fvuln+88>:	call   0x80483b0 <malloc@plt>
   0x8048558 <fvuln+93>:	add    esp,0x4
   0x804855b <fvuln+96>:	mov    DWORD PTR [ebp-0xc],eax
   0x804855e <fvuln+99>:	push   DWORD PTR [ebp-0x4]
[------------------------------------stack-------------------------------------]
0000| 0xffffd520 ("aaaaaaaa")
0004| 0xffffd524 ("aaaa")
0008| 0xffffd528 --> 0x0 
0012| 0xffffd52c --> 0x31 ('1')
0016| 0xffffd530 --> 0x0 
0020| 0xffffd534 ('a' <repeats 12 times>, "bbbbcccc")
0024| 0xffffd538 ("aaaaaaaabbbbcccc")
0028| 0xffffd53c ("aaaabbbbcccc")
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
21	  ptr2 = (char *) malloc(40);
gdb-peda$ ni


 [----------------------------------registers-----------------------------------]
EAX: 0x0 
EBX: 0x0 
ECX: 0xf7fb9000 --> 0x1aedb0 
EDX: 0x0 
ESI: 0xf7fb9000 --> 0x1aedb0 
EDI: 0xffffd584 --> 0xf7fb9000 --> 0x1aedb0 
EBP: 0xffffd54c --> 0xffffd588 --> 0x0 
ESP: 0xffffd51c --> 0x28 ('(')
EIP: 0x8048553 (<fvuln+88>:	call   0x80483b0 <malloc@plt>)
EFLAGS: 0x292 (carry parity ADJUST zero SIGN trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0x8048549 <fvuln+78>:	call   0x8048390 <free@plt>
   0x804854e <fvuln+83>:	add    esp,0x4
   0x8048551 <fvuln+86>:	push   0x28
=> 0x8048553 <fvuln+88>:	call   0x80483b0 <malloc@plt>
   0x8048558 <fvuln+93>:	add    esp,0x4
   0x804855b <fvuln+96>:	mov    DWORD PTR [ebp-0xc],eax
   0x804855e <fvuln+99>:	push   DWORD PTR [ebp-0x4]
   0x8048561 <fvuln+102>:	lea    eax,[ebp-0x2c]
Guessed arguments:
arg[0]: 0x28 ('(')
[------------------------------------stack-------------------------------------]
0000| 0xffffd51c --> 0x28 ('(')
0004| 0xffffd520 ("aaaaaaaa")
0008| 0xffffd524 ("aaaa")
0012| 0xffffd528 --> 0x0 
0016| 0xffffd52c --> 0x31 ('1')
0020| 0xffffd530 --> 0x0 
0024| 0xffffd534 ('a' <repeats 12 times>, "bbbbcccc")
0028| 0xffffd538 ("aaaaaaaabbbbcccc")
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value

Breakpoint 4, 0x08048553 in fvuln (str1=0xffffd828 'a' <repeats 32 times>, "bbbbcccc", age=0x31) at hos.c:21
21	  ptr2 = (char *) malloc(40);
gdb-peda$ ni


 [----------------------------------registers-----------------------------------]
EAX: 0xffffd530 --> 0x0 
EBX: 0x0 
ECX: 0xf7fb9780 --> 0x0 
EDX: 0xffffd530 --> 0x0 
ESI: 0xf7fb9000 --> 0x1aedb0 
EDI: 0xffffd584 --> 0xf7fb9000 --> 0x1aedb0 
EBP: 0xffffd54c --> 0xffffd588 --> 0x0 
ESP: 0xffffd51c --> 0x28 ('(')
EIP: 0x8048558 (<fvuln+93>:	add    esp,0x4)
EFLAGS: 0x246 (carry PARITY adjust ZERO sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0x804854e <fvuln+83>:	add    esp,0x4
   0x8048551 <fvuln+86>:	push   0x28
   0x8048553 <fvuln+88>:	call   0x80483b0 <malloc@plt>
=> 0x8048558 <fvuln+93>:	add    esp,0x4
   0x804855b <fvuln+96>:	mov    DWORD PTR [ebp-0xc],eax
   0x804855e <fvuln+99>:	push   DWORD PTR [ebp-0x4]
   0x8048561 <fvuln+102>:	lea    eax,[ebp-0x2c]
   0x8048564 <fvuln+105>:	push   eax
[------------------------------------stack-------------------------------------]
0000| 0xffffd51c --> 0x28 ('(')
0004| 0xffffd520 ("aaaaaaaa")
0008| 0xffffd524 ("aaaa")
0012| 0xffffd528 --> 0x0 
0016| 0xffffd52c --> 0x31 ('1')
0020| 0xffffd530 --> 0x0 
0024| 0xffffd534 ('a' <repeats 12 times>, "bbbbcccc")
0028| 0xffffd538 ("aaaaaaaabbbbcccc")
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
0x08048558	21	  ptr2 = (char *) malloc(40);
gdb-peda$ ni


 [----------------------------------registers-----------------------------------]
EAX: 0xffffd530 --> 0x0 
EBX: 0x0 
ECX: 0xf7fb9780 --> 0x0 
EDX: 0xffffd530 --> 0x0 
ESI: 0xf7fb9000 --> 0x1aedb0 
EDI: 0xffffd584 --> 0xf7fb9000 --> 0x1aedb0 
EBP: 0xffffd54c --> 0xffffd588 --> 0x0 
ESP: 0xffffd520 ("aaaaaaaa")
EIP: 0x804855b (<fvuln+96>:	mov    DWORD PTR [ebp-0xc],eax)
EFLAGS: 0x292 (carry parity ADJUST zero SIGN trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0x8048551 <fvuln+86>:	push   0x28
   0x8048553 <fvuln+88>:	call   0x80483b0 <malloc@plt>
   0x8048558 <fvuln+93>:	add    esp,0x4
=> 0x804855b <fvuln+96>:	mov    DWORD PTR [ebp-0xc],eax
   0x804855e <fvuln+99>:	push   DWORD PTR [ebp-0x4]
   0x8048561 <fvuln+102>:	lea    eax,[ebp-0x2c]
   0x8048564 <fvuln+105>:	push   eax
   0x8048565 <fvuln+106>:	push   0x804867f
[------------------------------------stack-------------------------------------]
0000| 0xffffd520 ("aaaaaaaa")
0004| 0xffffd524 ("aaaa")
0008| 0xffffd528 --> 0x0 
0012| 0xffffd52c --> 0x31 ('1')
0016| 0xffffd530 --> 0x0 
0020| 0xffffd534 ('a' <repeats 12 times>, "bbbbcccc")
0024| 0xffffd538 ("aaaaaaaabbbbcccc")
0028| 0xffffd53c ("aaaabbbbcccc")
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
0x0804855b	21	  ptr2 = (char *) malloc(40);
gdb-peda$ 


2.hop TBU


3.hom TBU


4.hof TBU


5.hol TBU


6.hoc TBU

posted @ 2016-09-15 18:06  何沐  阅读(331)  评论(0编辑  收藏  举报