House of Force

原理:

House of Force是通过修改top chunksize从而通过分配内存达到任意地址写的目的。先看看glibc的源码:

      victim = av->top;   //取出top_chunk的地址
      size = chunksize (victim); //计算top_chunk的size

      if ((unsigned long) (size) >= (unsigned long) (nb + MINSIZE)) //此处nb为想要申请分配的堆的大小
        {
          remainder_size = size - nb;
          remainder = chunk_at_offset (victim, nb);  //获取分割后的top_chunk的地址
          av->top = remainder;
          set_head (victim, nb | PREV_INUSE |
                    (av != &main_arena ? NON_MAIN_ARENA : 0));
          set_head (remainder, remainder_size | PREV_INUSE);

          check_malloced_chunk (av, victim, nb);
          void *p = chunk2mem (victim);
          alloc_perturb (p, bytes);
          return p;
        }

 

posted @ 2020-02-27 20:12  countfatcode  阅读(138)  评论(0编辑  收藏  举报