当前位置：首页 > article >正文

pwn学习笔记（12）--Chunk Extend and Overlapping

article 2024/11/14 12:01:16

pwn学习笔记（12）–Chunk Extend and Overlapping

chunk extend 是堆漏洞的一种常见利用手法，通过 extend 可以实现 chunk overlapping（块重叠）的效果。这种利用方法需要以下的时机和条件：

程序中存在基于堆的漏洞
漏洞可以控制 chunk header 中的数据

1、对inuse的fastbin进行extend：

 int main(void)
{
    void *ptr,*ptr1;

    ptr=malloc(0x10);//分配第一个0x10的chunk
    malloc(0x10);//分配第二个0x10的chunk

    *(long long *)((long long)ptr-0x8)=0x41;// 修改第一个块的size域

    free(ptr);
    ptr1=malloc(0x30);// 实现 extend，控制了第二个块的内容
    return 0;
}

首先进行两次malloc，之后看看heap的状态：

In file: /mnt/hgfs/sharedict/ChunkExtend/extend.c
    3     void *ptr,*ptr1;
    4 
    5     ptr=malloc(0x10);//分配第一个0x10的chunk
    6     malloc(0x10);//分配第二个0x10的chunk
    7 
 ►  8     *(long long *)((long long)ptr-0x8)=0x41;// 修改第一个块的size域
    9 
   10     free(ptr);
   11     ptr1=malloc(0x30);// 实现 extend，控制了第二个块的内容
   12     return 0;
   13 }
─────────────────────────────────────────────────────────[ STACK ]─────────────────────────────────────────────────────────
00:0000│ rsp 0x7fffffffde30 —▸ 0x555555758010 ◂— 0x0
01:0008│     0x7fffffffde38 ◂— 0x0
02:0010│ rbp 0x7fffffffde40 —▸ 0x5555555546e0 (__libc_csu_init) ◂— push   r15
03:0018│     0x7fffffffde48 —▸ 0x7ffff7a2d840 (__libc_start_main+240) ◂— mov    edi, eax
04:0020│     0x7fffffffde50 ◂— 0x1
05:0028│     0x7fffffffde58 —▸ 0x7fffffffdf28 —▸ 0x7fffffffe2ac ◂— '/mnt/hgfs/sharedict/ChunkExtend/test'
06:0030│     0x7fffffffde60 ◂— 0x1f7ffcca0
07:0038│     0x7fffffffde68 —▸ 0x55555555468a (main) ◂— push   rbp
───────────────────────────────────────────────────────[ BACKTRACE ]───────────────────────────────────────────────────────
 ► f 0   0x5555555546aa main+32
   f 1   0x7ffff7a2d840 __libc_start_main+240
───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
pwndbg> heap
Allocated chunk | PREV_INUSE
Addr: 0x555555758000
Size: 0x21

Allocated chunk | PREV_INUSE
Addr: 0x555555758020
Size: 0x21

Top chunk | PREV_INUSE
Addr: 0x555555758040
Size: 0x20fc1

pwndbg> bins
fastbins
0x20: 0x0
0x30: 0x0
0x40: 0x0
0x50: 0x0
0x60: 0x0
0x70: 0x0
0x80: 0x0
unsortedbin
all: 0x0
smallbins
empty
largebins
empty

有地址的话，就去读一下两个堆的内容：

pwndbg> x/30gx 0x555555758000
0x555555758000: 0x0000000000000000  0x0000000000000021		<======Chunk1
0x555555758010: 0x0000000000000000  0x0000000000000000
0x555555758020: 0x0000000000000000  0x0000000000000021		<======Chunk2
0x555555758030: 0x0000000000000000  0x0000000000000000
0x555555758040: 0x0000000000000000  0x0000000000020fc1		<======Top Chunk
0x555555758050: 0x0000000000000000  0x0000000000000000
0x555555758060: 0x0000000000000000  0x0000000000000000
0x555555758070: 0x0000000000000000  0x0000000000000000
0x555555758080: 0x0000000000000000  0x0000000000000000
0x555555758090: 0x0000000000000000  0x0000000000000000
0x5555557580a0: 0x0000000000000000  0x0000000000000000
0x5555557580b0: 0x0000000000000000  0x0000000000000000
0x5555557580c0: 0x0000000000000000  0x0000000000000000
0x5555557580d0: 0x0000000000000000  0x0000000000000000
0x5555557580e0: 0x0000000000000000  0x0000000000000000

下一步开始释放，看一看修改chunk1的size域大小：

pwndbg> heap
Allocated chunk | PREV_INUSE
Addr: 0x555555758000
Size: 0x41

Top chunk | PREV_INUSE
Addr: 0x555555758040
Size: 0x20fc1

pwndbg> bins
fastbins
0x20: 0x0
0x30: 0x0
0x40: 0x0
0x50: 0x0
0x60: 0x0
0x70: 0x0
0x80: 0x0
unsortedbin
all: 0x0
smallbins
empty
largebins
empty

发现chunk2被修改后增大了的chunk1给那占了，heap里就只有一个Chunk了，看看内存：

pwndbg> x/30gx 0x555555758000
0x555555758000: 0x0000000000000000  0x0000000000000041			<======原Chunk1
0x555555758010: 0x0000000000000000  0x0000000000000000
0x555555758020: 0x0000000000000000  0x0000000000000021			<======原Chunk2
0x555555758030: 0x0000000000000000  0x0000000000000000
0x555555758040: 0x0000000000000000  0x0000000000020fc1			<======Top Chunk
0x555555758050: 0x0000000000000000  0x0000000000000000
0x555555758060: 0x0000000000000000  0x0000000000000000
0x555555758070: 0x0000000000000000  0x0000000000000000
0x555555758080: 0x0000000000000000  0x0000000000000000
0x555555758090: 0x0000000000000000  0x0000000000000000
0x5555557580a0: 0x0000000000000000  0x0000000000000000
0x5555557580b0: 0x0000000000000000  0x0000000000000000
0x5555557580c0: 0x0000000000000000  0x0000000000000000
0x5555557580d0: 0x0000000000000000  0x0000000000000000
0x5555557580e0: 0x0000000000000000  0x0000000000000000

除去chunk1的size域变化了以外，似乎没有其他变化，但是，逻辑上来说，现在的堆里只有一个chunk了，之后free掉chunk1看看：

pwndbg> heap
Free chunk (fastbins) | PREV_INUSE
Addr: 0x555555758000
Size: 0x41
fd: 0x00

Top chunk | PREV_INUSE
Addr: 0x555555758040
Size: 0x20fc1

pwndbg> bins
fastbins
0x20: 0x0
0x30: 0x0
0x40: 0x555555758000 ◂— 0x0
0x50: 0x0
0x60: 0x0
0x70: 0x0
0x80: 0x0
unsortedbin
all: 0x0
smallbins
empty
largebins
empty

之后读取下内存：

pwndbg> x/30gx 0x555555758000
0x555555758000: 0x0000000000000000  0x0000000000000041
0x555555758010: 0x0000000000000000  0x0000000000000000
0x555555758020: 0x0000000000000000  0x0000000000000021
0x555555758030: 0x0000000000000000  0x0000000000000000
0x555555758040: 0x0000000000000000  0x0000000000020fc1
0x555555758050: 0x0000000000000000  0x0000000000000000
0x555555758060: 0x0000000000000000  0x0000000000000000
0x555555758070: 0x0000000000000000  0x0000000000000000
0x555555758080: 0x0000000000000000  0x0000000000000000
0x555555758090: 0x0000000000000000  0x0000000000000000
0x5555557580a0: 0x0000000000000000  0x0000000000000000
0x5555557580b0: 0x0000000000000000  0x0000000000000000
0x5555557580c0: 0x0000000000000000  0x0000000000000000
0x5555557580d0: 0x0000000000000000  0x0000000000000000
0x5555557580e0: 0x0000000000000000  0x0000000000000000

下一步是重头戏，试想，如果原chunk1的size域没有真正变化，那么我们进行malloc一个0x30大小的堆块的时候，就不会分配到这个地址上，而是从Top Chunk里拆分，那么事实上是怎么样的呢？实践出真知，看一下吧：

pwndbg> heap
Allocated chunk | PREV_INUSE
Addr: 0x555555758000
Size: 0x41

Top chunk | PREV_INUSE
Addr: 0x555555758040
Size: 0x20fc1

pwndbg> bins
fastbins
0x20: 0x0
0x30: 0x0
0x40: 0x0
0x50: 0x0
0x60: 0x0
0x70: 0x0
0x80: 0x0
unsortedbin
all: 0x0
smallbins
empty
largebins
empty
pwndbg> x/30gx 0x555555758000
0x555555758000: 0x0000000000000000  0x0000000000000041
0x555555758010: 0x0000000000000000  0x0000000000000000
0x555555758020: 0x0000000000000000  0x0000000000000021
0x555555758030: 0x0000000000000000  0x0000000000000000
0x555555758040: 0x0000000000000000  0x0000000000020fc1			<======Top Chunk
0x555555758050: 0x0000000000000000  0x0000000000000000
0x555555758060: 0x0000000000000000  0x0000000000000000
0x555555758070: 0x0000000000000000  0x0000000000000000
0x555555758080: 0x0000000000000000  0x0000000000000000
0x555555758090: 0x0000000000000000  0x0000000000000000
0x5555557580a0: 0x0000000000000000  0x0000000000000000
0x5555557580b0: 0x0000000000000000  0x0000000000000000
0x5555557580c0: 0x0000000000000000  0x0000000000000000
0x5555557580d0: 0x0000000000000000  0x0000000000000000
0x5555557580e0: 0x0000000000000000  0x0000000000000000

显然，Top Chunk并未被拆分，这里确定了，似乎malloc(0x30)得到的堆块是原Chunk1的地址，这里说明了，这里的原chunk1因为size域被修改了之后成为了一个新的更大的堆块，这里也就造成了所谓的堆重叠了，chunk1因为修改了size域后，生成的那个新的chunk和chunk2部分重叠了，这也就导致了，有的对原chunk1的修改可以修改到chunk2的地方，如果chunk2保留了指针，那就可以对chunk2进行伪造，可以结合类似off by one和UAF形成很多种利用方式。

2、对inuse的smallbin进行extend：

//gcc -g 2.c
//注意把之前那个a.out给删掉
int main()
{
    void *ptr,*ptr1;

    ptr=malloc(0x80);//分配第一个 0x80 的chunk1
    malloc(0x10); //分配第二个 0x10 的chunk2
    malloc(0x10); //防止与top chunk合并

    *(long *)((long)ptr-0x8)=0xb1;
    free(ptr);
    ptr1=malloc(0xa0);
}

首先进行三次分配，其中，第三次分配是防止extend后，chunk与topchunk进行合并，无需关注。先看看经过三次malloc之后的堆空间是啥样的：

pwndbg> heap
Allocated chunk | PREV_INUSE
Addr: 0x555555758000
Size: 0x91

Allocated chunk | PREV_INUSE
Addr: 0x555555758090
Size: 0x21

Allocated chunk | PREV_INUSE
Addr: 0x5555557580b0
Size: 0x21

Top chunk | PREV_INUSE
Addr: 0x5555557580d0
Size: 0x20f31

pwndbg> bin
fastbins
0x20: 0x0
0x30: 0x0
0x40: 0x0
0x50: 0x0
0x60: 0x0
0x70: 0x0
0x80: 0x0
unsortedbin
all: 0x0
smallbins
empty
largebins
empty
pwndbg> x/40gx 0x555555758000
0x555555758000: 0x0000000000000000  0x0000000000000091			<======Chunk1
0x555555758010: 0x0000000000000000  0x0000000000000000
0x555555758020: 0x0000000000000000  0x0000000000000000
0x555555758030: 0x0000000000000000  0x0000000000000000
0x555555758040: 0x0000000000000000  0x0000000000000000
0x555555758050: 0x0000000000000000  0x0000000000000000
0x555555758060: 0x0000000000000000  0x0000000000000000
0x555555758070: 0x0000000000000000  0x0000000000000000
0x555555758080: 0x0000000000000000  0x0000000000000000
0x555555758090: 0x0000000000000000  0x0000000000000021			<======Chunk2
0x5555557580a0: 0x0000000000000000  0x0000000000000000
0x5555557580b0: 0x0000000000000000  0x0000000000000021			<======Chunk3
0x5555557580c0: 0x0000000000000000  0x0000000000000000
0x5555557580d0: 0x0000000000000000  0x0000000000020f31			<======Top Chunk
0x5555557580e0: 0x0000000000000000  0x0000000000000000
0x5555557580f0: 0x0000000000000000  0x0000000000000000
0x555555758100: 0x0000000000000000  0x0000000000000000
0x555555758110: 0x0000000000000000  0x0000000000000000
0x555555758120: 0x0000000000000000  0x0000000000000000
0x555555758130: 0x0000000000000000  0x0000000000000000

估摸一下，chunk1的大小似乎有点大，导致free掉的chunk1并不会进入fastbin，而是进入smallbin，那么修改了size域后，原本三个chunk在gdb里的heap指令下依旧少了一个:

pwndbg> heap
Allocated chunk | PREV_INUSE
Addr: 0x555555758000
Size: 0xb1

Allocated chunk | PREV_INUSE
Addr: 0x5555557580b0
Size: 0x21

Top chunk | PREV_INUSE
Addr: 0x5555557580d0
Size: 0x20f31

pwndbg> bins
fastbins
0x20: 0x0
0x30: 0x0
0x40: 0x0
0x50: 0x0
0x60: 0x0
0x70: 0x0
0x80: 0x0
unsortedbin
all: 0x0
smallbins
empty
largebins
empty
pwndbg> x/40gx 0x555555758000
0x555555758000: 0x0000000000000000  0x00000000000000b1			<======Chunk1
0x555555758010: 0x0000000000000000  0x0000000000000000
0x555555758020: 0x0000000000000000  0x0000000000000000
0x555555758030: 0x0000000000000000  0x0000000000000000
0x555555758040: 0x0000000000000000  0x0000000000000000
0x555555758050: 0x0000000000000000  0x0000000000000000
0x555555758060: 0x0000000000000000  0x0000000000000000
0x555555758070: 0x0000000000000000  0x0000000000000000
0x555555758080: 0x0000000000000000  0x0000000000000000
0x555555758090: 0x0000000000000000  0x0000000000000021			<======Chunk2
0x5555557580a0: 0x0000000000000000  0x0000000000000000
0x5555557580b0: 0x0000000000000000  0x0000000000000021			<======Chunk3
0x5555557580c0: 0x0000000000000000  0x0000000000000000
0x5555557580d0: 0x0000000000000000  0x0000000000020f31			<======Top Chunk
0x5555557580e0: 0x0000000000000000  0x0000000000000000
0x5555557580f0: 0x0000000000000000  0x0000000000000000
0x555555758100: 0x0000000000000000  0x0000000000000000
0x555555758110: 0x0000000000000000  0x0000000000000000
0x555555758120: 0x0000000000000000  0x0000000000000000
0x555555758130: 0x0000000000000000  0x0000000000000000

下一步，free掉chunk1：

pwndbg> heap
Free chunk (unsortedbin) | PREV_INUSE
Addr: 0x555555758000
Size: 0xb1
fd: 0x7ffff7dd1b78
bk: 0x7ffff7dd1b78

Allocated chunk
Addr: 0x5555557580b0
Size: 0x20

Top chunk | PREV_INUSE
Addr: 0x5555557580d0
Size: 0x20f31

pwndbg> bin
fastbins
0x20: 0x0
0x30: 0x0
0x40: 0x0
0x50: 0x0
0x60: 0x0
0x70: 0x0
0x80: 0x0
unsortedbin
all: 0x555555758000 —▸ 0x7ffff7dd1b78 (main_arena+88) ◂— 0x555555758000
smallbins
empty
largebins
empty
pwndbg> x/40gx 0x555555758000
0x555555758000: 0x0000000000000000  0x00000000000000b1			<======Chunk1
0x555555758010: 0x00007ffff7dd1b78  0x00007ffff7dd1b78
0x555555758020: 0x0000000000000000  0x0000000000000000
0x555555758030: 0x0000000000000000  0x0000000000000000
0x555555758040: 0x0000000000000000  0x0000000000000000
0x555555758050: 0x0000000000000000  0x0000000000000000
0x555555758060: 0x0000000000000000  0x0000000000000000
0x555555758070: 0x0000000000000000  0x0000000000000000
0x555555758080: 0x0000000000000000  0x0000000000000000
0x555555758090: 0x0000000000000000  0x0000000000000021			<======Chunk2
0x5555557580a0: 0x0000000000000000  0x0000000000000000
0x5555557580b0: 0x00000000000000b0  0x0000000000000020			<======Chunk3
0x5555557580c0: 0x0000000000000000  0x0000000000000000
0x5555557580d0: 0x0000000000000000  0x0000000000020f31			<======Top Chunk
0x5555557580e0: 0x0000000000000000  0x0000000000000000
0x5555557580f0: 0x0000000000000000  0x0000000000000000
0x555555758100: 0x0000000000000000  0x0000000000000000
0x555555758110: 0x0000000000000000  0x0000000000000000
0x555555758120: 0x0000000000000000  0x0000000000000000
0x555555758130: 0x0000000000000000  0x0000000000000000

这里发现了一个点需要注意，就是free掉size域修改了之后的那个chunk1之后，chunk3的size域的最低为，也就是p位，变成了0，这也就说明，chunk1没有放在fastbin里，上面也看到了，被放在了unsortedbin里。

那么为啥会被放入unsortedbin内而不是smallbin呢？估计有一下几种可能：

当一个较大的chunk被分割成两半后，如果剩下的部分大于MINSIZE，就会被放到unsortedbin中。
释放一个不属于fastbin的chunk，并且该chunk不和top chunk紧邻时，该chunk就会被放到unsorted bin 中，当第二次分配的时候，没有在unsortedbin中找到合适的，才会被放入到其对应的bin中。

之后进行分配，分配0xa0大小的堆块，就会发现，原chunk1的地址依旧拿去用了：

pwndbg> heap
Allocated chunk | PREV_INUSE
Addr: 0x555555758000
Size: 0xb1

Allocated chunk | PREV_INUSE
Addr: 0x5555557580b0
Size: 0x21

Top chunk | PREV_INUSE
Addr: 0x5555557580d0
Size: 0x20f31

pwndbg> bin
fastbins
0x20: 0x0
0x30: 0x0
0x40: 0x0
0x50: 0x0
0x60: 0x0
0x70: 0x0
0x80: 0x0
unsortedbin
all: 0x0
smallbins
empty
largebins
empty
pwndbg> x/40gx 0x555555758000
0x555555758000: 0x0000000000000000  0x00000000000000b1
0x555555758010: 0x00007ffff7dd1b78  0x00007ffff7dd1b78
0x555555758020: 0x0000000000000000  0x0000000000000000
0x555555758030: 0x0000000000000000  0x0000000000000000
0x555555758040: 0x0000000000000000  0x0000000000000000
0x555555758050: 0x0000000000000000  0x0000000000000000
0x555555758060: 0x0000000000000000  0x0000000000000000
0x555555758070: 0x0000000000000000  0x0000000000000000
0x555555758080: 0x0000000000000000  0x0000000000000000
0x555555758090: 0x0000000000000000  0x0000000000000021
0x5555557580a0: 0x0000000000000000  0x0000000000000000
0x5555557580b0: 0x00000000000000b0  0x0000000000000021
0x5555557580c0: 0x0000000000000000  0x0000000000000000
0x5555557580d0: 0x0000000000000000  0x0000000000020f31
0x5555557580e0: 0x0000000000000000  0x0000000000000000
0x5555557580f0: 0x0000000000000000  0x0000000000000000
0x555555758100: 0x0000000000000000  0x0000000000000000
0x555555758110: 0x0000000000000000  0x0000000000000000
0x555555758120: 0x0000000000000000  0x0000000000000000
0x555555758130: 0x0000000000000000  0x0000000000000000

3、对free的smallbin进行extend：

//gcc -g 3.c
int main()
{
    void *ptr,*ptr1;

    ptr=malloc(0x80);//分配第一个0x80的chunk1
    malloc(0x10);//分配第二个0x10的chunk2

    free(ptr);//首先进行释放，使得chunk1进入unsorted bin

    *(long *)((long)ptr-0x8)=0xb1;
    ptr1=malloc(0xa0);
}

首先是两次malloc：

pwndbg> heap
Allocated chunk | PREV_INUSE
Addr: 0x555555758000
Size: 0x91

Allocated chunk | PREV_INUSE
Addr: 0x555555758090
Size: 0x21

Top chunk | PREV_INUSE
Addr: 0x5555557580b0
Size: 0x20f51

pwndbg> bins
fastbins
0x20: 0x0
0x30: 0x0
0x40: 0x0
0x50: 0x0
0x60: 0x0
0x70: 0x0
0x80: 0x0
unsortedbin
all: 0x0
smallbins
empty
largebins
empty
pwndbg> x/30gx 0x555555758000
0x555555758000: 0x0000000000000000  0x0000000000000091			<======Chunk1
0x555555758010: 0x0000000000000000  0x0000000000000000
0x555555758020: 0x0000000000000000  0x0000000000000000
0x555555758030: 0x0000000000000000  0x0000000000000000
0x555555758040: 0x0000000000000000  0x0000000000000000
0x555555758050: 0x0000000000000000  0x0000000000000000
0x555555758060: 0x0000000000000000  0x0000000000000000
0x555555758070: 0x0000000000000000  0x0000000000000000
0x555555758080: 0x0000000000000000  0x0000000000000000
0x555555758090: 0x0000000000000000  0x0000000000000021			<======Chunk2
0x5555557580a0: 0x0000000000000000  0x0000000000000000
0x5555557580b0: 0x0000000000000000  0x0000000000020f51			<======Top Chunk
0x5555557580c0: 0x0000000000000000  0x0000000000000000
0x5555557580d0: 0x0000000000000000  0x0000000000000000
0x5555557580e0: 0x0000000000000000  0x0000000000000000

之后直接free掉chunk1：

pwndbg> heap
Free chunk (unsortedbin) | PREV_INUSE
Addr: 0x555555758000
Size: 0x91
fd: 0x7ffff7dd1b78
bk: 0x7ffff7dd1b78

Allocated chunk
Addr: 0x555555758090
Size: 0x20

Top chunk | PREV_INUSE
Addr: 0x5555557580b0
Size: 0x20f51

pwndbg> bin
fastbins
0x20: 0x0
0x30: 0x0
0x40: 0x0
0x50: 0x0
0x60: 0x0
0x70: 0x0
0x80: 0x0
unsortedbin
all: 0x555555758000 —▸ 0x7ffff7dd1b78 (main_arena+88) ◂— 0x555555758000
smallbins
empty
largebins
empty
pwndbg> x/30gx 0x555555758000
0x555555758000: 0x0000000000000000  0x0000000000000091			<======Chunk1
0x555555758010: 0x00007ffff7dd1b78  0x00007ffff7dd1b78
0x555555758020: 0x0000000000000000  0x0000000000000000
0x555555758030: 0x0000000000000000  0x0000000000000000
0x555555758040: 0x0000000000000000  0x0000000000000000
0x555555758050: 0x0000000000000000  0x0000000000000000
0x555555758060: 0x0000000000000000  0x0000000000000000
0x555555758070: 0x0000000000000000  0x0000000000000000
0x555555758080: 0x0000000000000000  0x0000000000000000
0x555555758090: 0x0000000000000090  0x0000000000000020			<======Chunk2
0x5555557580a0: 0x0000000000000000  0x0000000000000000
0x5555557580b0: 0x0000000000000000  0x0000000000020f51			<======Top Chunk
0x5555557580c0: 0x0000000000000000  0x0000000000000000
0x5555557580d0: 0x0000000000000000  0x0000000000000000
0x5555557580e0: 0x0000000000000000  0x0000000000000000

这里还是能看出来存在两个chunk的，当修改了size域大小后：

pwndbg> heap
Free chunk (unsortedbin) | PREV_INUSE
Addr: 0x555555758000
Size: 0xb1
fd: 0x7ffff7dd1b78
bk: 0x7ffff7dd1b78

Top chunk | PREV_INUSE
Addr: 0x5555557580b0
Size: 0x20f51

pwndbg> bin
fastbins
0x20: 0x0
0x30: 0x0
0x40: 0x0
0x50: 0x0
0x60: 0x0
0x70: 0x0
0x80: 0x0
unsortedbin
all: 0x555555758000 —▸ 0x7ffff7dd1b78 (main_arena+88) ◂— 0x555555758000
smallbins
empty
largebins
empty
pwndbg> x/30gx 0x555555758000
0x555555758000: 0x0000000000000000  0x00000000000000b1
0x555555758010: 0x00007ffff7dd1b78  0x00007ffff7dd1b78
0x555555758020: 0x0000000000000000  0x0000000000000000
0x555555758030: 0x0000000000000000  0x0000000000000000
0x555555758040: 0x0000000000000000  0x0000000000000000
0x555555758050: 0x0000000000000000  0x0000000000000000
0x555555758060: 0x0000000000000000  0x0000000000000000
0x555555758070: 0x0000000000000000  0x0000000000000000
0x555555758080: 0x0000000000000000  0x0000000000000000
0x555555758090: 0x0000000000000090  0x0000000000000020
0x5555557580a0: 0x0000000000000000  0x0000000000000000
0x5555557580b0: 0x0000000000000000  0x0000000000020f51
0x5555557580c0: 0x0000000000000000  0x0000000000000000
0x5555557580d0: 0x0000000000000000  0x0000000000000000
0x5555557580e0: 0x0000000000000000  0x0000000000000000

原本的三个chunk变成了两个，并且chunk2还是allocated状态，重叠之后，chunk1是free状态，所以整个chunk依旧是free状态。之后malloc(0xa0)试试：

pwndbg> heap
Allocated chunk | PREV_INUSE
Addr: 0x555555758000
Size: 0xb1

Top chunk | PREV_INUSE
Addr: 0x5555557580b0
Size: 0x20f51

pwndbg> bin
fastbins
0x20: 0x0
0x30: 0x0
0x40: 0x0
0x50: 0x0
0x60: 0x0
0x70: 0x0
0x80: 0x0
unsortedbin
all: 0x0
smallbins
empty
largebins
empty
pwndbg> x/30gx 0x555555758000
0x555555758000: 0x0000000000000000  0x00000000000000b1
0x555555758010: 0x00007ffff7dd1b78  0x00007ffff7dd1b78
0x555555758020: 0x0000000000000000  0x0000000000000000
0x555555758030: 0x0000000000000000  0x0000000000000000
0x555555758040: 0x0000000000000000  0x0000000000000000
0x555555758050: 0x0000000000000000  0x0000000000000000
0x555555758060: 0x0000000000000000  0x0000000000000000
0x555555758070: 0x0000000000000000  0x0000000000000000
0x555555758080: 0x0000000000000000  0x0000000000000000
0x555555758090: 0x0000000000000090  0x0000000000000020
0x5555557580a0: 0x0000000000000000  0x0000000000000000
0x5555557580b0: 0x0000000000000000  0x0000000000020f51
0x5555557580c0: 0x0000000000000000  0x0000000000000000
0x5555557580d0: 0x0000000000000000  0x0000000000000000
0x5555557580e0: 0x0000000000000000  0x0000000000000000

4、extend前向overlapping：

//gcc -g 4.c
int main()
{
    void *ptr,*ptr1;

    ptr=malloc(0x10);//分配第1个 0x80 的chunk1
    malloc(0x10); //分配第2个 0x10 的chunk2
    malloc(0x10); //分配第3个 0x10 的chunk3
    malloc(0x10); //分配第4个 0x10 的chunk4    
    *(long *)((long)ptr-0x8)=0x61;
    free(ptr);
    ptr1=malloc(0x50);
}

还是老样子，进行4次malloc，看下heap和bin以及chunk的内容：

pwndbg> heap
Allocated chunk | PREV_INUSE
Addr: 0x555555758000
Size: 0x21

Allocated chunk | PREV_INUSE
Addr: 0x555555758020
Size: 0x21

Allocated chunk | PREV_INUSE
Addr: 0x555555758040
Size: 0x21

Allocated chunk | PREV_INUSE
Addr: 0x555555758060
Size: 0x21

Top chunk | PREV_INUSE
Addr: 0x555555758080
Size: 0x20f81

pwndbg> bin
fastbins
0x20: 0x0
0x30: 0x0
0x40: 0x0
0x50: 0x0
0x60: 0x0
0x70: 0x0
0x80: 0x0
unsortedbin
all: 0x0
smallbins
empty
largebins
empty
pwndbg> x/30gx 0x555555758000
0x555555758000: 0x0000000000000000  0x0000000000000021			<======Chunk1
0x555555758010: 0x0000000000000000  0x0000000000000000
0x555555758020: 0x0000000000000000  0x0000000000000021			<======Chunk2
0x555555758030: 0x0000000000000000  0x0000000000000000
0x555555758040: 0x0000000000000000  0x0000000000000021			<======Chunk3
0x555555758050: 0x0000000000000000  0x0000000000000000
0x555555758060: 0x0000000000000000  0x0000000000000021			<======Chunk4
0x555555758070: 0x0000000000000000  0x0000000000000000
0x555555758080: 0x0000000000000000  0x0000000000020f81			<======Top Chunk
0x555555758090: 0x0000000000000000  0x0000000000000000
0x5555557580a0: 0x0000000000000000  0x0000000000000000
0x5555557580b0: 0x0000000000000000  0x0000000000000000
0x5555557580c0: 0x0000000000000000  0x0000000000000000
0x5555557580d0: 0x0000000000000000  0x0000000000000000
0x5555557580e0: 0x0000000000000000  0x0000000000000000

之后修改size域：

pwndbg> heap
Allocated chunk | PREV_INUSE
Addr: 0x555555758000
Size: 0x61

Allocated chunk | PREV_INUSE
Addr: 0x555555758060
Size: 0x21

Top chunk | PREV_INUSE
Addr: 0x555555758080
Size: 0x20f81

pwndbg> bin
fastbins
0x20: 0x0
0x30: 0x0
0x40: 0x0
0x50: 0x0
0x60: 0x0
0x70: 0x0
0x80: 0x0
unsortedbin
all: 0x0
smallbins
empty
largebins
empty
pwndbg> x/30gx 0x555555758000
0x555555758000: 0x0000000000000000  0x0000000000000061
0x555555758010: 0x0000000000000000  0x0000000000000000
0x555555758020: 0x0000000000000000  0x0000000000000021
0x555555758030: 0x0000000000000000  0x0000000000000000
0x555555758040: 0x0000000000000000  0x0000000000000021
0x555555758050: 0x0000000000000000  0x0000000000000000
0x555555758060: 0x0000000000000000  0x0000000000000021
0x555555758070: 0x0000000000000000  0x0000000000000000
0x555555758080: 0x0000000000000000  0x0000000000020f81
0x555555758090: 0x0000000000000000  0x0000000000000000
0x5555557580a0: 0x0000000000000000  0x0000000000000000
0x5555557580b0: 0x0000000000000000  0x0000000000000000
0x5555557580c0: 0x0000000000000000  0x0000000000000000
0x5555557580d0: 0x0000000000000000  0x0000000000000000
0x5555557580e0: 0x0000000000000000  0x0000000000000000

之后free：

pwndbg> heap
Allocated chunk | PREV_INUSE
Addr: 0x555555758000
Size: 0x61

Allocated chunk | PREV_INUSE
Addr: 0x555555758060
Size: 0x21

Top chunk | PREV_INUSE
Addr: 0x555555758080
Size: 0x20f81

pwndbg> bin
fastbins
0x20: 0x0
0x30: 0x0
0x40: 0x0
0x50: 0x0
0x60: 0x0
0x70: 0x0
0x80: 0x0
unsortedbin
all: 0x0
smallbins
empty
largebins
empty
pwndbg> x/30gx 0x555555758000
0x555555758000: 0x0000000000000000  0x0000000000000061
0x555555758010: 0x0000000000000000  0x0000000000000000
0x555555758020: 0x0000000000000000  0x0000000000000021
0x555555758030: 0x0000000000000000  0x0000000000000000
0x555555758040: 0x0000000000000000  0x0000000000000021
0x555555758050: 0x0000000000000000  0x0000000000000000
0x555555758060: 0x0000000000000000  0x0000000000000021
0x555555758070: 0x0000000000000000  0x0000000000000000
0x555555758080: 0x0000000000000000  0x0000000000020f81
0x555555758090: 0x0000000000000000  0x0000000000000000
0x5555557580a0: 0x0000000000000000  0x0000000000000000
0x5555557580b0: 0x0000000000000000  0x0000000000000000
0x5555557580c0: 0x0000000000000000  0x0000000000000000
0x5555557580d0: 0x0000000000000000  0x0000000000000000
0x5555557580e0: 0x0000000000000000  0x0000000000000000

之后重新malloc：

pwndbg> heap
Allocated chunk | PREV_INUSE
Addr: 0x555555758000
Size: 0x61

Allocated chunk | PREV_INUSE
Addr: 0x555555758060
Size: 0x21

Top chunk | PREV_INUSE
Addr: 0x555555758080
Size: 0x20f81

pwndbg> bin
fastbins
0x20: 0x0
0x30: 0x0
0x40: 0x0
0x50: 0x0
0x60: 0x0
0x70: 0x0
0x80: 0x0
unsortedbin
all: 0x0
smallbins
empty
largebins
empty
pwndbg> x/30gx 0x555555758000
0x555555758000: 0x0000000000000000  0x0000000000000061
0x555555758010: 0x0000000000000000  0x0000000000000000
0x555555758020: 0x0000000000000000  0x0000000000000021
0x555555758030: 0x0000000000000000  0x0000000000000000
0x555555758040: 0x0000000000000000  0x0000000000000021
0x555555758050: 0x0000000000000000  0x0000000000000000
0x555555758060: 0x0000000000000000  0x0000000000000021
0x555555758070: 0x0000000000000000  0x0000000000000000
0x555555758080: 0x0000000000000000  0x0000000000020f81
0x555555758090: 0x0000000000000000  0x0000000000000000
0x5555557580a0: 0x0000000000000000  0x0000000000000000
0x5555557580b0: 0x0000000000000000  0x0000000000000000
0x5555557580c0: 0x0000000000000000  0x0000000000000000
0x5555557580d0: 0x0000000000000000  0x0000000000000000
0x5555557580e0: 0x0000000000000000  0x0000000000000000

5、通过extend前向overlapping：

//gcc -g 5.c
int main(void)
{
    void *ptr1,*ptr2,*ptr3,*ptr4;
    ptr1=malloc(128);//smallbin1
    ptr2=malloc(0x10);//fastbin1
    ptr3=malloc(0x10);//fastbin2
    ptr4=malloc(128);//smallbin2
    malloc(0x10);//防止与top合并
    free(ptr1);
    *(int *)((long long)ptr4-0x8)=0x90;//修改pre_inuse域
    *(int *)((long long)ptr4-0x10)=0xd0;//修改pre_size域
    free(ptr4);//unlink进行前向extend
    malloc(0x150);//占位块
}

经过五次malloc之后：

pwndbg> heap
Allocated chunk | PREV_INUSE
Addr: 0x555555758000
Size: 0x91

Allocated chunk | PREV_INUSE
Addr: 0x555555758090
Size: 0x21

Allocated chunk | PREV_INUSE
Addr: 0x5555557580b0
Size: 0x21

Allocated chunk | PREV_INUSE
Addr: 0x5555557580d0
Size: 0x91

Allocated chunk | PREV_INUSE
Addr: 0x555555758160
Size: 0x21

Top chunk | PREV_INUSE
Addr: 0x555555758180
Size: 0x20e81

pwndbg> bin
fastbins
0x20: 0x0
0x30: 0x0
0x40: 0x0
0x50: 0x0
0x60: 0x0
0x70: 0x0
0x80: 0x0
unsortedbin
all: 0x0
smallbins
empty
largebins
empty
pwndbg> x/54gx 0x555555758000
0x555555758000: 0x0000000000000000  0x0000000000000091
0x555555758010: 0x0000000000000000  0x0000000000000000
0x555555758020: 0x0000000000000000  0x0000000000000000
0x555555758030: 0x0000000000000000  0x0000000000000000
0x555555758040: 0x0000000000000000  0x0000000000000000
0x555555758050: 0x0000000000000000  0x0000000000000000
0x555555758060: 0x0000000000000000  0x0000000000000000
0x555555758070: 0x0000000000000000  0x0000000000000000
0x555555758080: 0x0000000000000000  0x0000000000000000
0x555555758090: 0x0000000000000000  0x0000000000000021
0x5555557580a0: 0x0000000000000000  0x0000000000000000
0x5555557580b0: 0x0000000000000000  0x0000000000000021
0x5555557580c0: 0x0000000000000000  0x0000000000000000
0x5555557580d0: 0x0000000000000000  0x0000000000000091
0x5555557580e0: 0x0000000000000000  0x0000000000000000
0x5555557580f0: 0x0000000000000000  0x0000000000000000
0x555555758100: 0x0000000000000000  0x0000000000000000
0x555555758110: 0x0000000000000000  0x0000000000000000
0x555555758120: 0x0000000000000000  0x0000000000000000
0x555555758130: 0x0000000000000000  0x0000000000000000
0x555555758140: 0x0000000000000000  0x0000000000000000
0x555555758150: 0x0000000000000000  0x0000000000000000
0x555555758160: 0x0000000000000000  0x0000000000000021
0x555555758170: 0x0000000000000000  0x0000000000000000
0x555555758180: 0x0000000000000000  0x0000000000020e81
0x555555758190: 0x0000000000000000  0x0000000000000000
0x5555557581a0: 0x0000000000000000  0x0000000000000000

free了chunk1之后，chunk2的p位已经变成0了：

pwndbg> heap
Free chunk (unsortedbin) | PREV_INUSE
Addr: 0x555555758000
Size: 0x91
fd: 0x7ffff7dd1b78
bk: 0x7ffff7dd1b78

Allocated chunk
Addr: 0x555555758090
Size: 0x20

Allocated chunk | PREV_INUSE
Addr: 0x5555557580b0
Size: 0x21

Allocated chunk | PREV_INUSE
Addr: 0x5555557580d0
Size: 0x91

Allocated chunk | PREV_INUSE
Addr: 0x555555758160
Size: 0x21

Top chunk | PREV_INUSE
Addr: 0x555555758180
Size: 0x20e81

pwndbg> bin
fastbins
0x20: 0x0
0x30: 0x0
0x40: 0x0
0x50: 0x0
0x60: 0x0
0x70: 0x0
0x80: 0x0
unsortedbin
all: 0x555555758000 —▸ 0x7ffff7dd1b78 (main_arena+88) ◂— 0x555555758000
smallbins
empty
largebins
empty
pwndbg> x/54gx 0x555555758000
0x555555758000: 0x0000000000000000  0x0000000000000091			<======Chunk1
0x555555758010: 0x00007ffff7dd1b78  0x00007ffff7dd1b78
0x555555758020: 0x0000000000000000  0x0000000000000000
0x555555758030: 0x0000000000000000  0x0000000000000000
0x555555758040: 0x0000000000000000  0x0000000000000000
0x555555758050: 0x0000000000000000  0x0000000000000000
0x555555758060: 0x0000000000000000  0x0000000000000000
0x555555758070: 0x0000000000000000  0x0000000000000000
0x555555758080: 0x0000000000000000  0x0000000000000000
0x555555758090: 0x0000000000000090  0x0000000000000020
0x5555557580a0: 0x0000000000000000  0x0000000000000000
0x5555557580b0: 0x0000000000000000  0x0000000000000021			<======Chunk2
0x5555557580c0: 0x0000000000000000  0x0000000000000000
0x5555557580d0: 0x0000000000000000  0x0000000000000091			<======Chunk3
0x5555557580e0: 0x0000000000000000  0x0000000000000000
0x5555557580f0: 0x0000000000000000  0x0000000000000000
0x555555758100: 0x0000000000000000  0x0000000000000000
0x555555758110: 0x0000000000000000  0x0000000000000000
0x555555758120: 0x0000000000000000  0x0000000000000000
0x555555758130: 0x0000000000000000  0x0000000000000000
0x555555758140: 0x0000000000000000  0x0000000000000000
0x555555758150: 0x0000000000000000  0x0000000000000000
0x555555758160: 0x0000000000000000  0x0000000000000021			<======Chunk4
0x555555758170: 0x0000000000000000  0x0000000000000000
0x555555758180: 0x0000000000000000  0x0000000000020e81			<======Top Chunk
0x555555758190: 0x0000000000000000  0x0000000000000000
0x5555557581a0: 0x0000000000000000  0x0000000000000000

之后修改了chunk3的pre_inuse，也就是size的最低为P位为0，然后修改pre_size位为0xd8，

pwndbg> heap
Free chunk (unsortedbin) | PREV_INUSE
Addr: 0x555555758000
Size: 0x91
fd: 0x7ffff7dd1b78
bk: 0x7ffff7dd1b78

Allocated chunk
Addr: 0x555555758090
Size: 0x20

Allocated chunk | PREV_INUSE
Addr: 0x5555557580b0
Size: 0x21

Allocated chunk
Addr: 0x5555557580d0
Size: 0x90

Allocated chunk | PREV_INUSE
Addr: 0x555555758160
Size: 0x21

Top chunk | PREV_INUSE
Addr: 0x555555758180
Size: 0x20e81

pwndbg> bin
fastbins
0x20: 0x0
0x30: 0x0
0x40: 0x0
0x50: 0x0
0x60: 0x0
0x70: 0x0
0x80: 0x0
unsortedbin
all: 0x555555758000 —▸ 0x7ffff7dd1b78 (main_arena+88) ◂— 0x555555758000
smallbins
empty
largebins
empty
pwndbg> x/54gx 0x555555758000
0x555555758000: 0x0000000000000000  0x0000000000000091			<======Chunk1
0x555555758010: 0x00007ffff7dd1b78  0x00007ffff7dd1b78
0x555555758020: 0x0000000000000000  0x0000000000000000
0x555555758030: 0x0000000000000000  0x0000000000000000
0x555555758040: 0x0000000000000000  0x0000000000000000
0x555555758050: 0x0000000000000000  0x0000000000000000
0x555555758060: 0x0000000000000000  0x0000000000000000
0x555555758070: 0x0000000000000000  0x0000000000000000
0x555555758080: 0x0000000000000000  0x0000000000000000
0x555555758090: 0x0000000000000090  0x0000000000000020
0x5555557580a0: 0x0000000000000000  0x0000000000000000
0x5555557580b0: 0x0000000000000000  0x0000000000000021			<======Chunk2
0x5555557580c0: 0x0000000000000000  0x0000000000000000
0x5555557580d0: 0x00000000000000d0  0x0000000000000090			<======Chunk3
0x5555557580e0: 0x0000000000000000  0x0000000000000000
0x5555557580f0: 0x0000000000000000  0x0000000000000000
0x555555758100: 0x0000000000000000  0x0000000000000000
0x555555758110: 0x0000000000000000  0x0000000000000000
0x555555758120: 0x0000000000000000  0x0000000000000000
0x555555758130: 0x0000000000000000  0x0000000000000000
0x555555758140: 0x0000000000000000  0x0000000000000000
0x555555758150: 0x0000000000000000  0x0000000000000000
0x555555758160: 0x0000000000000000  0x0000000000000021			<======Chunk4
0x555555758170: 0x0000000000000000  0x0000000000000000
0x555555758180: 0x0000000000000000  0x0000000000020e81			<======Top Chunk
0x555555758190: 0x0000000000000000  0x0000000000000000
0x5555557581a0: 0x0000000000000000  0x0000000000000000

可以看出来，chunk3的pre_size域的大小刚好能够包含到完chunk1和chunk2。之后free掉了chunk3：

pwndbg> heap
Free chunk (unsortedbin) | PREV_INUSE
Addr: 0x555555758000
Size: 0x161
fd: 0x7ffff7dd1b78
bk: 0x7ffff7dd1b78

Allocated chunk
Addr: 0x555555758160
Size: 0x20

Top chunk | PREV_INUSE
Addr: 0x555555758180
Size: 0x20e81

pwndbg> bin
fastbins
0x20: 0x0
0x30: 0x0
0x40: 0x0
0x50: 0x0
0x60: 0x0
0x70: 0x0
0x80: 0x0
unsortedbin
all: 0x555555758000 —▸ 0x7ffff7dd1b78 (main_arena+88) ◂— 0x555555758000
smallbins
empty
largebins
empty

会发现，前面的三个chunk都被合并成了一个，这里主要是因为unlink的原因，导致了chunk3和前面的两个（主要是pre_size指定的大小范围内的）chunk发生了合并。之后再进行malloc，会分配走新的那个chunk1：

pwndbg> heap
Allocated chunk | PREV_INUSE
Addr: 0x555555758000
Size: 0x161

Allocated chunk | PREV_INUSE
Addr: 0x555555758160
Size: 0x21

Top chunk | PREV_INUSE
Addr: 0x555555758180
Size: 0x20e81

pwndbg> bin
fastbins
0x20: 0x0
0x30: 0x0
0x40: 0x0
0x50: 0x0
0x60: 0x0
0x70: 0x0
0x80: 0x0
unsortedbin
all: 0x0
smallbins
empty
largebins
empty

查看全文

http://www.kler.cn/a/390775.html