Poison null byte
This technique applies when an off-by-one lets you store a null byte in the low byte of a free chunk's "size" field, and the shrunken value is still a valid chunk size.
For example, allocate three blocks of size 0x80, 0x200 and 0x80.
Store 0x200 at 0x602290 (inside the second block) and free the second block.
Overwrite the low byte of that chunk's "size" with a null byte.
The chunk's size is now 0x200 instead of 0x210.
Request a fourth and a fifth allocation (size 0x80) from malloc().
The allocator checks the size of the free chunk to make sure it can satisfy the request; since the "size" field now reads 0x200, it is large enough, and both allocations are carved out of that chunk.
Now free the fourth block, then the third. The third chunk's header still says that its predecessor is 0x210 bytes long and not in use (both were recorded when the second block was freed), so the allocator merges backward to 0x6022a0 - 0x210 = 0x602090 and, because the chunk after the third one is the top chunk, merges the result into the top chunk as well.
The top chunk therefore starts at 0x602090, in front of the fifth block.
A subsequent malloc() of size 0x280 is carved from the top chunk and returns memory that overlaps the fifth block.
- When the allocator unlinks a chunk from a bin, it checks that the value stored in the chunk's "size" equals the "prev_size" stored in the next chunk (the chunk located at the chunk's address plus that size).
- In the example above, the fake prev_size value 0x200 stored at 0x602290 (0x602090 + 0x200) is what passes this check once the size has been shrunk.
- If the two values differ, the allocator aborts with the "corrupted size vs. prev_size" error.
This code requests three allocations (0x80, 0x200, 0x80) from malloc().
- Store the fake prev_size value in *(buf2 + 0x1f0).
- Free buf2, then overwrite the low byte of the "size" stored in that chunk with a null byte (0x211 → 0x200).
- Request two more allocations from malloc().
- Each is 0x80 bytes, a size that can be carved out of the shrunken free chunk.
- Fill the memory pointed to by buf5 with the character 'A'.
- Free buf4, then free buf3.
- Request an allocation of size 0x280 from malloc().
- Fill the memory pointed to by buf6 with the character 'B'.
- Then print the data in the memory pointed to by buf5.
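The sequence above (and the walkthrough at the top of the page), replayed against a model of glibc's chunk headers. This is an added example, not the page's own program and not glibc code. It lays the chunks out in an array addressed at the page's 0x602000 base and models only the header arithmetic the technique depends on: the size field with its PREV_INUSE bit, the foot write done on a split, the update free() makes to the following header, and the unlink() check that a chunk's "size" matches the next chunk's "prev_size". It runs the sequence once without the fake prev_size and once with it. The heap base, the top chunk's size and all helper names are assumptions of the model; a real run also depends on the glibc version (tcache and newer consolidation checks change the outcome), which the model deliberately leaves out.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example: a model of glibc's chunk-header arithmetic for the layout on
 * this page, not the page's program and not glibc code. The "heap" is an array
 * addressed at the page's 0x602000 base; only the pieces the technique relies
 * on are modelled: the size field with its PREV_INUSE bit, the foot write on a
 * split, free()'s update of the next header, and the unlink() check that a
 * chunk's size matches the next chunk's prev_size. */

#define HEAP_BASE  0x602000UL
#define HEAP_WORDS 128          /* 0x400 bytes: the three chunks plus the top header */
#define PREV_INUSE 0x1UL

static uint64_t heap[HEAP_WORDS];

static uint64_t *prev_size_field(uint64_t c) { return &heap[(c - HEAP_BASE) / 8]; }
static uint64_t *size_field(uint64_t c)      { return &heap[(c - HEAP_BASE) / 8 + 1]; }
static uint64_t  chunksize(uint64_t c)       { return *size_field(c) & ~0x7UL; }
static uint64_t  next_chunk(uint64_t c)      { return c + chunksize(c); }
static int       prev_inuse(uint64_t c)      { return (int)(*size_field(c) & PREV_INUSE); }

/* The check the page describes: unlink() aborts with "corrupted size vs.
 * prev_size" unless the chunk's size equals the prev_size of the next chunk. */
static int unlink_check_passes(uint64_t c)
{
    return chunksize(c) == *prev_size_field(next_chunk(c));
}

/* Layout after malloc(0x80), malloc(0x200), malloc(0x80) and free(buf2).
 * buf3's header records prev_size 0x210 with PREV_INUSE cleared. */
static void build_layout(void)
{
    memset(heap, 0, sizeof heap);
    *size_field(0x602000)      = 0x91;   /* buf1 chunk, in use */
    *size_field(0x602090)      = 0x211;  /* buf2 chunk, freed into the unsorted bin */
    *prev_size_field(0x6022a0) = 0x210;  /* buf3 chunk: foot written by free(buf2) */
    *size_field(0x6022a0)      = 0x90;   /* buf3 chunk, PREV_INUSE clear */
    *size_field(0x602330)      = 0xcd1;  /* top chunk; this size is an assumption */
}

/* Split a free chunk: the front becomes the returned chunk, the remainder gets
 * a header, and its size is written as the foot (prev_size) of the chunk that
 * follows it. Returns the user pointer. */
static uint64_t split_chunk(uint64_t c, uint64_t nb)
{
    uint64_t rem = c + nb, rem_size = chunksize(c) - nb;
    *size_field(c)   = nb | PREV_INUSE;
    *size_field(rem) = rem_size | PREV_INUSE;
    *prev_size_field(rem + rem_size) = rem_size;
    return c + 0x10;
}

/* What free() records in the following chunk when a chunk is released. */
static void mark_free(uint64_t c)
{
    uint64_t n = next_chunk(c);
    *prev_size_field(n) = chunksize(c);
    *size_field(n) &= ~PREV_INUSE;
}

struct result { uint64_t buf4, buf5, top_after_free, buf6; int overlaps_buf5; };

/* Replays the page's sequence; with_fake selects whether 0x200 is stored at
 * buf2 + 0x1f0 (0x602290) before the null byte lands on buf2's size. */
static struct result run_scenario(int with_fake)
{
    struct result r = {0};
    build_layout();
    if (with_fake)
        *prev_size_field(0x602290) = 0x200;          /* *(buf2 + 0x1f0) = 0x200 */
    ((uint8_t *)heap)[0x602098 - HEAP_BASE] = 0x00;  /* off-by-one: 0x211 -> 0x200 */

    /* The two malloc(0x80) calls must first unlink the shrunken 0x200 chunk. */
    if (!unlink_check_passes(0x602090))
        return r;
    r.buf4 = split_chunk(0x602090, 0x90);
    r.buf5 = split_chunk(0x602120, 0x90);

    /* free(buf4), then free(buf3): buf3's header still says its predecessor is
     * 0x210 bytes back and free, so the backward merge lands on buf4's chunk,
     * and the forward merge reaches the top chunk at 0x602330. */
    mark_free(0x602090);
    uint64_t c3 = 0x6022a0;
    uint64_t merged = prev_inuse(c3) ? c3 : c3 - *prev_size_field(c3);
    if (!unlink_check_passes(merged))                 /* unlink of buf4's chunk */
        return r;
    r.top_after_free = merged;

    /* malloc(0x280) is carved from the new top: a 0x290-byte chunk at 0x602090. */
    r.buf6 = merged + 0x10;
    r.overlaps_buf5 = r.buf5 >= r.buf6 && r.buf5 < merged + 0x290;
    return r;
}

int main(void)
{
    struct result bad = run_scenario(0), good = run_scenario(1);
    printf("without fake prev_size: %s\n",
           bad.buf4 ? "allocated" : "unlink check fails (corrupted size vs. prev_size)");
    printf("with fake prev_size: buf4=%#lx buf5=%#lx top=%#lx buf6=%#lx overlap=%d\n",
           (unsigned long)good.buf4, (unsigned long)good.buf5,
           (unsigned long)good.top_after_free, (unsigned long)good.buf6, good.overlaps_buf5);
    return 0;
}
```

Without the fake value the first malloc(0x80) fails the unlink check, because the prev_size read at 0x602290 is whatever buf2's data happened to hold. With it, the model reports buf4 = 0x6020a0, buf5 = 0x602130, the top chunk at 0x602090 after the two frees, and buf6 = 0x6020a0 overlapping buf5, matching the addresses in the debugger walkthrough below. The reason the walkthrough works at all is visible in split_chunk: the foot of each remainder is written at 0x602290, not at buf3's header, so buf3's prev_size 0x210 and cleared PREV_INUSE survive until free(buf3) uses them.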
- Check the addresses returned for the three allocations at 0x400658, 0x400666 and 0x400674.
- Check for fake prev_size at 0x400682.
- Check the chunk being freed at 0x400695, and the change to the value stored in that chunk's "size" at 0x40069f.
- Check the address of the additional memory allocated at 0x4006ac, 0x4006ba.
- Check the data populated in the last allocated area at 0x4006d4.
- Check the changes after freeing memory at 0x4006e0 and 0x4006e7.
- Check the address of the last allocated memory at 0x4006f6.
- The pointer returned in buf1 is 0x602010, the pointer returned in buf2 is 0x6020a0, and the pointer returned in buf3 is 0x6022b0.
- Store the fake prev_size (0x200) at 0x602290.
- 0x602290 is 0x200 bytes past the mchunkptr of buf2's chunk (0x602090), which is where the next chunk's "prev_size" will be read once the size has been shrunk to 0x200.
- When the memory pointed to by buf2 is freed, the chunk is placed in the unsorted bin.
- Overwrite the low byte of the value stored in that chunk's "size" with 0x00 (null).
- The chunk is now 0x200 bytes in size.
The address assigned to buf4 is 0x6020a0 and the address assigned to buf5 is 0x602130.
Both are carved out of the freed buf2 chunk.
- The area at 0x602130 (buf5) has been filled with the letter 'A'.
- After the memory allocated for buf4 is freed, the top chunk is still at 0x602330.
- When the memory allocated to buf3 is then freed, the top chunk moves to 0x602090.
- This is the header of buf4's chunk, where its "size" was stored.
- A malloc() request of size 0x280 returns 0x6020a0.
- That chunk is 0x290 bytes, so its memory area overlaps the memory pointed to by buf5.
The character 'B' written to the memory pointed to by buf6 therefore also appears in the memory pointed to by buf5.