Excuse the ads! We need some help to keep our site up.
Unsorted bin attack
To understand the unsorted bin attack, you need to understand how malloc () removes the chunk from the list of unsorted bins when it reassigns the chunks registered in the unsorted bin.
Request to malloc() for memory allocation, the allocator checks if there are chunks available in fast, small, and large bins.
If the allocator does not find an available chunk in the bins, it checks to see if the value of unsorted_chunks (av)-> bk is different from the return value of unsorted_chunks (av).
If these values are different, it indicates that there is a free chunk in the Unsorted bin.
If there is a free chunk in the Unsorted bin, it stores the value of unsorted_chunks-> bk in the "victim".
And the data of victim-> bk is stored in "bck".
- unsorted_chunks(av) calls bin_at() and returns the value returned.
- bin_at () returns the address of main_arena.bin  minus 16.
- The allocator reallocates chunks placed in the unsorted list and then stores the data "bck" has in main_arena.bin->bk when the chunk is deleted from the unsorted list.
- The allocator stores the value returned by unsorted_chunks() in bck→fd.
For example, the value returned by unsorted_chunks (av) is 0x7ffff7dd1b78, and the value of unsorted_chunks (av)-> bk is 0x602000.
- Because the two values are different, the allocator stores the address (0x00007ffff7dd1b78) stored at "0x602000-> bk" in bck.
- The allocator then reallocates chunks from the unsorted list.
- To remove the chunk from the unsorted list, the allocator stores the address held in "bck" (0x00007ffff7dd1b78) in unsorted_chunks (av)-> bk.
- The value returned by unsorted_chunks (av) (0x7ffff7dd1b78) is stored in bck → fd.
Unsorted bin attack is a technique to save the main_arena's address("&main_arena.bin-16") in the desired area by overwriting the value in bk of the free chunk before the allocator deletes the chunk from the unsorted list.
If an attacker overwrites the stack address (0x7fffffffe248) to the "bk" of the chunk registered in the Unsorted list, the allocator stores the address returned by unsorted_chunks() in bck→fd(0x7fffffffe258) because the address stored in "bck" is 0x7fffffffe248.
- The following code stores 0 in "state", allocates two memories of 130 bytes in size, and frees the first allocated memory.
- After storing "((char *) & state)-16" in buf1 , request memory allocation of 130 bytes.
- And if "state" has a value, it prints a message.
- Check the address of the allocated memory at 0x4006ec, 0x4006fa.
- Check the data of the chunk fd, bk registered in the list of Unsorted bin at 0x40070a.
- Check the value overwritten to the bk of the free chunk At 0x40071a.
- At 0x400727, check that the address of the main_arena range is stored on the stack.
- The program was allocated two memory of the same size.
- Each memory address is 0x602010 and 0x6020a0.
When free() is requested to free the first allocated memory (0x602010), the chunk is placed in the unsorted list.
"(char *) & main_arena.bins -16" is stored in fd, bk of the chunk.
- Store the address of the stack area in bk of the free chunk for an unsorted bin attack.
Memory allocation is requested from malloc () to allocate chunks placed in the unsorted list.
"&Main_arena -16" was saved in the variable "state" (0x7fffffffe450) after memory allocation.
- Since the value of the variable "state" is not 0, a message is printed on the screen.
This code has the same basic behavior as "Unsorted_bin.c".
The other part is that we store the address of the Fake chunk in bck→fd.
Store the size of the fake chunk in stack_var and the address(fd) of the variable stack_var in stack_var.
Store the address of stack_var minus 8 in buf1 .
- buf1  is bck→fd.
- The program asks malloc () for a memory allocation that is the same size as the chunks placed in the list in the Unsorted bin.
- Then request malloc() to allocate memory again.
At 0x40071a, check the chunks registered in the Unsorted list and the fake chunks created in the stack.
Check the value that overwrites the bk of the free chunk at 0x40073a.
- At 0x400747, 0x400755, check the change in the Unsorted bin after the memory allocation and the pointer returned.
Check the change in the Unsorted bin and the returned pointer at 0x400747 and 0x400755.
At 0x40076a, check that the memory allocated from malloc () is available.
- The program asks malloc () two memory allocations and frees the first memory.
- Freed memory (0x602000) is placed in the Unsorted list.
- In order to be allocated a stack through an unsorted bin attack, a fake chunk like Free chunk must be on the stack.
- To create a fake chunk, store 0x90 in stack_var(0x7fffffffe430) and store the address of stack_var in stack_var(0x7fffffffe440).
- 0x7fffffffe430 is the size of the Fake chunk, and 0x7fffffffe440 is the bk of the Fake chunk.
- Store the fake chunk's address(0x7fffffffe428) in main_arena.bins -> bk (0x602018).
- This causes the data stored in main_arena.bins->bk to be the address of the fake chunk(0x7fffffffe428).
- When you ask malloc() for memory allocation of 130 bytes in size, the allocator reallocates chunks placed on the unsorted list.
- The allocator removes the chunk from the Unsorted list after reallocating memory and updates the list of Unsorted bins.
- This causes the fake chunk address to be stored in main_arena.bins .
- And once they request the same size memory allocation, it will return the memory of the stack memory(0x7fffffffe438).
- The address is from "Fake chunk→fd".
- You can store the value in the allocated stack memory.