Heap--1 (unfinished) - ZhouYetao

Heap--1 (unfinished)

Heap--1 (fastbin)

heap overview

First compile a simple program and use gdb to watch how the heap behaves.
heap.c

#include <stdio.h>
#include <stdlib.h>

int main(void)
{
    void *p, *q, *r, *s;
    /* four 128-byte requests: each becomes one 0x90-byte chunk (128 + 8-byte size word, rounded to 16) */
    p = malloc(128);
    q = malloc(128);
    r = malloc(128);
    s = malloc(128);
    /* free the first and third chunk, leaving q and s in use between them */
    free(p);
    free(r);
    return 0;
}

makefile

heap:heap.c
        gcc -o heap heap.c -g

Then just type "make" in the terminal to build it (the -g flag in the makefile keeps debug symbols, so during the gdb session you can see which source line the program is on; this is a small but useful trick).
Now start gdb and begin debugging:

ZhouYetao@ubuntu:~/Desktop/Jason/test/heap/qiming/heap1/heap$ gdb -q
pwndbg: loaded 164 commands. Type pwndbg [filter] for a list.
pwndbg: created $rebase, $ida gdb functions (can be used with print/break)
pwndbg> file heap
Reading symbols from heap...done.
pwndbg> b main
Breakpoint 1 at 0x40056e: file heap.c, line 6.
pwndbg> r
...
pwndbg> p main_arena 
$2 = {
  mutex = 0x0, 
  flags = 0x0, 
  fastbinsY = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 
  top = 0x0, 
  last_remainder = 0x0, 
  bins = {0x0 <repeats 254 times>}, 
  binmap = {0x0, 0x0, 0x0, 0x0}, 
  next = 0x7ffff7dd1b20 <main_arena>, 
  next_free = 0x0, 
  attached_threads = 0x1, 
  system_mem = 0x0, 
  max_system_mem = 0x0
}

This command prints main_arena, glibc's bookkeeping structure for the main heap, which tells us how the heap is being used; at this point every field is still zero because no malloc has run yet and the heap has not been initialised. Type "n" (next) to execute one source line at a time, without stepping into the library calls, until all four mallocs have run.

pwndbg> p/x p
$4 = 0x602010

This shows that p is 0x602010. Note that this is the user pointer returned by malloc; the chunk itself starts 0x10 bytes earlier, at 0x602000, where glibc keeps the header. What a chunk looks like in detail is covered below.
After all four mallocs have run:

pwndbg> info locals 
p = 0x602010
q = 0x6020a0
r = 0x602130
s = 0x6021c0

The heap command shows the heap layout:

pwndbg> heap
Top Chunk: 0x602240
Last Remainder: 0

0x602000 PREV_INUSE {
  prev_size = 0x0, 
  size = 0x91, 
  fd = 0x0, 
  bk = 0x0, 
  fd_nextsize = 0x0, 
  bk_nextsize = 0x0
}
0x602090 PREV_INUSE {
  prev_size = 0x0, 
  size = 0x91, 
  fd = 0x0, 
  bk = 0x0, 
  fd_nextsize = 0x0, 
  bk_nextsize = 0x0
}
0x602120 PREV_INUSE {
  prev_size = 0x0, 
  size = 0x91, 
  fd = 0x0, 
  bk = 0x0, 
  fd_nextsize = 0x0, 
  bk_nextsize = 0x0
}
0x6021b0 PREV_INUSE {
  prev_size = 0x0, 
  size = 0x91, 
  fd = 0x0, 
  bk = 0x0, 
  fd_nextsize = 0x0, 
  bk_nextsize = 0x0
}
0x602240 PREV_INUSE {
  prev_size = 0x0, 
  size = 0x20dc1, 
  fd = 0x0, 
  bk = 0x0, 
  fd_nextsize = 0x0, 
  bk_nextsize = 0x0
}
So the heap layout, from low to high addresses, is p --> q --> r --> s --> top chunk. Every malloc(128) produced a 0x90-byte chunk (128 bytes of user data plus the 8-byte size word, rounded up to a multiple of 16), the user pointer sits 0x10 past the chunk start (p = 0x602010 for the chunk at 0x602000), and each size word reads 0x91 rather than 0x90 because its lowest bit is the PREV_INUSE flag. The top chunk at 0x602240 holds the rest of the arena (0x20dc0 bytes). One caveat before moving on to fastbins: on 64-bit glibc the default fastbin ceiling is a chunk size of 0x80, so these 0x90 chunks will not land in a fastbin when free(p) and free(r) run; on a glibc without tcache, which is what this session appears to be running, they go to the unsorted bin instead. To watch fastbins fill up, request at most 0x78 bytes per allocation.
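The following is an added example, not code from the original post. It redoes by hand the arithmetic that pwndbg's heap command is displaying above: how glibc rounds a request to a chunk size, how a user pointer maps back to its chunk header, how the flag bits in the size word are separated from the size, and whether a given chunk size is small enough for a fastbin. The constants are the 64-bit glibc values (8-byte size word, 16-byte alignment, default fastbin ceiling 0x80) and are assumptions about the allocator, so the header walk in main() is only meaningful when the program is linked against glibc; the names request2size, mem2chunk and chunk_hdr are chosen to match glibc's own terminology but are defined here.

```c
#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>

/* 64-bit glibc malloc constants (assumed; see lead-in). */
#define SIZE_SZ          8UL
#define MALLOC_ALIGN     (2 * SIZE_SZ)         /* 16-byte alignment of chunks */
#define MIN_CHUNK_SIZE   (4 * SIZE_SZ)         /* 0x20: smallest chunk glibc hands out */
#define PREV_INUSE       0x1UL                 /* previous chunk is in use */
#define IS_MMAPPED       0x2UL                 /* chunk was obtained via mmap */
#define NON_MAIN_ARENA   0x4UL                 /* chunk belongs to a non-main arena */
#define SIZE_BITS        (PREV_INUSE | IS_MMAPPED | NON_MAIN_ARENA)
#define DEFAULT_MAX_FAST (64 * SIZE_SZ / 4)    /* 0x80: largest fastbin chunk size by default */

/* The header glibc stores immediately before the user data. */
struct chunk_hdr {
    size_t prev_size;   /* size of the previous chunk, valid only if that chunk is free */
    size_t size;        /* chunk size with the three flag bits in the low bits */
};

/* Same rounding as glibc's request2size(): add the size word, round up to 16,
 * never go below MIN_CHUNK_SIZE. malloc(128) -> 0x90. */
size_t request2size(size_t req)
{
    size_t sz = (req + SIZE_SZ + MALLOC_ALIGN - 1) & ~(MALLOC_ALIGN - 1);
    return sz < MIN_CHUNK_SIZE ? MIN_CHUNK_SIZE : sz;
}

/* User pointer -> chunk header: the header sits 2 * SIZE_SZ before the data. */
struct chunk_hdr *mem2chunk(void *mem)
{
    return (struct chunk_hdr *)((char *)mem - 2 * SIZE_SZ);
}

/* Strip the flag bits: 0x91 -> 0x90, 0x20dc1 -> 0x20dc0. */
size_t chunk_size(size_t size_word)
{
    return size_word & ~SIZE_BITS;
}

int chunk_prev_inuse(size_t size_word)
{
    return (int)(size_word & PREV_INUSE);
}

/* A free chunk of this size would go to a fastbin (on a glibc without tcache). */
int is_fastbin_size(size_t chunk_sz)
{
    return chunk_sz <= DEFAULT_MAX_FAST;
}

int main(void)
{
    /* Same four allocations as heap.c in the post. */
    void *p = malloc(128), *q = malloc(128), *r = malloc(128), *s = malloc(128);
    void *ptrs[4] = { p, q, r, s };
    const char *names[4] = { "p", "q", "r", "s" };

    for (int i = 0; i < 4; i++) {
        struct chunk_hdr *c = mem2chunk(ptrs[i]);
        printf("%s: mem=%p chunk=%p size_word=0x%zx size=0x%zx prev_inuse=%d\n",
               names[i], ptrs[i], (void *)c, c->size,
               chunk_size(c->size), chunk_prev_inuse(c->size));
    }

    /* The top chunk starts right after s's chunk; its size word is what is left of the arena. */
    struct chunk_hdr *s_chunk = mem2chunk(s);
    struct chunk_hdr *top = (struct chunk_hdr *)((char *)s_chunk + chunk_size(s_chunk->size));
    printf("top: chunk=%p size=0x%zx\n", (void *)top, chunk_size(top->size));

    size_t sz = request2size(128);
    printf("malloc(128) -> chunk size 0x%zx, fastbin-eligible: %s\n",
           sz, is_fastbin_size(sz) ? "yes" : "no");

    free(p);
    free(r);
    return 0;
}
```

Under glibc the chunk addresses printed for p, q, r and s are 0x90 apart and the top chunk lands right after s, matching the pwndbg output above; the last line shows why a 128-byte request is the wrong size for a fastbin demonstration.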

Common heap vulnerabilities

use after free

double free

heap overflow

@author:ZhouYetao
© 2020 Copyright.