当前位置：首页 > news >正文

没有域名的网站需要备案吗网络商城建设费用

news 2025/12/3 9:18:09

没有域名的网站需要备案吗,网络商城建设费用,3d 网站设计,怎么用阿里云服务器做淘客网站pwn学习笔记#xff08;12#xff09;–Chunk Extend and Overlapping chunk extend 是堆漏洞的一种常见利用手法#xff0c;通过 extend 可以实现 chunk overlapping#xff08;块重叠#xff09; 的效果。这种利用方法需要以下的时机和条件#xff1a; 程序中存在…pwn学习笔记12–Chunk Extend and Overlapping chunk extend 是堆漏洞的一种常见利用手法通过 extend 可以实现 chunk overlapping块重叠的效果。这种利用方法需要以下的时机和条件程序中存在基于堆的漏洞漏洞可以控制 chunk header 中的数据 1、对inuse的fastbin进行extend int main(void) {void *ptr,*ptr1;ptrmalloc(0x10);//分配第一个0x10的chunkmalloc(0x10);//分配第二个0x10的chunk*(long long *)((long long)ptr-0x8)0x41;// 修改第一个块的size域free(ptr);ptr1malloc(0x30);// 实现 extend控制了第二个块的内容return 0; } 首先进行两次malloc之后看看heap的状态 In file: /mnt/hgfs/sharedict/ChunkExtend/extend.c3 void *ptr,*ptr1;4 5 ptrmalloc(0x10);//分配第一个0x10的chunk6 malloc(0x10);//分配第二个0x10的chunk7 ► 8 *(long long *)((long long)ptr-0x8)0x41;// 修改第一个块的size域9 10 free(ptr);11 ptr1malloc(0x30);// 实现 extend控制了第二个块的内容12 return 0;13 } ─────────────────────────────────────────────────────────[ STACK ]───────────────────────────────────────────────────────── 00:0000│ rsp 0x7fffffffde30 —▸ 0x555555758010 ◂— 0x0 01:0008│ 0x7fffffffde38 ◂— 0x0 02:0010│ rbp 0x7fffffffde40 —▸ 0x5555555546e0 (__libc_csu_init) ◂— push r15 03:0018│ 0x7fffffffde48 —▸ 0x7ffff7a2d840 (__libc_start_main240) ◂— mov edi, eax 04:0020│ 0x7fffffffde50 ◂— 0x1 05:0028│ 0x7fffffffde58 —▸ 0x7fffffffdf28 —▸ 0x7fffffffe2ac ◂— /mnt/hgfs/sharedict/ChunkExtend/test 06:0030│ 0x7fffffffde60 ◂— 0x1f7ffcca0 07:0038│ 0x7fffffffde68 —▸ 0x55555555468a (main) ◂— push rbp ───────────────────────────────────────────────────────[ BACKTRACE ]───────────────────────────────────────────────────────► f 0 0x5555555546aa main32f 1 0x7ffff7a2d840 __libc_start_main240 ─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── pwndbg heap Allocated chunk | PREV_INUSE Addr: 0x555555758000 Size: 0x21Allocated chunk | PREV_INUSE Addr: 0x555555758020 Size: 0x21Top chunk | PREV_INUSE Addr: 0x555555758040 Size: 0x20fc1pwndbg bins fastbins 0x20: 0x0 0x30: 0x0 0x40: 0x0 0x50: 0x0 0x60: 0x0 0x70: 0x0 0x80: 0x0 unsortedbin all: 0x0 smallbins empty largebins empty 有地址的话就去读一下两个堆的内容 pwndbg x/30gx 0x555555758000 0x555555758000: 0x0000000000000000 0x0000000000000021 Chunk1 0x555555758010: 0x0000000000000000 0x0000000000000000 0x555555758020: 0x0000000000000000 0x0000000000000021 Chunk2 0x555555758030: 0x0000000000000000 0x0000000000000000 0x555555758040: 0x0000000000000000 0x0000000000020fc1 Top Chunk 0x555555758050: 0x0000000000000000 0x0000000000000000 0x555555758060: 0x0000000000000000 0x0000000000000000 0x555555758070: 0x0000000000000000 0x0000000000000000 0x555555758080: 0x0000000000000000 0x0000000000000000 0x555555758090: 0x0000000000000000 0x0000000000000000 0x5555557580a0: 0x0000000000000000 0x0000000000000000 0x5555557580b0: 0x0000000000000000 0x0000000000000000 0x5555557580c0: 0x0000000000000000 0x0000000000000000 0x5555557580d0: 0x0000000000000000 0x0000000000000000 0x5555557580e0: 0x0000000000000000 0x0000000000000000 下一步开始释放看一看修改chunk1的size域大小 pwndbg heap Allocated chunk | PREV_INUSE Addr: 0x555555758000 Size: 0x41Top chunk | PREV_INUSE Addr: 0x555555758040 Size: 0x20fc1pwndbg bins fastbins 0x20: 0x0 0x30: 0x0 0x40: 0x0 0x50: 0x0 0x60: 0x0 0x70: 0x0 0x80: 0x0 unsortedbin all: 0x0 smallbins empty largebins empty 发现chunk2被修改后增大了的chunk1给那占了heap里就只有一个Chunk了看看内存 pwndbg x/30gx 0x555555758000 0x555555758000: 0x0000000000000000 0x0000000000000041 原Chunk1 0x555555758010: 0x0000000000000000 0x0000000000000000 0x555555758020: 0x0000000000000000 0x0000000000000021 原Chunk2 0x555555758030: 0x0000000000000000 0x0000000000000000 0x555555758040: 0x0000000000000000 0x0000000000020fc1 Top Chunk 0x555555758050: 0x0000000000000000 0x0000000000000000 0x555555758060: 0x0000000000000000 0x0000000000000000 0x555555758070: 0x0000000000000000 0x0000000000000000 0x555555758080: 0x0000000000000000 0x0000000000000000 0x555555758090: 0x0000000000000000 0x0000000000000000 0x5555557580a0: 0x0000000000000000 0x0000000000000000 0x5555557580b0: 0x0000000000000000 0x0000000000000000 0x5555557580c0: 0x0000000000000000 0x0000000000000000 0x5555557580d0: 0x0000000000000000 0x0000000000000000 0x5555557580e0: 0x0000000000000000 0x0000000000000000 除去chunk1的size域变化了以外似乎没有其他变化但是逻辑上来说现在的堆里只有一个chunk了之后free掉chunk1看看 pwndbg heap Free chunk (fastbins) | PREV_INUSE Addr: 0x555555758000 Size: 0x41 fd: 0x00Top chunk | PREV_INUSE Addr: 0x555555758040 Size: 0x20fc1pwndbg bins fastbins 0x20: 0x0 0x30: 0x0 0x40: 0x555555758000 ◂— 0x0 0x50: 0x0 0x60: 0x0 0x70: 0x0 0x80: 0x0 unsortedbin all: 0x0 smallbins empty largebins empty 之后读取下内存 pwndbg x/30gx 0x555555758000 0x555555758000: 0x0000000000000000 0x0000000000000041 0x555555758010: 0x0000000000000000 0x0000000000000000 0x555555758020: 0x0000000000000000 0x0000000000000021 0x555555758030: 0x0000000000000000 0x0000000000000000 0x555555758040: 0x0000000000000000 0x0000000000020fc1 0x555555758050: 0x0000000000000000 0x0000000000000000 0x555555758060: 0x0000000000000000 0x0000000000000000 0x555555758070: 0x0000000000000000 0x0000000000000000 0x555555758080: 0x0000000000000000 0x0000000000000000 0x555555758090: 0x0000000000000000 0x0000000000000000 0x5555557580a0: 0x0000000000000000 0x0000000000000000 0x5555557580b0: 0x0000000000000000 0x0000000000000000 0x5555557580c0: 0x0000000000000000 0x0000000000000000 0x5555557580d0: 0x0000000000000000 0x0000000000000000 0x5555557580e0: 0x0000000000000000 0x0000000000000000 下一步是重头戏试想如果原chunk1的size域没有真正变化那么我们进行malloc一个0x30大小的堆块的时候就不会分配到这个地址上而是从Top Chunk里拆分那么事实上是怎么样的呢实践出真知看一下吧 pwndbg heap Allocated chunk | PREV_INUSE Addr: 0x555555758000 Size: 0x41Top chunk | PREV_INUSE Addr: 0x555555758040 Size: 0x20fc1pwndbg bins fastbins 0x20: 0x0 0x30: 0x0 0x40: 0x0 0x50: 0x0 0x60: 0x0 0x70: 0x0 0x80: 0x0 unsortedbin all: 0x0 smallbins empty largebins empty pwndbg x/30gx 0x555555758000 0x555555758000: 0x0000000000000000 0x0000000000000041 0x555555758010: 0x0000000000000000 0x0000000000000000 0x555555758020: 0x0000000000000000 0x0000000000000021 0x555555758030: 0x0000000000000000 0x0000000000000000 0x555555758040: 0x0000000000000000 0x0000000000020fc1 Top Chunk 0x555555758050: 0x0000000000000000 0x0000000000000000 0x555555758060: 0x0000000000000000 0x0000000000000000 0x555555758070: 0x0000000000000000 0x0000000000000000 0x555555758080: 0x0000000000000000 0x0000000000000000 0x555555758090: 0x0000000000000000 0x0000000000000000 0x5555557580a0: 0x0000000000000000 0x0000000000000000 0x5555557580b0: 0x0000000000000000 0x0000000000000000 0x5555557580c0: 0x0000000000000000 0x0000000000000000 0x5555557580d0: 0x0000000000000000 0x0000000000000000 0x5555557580e0: 0x0000000000000000 0x0000000000000000 显然Top Chunk并未被拆分这里确定了似乎malloc(0x30)得到的堆块是原Chunk1的地址这里说明了这里的原chunk1因为size域被修改了之后成为了一个新的更大的堆块这里也就造成了所谓的堆重叠了chunk1因为修改了size域后生成的那个新的chunk和chunk2部分重叠了这也就导致了有的对原chunk1的修改可以修改到chunk2的地方如果chunk2保留了指针那就可以对chunk2进行伪造可以结合类似off by one和UAF形成很多种利用方式。 2、对inuse的smallbin进行extend //gcc -g 2.c //注意把之前那个a.out给删掉 int main() {void *ptr,*ptr1;ptrmalloc(0x80);//分配第一个 0x80 的chunk1malloc(0x10); //分配第二个 0x10 的chunk2malloc(0x10); //防止与top chunk合并*(long *)((long)ptr-0x8)0xb1;free(ptr);ptr1malloc(0xa0); } 首先进行三次分配其中第三次分配是防止extend后chunk与topchunk进行合并无需关注。先看看经过三次malloc之后的堆空间是啥样的 pwndbg heap Allocated chunk | PREV_INUSE Addr: 0x555555758000 Size: 0x91Allocated chunk | PREV_INUSE Addr: 0x555555758090 Size: 0x21Allocated chunk | PREV_INUSE Addr: 0x5555557580b0 Size: 0x21Top chunk | PREV_INUSE Addr: 0x5555557580d0 Size: 0x20f31pwndbg bin fastbins 0x20: 0x0 0x30: 0x0 0x40: 0x0 0x50: 0x0 0x60: 0x0 0x70: 0x0 0x80: 0x0 unsortedbin all: 0x0 smallbins empty largebins empty pwndbg x/40gx 0x555555758000 0x555555758000: 0x0000000000000000 0x0000000000000091 Chunk1 0x555555758010: 0x0000000000000000 0x0000000000000000 0x555555758020: 0x0000000000000000 0x0000000000000000 0x555555758030: 0x0000000000000000 0x0000000000000000 0x555555758040: 0x0000000000000000 0x0000000000000000 0x555555758050: 0x0000000000000000 0x0000000000000000 0x555555758060: 0x0000000000000000 0x0000000000000000 0x555555758070: 0x0000000000000000 0x0000000000000000 0x555555758080: 0x0000000000000000 0x0000000000000000 0x555555758090: 0x0000000000000000 0x0000000000000021 Chunk2 0x5555557580a0: 0x0000000000000000 0x0000000000000000 0x5555557580b0: 0x0000000000000000 0x0000000000000021 Chunk3 0x5555557580c0: 0x0000000000000000 0x0000000000000000 0x5555557580d0: 0x0000000000000000 0x0000000000020f31 Top Chunk 0x5555557580e0: 0x0000000000000000 0x0000000000000000 0x5555557580f0: 0x0000000000000000 0x0000000000000000 0x555555758100: 0x0000000000000000 0x0000000000000000 0x555555758110: 0x0000000000000000 0x0000000000000000 0x555555758120: 0x0000000000000000 0x0000000000000000 0x555555758130: 0x0000000000000000 0x0000000000000000 估摸一下chunk1的大小似乎有点大导致free掉的chunk1并不会进入fastbin而是进入smallbin那么修改了size域后原本三个chunk在gdb里的heap指令下依旧少了一个: pwndbg heap Allocated chunk | PREV_INUSE Addr: 0x555555758000 Size: 0xb1Allocated chunk | PREV_INUSE Addr: 0x5555557580b0 Size: 0x21Top chunk | PREV_INUSE Addr: 0x5555557580d0 Size: 0x20f31pwndbg bins fastbins 0x20: 0x0 0x30: 0x0 0x40: 0x0 0x50: 0x0 0x60: 0x0 0x70: 0x0 0x80: 0x0 unsortedbin all: 0x0 smallbins empty largebins empty pwndbg x/40gx 0x555555758000 0x555555758000: 0x0000000000000000 0x00000000000000b1 Chunk1 0x555555758010: 0x0000000000000000 0x0000000000000000 0x555555758020: 0x0000000000000000 0x0000000000000000 0x555555758030: 0x0000000000000000 0x0000000000000000 0x555555758040: 0x0000000000000000 0x0000000000000000 0x555555758050: 0x0000000000000000 0x0000000000000000 0x555555758060: 0x0000000000000000 0x0000000000000000 0x555555758070: 0x0000000000000000 0x0000000000000000 0x555555758080: 0x0000000000000000 0x0000000000000000 0x555555758090: 0x0000000000000000 0x0000000000000021 Chunk2 0x5555557580a0: 0x0000000000000000 0x0000000000000000 0x5555557580b0: 0x0000000000000000 0x0000000000000021 Chunk3 0x5555557580c0: 0x0000000000000000 0x0000000000000000 0x5555557580d0: 0x0000000000000000 0x0000000000020f31 Top Chunk 0x5555557580e0: 0x0000000000000000 0x0000000000000000 0x5555557580f0: 0x0000000000000000 0x0000000000000000 0x555555758100: 0x0000000000000000 0x0000000000000000 0x555555758110: 0x0000000000000000 0x0000000000000000 0x555555758120: 0x0000000000000000 0x0000000000000000 0x555555758130: 0x0000000000000000 0x0000000000000000 下一步free掉chunk1 pwndbg heap Free chunk (unsortedbin) | PREV_INUSE Addr: 0x555555758000 Size: 0xb1 fd: 0x7ffff7dd1b78 bk: 0x7ffff7dd1b78Allocated chunk Addr: 0x5555557580b0 Size: 0x20Top chunk | PREV_INUSE Addr: 0x5555557580d0 Size: 0x20f31pwndbg bin fastbins 0x20: 0x0 0x30: 0x0 0x40: 0x0 0x50: 0x0 0x60: 0x0 0x70: 0x0 0x80: 0x0 unsortedbin all: 0x555555758000 —▸ 0x7ffff7dd1b78 (main_arena88) ◂— 0x555555758000 smallbins empty largebins empty pwndbg x/40gx 0x555555758000 0x555555758000: 0x0000000000000000 0x00000000000000b1 Chunk1 0x555555758010: 0x00007ffff7dd1b78 0x00007ffff7dd1b78 0x555555758020: 0x0000000000000000 0x0000000000000000 0x555555758030: 0x0000000000000000 0x0000000000000000 0x555555758040: 0x0000000000000000 0x0000000000000000 0x555555758050: 0x0000000000000000 0x0000000000000000 0x555555758060: 0x0000000000000000 0x0000000000000000 0x555555758070: 0x0000000000000000 0x0000000000000000 0x555555758080: 0x0000000000000000 0x0000000000000000 0x555555758090: 0x0000000000000000 0x0000000000000021 Chunk2 0x5555557580a0: 0x0000000000000000 0x0000000000000000 0x5555557580b0: 0x00000000000000b0 0x0000000000000020 Chunk3 0x5555557580c0: 0x0000000000000000 0x0000000000000000 0x5555557580d0: 0x0000000000000000 0x0000000000020f31 Top Chunk 0x5555557580e0: 0x0000000000000000 0x0000000000000000 0x5555557580f0: 0x0000000000000000 0x0000000000000000 0x555555758100: 0x0000000000000000 0x0000000000000000 0x555555758110: 0x0000000000000000 0x0000000000000000 0x555555758120: 0x0000000000000000 0x0000000000000000 0x555555758130: 0x0000000000000000 0x0000000000000000 这里发现了一个点需要注意就是free掉size域修改了之后的那个chunk1之后chunk3的size域的最低为也就是p位变成了0这也就说明chunk1没有放在fastbin里上面也看到了被放在了unsortedbin里。那么为啥会被放入unsortedbin内而不是smallbin呢估计有一下几种可能当一个较大的chunk被分割成两半后如果剩下的部分大于MINSIZE就会被放到unsortedbin中。释放一个不属于fastbin的chunk并且该chunk不和top chunk紧邻时该chunk就会被放到unsorted bin 中当第二次分配的时候没有在unsortedbin中找到合适的才会被放入到其对应的bin中。之后进行分配分配0xa0大小的堆块就会发现原chunk1的地址依旧拿去用了 pwndbg heap Allocated chunk | PREV_INUSE Addr: 0x555555758000 Size: 0xb1Allocated chunk | PREV_INUSE Addr: 0x5555557580b0 Size: 0x21Top chunk | PREV_INUSE Addr: 0x5555557580d0 Size: 0x20f31pwndbg bin fastbins 0x20: 0x0 0x30: 0x0 0x40: 0x0 0x50: 0x0 0x60: 0x0 0x70: 0x0 0x80: 0x0 unsortedbin all: 0x0 smallbins empty largebins empty pwndbg x/40gx 0x555555758000 0x555555758000: 0x0000000000000000 0x00000000000000b1 0x555555758010: 0x00007ffff7dd1b78 0x00007ffff7dd1b78 0x555555758020: 0x0000000000000000 0x0000000000000000 0x555555758030: 0x0000000000000000 0x0000000000000000 0x555555758040: 0x0000000000000000 0x0000000000000000 0x555555758050: 0x0000000000000000 0x0000000000000000 0x555555758060: 0x0000000000000000 0x0000000000000000 0x555555758070: 0x0000000000000000 0x0000000000000000 0x555555758080: 0x0000000000000000 0x0000000000000000 0x555555758090: 0x0000000000000000 0x0000000000000021 0x5555557580a0: 0x0000000000000000 0x0000000000000000 0x5555557580b0: 0x00000000000000b0 0x0000000000000021 0x5555557580c0: 0x0000000000000000 0x0000000000000000 0x5555557580d0: 0x0000000000000000 0x0000000000020f31 0x5555557580e0: 0x0000000000000000 0x0000000000000000 0x5555557580f0: 0x0000000000000000 0x0000000000000000 0x555555758100: 0x0000000000000000 0x0000000000000000 0x555555758110: 0x0000000000000000 0x0000000000000000 0x555555758120: 0x0000000000000000 0x0000000000000000 0x555555758130: 0x0000000000000000 0x00000000000000003、对free的smallbin进行extend //gcc -g 3.c int main() {void *ptr,*ptr1;ptrmalloc(0x80);//分配第一个0x80的chunk1malloc(0x10);//分配第二个0x10的chunk2free(ptr);//首先进行释放使得chunk1进入unsorted bin*(long *)((long)ptr-0x8)0xb1;ptr1malloc(0xa0); } 首先是两次malloc pwndbg heap Allocated chunk | PREV_INUSE Addr: 0x555555758000 Size: 0x91Allocated chunk | PREV_INUSE Addr: 0x555555758090 Size: 0x21Top chunk | PREV_INUSE Addr: 0x5555557580b0 Size: 0x20f51pwndbg bins fastbins 0x20: 0x0 0x30: 0x0 0x40: 0x0 0x50: 0x0 0x60: 0x0 0x70: 0x0 0x80: 0x0 unsortedbin all: 0x0 smallbins empty largebins empty pwndbg x/30gx 0x555555758000 0x555555758000: 0x0000000000000000 0x0000000000000091 Chunk1 0x555555758010: 0x0000000000000000 0x0000000000000000 0x555555758020: 0x0000000000000000 0x0000000000000000 0x555555758030: 0x0000000000000000 0x0000000000000000 0x555555758040: 0x0000000000000000 0x0000000000000000 0x555555758050: 0x0000000000000000 0x0000000000000000 0x555555758060: 0x0000000000000000 0x0000000000000000 0x555555758070: 0x0000000000000000 0x0000000000000000 0x555555758080: 0x0000000000000000 0x0000000000000000 0x555555758090: 0x0000000000000000 0x0000000000000021 Chunk2 0x5555557580a0: 0x0000000000000000 0x0000000000000000 0x5555557580b0: 0x0000000000000000 0x0000000000020f51 Top Chunk 0x5555557580c0: 0x0000000000000000 0x0000000000000000 0x5555557580d0: 0x0000000000000000 0x0000000000000000 0x5555557580e0: 0x0000000000000000 0x0000000000000000 之后直接free掉chunk1 pwndbg heap Free chunk (unsortedbin) | PREV_INUSE Addr: 0x555555758000 Size: 0x91 fd: 0x7ffff7dd1b78 bk: 0x7ffff7dd1b78Allocated chunk Addr: 0x555555758090 Size: 0x20Top chunk | PREV_INUSE Addr: 0x5555557580b0 Size: 0x20f51pwndbg bin fastbins 0x20: 0x0 0x30: 0x0 0x40: 0x0 0x50: 0x0 0x60: 0x0 0x70: 0x0 0x80: 0x0 unsortedbin all: 0x555555758000 —▸ 0x7ffff7dd1b78 (main_arena88) ◂— 0x555555758000 smallbins empty largebins empty pwndbg x/30gx 0x555555758000 0x555555758000: 0x0000000000000000 0x0000000000000091 Chunk1 0x555555758010: 0x00007ffff7dd1b78 0x00007ffff7dd1b78 0x555555758020: 0x0000000000000000 0x0000000000000000 0x555555758030: 0x0000000000000000 0x0000000000000000 0x555555758040: 0x0000000000000000 0x0000000000000000 0x555555758050: 0x0000000000000000 0x0000000000000000 0x555555758060: 0x0000000000000000 0x0000000000000000 0x555555758070: 0x0000000000000000 0x0000000000000000 0x555555758080: 0x0000000000000000 0x0000000000000000 0x555555758090: 0x0000000000000090 0x0000000000000020 Chunk2 0x5555557580a0: 0x0000000000000000 0x0000000000000000 0x5555557580b0: 0x0000000000000000 0x0000000000020f51 Top Chunk 0x5555557580c0: 0x0000000000000000 0x0000000000000000 0x5555557580d0: 0x0000000000000000 0x0000000000000000 0x5555557580e0: 0x0000000000000000 0x0000000000000000 这里还是能看出来存在两个chunk的当修改了size域大小后 pwndbg heap Free chunk (unsortedbin) | PREV_INUSE Addr: 0x555555758000 Size: 0xb1 fd: 0x7ffff7dd1b78 bk: 0x7ffff7dd1b78Top chunk | PREV_INUSE Addr: 0x5555557580b0 Size: 0x20f51pwndbg bin fastbins 0x20: 0x0 0x30: 0x0 0x40: 0x0 0x50: 0x0 0x60: 0x0 0x70: 0x0 0x80: 0x0 unsortedbin all: 0x555555758000 —▸ 0x7ffff7dd1b78 (main_arena88) ◂— 0x555555758000 smallbins empty largebins empty pwndbg x/30gx 0x555555758000 0x555555758000: 0x0000000000000000 0x00000000000000b1 0x555555758010: 0x00007ffff7dd1b78 0x00007ffff7dd1b78 0x555555758020: 0x0000000000000000 0x0000000000000000 0x555555758030: 0x0000000000000000 0x0000000000000000 0x555555758040: 0x0000000000000000 0x0000000000000000 0x555555758050: 0x0000000000000000 0x0000000000000000 0x555555758060: 0x0000000000000000 0x0000000000000000 0x555555758070: 0x0000000000000000 0x0000000000000000 0x555555758080: 0x0000000000000000 0x0000000000000000 0x555555758090: 0x0000000000000090 0x0000000000000020 0x5555557580a0: 0x0000000000000000 0x0000000000000000 0x5555557580b0: 0x0000000000000000 0x0000000000020f51 0x5555557580c0: 0x0000000000000000 0x0000000000000000 0x5555557580d0: 0x0000000000000000 0x0000000000000000 0x5555557580e0: 0x0000000000000000 0x0000000000000000 原本的三个chunk变成了两个并且chunk2还是allocated状态重叠之后chunk1是free状态所以整个chunk依旧是free状态。之后malloc(0xa0)试试 pwndbg heap Allocated chunk | PREV_INUSE Addr: 0x555555758000 Size: 0xb1Top chunk | PREV_INUSE Addr: 0x5555557580b0 Size: 0x20f51pwndbg bin fastbins 0x20: 0x0 0x30: 0x0 0x40: 0x0 0x50: 0x0 0x60: 0x0 0x70: 0x0 0x80: 0x0 unsortedbin all: 0x0 smallbins empty largebins empty pwndbg x/30gx 0x555555758000 0x555555758000: 0x0000000000000000 0x00000000000000b1 0x555555758010: 0x00007ffff7dd1b78 0x00007ffff7dd1b78 0x555555758020: 0x0000000000000000 0x0000000000000000 0x555555758030: 0x0000000000000000 0x0000000000000000 0x555555758040: 0x0000000000000000 0x0000000000000000 0x555555758050: 0x0000000000000000 0x0000000000000000 0x555555758060: 0x0000000000000000 0x0000000000000000 0x555555758070: 0x0000000000000000 0x0000000000000000 0x555555758080: 0x0000000000000000 0x0000000000000000 0x555555758090: 0x0000000000000090 0x0000000000000020 0x5555557580a0: 0x0000000000000000 0x0000000000000000 0x5555557580b0: 0x0000000000000000 0x0000000000020f51 0x5555557580c0: 0x0000000000000000 0x0000000000000000 0x5555557580d0: 0x0000000000000000 0x0000000000000000 0x5555557580e0: 0x0000000000000000 0x00000000000000004、extend前向overlapping //gcc -g 4.c int main() {void *ptr,*ptr1;ptrmalloc(0x10);//分配第1个 0x80 的chunk1malloc(0x10); //分配第2个 0x10 的chunk2malloc(0x10); //分配第3个 0x10 的chunk3malloc(0x10); //分配第4个 0x10 的chunk4 *(long *)((long)ptr-0x8)0x61;free(ptr);ptr1malloc(0x50); } 还是老样子进行4次malloc看下heap和bin以及chunk的内容 pwndbg heap Allocated chunk | PREV_INUSE Addr: 0x555555758000 Size: 0x21Allocated chunk | PREV_INUSE Addr: 0x555555758020 Size: 0x21Allocated chunk | PREV_INUSE Addr: 0x555555758040 Size: 0x21Allocated chunk | PREV_INUSE Addr: 0x555555758060 Size: 0x21Top chunk | PREV_INUSE Addr: 0x555555758080 Size: 0x20f81pwndbg bin fastbins 0x20: 0x0 0x30: 0x0 0x40: 0x0 0x50: 0x0 0x60: 0x0 0x70: 0x0 0x80: 0x0 unsortedbin all: 0x0 smallbins empty largebins empty pwndbg x/30gx 0x555555758000 0x555555758000: 0x0000000000000000 0x0000000000000021 Chunk1 0x555555758010: 0x0000000000000000 0x0000000000000000 0x555555758020: 0x0000000000000000 0x0000000000000021 Chunk2 0x555555758030: 0x0000000000000000 0x0000000000000000 0x555555758040: 0x0000000000000000 0x0000000000000021 Chunk3 0x555555758050: 0x0000000000000000 0x0000000000000000 0x555555758060: 0x0000000000000000 0x0000000000000021 Chunk4 0x555555758070: 0x0000000000000000 0x0000000000000000 0x555555758080: 0x0000000000000000 0x0000000000020f81 Top Chunk 0x555555758090: 0x0000000000000000 0x0000000000000000 0x5555557580a0: 0x0000000000000000 0x0000000000000000 0x5555557580b0: 0x0000000000000000 0x0000000000000000 0x5555557580c0: 0x0000000000000000 0x0000000000000000 0x5555557580d0: 0x0000000000000000 0x0000000000000000 0x5555557580e0: 0x0000000000000000 0x0000000000000000 之后修改size域 pwndbg heap Allocated chunk | PREV_INUSE Addr: 0x555555758000 Size: 0x61Allocated chunk | PREV_INUSE Addr: 0x555555758060 Size: 0x21Top chunk | PREV_INUSE Addr: 0x555555758080 Size: 0x20f81pwndbg bin fastbins 0x20: 0x0 0x30: 0x0 0x40: 0x0 0x50: 0x0 0x60: 0x0 0x70: 0x0 0x80: 0x0 unsortedbin all: 0x0 smallbins empty largebins empty pwndbg x/30gx 0x555555758000 0x555555758000: 0x0000000000000000 0x0000000000000061 0x555555758010: 0x0000000000000000 0x0000000000000000 0x555555758020: 0x0000000000000000 0x0000000000000021 0x555555758030: 0x0000000000000000 0x0000000000000000 0x555555758040: 0x0000000000000000 0x0000000000000021 0x555555758050: 0x0000000000000000 0x0000000000000000 0x555555758060: 0x0000000000000000 0x0000000000000021 0x555555758070: 0x0000000000000000 0x0000000000000000 0x555555758080: 0x0000000000000000 0x0000000000020f81 0x555555758090: 0x0000000000000000 0x0000000000000000 0x5555557580a0: 0x0000000000000000 0x0000000000000000 0x5555557580b0: 0x0000000000000000 0x0000000000000000 0x5555557580c0: 0x0000000000000000 0x0000000000000000 0x5555557580d0: 0x0000000000000000 0x0000000000000000 0x5555557580e0: 0x0000000000000000 0x0000000000000000 之后free pwndbg heap Allocated chunk | PREV_INUSE Addr: 0x555555758000 Size: 0x61Allocated chunk | PREV_INUSE Addr: 0x555555758060 Size: 0x21Top chunk | PREV_INUSE Addr: 0x555555758080 Size: 0x20f81pwndbg bin fastbins 0x20: 0x0 0x30: 0x0 0x40: 0x0 0x50: 0x0 0x60: 0x0 0x70: 0x0 0x80: 0x0 unsortedbin all: 0x0 smallbins empty largebins empty pwndbg x/30gx 0x555555758000 0x555555758000: 0x0000000000000000 0x0000000000000061 0x555555758010: 0x0000000000000000 0x0000000000000000 0x555555758020: 0x0000000000000000 0x0000000000000021 0x555555758030: 0x0000000000000000 0x0000000000000000 0x555555758040: 0x0000000000000000 0x0000000000000021 0x555555758050: 0x0000000000000000 0x0000000000000000 0x555555758060: 0x0000000000000000 0x0000000000000021 0x555555758070: 0x0000000000000000 0x0000000000000000 0x555555758080: 0x0000000000000000 0x0000000000020f81 0x555555758090: 0x0000000000000000 0x0000000000000000 0x5555557580a0: 0x0000000000000000 0x0000000000000000 0x5555557580b0: 0x0000000000000000 0x0000000000000000 0x5555557580c0: 0x0000000000000000 0x0000000000000000 0x5555557580d0: 0x0000000000000000 0x0000000000000000 0x5555557580e0: 0x0000000000000000 0x0000000000000000 之后重新malloc pwndbg heap Allocated chunk | PREV_INUSE Addr: 0x555555758000 Size: 0x61Allocated chunk | PREV_INUSE Addr: 0x555555758060 Size: 0x21Top chunk | PREV_INUSE Addr: 0x555555758080 Size: 0x20f81pwndbg bin fastbins 0x20: 0x0 0x30: 0x0 0x40: 0x0 0x50: 0x0 0x60: 0x0 0x70: 0x0 0x80: 0x0 unsortedbin all: 0x0 smallbins empty largebins empty pwndbg x/30gx 0x555555758000 0x555555758000: 0x0000000000000000 0x0000000000000061 0x555555758010: 0x0000000000000000 0x0000000000000000 0x555555758020: 0x0000000000000000 0x0000000000000021 0x555555758030: 0x0000000000000000 0x0000000000000000 0x555555758040: 0x0000000000000000 0x0000000000000021 0x555555758050: 0x0000000000000000 0x0000000000000000 0x555555758060: 0x0000000000000000 0x0000000000000021 0x555555758070: 0x0000000000000000 0x0000000000000000 0x555555758080: 0x0000000000000000 0x0000000000020f81 0x555555758090: 0x0000000000000000 0x0000000000000000 0x5555557580a0: 0x0000000000000000 0x0000000000000000 0x5555557580b0: 0x0000000000000000 0x0000000000000000 0x5555557580c0: 0x0000000000000000 0x0000000000000000 0x5555557580d0: 0x0000000000000000 0x0000000000000000 0x5555557580e0: 0x0000000000000000 0x00000000000000005、通过extend前向overlapping //gcc -g 5.c int main(void) {void *ptr1,*ptr2,*ptr3,*ptr4;ptr1malloc(128);//smallbin1ptr2malloc(0x10);//fastbin1ptr3malloc(0x10);//fastbin2ptr4malloc(128);//smallbin2malloc(0x10);//防止与top合并free(ptr1);*(int *)((long long)ptr4-0x8)0x90;//修改pre_inuse域*(int *)((long long)ptr4-0x10)0xd0;//修改pre_size域free(ptr4);//unlink进行前向extendmalloc(0x150);//占位块 } 经过五次malloc之后 pwndbg heap Allocated chunk | PREV_INUSE Addr: 0x555555758000 Size: 0x91Allocated chunk | PREV_INUSE Addr: 0x555555758090 Size: 0x21Allocated chunk | PREV_INUSE Addr: 0x5555557580b0 Size: 0x21Allocated chunk | PREV_INUSE Addr: 0x5555557580d0 Size: 0x91Allocated chunk | PREV_INUSE Addr: 0x555555758160 Size: 0x21Top chunk | PREV_INUSE Addr: 0x555555758180 Size: 0x20e81pwndbg bin fastbins 0x20: 0x0 0x30: 0x0 0x40: 0x0 0x50: 0x0 0x60: 0x0 0x70: 0x0 0x80: 0x0 unsortedbin all: 0x0 smallbins empty largebins empty pwndbg x/54gx 0x555555758000 0x555555758000: 0x0000000000000000 0x0000000000000091 0x555555758010: 0x0000000000000000 0x0000000000000000 0x555555758020: 0x0000000000000000 0x0000000000000000 0x555555758030: 0x0000000000000000 0x0000000000000000 0x555555758040: 0x0000000000000000 0x0000000000000000 0x555555758050: 0x0000000000000000 0x0000000000000000 0x555555758060: 0x0000000000000000 0x0000000000000000 0x555555758070: 0x0000000000000000 0x0000000000000000 0x555555758080: 0x0000000000000000 0x0000000000000000 0x555555758090: 0x0000000000000000 0x0000000000000021 0x5555557580a0: 0x0000000000000000 0x0000000000000000 0x5555557580b0: 0x0000000000000000 0x0000000000000021 0x5555557580c0: 0x0000000000000000 0x0000000000000000 0x5555557580d0: 0x0000000000000000 0x0000000000000091 0x5555557580e0: 0x0000000000000000 0x0000000000000000 0x5555557580f0: 0x0000000000000000 0x0000000000000000 0x555555758100: 0x0000000000000000 0x0000000000000000 0x555555758110: 0x0000000000000000 0x0000000000000000 0x555555758120: 0x0000000000000000 0x0000000000000000 0x555555758130: 0x0000000000000000 0x0000000000000000 0x555555758140: 0x0000000000000000 0x0000000000000000 0x555555758150: 0x0000000000000000 0x0000000000000000 0x555555758160: 0x0000000000000000 0x0000000000000021 0x555555758170: 0x0000000000000000 0x0000000000000000 0x555555758180: 0x0000000000000000 0x0000000000020e81 0x555555758190: 0x0000000000000000 0x0000000000000000 0x5555557581a0: 0x0000000000000000 0x0000000000000000 free了chunk1之后chunk2的p位已经变成0了 pwndbg heap Free chunk (unsortedbin) | PREV_INUSE Addr: 0x555555758000 Size: 0x91 fd: 0x7ffff7dd1b78 bk: 0x7ffff7dd1b78Allocated chunk Addr: 0x555555758090 Size: 0x20Allocated chunk | PREV_INUSE Addr: 0x5555557580b0 Size: 0x21Allocated chunk | PREV_INUSE Addr: 0x5555557580d0 Size: 0x91Allocated chunk | PREV_INUSE Addr: 0x555555758160 Size: 0x21Top chunk | PREV_INUSE Addr: 0x555555758180 Size: 0x20e81pwndbg bin fastbins 0x20: 0x0 0x30: 0x0 0x40: 0x0 0x50: 0x0 0x60: 0x0 0x70: 0x0 0x80: 0x0 unsortedbin all: 0x555555758000 —▸ 0x7ffff7dd1b78 (main_arena88) ◂— 0x555555758000 smallbins empty largebins empty pwndbg x/54gx 0x555555758000 0x555555758000: 0x0000000000000000 0x0000000000000091 Chunk1 0x555555758010: 0x00007ffff7dd1b78 0x00007ffff7dd1b78 0x555555758020: 0x0000000000000000 0x0000000000000000 0x555555758030: 0x0000000000000000 0x0000000000000000 0x555555758040: 0x0000000000000000 0x0000000000000000 0x555555758050: 0x0000000000000000 0x0000000000000000 0x555555758060: 0x0000000000000000 0x0000000000000000 0x555555758070: 0x0000000000000000 0x0000000000000000 0x555555758080: 0x0000000000000000 0x0000000000000000 0x555555758090: 0x0000000000000090 0x0000000000000020 0x5555557580a0: 0x0000000000000000 0x0000000000000000 0x5555557580b0: 0x0000000000000000 0x0000000000000021 Chunk2 0x5555557580c0: 0x0000000000000000 0x0000000000000000 0x5555557580d0: 0x0000000000000000 0x0000000000000091 Chunk3 0x5555557580e0: 0x0000000000000000 0x0000000000000000 0x5555557580f0: 0x0000000000000000 0x0000000000000000 0x555555758100: 0x0000000000000000 0x0000000000000000 0x555555758110: 0x0000000000000000 0x0000000000000000 0x555555758120: 0x0000000000000000 0x0000000000000000 0x555555758130: 0x0000000000000000 0x0000000000000000 0x555555758140: 0x0000000000000000 0x0000000000000000 0x555555758150: 0x0000000000000000 0x0000000000000000 0x555555758160: 0x0000000000000000 0x0000000000000021 Chunk4 0x555555758170: 0x0000000000000000 0x0000000000000000 0x555555758180: 0x0000000000000000 0x0000000000020e81 Top Chunk 0x555555758190: 0x0000000000000000 0x0000000000000000 0x5555557581a0: 0x0000000000000000 0x0000000000000000 之后修改了chunk3的pre_inuse也就是size的最低为P位为0然后修改pre_size位为0xd8 pwndbg heap Free chunk (unsortedbin) | PREV_INUSE Addr: 0x555555758000 Size: 0x91 fd: 0x7ffff7dd1b78 bk: 0x7ffff7dd1b78Allocated chunk Addr: 0x555555758090 Size: 0x20Allocated chunk | PREV_INUSE Addr: 0x5555557580b0 Size: 0x21Allocated chunk Addr: 0x5555557580d0 Size: 0x90Allocated chunk | PREV_INUSE Addr: 0x555555758160 Size: 0x21Top chunk | PREV_INUSE Addr: 0x555555758180 Size: 0x20e81pwndbg bin fastbins 0x20: 0x0 0x30: 0x0 0x40: 0x0 0x50: 0x0 0x60: 0x0 0x70: 0x0 0x80: 0x0 unsortedbin all: 0x555555758000 —▸ 0x7ffff7dd1b78 (main_arena88) ◂— 0x555555758000 smallbins empty largebins empty pwndbg x/54gx 0x555555758000 0x555555758000: 0x0000000000000000 0x0000000000000091 Chunk1 0x555555758010: 0x00007ffff7dd1b78 0x00007ffff7dd1b78 0x555555758020: 0x0000000000000000 0x0000000000000000 0x555555758030: 0x0000000000000000 0x0000000000000000 0x555555758040: 0x0000000000000000 0x0000000000000000 0x555555758050: 0x0000000000000000 0x0000000000000000 0x555555758060: 0x0000000000000000 0x0000000000000000 0x555555758070: 0x0000000000000000 0x0000000000000000 0x555555758080: 0x0000000000000000 0x0000000000000000 0x555555758090: 0x0000000000000090 0x0000000000000020 0x5555557580a0: 0x0000000000000000 0x0000000000000000 0x5555557580b0: 0x0000000000000000 0x0000000000000021 Chunk2 0x5555557580c0: 0x0000000000000000 0x0000000000000000 0x5555557580d0: 0x00000000000000d0 0x0000000000000090 Chunk3 0x5555557580e0: 0x0000000000000000 0x0000000000000000 0x5555557580f0: 0x0000000000000000 0x0000000000000000 0x555555758100: 0x0000000000000000 0x0000000000000000 0x555555758110: 0x0000000000000000 0x0000000000000000 0x555555758120: 0x0000000000000000 0x0000000000000000 0x555555758130: 0x0000000000000000 0x0000000000000000 0x555555758140: 0x0000000000000000 0x0000000000000000 0x555555758150: 0x0000000000000000 0x0000000000000000 0x555555758160: 0x0000000000000000 0x0000000000000021 Chunk4 0x555555758170: 0x0000000000000000 0x0000000000000000 0x555555758180: 0x0000000000000000 0x0000000000020e81 Top Chunk 0x555555758190: 0x0000000000000000 0x0000000000000000 0x5555557581a0: 0x0000000000000000 0x0000000000000000 可以看出来chunk3的pre_size域的大小刚好能够包含到完chunk1和chunk2。之后free掉了chunk3 pwndbg heap Free chunk (unsortedbin) | PREV_INUSE Addr: 0x555555758000 Size: 0x161 fd: 0x7ffff7dd1b78 bk: 0x7ffff7dd1b78Allocated chunk Addr: 0x555555758160 Size: 0x20Top chunk | PREV_INUSE Addr: 0x555555758180 Size: 0x20e81pwndbg bin fastbins 0x20: 0x0 0x30: 0x0 0x40: 0x0 0x50: 0x0 0x60: 0x0 0x70: 0x0 0x80: 0x0 unsortedbin all: 0x555555758000 —▸ 0x7ffff7dd1b78 (main_arena88) ◂— 0x555555758000 smallbins empty largebins empty会发现前面的三个chunk都被合并成了一个这里主要是因为unlink的原因导致了chunk3和前面的两个主要是pre_size指定的大小范围内的chunk发生了合并。之后再进行malloc会分配走新的那个chunk1 pwndbg heap Allocated chunk | PREV_INUSE Addr: 0x555555758000 Size: 0x161Allocated chunk | PREV_INUSE Addr: 0x555555758160 Size: 0x21Top chunk | PREV_INUSE Addr: 0x555555758180 Size: 0x20e81pwndbg bin fastbins 0x20: 0x0 0x30: 0x0 0x40: 0x0 0x50: 0x0 0x60: 0x0 0x70: 0x0 0x80: 0x0 unsortedbin all: 0x0 smallbins empty largebins empty

http://www.dnsts.com.cn/news/29461.html

相关文章：

一个网站大概多少页面只有后端可以做网站吗

上海迈诺网站建设专业生产佛山网站建设

高清素材网站无水印杭州公司注册地址租赁

苏州网站推广哪家好美食网站设计规划书

百度站点宁波网站seo报价

asp网站数据库扫描网上商城搭建

360云盘做网站图片服务器个人域名备案查询

响应式网站好还是自适应网站好海外推广

如何建设网站教程视屏哈尔滨专业网站制作

建设一个外贸网站需要多少钱简单静态网页制作代码

朝阳双桥网站建设什么是域名

绵阳网站建设工作室苗木企业网站建设源代码园林网站源码程序苗圃花卉网站制作源码

网站建设放什么会计科目网站推广怎么做知乎

wordpress修复数据库网络推广与seo的区别在哪里

海尔网站推广方法杭州淘宝代运营公司十大排名

青岛做视频的网站做公司网站合同

安卓毕业设计代做网站PS网站设计

做网站建设公司排名织梦cms通用蓝白简介大气企业网站环保科技公司源码

广东省路桥建设有限公司网站用手机可以做网站

哈尔滨市建设安全监察网站网站建设用php建设优点

什么软件可以做动画视频网站找马云做网站

太原制作网站的公司苏州网站seo

搭建自己的网站各大网站查重率比较

北京网站制作应用深圳网博网站建设

模板网站制作时间智能运维管理系统平台

哪个网站做照片书最好地产网站互动营销

广告网站模板汕头网站建设方案开发

网站被k是怎么回事网站开发是前端开发吗

建设银行网站查询密码设置cms源码下载

网站建设哪家好知道做pc端网站策划