fastbin attack
solei1 edited this page Mar 17, 2018 · 1 revision
Reference: https://ctf-wiki.github.io/ctf-wiki/pwn/heap/fastbin_attack/
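1:
Exploitation steps:
- Allocate two fastbin chunks.
- Modify the fd pointer. There are two ways to do this: a heap overflow or a UAF. how2heap uses the UAF.
- Construct a fake chunk structure. malloc checks whether the size of the chunk to be allocated falls within the range of fastbinY[idx] (it does not need to be aligned). On 64-bit, fastbin sizes range from 32 bytes to 128 bytes (0x20-0x80).
- Get an allocation at an arbitrary address.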
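The size check mentioned in the third step, modelled as an added example (not code from this wiki page or from glibc itself). The constants follow the 64-bit macros in glibc's malloc.c; the helper name `fastbin_check_passes` and the sample size fields are constructed for illustration.

```c
/* Added example: model of glibc's fastbin size check (64-bit).
 * Constants follow glibc malloc.c; helper names are hypothetical. */
#include <stddef.h>
#include <stdio.h>

#define SIZE_SZ    8u     /* sizeof(size_t) on 64-bit */
#define ALIGN_MASK 0xfu   /* MALLOC_ALIGN_MASK: 16-byte chunk alignment */
#define MINSIZE    0x20u  /* smallest possible chunk */
#define SIZE_BITS  0x7u   /* PREV_INUSE | IS_MMAPPED | NON_MAIN_ARENA */
#define MAX_FAST   0x80u  /* default global_max_fast on 64-bit */

/* User request -> chunk size (header included, rounded up to 16). */
static size_t request2size(size_t req) {
    size_t sz = req + SIZE_SZ + ALIGN_MASK;
    return sz < MINSIZE ? MINSIZE : (sz & ~(size_t)ALIGN_MASK);
}

/* Chunk size -> index into fastbinY[]. */
static unsigned fastbin_index(size_t sz) {
    return ((unsigned)sz >> 4) - 2;
}

/* 1 if malloc(request) would accept a fastbin head whose size field is
 * size_field, 0 if it would abort with "memory corruption (fast)" or the
 * request is not served from a fastbin at all. */
static int fastbin_check_passes(size_t request, size_t size_field) {
    size_t nb = request2size(request);
    if (nb > MAX_FAST)
        return 0;
    return fastbin_index(size_field & ~(size_t)SIZE_BITS) == fastbin_index(nb);
}

int main(void) {
    /* Constructed size fields tested against malloc(0x68), i.e. the 0x70 bin. */
    const size_t fields[] = { 0x0, 0x61, 0x70, 0x71, 0x78, 0x7d, 0x80, 0x81 };
    printf("malloc(0x68) -> chunk size 0x%zx, fastbinY[%u]\n",
           request2size(0x68), fastbin_index(request2size(0x68)));
    for (size_t i = 0; i < sizeof fields / sizeof fields[0]; i++)
        printf("size field 0x%02zx: %s\n", fields[i],
               fastbin_check_passes(0x68, fields[i]) ? "accepted" : "rejected");
    return 0;
}
```

The check compares only the bin index, so the flag bits and the 16-byte alignment of the size field are never validated. glibc 2.32 and later add safe-linking and an alignment check on the fastbin pointer itself.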
References:
- http://tacxingxing.com/2017/09/06/fastbinattack/
- http://blog.csdn.net/z231288/article/details/76299204
- https://github.com/shellphish/how2heap/blob/master/fastbin_dup_into_stack.c
2: house of spirit