I was so amazed by this kind of attack when I first heard of it: it is an attack in which we deceive glibc!
What? Deceive the allocator?! I will explain it in the following.
Malloc More Memory
We should know that when malloc(nb) finds no usable chunk in the bins, it asks the TOP chunk for help!
First, it checks the size header of TOP.
If top_size - nb - 0x10 (the size of the chunk header) > 0, then we can carve nb out of the top chunk.
How Do We Exploit It
When we get our requested memory, we also get the new address of the top chunk.
new_top = old_top + nb + size_of_chunk_header // in other words: nb = new_top - old_top - size_of_chunk_header
So in fact, we can control the address of the top chunk through this rule!
Steps of Force
The key point of this attack is to decide where you want to move your top chunk and how large your nb must be.
- Overwrite the TOP size with a big value
When the program has a heap-overflow vulnerability, we can overwrite the header of the next chunk.
In this case, we need to make sure that we can still malloc() from the TOP chunk, so I would overwrite the size field with 0xffffffffffffffff.
(Why do we need to make sure of this? Because only through malloc can we change the address of the top chunk again.)
- malloc(new_top - old_top - size_of_chunk_header)
We usually want to hijack a function pointer, so we try to move the top chunk close to that pointer; then we can overwrite it and control RIP.
So, we may decide new_top by ourselves.
However, you may be confused that the value of nb is negative!
In fact, nb can be a negative number: the size_t arithmetic in malloc() wraps around, so the value behaves as if it were signed.
Then, we move our top chunk to our target site ><
- malloc() again
In the end, when you malloc() again, the returned memory lies at the target and you gain control over it!
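As an added illustration (not code from the original post), here is a constructed, simplified C model of how malloc() carves a request out of the top chunk: the unchecked split that the steps above rely on, beside the top-size sanity check glibc 2.29 added ("malloc(): corrupted top size"), which refuses a top chunk whose size field exceeds what the arena actually owns. All names (arena_t, split_top, HEAP_BYTES) are made up for the model, and nb is the requested size as in the post.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed model, not glibc code: nb is the requested size (as in the post)
 * and HDR is size_of_chunk_header on 64-bit glibc. */
#define HDR        0x10UL
#define SIZE_BITS  0x7UL
#define HEAP_BYTES 0x1000UL

typedef struct {
    uint8_t heap[HEAP_BYTES];   /* fake arena memory; entirely "top" at start */
    size_t  top;                /* offset of the top chunk inside heap[] */
    size_t  system_mem;         /* bytes the arena really obtained from the OS */
} arena_t;

static void arena_init(arena_t *av) {
    memset(av, 0, sizeof *av);
    av->system_mem = HEAP_BYTES;
    ((size_t *)av->heap)[1] = HEAP_BYTES | 1;   /* top size field, PREV_INUSE set */
}

/* Size field of the current top chunk (second word of its header). */
static size_t top_size(const arena_t *av) {
    return ((const size_t *)(av->heap + av->top))[1] & ~SIZE_BITS;
}

/* Models a heap-overflow write landing in the top chunk's size field. */
static void corrupt_top_size(arena_t *av, size_t fake) {
    ((size_t *)(av->heap + av->top))[1] = fake;
}

/* Carves nb bytes from top. Returns the new top offset, or (size_t)-1 when the
 * request is refused.  hardened == 0: only the "does it fit" test the post
 * describes.  hardened == 1: additionally the check glibc 2.29 added
 * ("malloc(): corrupted top size"): the top size must not exceed system_mem. */
static size_t split_top(arena_t *av, size_t nb, int hardened) {
    size_t size = top_size(av);
    if (hardened && size > av->system_mem)
        return (size_t)-1;                 /* real glibc aborts here */
    if (size < nb + HDR)                   /* unsigned compare: a huge nb wraps */
        return (size_t)-1;                 /* real glibc falls back to sysmalloc */
    av->top = av->top + nb + HDR;          /* new_top = old_top + nb + header */
    if (av->top + HDR <= HEAP_BYTES)       /* write remainder size only inside the model heap */
        ((size_t *)(av->heap + av->top))[1] = (size - nb - HDR) | 1;
    return av->top;
}
```

With an intact top the two modes behave identically; once the size field holds 0xffffffffffffffff, the unchecked model accepts any nb (including a wrapped "negative" one that moves top backwards), while the hardened model refuses because the size exceeds system_mem.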
So, what are our requirements?
- We can overflow the size header of the TOP chunk.
- We can control the size passed to our malloc().
- When you compute nb, make sure the target area is also located in the heap, just like the top chunk. Otherwise, you would need to leak the heap base to get the top chunk address first!
Practice helps me a lot.