|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
 |
  1576,  1/79 |
  |
 |
 |
 |
 |
vngkv123 | ||||||
 |
|||||||
 |
unlink¸ÅÅ©·Î¿¡¼ P.... | ||||||
|
|||||||
|
http://www.hackerschool.org/HS_Boards/zboard.php?AllArticle=true&no=1875 [º¹»ç]
Hit : 2938 Date : 2017/05/12 10:26
|
|||||||
 |
|||||||
|  |
| |
| zer0water | P->fd->bk = P->bk P->bk->fd = P->fd ÀÌÁÒ ¿©±â¼ Heap overflow°¡ »ý±â°ÔµÇ¾î PÀÇ fd,bk¸¦ º¯Á¶ÇÒ ¼ö ÀÖ´Ù¸é, ƯÁ¤ ¸Þ¸ð¸®¿¡ °ªÀ» ¾²´Â°Ô °¡´ÉÇØÁö´Âµ¥¿ä. Á˼ÛÇѵ¥ Àú´Â unlinkµÇ´Â chunk P°¡ ¾î¶»°Ô Á¤ÀǵdzĴ Áú¹®ÀÌ ¹ºÁö ÀÌÇØ°¡ µÇÁö ¾Ê³×¿ä |
2017/05/12 | |
| vngkv123 | unlink °ËÁõ ·çƾ¿¡¼ if(__builtin_expect(FD->bk != P | BK->fd != P, 0)ÀÌ ÂÊ ¸»Çϴ°ſ¡¿µ. ÀϹÝÀûÀÎ binlist¿¡¼ÀÇ chunk°¡ freeµÉ ¶©, P°¡ chunkÀÇ ½ÃÀۺκÐÀ» °¡¸®Å°±â ¶§¹®¿¡ ÀÌÇØÇϱ⠽¬¿îµ¥ unsafe unlink¿¡¼ fake chunk¸¦ ±¸¼ºÇØÁÙ ¶§, ÀÌ fake chunkÀÇ Pµµ ¾Æ¸¶ heap¿µ¿ªÀÏÅÙµ¥, ÀÌ ·çƾÀ» ¿ìȸÇϱâ À§ÇØ bss¿µ¿ª¿¡ ÀúÀåµÇÀÖ´Â ÁÖ¼Ò·Î fake chunkÀÇ fd¿Í bk¸¦ ¼³Á¤ÇØÁØ´Ù´Â°Ô ÀÌÇØ°¡ ¾ÈµÇ³×¿ë. |
2017/05/12 | |
| vngkv123 | À§ÀÇ 2¹ø° ÁÙ¿¡¼ freeµÉ¶§°¡ ¾Æ´Ï¶ó unlinkµÉ ¶§¿ë ¤Ì¤Ð | 2017/05/12 | |
| ÇØÄð·¯ | unlink¿¡¼ p´Â /* consolidate backward */ if (!prev_inuse(p)) { prevsize = prev_size (p); size += prevsize; p = chunk_at_offset(p, -((long) prevsize)); unlink(av, p, bck, fwd); } ÀÌ·¸°Ô Á¤Àǵ˴ϴ٠p - p->prev_size |
2017/05/14 | |
| vngkv123 | °¨»çÇÕ´Ï´Ù ¤¾¤¾ | 2017/05/14 | |
|
|