Reference

https://sploitfun.wordpress.com/2015/06/09/off-by-one-vulnerability-heap-based/

https://sploitfun.wordpress.com/2015/06/07/off-by-one-vulnerability-stack-based-2/

https://sploitfun.wordpress.com/2015/02/26/heap-overflow-using-unlink/

https://sploitfun.wordpress.com/2015/02/10/understanding-glibc-malloc/

Vuln

Off-by-one, as the name suggests, is a vulnerability that gives control over a single byte. It typically arises during string input: after the program reads the string into a buffer, it writes the terminating 0x00 one byte past the end of that buffer.
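The following is an added illustration, not code from the original page or from the referenced sploitfun posts. It shows the bug pattern described above in a constructed line reader: the loop copies up to `len` bytes and then writes the terminator, which lands at `buf[len]` when the input fills the buffer. A second function reserves the last byte for the terminator. The `region` array and the `0x101` size value are constructed stand-ins for a heap chunk's user data followed by the next chunk's size field (0x100 with the PREV_INUSE bit set); the names `read_line_buggy`, `read_line_fixed` and `low_size_byte_after` are hypothetical.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed buggy reader: copies up to `len` bytes, then writes the
 * terminating 0x00. When the input fills the buffer, i == len and the
 * terminator lands one byte past the end. On the heap that byte is the
 * low byte of the next chunk's size field. */
size_t read_line_buggy(char *buf, size_t len, const char *src) {
    size_t i = 0;
    while (i < len && src[i] != '\0' && src[i] != '\n') {
        buf[i] = src[i];
        i++;
    }
    buf[i] = '\0';   /* bug: writes buf[len] when the input is long enough */
    return i;
}

/* Hardened reader: reserves the last byte of the buffer for the
 * terminator, so the write never leaves the buffer. */
size_t read_line_fixed(char *buf, size_t len, const char *src) {
    size_t i = 0;
    if (len == 0)
        return 0;
    while (i < len - 1 && src[i] != '\0' && src[i] != '\n') {
        buf[i] = src[i];
        i++;
    }
    buf[i] = '\0';   /* i <= len - 1, always inside the buffer */
    return i;
}

/* Runs a reader over a constructed 24-byte region: 16 bytes standing in
 * for chunk1's user data, followed by 8 bytes standing in for chunk2's
 * size field. The size is 0x101 (little-endian): 0x100 with the
 * PREV_INUSE bit set. Returns the low byte of that size field after the
 * read, so the caller can see whether PREV_INUSE was cleared. */
unsigned char low_size_byte_after(size_t (*reader)(char *, size_t, const char *)) {
    unsigned char region[24];
    const char *input = "AAAAAAAAAAAAAAAAAAAAAAAA"; /* constructed: 24 bytes, longer than the buffer */
    memset(region, 0, sizeof region);
    region[16] = 0x01;  /* low byte of 0x101: size 0x100, PREV_INUSE = 1 */
    region[17] = 0x01;
    reader((char *)region, 16, input);
    return region[16];
}

int main(void) {
    /* 0x00 from the buggy reader: PREV_INUSE cleared, chunk1 now looks free.
     * 0x01 from the fixed reader: the size field is untouched. */
    printf("buggy: size low byte = 0x%02x\n", low_size_byte_after(read_line_buggy));
    printf("fixed: size low byte = 0x%02x\n", low_size_byte_after(read_line_fixed));
    return 0;
}
```

The buggy reader turns 0x101 into 0x100, clearing the PREV_INUSE bit; that single cleared bit is what makes the allocator treat the preceding chunk as free, which the section below builds on. The fix is simply to make the terminator count toward the buffer length.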

Exp

The usual exploitation approach is to combine it with unlink. First, fill chunk1 completely so that the lowest byte of chunk2's size field becomes 0. chunk2 then considers chunk1 to be free, and free(chunk2) merges it backward into chunk1. The layout is as follows:

fake_size fake_fd fake_bk pad fake_pre_size size(0x100)

Ensure fake_pre_size == size, so that the backward consolidation triggers unlink.
