mirror of
https://github.com/carlospolop/hacktricks
synced 2024-11-28 23:51:29 +00:00
139 lines
5.6 KiB
Markdown
139 lines
5.6 KiB
Markdown
|
# 双重释放
|
|||
|
|
|
|||
|
|
<details>
|
|||
|
|
|
|||
|
|
<summary><strong>从零开始学习AWS黑客技术,成为专家</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE(HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
|||
|
|
|
|||
|
|
支持HackTricks的其他方式:
|
|||
|
|
|
|||
|
|
* 如果您想看到您的**公司在HackTricks中做广告**或**下载PDF格式的HackTricks**,请查看[**订阅计划**](https://github.com/sponsors/carlospolop)!
|
|||
|
|
* 获取[**官方PEASS & HackTricks周边产品**](https://peass.creator-spring.com)
|
|||
|
|
* 探索[**PEASS家族**](https://opensea.io/collection/the-peass-family),我们的独家[**NFTs**](https://opensea.io/collection/the-peass-family)
|
|||
|
|
* **加入** 💬 [**Discord群**](https://discord.gg/hRep4RUj7f) 或 [**电报群**](https://t.me/peass) 或 **关注**我们的**Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**。**
|
|||
|
|
* 通过向[**HackTricks**](https://github.com/carlospolop/hacktricks)和[**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github仓库提交PR来分享您的黑客技巧。
|
|||
|
|
|
|||
|
|
</details>
|
|||
|
|
|
|||
|
|
## 基本信息
|
|||
|
|
|
|||
|
|
如果释放一块内存超过一次,可能会破坏分配器的数据并为攻击打开大门。事情是这样发生的:当您释放一块内存时,它会回到空闲块的列表中(例如“fastbin”)。如果连续两次释放相同的内存块,则分配器会检测到这一点并报错。但是,如果**在两次释放之间释放另一块内存块,则会绕过双重释放检查**,导致数据损坏。
|
|||
|
|
|
|||
|
|
现在,当您请求新的内存(使用`malloc`)时,分配器可能会给您一个**已经释放两次的块**。这可能导致两个不同的指针指向相同的内存位置。如果攻击者控制其中一个指针,他们可以更改该内存的内容,这可能会导致安全问题,甚至允许他们执行代码。
|
|||
|
|
|
|||
|
|
示例:
|
|||
|
|
```c
|
|||
|
|
#include <stdio.h>
|
|||
|
|
#include <stdlib.h>
|
|||
|
|
|
|||
|
|
int main() {
|
|||
|
|
// Allocate memory for three chunks
|
|||
|
|
char *a = (char *)malloc(10);
|
|||
|
|
char *b = (char *)malloc(10);
|
|||
|
|
char *c = (char *)malloc(10);
|
|||
|
|
char *d = (char *)malloc(10);
|
|||
|
|
char *e = (char *)malloc(10);
|
|||
|
|
char *f = (char *)malloc(10);
|
|||
|
|
char *g = (char *)malloc(10);
|
|||
|
|
char *h = (char *)malloc(10);
|
|||
|
|
char *i = (char *)malloc(10);
|
|||
|
|
|
|||
|
|
// Print initial memory addresses
|
|||
|
|
printf("Initial allocations:\n");
|
|||
|
|
printf("a: %p\n", (void *)a);
|
|||
|
|
printf("b: %p\n", (void *)b);
|
|||
|
|
printf("c: %p\n", (void *)c);
|
|||
|
|
printf("d: %p\n", (void *)d);
|
|||
|
|
printf("e: %p\n", (void *)e);
|
|||
|
|
printf("f: %p\n", (void *)f);
|
|||
|
|
printf("g: %p\n", (void *)g);
|
|||
|
|
printf("h: %p\n", (void *)h);
|
|||
|
|
printf("i: %p\n", (void *)i);
|
|||
|
|
|
|||
|
|
// Fill tcache
|
|||
|
|
free(a);
|
|||
|
|
free(b);
|
|||
|
|
free(c);
|
|||
|
|
free(d);
|
|||
|
|
free(e);
|
|||
|
|
free(f);
|
|||
|
|
free(g);
|
|||
|
|
|
|||
|
|
// Introduce double-free vulnerability in fast bin
|
|||
|
|
free(h);
|
|||
|
|
free(i);
|
|||
|
|
free(h);
|
|||
|
|
|
|||
|
|
|
|||
|
|
// Reallocate memory and print the addresses
|
|||
|
|
char *a1 = (char *)malloc(10);
|
|||
|
|
char *b1 = (char *)malloc(10);
|
|||
|
|
char *c1 = (char *)malloc(10);
|
|||
|
|
char *d1 = (char *)malloc(10);
|
|||
|
|
char *e1 = (char *)malloc(10);
|
|||
|
|
char *f1 = (char *)malloc(10);
|
|||
|
|
char *g1 = (char *)malloc(10);
|
|||
|
|
char *h1 = (char *)malloc(10);
|
|||
|
|
char *i1 = (char *)malloc(10);
|
|||
|
|
char *i2 = (char *)malloc(10);
|
|||
|
|
|
|||
|
|
// Print initial memory addresses
|
|||
|
|
printf("After reallocations:\n");
|
|||
|
|
printf("a1: %p\n", (void *)a1);
|
|||
|
|
printf("b1: %p\n", (void *)b1);
|
|||
|
|
printf("c1: %p\n", (void *)c1);
|
|||
|
|
printf("d1: %p\n", (void *)d1);
|
|||
|
|
printf("e1: %p\n", (void *)e1);
|
|||
|
|
printf("f1: %p\n", (void *)f1);
|
|||
|
|
printf("g1: %p\n", (void *)g1);
|
|||
|
|
printf("h1: %p\n", (void *)h1);
|
|||
|
|
printf("i1: %p\n", (void *)i1);
|
|||
|
|
printf("i2: %p\n", (void *)i1);
|
|||
|
|
|
|||
|
|
return 0;
|
|||
|
|
}
|
|||
|
|
```
|
|||
|
|
在这个例子中,填充了tcache与多个已释放的块后,代码**释放了块`h`,然后是块`i`,然后再次释放`h`,导致双重释放错误**。这打开了重新分配时接收重叠内存地址的可能性,意味着两个或更多指针可以指向相同的内存位置。通过一个指针操纵数据然后可以影响另一个,从而创建了严重的安全风险和潜在的利用可能。
|
|||
|
|
|
|||
|
|
执行后,注意**`i1`和`i2`获得了相同的地址**:
|
|||
|
|
|
|||
|
|
<pre><code>初始分配:
|
|||
|
|
a: 0xaaab0f0c22a0
|
|||
|
|
b: 0xaaab0f0c22c0
|
|||
|
|
c: 0xaaab0f0c22e0
|
|||
|
|
d: 0xaaab0f0c2300
|
|||
|
|
e: 0xaaab0f0c2320
|
|||
|
|
f: 0xaaab0f0c2340
|
|||
|
|
g: 0xaaab0f0c2360
|
|||
|
|
h: 0xaaab0f0c2380
|
|||
|
|
i: 0xaaab0f0c23a0
|
|||
|
|
重新分配后:
|
|||
|
|
a1: 0xaaab0f0c2360
|
|||
|
|
b1: 0xaaab0f0c2340
|
|||
|
|
c1: 0xaaab0f0c2320
|
|||
|
|
d1: 0xaaab0f0c2300
|
|||
|
|
e1: 0xaaab0f0c22e0
|
|||
|
|
f1: 0xaaab0f0c22c0
|
|||
|
|
g1: 0xaaab0f0c22a0
|
|||
|
|
h1: 0xaaab0f0c2380
|
|||
|
|
<strong>i1: 0xaaab0f0c23a0
|
|||
|
|
</strong><strong>i2: 0xaaab0f0c23a0
|
|||
|
|
</strong></code></pre>
|
|||
|
|
|
|||
|
|
## 参考
|
|||
|
|
|
|||
|
|
* [https://heap-exploitation.dhavalkapil.com/attacks/double\_free](https://heap-exploitation.dhavalkapil.com/attacks/double\_free)
|
|||
|
|
|
|||
|
|
<details>
|
|||
|
|
|
|||
|
|
<summary><strong>从零开始学习AWS黑客技术,成为专家</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
|||
|
|
|
|||
|
|
支持HackTricks的其他方式:
|
|||
|
|
|
|||
|
|
* 如果您想看到您的**公司在HackTricks中做广告**或**下载PDF格式的HackTricks**,请查看[**订阅计划**](https://github.com/sponsors/carlospolop)!
|
|||
|
|
* 获取[**官方PEASS & HackTricks周边产品**](https://peass.creator-spring.com)
|
|||
|
|
* 发现[**PEASS家族**](https://opensea.io/collection/the-peass-family),我们独家的[**NFTs**](https://opensea.io/collection/the-peass-family)收藏品
|
|||
|
|
* **加入** 💬 [**Discord群**](https://discord.gg/hRep4RUj7f) 或 [**电报群**](https://t.me/peass) 或在**Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**上**关注我们。
|
|||
|
|
* 通过向[**HackTricks**](https://github.com/carlospolop/hacktricks)和[**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github仓库提交PR来分享您的黑客技巧。
|
|||
|
|
|
|||
|
|
</details>
|