UAF_overflow_check
根据fuzz工具asan源码,对于UAF和堆溢出漏洞,这个工具对malloc与free做了如下HOOK:

UAF

#include <stdio.h>
#include <memory.h>
#include <stdlib.h>
#include <execinfo.h>
#include <signal.h>
#define STORESIZE sizeof(size_t)
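/*
 * Print the current call stack to stdout, one frame per line.
 *
 * This is called from the SIGSEGV handler, i.e. right after a fault that
 * this harness attributes to heap misuse.  backtrace_symbols() allocates
 * its result with malloc(), and the allocator state is exactly what
 * cannot be trusted at that point (it also leaked in the original loop);
 * backtrace_symbols_fd() writes the same lines straight to the descriptor
 * without touching the heap.
 */
void show_stack(void)
{
    enum { MAX_FRAMES = 1024 };
    void *frames[MAX_FRAMES];

    /* Earlier printf() output is buffered; flush it so the raw write below
     * does not appear ahead of it when stdout is a pipe or file. */
    fflush(stdout);

    int depth = backtrace(frames, MAX_FRAMES);
    if (depth > 0) {
        backtrace_symbols_fd(frames, depth, STDOUT_FILENO);
    }
}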
/*
 * Signal handler that main() installs for SIGSEGV.
 *
 * A fault while poisoned (0xFF-filled) freed memory is being used is the
 * use-after-free symptom this harness looks for: dump the call stack and
 * terminate.  Any other signal routed here is only reported.
 *
 * printf()/exit() are not async-signal-safe; the harness tolerates that
 * because it terminates immediately after printing in the SIGSEGV case.
 */
void signal_handler(int sig)
{
    switch (sig) {
    case SIGSEGV:
        show_stack();
        exit(-1);
    default:
        printf("signal with %d\n", sig);
        break;
    }
}
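/*
 * Release a block obtained from my_malloc().
 *
 * The user pointer is preceded by a size_t header holding the requested
 * length (see my_malloc).  Before the memory goes back to the allocator
 * the whole payload is filled with 0xFF, so that a later dereference
 * through a dangling pointer hits a poisoned value and faults instead of
 * silently reading stale data.
 *
 * addr: pointer returned by my_malloc(), or NULL, which is accepted as a
 *       no-op like free(NULL).  Any other pointer makes the header read
 *       below undefined.
 */
void my_free(void *addr)
{
    if (addr == NULL) {
        return;
    }

    /* The header is one size_t before the user pointer; my_malloc() stores
     * it at the aligned start of the raw allocation, so a direct load is
     * fine here. */
    size_t *raw = (size_t *)addr - 1;
    size_t len = *raw;

    /* %zu: the original %d with size_t arguments was a format mismatch. */
    printf("free addr:%p size:%zu append_size:%zu\n", addr, len, sizeof *raw);
    memset(addr, 0xFF, len);
    free(raw);
}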
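/*
 * Allocate len bytes for the caller with a size_t header in front.
 *
 * Raw layout: [len][payload...].  The header records the requested size so
 * that my_free() knows how many bytes to poison.
 *
 * Returns a pointer to the payload, or NULL when len plus the header would
 * wrap size_t or the underlying malloc() fails.  The result must be
 * released with my_free(), never with free() directly.
 */
void *my_malloc(size_t len)
{
    const size_t header = sizeof(size_t);

    /* len + header must not wrap, or malloc() would return a block far
     * smaller than the caller asked for and the header store would land
     * outside it. */
    if (len > SIZE_MAX - header) {
        return NULL;
    }

    size_t *raw = malloc(len + header);
    if (raw == NULL) {
        return NULL;
    }

    *raw = len;
    void *user = raw + 1;
    /* %zu: the original %d with size_t arguments was a format mismatch. */
    printf("malloc addr:%p size:%zu app_size:%zu\n", user, len, header);
    return user;
}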
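/*
 * Entry point of the test harness: route SIGSEGV to signal_handler() so
 * that a fault caused by touching poisoned memory prints a stack trace,
 * then run the code under test.
 *
 * do() is the page's placeholder for the test body; substitute the code
 * whose malloc/free calls were redirected to my_malloc/my_free.
 *
 * Returns 0 on normal completion; the SIGSEGV path terminates from the
 * handler instead.
 */
int main(void)
{
    /* Without the handler a fault would still kill the process, but the
     * stack trace that makes the report useful would be lost. */
    if (signal(SIGSEGV, signal_handler) == SIG_ERR) {
        perror("signal");
        return EXIT_FAILURE;
    }
    do();
    return 0;
}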
在malloc的时候多分配一个size_t大小用于存储malloc的buffer大小,并放置在buffer前。
在free的时候获取存储的buffer大小进行memset,然后再释放。
如果存在重用已释放堆块内指针的行为,程序因Segmentation fault崩溃时会打印堆栈。(为测试代码添加了signal处理函数)

overflow

#include <stdio.h>
#include <memory.h>
#include <stdlib.h>
#include <execinfo.h>
#include <signal.h>
#define STORESIZE sizeof(size_t)
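/*
 * Release a block obtained from the overflow-checking my_malloc().
 *
 * Raw layout: [len][payload][len].  A write past the end of the payload
 * lands on the trailing copy of len, so comparing the two copies at free
 * time detects a heap buffer overflow.  The check compares the header
 * against the value stored in the trailer; an earlier form of this check
 * compared the header against the address addr + len, which never matches
 * and so reported an overflow on every free.
 *
 * The comparison runs before the payload is poisoned so that a corrupted
 * trailer is reported together with the stack of the free() call; the
 * payload is then filled with 0xFF to make later use-after-free visible.
 * A corrupted *header* (underflow) is not detected here: len would be
 * garbage and the trailer read could itself fault.
 *
 * addr: pointer returned by my_malloc(), or NULL (no-op, like free(NULL)).
 */
void my_free(void *addr)
{
    if (addr == NULL) {
        return;
    }

    size_t *raw = (size_t *)addr - 1;
    size_t len = *raw;
    const size_t overhead = 2 * sizeof(size_t);

    /* %zu: the original %d with size_t arguments was a format mismatch. */
    printf("free addr:%p size:%zu append_size:%zu\n", addr, len, overhead);

    /* The trailer sits at addr + len, which is not size_t-aligned for an
     * arbitrary len; copy it out rather than dereferencing it in place. */
    size_t tail;
    memcpy(&tail, (unsigned char *)addr + len, sizeof tail);
    if (tail != len) {
        printf("heap over_flow!\n");
        show_stack();
        exit(-1);
    }

    memset(addr, 0xFF, len);
    free(raw);
}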
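/*
 * Allocate len bytes for the caller, bracketed by two copies of len.
 *
 * Raw layout: [len][payload][len].  The leading copy tells my_free() how
 * much to poison; the trailing copy is the canary that a write past the
 * end of the payload overwrites, which my_free() then reports.
 *
 * Returns a pointer to the payload, or NULL when len plus the two guards
 * would wrap size_t or the underlying malloc() fails.  Release the result
 * with my_free(), never with free() directly.
 */
void *my_malloc(size_t len)
{
    const size_t guard = sizeof(size_t);
    const size_t overhead = 2 * guard;

    /* len + overhead must not wrap, or the guards would be written outside
     * a much smaller block. */
    if (len > SIZE_MAX - overhead) {
        return NULL;
    }

    size_t *raw = malloc(len + overhead);
    if (raw == NULL) {
        return NULL;
    }

    *raw = len; /* header: at the aligned start of the allocation */
    unsigned char *user = (unsigned char *)(raw + 1);
    /* The trailer at user + len is unaligned for arbitrary len; memcpy
     * avoids a misaligned size_t store. */
    memcpy(user + len, &len, sizeof len);

    /* %zu: the original %d with size_t arguments was a format mismatch. */
    printf("malloc addr:%p size:%zu app_size:%zu\n", (void *)user, len, overhead);
    return user;
}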
溢出的检测是在malloc的buffer前后分别添加一个buffer的size,类似[len][buffer][len];在free的时候检测头尾的len是否相等,如不相等则说明发生了溢出。