# Leaking the libc base via main\_arena

Preconditions

* The target host's libc.so is available
* Non-fastbin chunks can be allocated and freed

The unsorted bin is a doubly linked list; at its head, the 32-bit version points to

During free and malloc operations, the most recently freed chunk is linked at the head of the list, while allocation takes chunks starting from the tail of the list.

1. Debugging with pwndbg, when the unsorted bin holds several freed chunks, as in the figures: first free chunk2, i.e. 0x804a058, then free chunk1, i.e. 0x804a160.

![](/files/-LckmZ7UT1nM1SmLLbMW)

![](https://firebasestorage.googleapis.com/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LckC1dmB2Mb2F1Bgx_H%2Fuploads%2FOfnsTQClMxataA1U7BUh%2Ffile.png?alt=media)

The layout of the unsorted bin at this point is shown in the figure:

![](https://firebasestorage.googleapis.com/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LckC1dmB2Mb2F1Bgx_H%2Fuploads%2F8Bozb3KpNRz2BFRiWqZQ%2Ffile.png?alt=media)

2. Better still, when the unsorted bin holds only one freed chunk:

![](https://firebasestorage.googleapis.com/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LckC1dmB2Mb2F1Bgx_H%2Fuploads%2FvZrrSpniGo7UQ2m6WMYB%2Ffile.png?alt=media)

![](https://firebasestorage.googleapis.com/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LckC1dmB2Mb2F1Bgx_H%2Fuploads%2FRdCIH4US6G2Qh8T5Wvsa%2Ffile.png?alt=media)

fd and bk both point to

3. main\_arena lives in the .data section of libc.so.6, so once its offset is known we can recover the libc base. Here is how to find the address of main\_arena: open the libc file in IDA and search for the function malloc\_trim(), as shown in the figure below.

![](https://firebasestorage.googleapis.com/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LckC1dmB2Mb2F1Bgx_H%2Fuploads%2FZ6W3d8ivahfQAao8i4G3%2Ffile.png?alt=media)

Why this function? Compare it with the malloc.c source code, shown in the figure below.

![](https://firebasestorage.googleapis.com/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LckC1dmB2Mb2F1Bgx_H%2Fuploads%2F9VNwsE9HPZagctRQaeOY%2Ffile.png?alt=media)

Bingo!

PS: the demonstration above used a 32-bit program; a 64-bit program works the same way, but the 64-bit version points to
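As an added example (not code from the original note), the following C program reproduces the leak on a 64-bit Linux glibc system: it frees one chunk that is too large for the fastbins and for tcache, reads the bk pointer the allocator left in the freed chunk's user data, and checks against /proc/self/maps that the pointer lies inside libc. The chunk sizes, the `guard` allocation and the `libc_range` helper are assumptions of this example; the offset it prints is measured on the machine it runs on, not a value taken from the note.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Find the address range [lo, hi) covered by libc's mappings by parsing
   /proc/self/maps (Linux + glibc assumed). Returns 1 on success, 0 otherwise. */
int libc_range(uintptr_t *lo, uintptr_t *hi) {
    FILE *f = fopen("/proc/self/maps", "r");
    if (!f) return 0;
    char line[512];
    int found = 0;
    *lo = UINTPTR_MAX; *hi = 0;
    while (fgets(line, sizeof line, f)) {
        unsigned long s, e;
        if (!strstr(line, "/libc.so") && !strstr(line, "/libc-")) continue;
        if (sscanf(line, "%lx-%lx", &s, &e) != 2) continue;
        if (s < *lo) *lo = s;
        if (e > *hi) *hi = e;
        found = 1;
    }
    fclose(f);
    return found;
}

/* Reproduce the leak from the note: free one chunk that is too large for the
   fastbins and for tcache, then read the bk pointer glibc stored in its user data. */
uintptr_t leak_unsorted_bk(void) {
    volatile uintptr_t *victim = malloc(0x500); /* chunk size 0x510: not fastbin, not tcache */
    void *guard = malloc(0x500);                /* follows victim in memory, so victim cannot merge into top */
    free((void *)victim);                       /* victim is now the head of the unsorted bin */
    /* After the free, victim[0] holds fd and victim[1] holds bk. bk always points at
       the unsorted bin header inside main_arena; fd does so only if the bin was empty. */
    uintptr_t bk = victim[1];                   /* read-after-free: this is the leak itself */
    (void)guard;
    return bk;
}
/* With the offset of that pointer from libc's base known for the target libc
   (the note locates main_arena in IDA), a leaked bk gives the base directly. */
uintptr_t libc_base_from_leak(uintptr_t leaked_bk, uintptr_t bk_offset) {
    return leaked_bk - bk_offset;
}
int main(void) {
    uintptr_t lo, hi, bk = leak_unsorted_bk();   /* leak first, before stdio allocates anything */
    if (!libc_range(&lo, &hi)) return 1;
    printf("bk = %#lx  libc = [%#lx, %#lx)  bk - libc_base = %#lx\n",
           (unsigned long)bk, (unsigned long)lo, (unsigned long)hi, (unsigned long)(bk - lo));
    return (lo <= bk && bk < hi) ? 0 : 1;
}
```

Compile without sanitizers and run it as a normal process; the printed `bk - libc_base` is the per-libc constant that an exploit would have to know in advance, which is exactly what the IDA step in the note determines.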
