unsortedbin

unsorted bin

是循环双向链表结构 而且是先进先出(先进入unsortedbin的先参与下次分配 相同大小情况)

参考Fastbin attack&&Double free和Unsortbin leak的综合使用 - CH13hh - 博客园 (cnblogs.com)

Unsorted Bin Attack - CTF Wiki (ctf-wiki.org)

获取libc基址

当只有一个unsortbin的时候，其fd和bk指向main_arena+0x60(unsorted bin 起始指针)处

如果有多个unsortbin

每次分配以unsorted bin 起始指针的bk为主

> graph BT;
subgraph LR B["free_2"];
head2["addr"]
fd2["fd"]
bk2["bk"]
end;
subgraph LR A["free_1"];
head1["addr"]
bk1["bk"]
fd1["fd"]
end;
subgraph LR C["unsorted bin pointer"];
head3["addr"]
fd3["fd"]
bk3["bk"]
end;
fd2-->head1
bk2-->head3
fd1-->head3
bk1-->head2
fd3-->head2
bk3-->head1

exp:

#第一次
tcachebins
0x30 [  1]: 0x55555555f260 ◂— 0
fastbins
empty
unsortedbin
all: 0x55555555f280 —▸ 0x7ffff7dcdca0 ◂— 0x55555555f280
smallbins
empty
largebins
empty
gdb-peda$ x/16x 0x55555555f280
0x55555555f280: 0x0000000000000000      0x0000000000000471
0x55555555f290: 0x00007ffff7dcdca0      0x00007ffff7dcdca0
0x55555555f2a0: 0x0000000000000000      0x0000000000000000
0x55555555f2b0: 0x0000000000000000      0x0000000000000000
0x55555555f2c0: 0x0000000000000000      0x0000000000000000
0x55555555f2d0: 0x0000000000000000      0x0000000000000000
0x55555555f2e0: 0x0000000000000000      0x0000000000000000
gdb-peda$ x/16x 0x7ffff7dcdca0
0x7ffff7dcdca0: 0x000055555555fbe0      0x0000000000000000
0x7ffff7dcdcb0: 0x000055555555f280      0x000055555555f280
0x7ffff7dcdcc0: 0x00007ffff7dcdcb0      0x00007ffff7dcdcb0
0x7ffff7dcdcd0: 0x00007ffff7dcdcc0      0x00007ffff7dcdcc0
0x7ffff7dcdce0: 0x00007ffff7dcdcd0      0x00007ffff7dcdcd0
0x7ffff7dcdcf0: 0x00007ffff7dcdce0      0x00007ffff7dcdce0
0x7ffff7dcdd00: 0x00007ffff7dcdcf0      0x00007ffff7dcdcf0
0x7ffff7dcdd10: 0x00007ffff7dcdd00      0x00007ffff7dcdd00
#第二次
gdb-peda$ bin
tcachebins
0x30 [  2]: 0x55555555f700 —▸ 0x55555555f260 ◂— 0
fastbins
empty
unsortedbin
all: 0x55555555f720 —▸ 0x55555555f280 —▸ 0x7ffff7dcdca0 ◂— 0x55555555f720
smallbins
empty
largebins
empty
gdb-peda$ x/16x 0x55555555f720
0x55555555f720: 0x0000000000000000      0x0000000000000471
0x55555555f730: 0x000055555555f280      0x00007ffff7dcdca0
0x55555555f740: 0x0000000000000000      0x0000000000000000
0x55555555f750: 0x0000000000000000      0x0000000000000000
0x55555555f760: 0x0000000000000000      0x0000000000000000
0x55555555f770: 0x0000000000000000      0x0000000000000000
0x55555555f780: 0x0000000000000000      0x0000000000000000
0x55555555f790: 0x0000000000000000      0x0000000000000000
gdb-peda$ x/16x 0x55555555f280
0x55555555f280: 0x0000000000000000      0x0000000000000471
0x55555555f290: 0x00007ffff7dcdca0      0x000055555555f720
0x55555555f2a0: 0x0000000000000000      0x0000000000000000
0x55555555f2b0: 0x0000000000000000      0x0000000000000000
0x55555555f2c0: 0x0000000000000000      0x0000000000000000
0x55555555f2d0: 0x0000000000000000      0x0000000000000000
0x55555555f2e0: 0x0000000000000000      0x0000000000000000
0x55555555f2f0: 0x0000000000000000      0x0000000000000000
gdb-peda$ x/16x 0x7ffff7dcdca0
0x7ffff7dcdca0: 0x000055555555fbe0      0x0000000000000000
0x7ffff7dcdcb0: 0x000055555555f720      0x000055555555f280
0x7ffff7dcdcc0: 0x00007ffff7dcdcb0      0x00007ffff7dcdcb0
0x7ffff7dcdcd0: 0x00007ffff7dcdcc0      0x00007ffff7dcdcc0
0x7ffff7dcdce0: 0x00007ffff7dcdcd0      0x00007ffff7dcdcd0
0x7ffff7dcdcf0: 0x00007ffff7dcdce0      0x00007ffff7dcdce0
0x7ffff7dcdd00: 0x00007ffff7dcdcf0      0x00007ffff7dcdcf0
0x7ffff7dcdd10: 0x00007ffff7dcdd00      0x00007ffff7dcdd00
#重新分配相同大小的
gdb-peda$ bin
tcachebins
0x30 [  1]: 0x55555555f260 ◂— 0
fastbins
empty
unsortedbin
all: 0x55555555f720 —▸ 0x7ffff7dcdca0 ◂— 0x55555555f720
smallbins
empty
largebins
empty

所以如果拿到一个unsortbin则可通过uaf获取对应基址

计算方法:

确认main_arena相对libc的偏移地址_如何计算unsorted bin到 main arena的偏移-CSDN博客