@Jinmo
Created February 15, 2019 15:27
A hard way to do memcpy
// The whole code below does container[2] = buf[0], by way of glibc's tcache
// free list instead of an assignment. It targets the tcache as shipped in
// glibc 2.27/2.28 (it predates the 2.29 tcache key and 2.32 safe-linking).
#include <stdio.h>
#include <stdlib.h>

#define SIZE 0x100

// Fake chunk: container[1] is the size field (0x110 with PREV_INUSE set), so
// container + 2 is what free() treats as the user pointer. The 0x10 alignment
// is needed for free() to accept the chunk at all.
__attribute__((aligned(0x10)))
long container[] = {0, 0x100 + 0x11, 0};

int main() {
    long buf[] = {0x41414141};

    // Prevent tcache_count being -1: seed the 0x110 bin with two entries so
    // the later malloc() calls never drive the bin counter below zero.
    void *a = malloc(SIZE);
    void *b = malloc(SIZE);
    free(a);
    free(b);

    // Modify tcache fd: x goes back to the head of the bin, and its first
    // quadword (the next pointer) is overwritten with the address of buf.
    long *x = (long *)malloc(SIZE);
    free(x);
    *x = (long)buf;

    // The first malloc() returns x, the second returns buf; the bin head is
    // now whatever buf[0] holds (0x41414141).
    malloc(SIZE);
    malloc(SIZE);

    // free()ing the fake chunk links it in at the head, which writes the old
    // head (buf[0]) into its next field, i.e. into container[2].
    free(container + 2);

    fprintf(stderr, "Now the container[2]'s value is: 0x%lx\n", container[2]);
    return 0;
}
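The "modify tcache fd" step above only works because the 2.27-era tcache stores next pointers unmangled. The following is an added example, not part of the gist, that models the mitigation glibc 2.32 introduced for exactly this write: safe-linking mangles every stored next pointer with the address of the field holding it (PROTECT_PTR in glibc's malloc.c) and rejects a revealed pointer that is not 16-byte aligned. The mangling formula is glibc's; the helper names and the sample heap and stack addresses are constructed here for illustration.

```c
// Added example (not the gist's code): a standalone model of glibc >= 2.32
// safe-linking, showing why writing a raw pointer into a freed chunk's next
// field no longer makes malloc() hand that pointer back.
#include <stdint.h>
#include <stdio.h>

// glibc: PROTECT_PTR(pos, ptr) = ((size_t)pos >> 12) ^ (size_t)ptr, where pos
// is the address of the `next` field the pointer is stored in.
uintptr_t protect_ptr(uintptr_t pos, uintptr_t ptr) {
    return (pos >> 12) ^ ptr;
}

// glibc: REVEAL_PTR(ptr) = PROTECT_PTR(&ptr, ptr); the same XOR, so it is its
// own inverse when the writer knew the field address.
uintptr_t reveal_ptr(uintptr_t pos, uintptr_t stored) {
    return (pos >> 12) ^ stored;
}

// glibc additionally aborts ("malloc(): unaligned tcache chunk detected") when
// the revealed pointer is not MALLOC_ALIGNMENT (16 on x86_64) aligned.
int tcache_would_accept(uintptr_t pos, uintptr_t stored) {
    return (reveal_ptr(pos, stored) & 0xf) == 0;
}

// Scenario 1: the allocator itself linked `next` in at `pos` (mangled write).
// Returns 1 when the stored value resolves back to `next`.
int legit_link_round_trips(uintptr_t pos, uintptr_t next) {
    return reveal_ptr(pos, protect_ptr(pos, next)) == next;
}

// Scenario 2: the gist's `*x = (long)buf`, a raw (unmangled) pointer write.
// Returns 1 only if the allocator would still resolve it to `raw`, which
// happens solely when pos >> 12 == 0.
int raw_write_resolves(uintptr_t pos, uintptr_t raw) {
    return reveal_ptr(pos, raw) == raw;
}

int main(void) {
    // Constructed sample addresses: a freed chunk on a typical PIE heap and a
    // stack buffer. Any pos with a non-zero (pos >> 12) behaves the same way.
    uintptr_t pos = 0x555555559290;  // user pointer of the freed chunk x
    uintptr_t buf = 0x7fffffffe0c0;  // the target the gist wants malloc() to return

    printf("allocator-written link resolves : %d\n", legit_link_round_trips(pos, buf));
    printf("raw pointer write resolves      : %d\n", raw_write_resolves(pos, buf));
    printf("raw write actually resolves to  : 0x%lx\n", (unsigned long)reveal_ptr(pos, buf));
    printf("allocator accepts the raw write : %d\n", tcache_would_accept(pos, buf));
    return 0;
}
```

With these sample values the raw write resolves to 0x7ffaaaaab599, which is both the wrong address and unaligned, so a 2.32+ malloc() aborts rather than returning buf. The only way to store a usable pointer is to know the address of the field being written, which is the extra condition safe-linking imposes on this technique.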