@inaz2
Created June 3, 2017 08:32
use-after-free on glibc's ptmalloc (Ubuntu 16.04.2, Ubuntu GLIBC 2.23-0ubuntu7)
$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 16.04.2 LTS
Release: 16.04
Codename: xenial
$ /lib/x86_64-linux-gnu/libc.so.6
GNU C Library (Ubuntu GLIBC 2.23-0ubuntu7) stable release version 2.23, by Roland McGrath et al.
Copyright (C) 2016 Free Software Foundation, Inc.
This is free software; see the source for copying conditions.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
Compiled by GNU CC version 5.4.0 20160609.
Available extensions:
crypt add-on version 2.1 by Michael Glad and others
GNU Libidn by Simon Josefsson
Native POSIX Threads Library by Ulrich Drepper et al
BIND-8.2.3-T5B
libc ABIs: UNIQUE IFUNC
For bug reporting instructions, please see:
<https://bugs.launchpad.net/ubuntu/+source/glibc/+bugs>.
$ g++ test.c
$ ./a.out
meow
[+] cat = 0x1451c20
boom!
test.c:

#include <stdio.h>
#include <stdlib.h>

// 0x28 bytes on x86-64: an 8-byte vtable pointer followed by name[0x20].
class Cat {
    char name[0x20];
public:
    virtual void cry() { puts("meow"); }
};

void boom()
{
    puts("boom!");
    system("sl");
    exit(1);
}

int main()
{
    Cat *cat = new Cat();
    cat->cry();
    printf("[+] cat = %p\n", cat);
    delete cat;                 // chunk goes to the fastbin; 'cat' still points at it

    // A 0x24-byte request rounds up to the same chunk size as Cat, so ptmalloc
    // hands back the freed Cat chunk: p aliases the dead object.
    char *p = new char[0x24];

    // vtable overwrite: the first 8 bytes of the chunk are Cat's vtable pointer.
    // Make them point at 'ptr', which acts as a one-entry fake vtable whose
    // slot 0 (cry) is boom.
    void (*ptr)() = boom;
    *(void **)p = &ptr;

    // use-after-free: the virtual call goes through the fake vtable.
    cat->cry();
    return 0;
}
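Added example, not part of the gist: it shows why the 0x24-byte buffer lands on the freed Cat (both requests round to the same ptmalloc chunk size, using glibc's request2size arithmetic with the x86-64 constants assumed here: SIZE_SZ = 8, MALLOC_ALIGNMENT = 16, MINSIZE = 32) and gives a hardened version of main() in which no pointer to the destroyed object survives.

```cpp
#include <cstddef>
#include <cstdio>
#include <memory>

// glibc ptmalloc request2size() for x86-64 (assumed constants, see lead-in).
constexpr std::size_t SIZE_SZ = sizeof(std::size_t);          // 8
constexpr std::size_t MALLOC_ALIGN_MASK = 2 * SIZE_SZ - 1;     // 15
constexpr std::size_t MINSIZE = 4 * SIZE_SZ;                   // 32

// Size of the chunk ptmalloc actually allocates for a request of 'req' bytes.
constexpr std::size_t request2size(std::size_t req) {
    return (req + SIZE_SZ + MALLOC_ALIGN_MASK < MINSIZE)
               ? MINSIZE
               : (req + SIZE_SZ + MALLOC_ALIGN_MASK) & ~MALLOC_ALIGN_MASK;
}

// True when two requests share a size class: a chunk freed for the first
// request can be handed straight back for the second (fastbin reuse).
constexpr bool same_size_class(std::size_t a, std::size_t b) {
    return request2size(a) == request2size(b);
}

// Same layout as the gist's Cat: vtable pointer + name[0x20] = 0x28 bytes.
class Cat {
    char name[0x20];
public:
    virtual void cry() { puts("meow"); }
};

// Hardened counterpart of the gist's main(): ownership is bound to a scope,
// the object is destroyed when that scope ends, and the name 'cat' cannot be
// used afterwards, so the later allocation cannot be reached through it.
int safe_main() {
    {
        auto cat = std::make_unique<Cat>();
        cat->cry();
    }   // Cat destroyed here; no dangling pointer remains in scope
    std::unique_ptr<char[]> p(new char[0x24]);   // may reuse the chunk, harmlessly
    p[0] = 0;
    return 0;
}
```

The size-class check reproduces the gist's numbers: request2size(0x28) and request2size(0x24) are both 0x30, which is why the buffer overlays the dead Cat.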