Source code

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35

#include<stdio.h>
#include<stdlib.h>

int main()
{
        size_t * ptr[12];
        for(int i=0;i<12;i++)
        {
                ptr[i]=malloc(0x30);
        }
        int a=10;
        free(ptr[0]);
        free(ptr[1]);
        free(ptr[2]);
        free(ptr[3]);
        free(ptr[4]);
        free(ptr[5]);
        free(ptr[6]);
        free(ptr[7]);
        free(ptr[8]);
        free(ptr[9]);
        free(ptr[10]);
        free(ptr[9]);

        for(int i=0;i<7;i++)
        {
                ptr[i]=malloc(0x30);
        }
        ptr[7]=malloc(0x30);//9
        *(ptr[7])=&a;
        ptr[8]=malloc(0x30);//10
        ptr[9]=malloc(0x30);//9
        ptr[10]=malloc(0x30);
        ptr[11]=malloc(0x30);
}

compile

debug

Plus -g ensures that we can see the source code

Check the bins when all the freeings done.
We can figure out that the first seven chunks were sent to the suitable place of tcache while the last were sent to fast bin.
And here we have made the double free. There formed a loop in fast bin.

Check the bins again when the fist seven chunks were malloced. We can see that the rest chunks in fast bin were then sent to tcache.

Check the bins when the 9th chunk had been freed and exploited, we made it point to an address on stack, successfully.

Done.

review

This can be a image of tcache after double free:

Both the upside and down can be correct.

After malloc again and redirect.

Here comes the vulnerability: if we double free and redirect the chunk to some dangerous function like system and set the parameter as “/bin/sh” then we got the shell.

• ← Previous Post
• Next Post →