how2heap分析系列:2_fastbin_dup
Posted
tags:
篇首语:本文由小常识网(cha138.com)小编为大家整理,主要介绍了how2heap分析系列:2_fastbin_dup相关的知识,希望对你有一定的参考价值。
源码
#include <stdio.h> #include <stdlib.h> int main() { printf("This file demonstrates a simple double-free attack with fastbins.\n"); printf("Allocating 3 buffers.\n"); int *a = malloc(8); int *b = malloc(8); int *c = malloc(8); printf("1st malloc(8): %p\n", a); printf("2nd malloc(8): %p\n", b); printf("3rd malloc(8): %p\n", c); printf("Freeing the first one...\n"); free(a); printf("If we free %p again, things will crash because %p is at the top of the free list.\n", a, a); // free(a); printf("So, instead, we‘ll free %p.\n", b); free(b); printf("Now, we can free %p again, since it‘s not the head of the free list.\n", a); free(a); printf("Now the free list has [ %p, %p, %p ]. If we malloc 3 times, we‘ll get %p twice!\n", a, b, a, a); printf("1st malloc(8): %p\n", malloc(8)); printf("2nd malloc(8): %p\n", malloc(8)); printf("3rd malloc(8): %p\n", malloc(8)); }
执行输出:
[email protected]:~/pwn/how2heap$ ./fastbin_dup This file demonstrates a simple double-free attack with fastbins. Allocating 3 buffers. 1st malloc(8): 0x2509420 2nd malloc(8): 0x2509440 3rd malloc(8): 0x2509460 Freeing the first one... If we free 0x2509420 again, things will crash because 0x2509420 is at the top of the free list. So, instead, we‘ll free 0x2509440. Now, we can free 0x2509420 again, since it‘s not the head of the free list. Now the free list has [ 0x2509420, 0x2509440, 0x2509420 ]. If we malloc 3 times, we‘ll get 0x2509420 twice! 1st malloc(8): 0x2509420 2nd malloc(8): 0x2509440 3rd malloc(8): 0x2509420
这一节也只是阐述了double free的概念和基本条件,没什么好说的,下一节进行利用double free技术的实战
以上是关于how2heap分析系列:2_fastbin_dup的主要内容,如果未能解决你的问题,请参考以下文章