源码
#include <stdio.h>
#include <stdlib.h>
int main()
{
printf("This file demonstrates a simple double-free attack with fastbins.\n");
printf("Allocating 3 buffers.\n");
int *a = malloc(8);
int *b = malloc(8);
int *c = malloc(8);
printf("1st malloc(8): %p\n", a);
printf("2nd malloc(8): %p\n", b);
printf("3rd malloc(8): %p\n", c);
printf("Freeing the first one...\n");
free(a);
printf("If we free %p again, things will crash because %p is at the top of the free list.\n", a, a);
// free(a);
printf("So, instead, we‘ll free %p.\n", b);
free(b);
printf("Now, we can free %p again, since it‘s not the head of the free list.\n", a);
free(a);
printf("Now the free list has [ %p, %p, %p ]. If we malloc 3 times, we‘ll get %p twice!\n", a, b, a, a);
printf("1st malloc(8): %p\n", malloc(8));
printf("2nd malloc(8): %p\n", malloc(8));
printf("3rd malloc(8): %p\n", malloc(8));
}
执行输出:
[email protected]:~/pwn/how2heap$ ./fastbin_dup This file demonstrates a simple double-free attack with fastbins. Allocating 3 buffers. 1st malloc(8): 0x2509420 2nd malloc(8): 0x2509440 3rd malloc(8): 0x2509460 Freeing the first one... If we free 0x2509420 again, things will crash because 0x2509420 is at the top of the free list. So, instead, we‘ll free 0x2509440. Now, we can free 0x2509420 again, since it‘s not the head of the free list. Now the free list has [ 0x2509420, 0x2509440, 0x2509420 ]. If we malloc 3 times, we‘ll get 0x2509420 twice! 1st malloc(8): 0x2509420 2nd malloc(8): 0x2509440 3rd malloc(8): 0x2509420
这一节也只是阐述了double free的概念和基本条件,没什么好说的,下一节进行利用double free技术的实战
时间: 2024-08-03 15:19:30