源码
#include <stdio.h>
#include <stdlib.h>
int main()
{
printf("This file demonstrates a simple double-free attack with fastbins.\n");
printf("Allocating 3 buffers.\n");
);
);
);
printf("1st malloc(8): %p\n", a);
printf("2nd malloc(8): %p\n", b);
printf("3rd malloc(8): %p\n", c);
printf("Freeing the first one...\n");
free(a);
printf("If we free %p again, things will crash because %p is at the top of the free list.\n", a, a);
// free(a);
printf("So, instead, we'll free %p.\n", b);
free(b);
printf("Now, we can free %p again, since it's not the head of the free list.\n", a);
free(a);
printf("Now the free list has [ %p, %p, %p ]. If we malloc 3 times, we'll get %p twice!\n", a, b, a, a);
printf());
printf());
printf());
}
执行输出:
junmoxiao@ubuntu:~/pwn/how2heap$ ./fastbin_dup This file demonstrates a simple double-free attack with fastbins. Allocating buffers. 1st ): 0x2509420 2nd ): 0x2509440 3rd ): 0x2509460 Freeing the first one... If we free 0x2509420 again, things will crash because 0x2509420 is at the top of the free list. So, instead, we'll free 0x2509440. Now, we can free 0x2509420 again, since it's not the head of the free list. Now the times, we'll get 0x2509420 twice! 1st ): 0x2509420 2nd ): 0x2509440 3rd ): 0x2509420
这一节也只是阐述了double free的概念和基本条件,没什么好说的,下一节进行利用double free技术的实战