
Untitled

a guest
Jun 22nd, 2018
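  #include <stdio.h>
  #include <stdlib.h>
  #include <string.h>

  /*
   * Allocator-behaviour demo: allocate two buffers, free the first, then
   * request a slightly smaller third buffer and print the addresses and
   * contents seen through both the stale pointer `a` and the new pointer `c`.
   *
   * Security relevance: if the allocator hands the freed chunk back for the
   * third request, `a` and `c` alias the same memory. Any code that still
   * holds `a` then reads (or writes) data owned by `c` -- a use-after-free.
   * Defences: set a pointer to NULL right after free(), keep no stale copies
   * of it, and run tests under -fsanitize=address, which reports the stale
   * read below.
   *
   * NOTE(review): whether `c` really lands on `a` depends on the allocator
   * and its version. glibc builds with the per-thread cache (tcache, 2.26
   * and later) keep freed chunks of this size in size-specific bins, so the
   * 500-byte request may be served from elsewhere -- confirm on the target
   * libc before relying on the printed addresses.
   *
   * Returns 0 on success, EXIT_FAILURE if an allocation fails.
   */
  int main(void)
  {
      fprintf(stderr, "This file doesn't demonstrate an attack, but shows the nature of glibc's allocator.\n");
      fprintf(stderr, "glibc uses a first-fit algorithm to select a free chunk.\n");
      fprintf(stderr, "If a chunk is free and large enough, malloc will select this chunk.\n");
      fprintf(stderr, "This can be exploited in a use-after-free situation.\n");

      fprintf(stderr, "Allocating 2 buffers. They can be large, don't have to be fastbin.\n");
      char *a = malloc(512);
      char *b = malloc(256);
      char *c;

      /* strcpy() into a NULL buffer would crash before the demo starts. */
      if (a == NULL || b == NULL) {
          perror("malloc");
          free(a);
          free(b);
          return EXIT_FAILURE;
      }

      fprintf(stderr, "1st malloc(512): %p\n", (void *)a);
      fprintf(stderr, "2nd malloc(256): %p\n", (void *)b);
      fprintf(stderr, "we could continue mallocing here...\n");
      fprintf(stderr, "now let's put a string at a that we can read later \"this is A!\"\n");
      strcpy(a, "this is A!");
      fprintf(stderr, "first allocation %p points to %s\n", (void *)a, a);

      fprintf(stderr, "Freeing the first one...\n");
      free(a);
      /*
       * `a` is deliberately NOT cleared here: the dangling pointer is the
       * subject of the demo. Production code would write `a = NULL;` now.
       */

      fprintf(stderr, "We don't need to free anything again. As long as we allocate less than 512, it will end up at %p\n", (void *)a);

      fprintf(stderr, "So, let's allocate 500 bytes\n");
      c = malloc(500);
      if (c == NULL) {
          perror("malloc");
          free(b);
          return EXIT_FAILURE;
      }
      fprintf(stderr, "3rd malloc(500): %p\n", (void *)c);
      fprintf(stderr, "And put a different string here, \"this is C!\"\n");
      strcpy(c, "this is C!");
      fprintf(stderr, "3rd allocation %p points to %s\n", (void *)c, c);
      /*
       * Deliberate read through the stale pointer. This is undefined
       * behaviour in C; it is kept only to show that, when the chunk was
       * reused, the old pointer now exposes the new owner's data.
       */
      fprintf(stderr, "first allocation %p points to %s\n", (void *)a, a);
      fprintf(stderr, "If we reuse the first allocation, it now holds the data from the third allocation.");

      /*
       * Release what is still owned. `a` is not freed again: it was already
       * released above, and a second free(a) would be a double free.
       */
      free(b);
      free(c);
      return 0;
  }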