#include <stdio.h>
#include <stdlib.h>
#include <string.h>
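/*
 * Allocator-behaviour demo: frees one heap buffer, requests a slightly
 * smaller one, and prints both pointers and their contents to show that
 * the freed chunk can be handed out again while the old pointer is still
 * held.
 *
 * Defensive reading: the stale pointer `a` is the bug class being
 * illustrated (use-after-free, CWE-416). In real code the fix is to stop
 * using a pointer once it has been freed (clear it right after free())
 * and to run tests under AddressSanitizer or a similar tool, which
 * reports the stale read below as a heap-use-after-free.
 *
 * NOTE(review): whether the third allocation really lands on the first
 * one depends on the allocator version and configuration. On glibc builds
 * with the per-thread cache (tcache) the 512- and 500-byte requests
 * likely fall into different size bins, so the two addresses may differ;
 * confirm on the target libc before relying on the printed claim.
 *
 * Returns 0 on success, EXIT_FAILURE if an allocation fails.
 */
int main(void)
{
    fprintf(stderr, "This file doesn't demonstrate an attack, but shows the nature of glibc's allocator.\n");
    fprintf(stderr, "glibc uses a first-fit algorithm to select a free chunk.\n");
    fprintf(stderr, "If a chunk is free and large enough, malloc will select this chunk.\n");
    fprintf(stderr, "This can be exploited in a use-after-free situation.\n");

    fprintf(stderr, "Allocating 2 buffers. They can be large, don't have to be fastbin.\n");
    char *a = malloc(512);
    /* presumably b keeps the chunk behind a in use so that freeing a does
     * not simply merge it back into the top of the heap; TODO confirm */
    char *b = malloc(256);
    char *c;

    /* strcpy() into a NULL pointer would be undefined behaviour, so bail
     * out cleanly when the allocator cannot satisfy the requests. */
    if (a == NULL || b == NULL) {
        fprintf(stderr, "malloc failed\n");
        free(a);
        free(b);
        return EXIT_FAILURE;
    }

    fprintf(stderr, "1st malloc(512): %p\n", a);
    fprintf(stderr, "2nd malloc(256): %p\n", b);
    fprintf(stderr, "we could continue mallocing here...\n");
    fprintf(stderr, "now let's put a string at a that we can read later \"this is A!\"\n");
    strcpy(a, "this is A!");
    fprintf(stderr, "first allocation %p points to %s\n", a, a);

    fprintf(stderr, "Freeing the first one...\n");
    free(a);
    /* From here on a is dangling. It is kept on purpose for the demo;
     * production code would set it to NULL at this point. */

    fprintf(stderr, "We don't need to free anything again. As long as we allocate less than 512, it will end up at %p\n", a);

    fprintf(stderr, "So, let's allocate 500 bytes\n");
    c = malloc(500);
    if (c == NULL) {
        fprintf(stderr, "malloc failed\n");
        free(b);
        return EXIT_FAILURE;
    }
    fprintf(stderr, "3rd malloc(500): %p\n", c);
    fprintf(stderr, "And put a different string here, \"this is C!\"\n");
    strcpy(c, "this is C!");
    fprintf(stderr, "3rd allocation %p points to %s\n", c, c);

    /* Deliberate use-after-free read: a was freed above, so this access
     * is undefined behaviour and exists only to show the aliasing. */
    fprintf(stderr, "first allocation %p points to %s\n", a, a);
    fprintf(stderr, "If we reuse the first allocation, it now holds the data from the third allocation.\n");

    /* Drop the stale pointer before cleanup so it cannot be freed or read
     * again; a was already released, so only c and b are freed here. */
    a = NULL;
    free(c);
    free(b);
    return 0;
}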