c0wb3ll's 5tudy B109

Unsafe_unlink

Reference https://github.com/shellphish/how2heap https://dreamhack.io/learn/2/16#44 http://lazenca.net/pages/viewpage.action?pageId=1148137 https://koharinn.tistory.com/142 https://code1018.tistory.com/195?category=981925 https://rninche01.tistory.com/entry/heap-exploit-Unsafe-Unlink https://wogh8732.tistory.com/195 https://midascopp.tistory.com/66 Unsafe_unlink Unsafe_unlink는 헤더 값이 조작된 Fake chu..

fastbin_dup_consolidate

소스코드 #include #include #include int main() { void* p1 = malloc(0x40); void* p2 = malloc(0x40); fprintf(stderr, "Allocated two fastbins: p1=%p p2=%p\n", p1, p2); fprintf(stderr, "Now free p1!\n"); free(p1); void* p3 = malloc(0x400); fprintf(stderr, "Allocated large bin to trigger malloc_consolidate(): p3=%p\n", p3); fprintf(stderr, "In malloc_consolidate(), p1 is moved to the unsorted bin.\n"); f..

fastbin_dup_into_stack

fastbin_dup_into_stack.c 소스코드 #include #include int main() { fprintf(stderr, "This file extends on fastbin_dup.c by tricking malloc into\n" "returning a pointer to a controlled location (in this case, the stack).\n"); unsigned long long stack_var; fprintf(stderr, "The address we want malloc() to return is %p.\n", 8+(char *)&stack_var); fprintf(stderr, "Allocating 3 buffers.\n"); int *a = malloc(..

fastbin_dup

fastbin_dup.c 소스코드 #include #include #include int main() { fprintf(stderr, "This file demonstrates a simple double-free attack with fastbins.\n"); fprintf(stderr, "Allocating 3 buffers.\n"); int *a = malloc(8); int *b = malloc(8); int *c = malloc(8); fprintf(stderr, "1st malloc(8): %p\n", a); fprintf(stderr, "2nd malloc(8): %p\n", b); fprintf(stderr, "3rd malloc(8): %p\n", c); fprintf(stderr, "F..

how2heap 준비

git clone https://github.com/shellphish/how2heap cd how2heap && make