| #include <stdio.h> #include <stdlib.h> #include <stdint.h> #include <string.h> #include <unistd.h>
/* Four-word view of an allocator chunk header: two size fields followed by
 * the doubly-linked free-list pointers. The field order mirrors the start of
 * a malloc_chunk header (presumably glibc's — verify against the target
 * libc's layout before relying on the offsets). */
struct chunk {
    size_t prev_size;   /* size field of the preceding chunk */
    size_t size;        /* this chunk's size field */
    struct chunk *fd;   /* forward free-list link */
    struct chunk *bk;   /* backward free-list link */
};
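/* Print the four header words of `c` on stdout, each line prefixed as in the
 * original listing. `c` must be non-NULL; `name` is a label for the chunk.
 * Pointers are cast to void * because %p is only defined for that type
 * (passing a struct pointer directly is undefined behaviour). The parameter
 * is const-qualified: nothing here writes through it. */
void print_chunk(const struct chunk* c, const char* name) {
    printf("%s chunk at %p:\n", name, (void *)c);
    printf(" prev_size: %zu\n", c->prev_size);
    printf(" size: %zu\n", c->size);
    printf(" fd: %p\n", (void *)c->fd);
    printf(" bk: %p\n", (void *)c->bk);
}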
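/* Build line as given in the original listing:
 *   gcc -o unlink_64 unlink_64.c -fno-stack-protector -z execstack
 * Both flags switch off hardening (stack canaries, non-executable stack)
 * for the demonstration. */

/* Demonstration driver: allocate two blocks, show them through the chunk
 * view, overwrite A's list links with stack addresses, free B, and show A
 * again.
 *
 * Returns 0 on completion, EXIT_FAILURE if an allocation fails. */
int main(void) {
    /* malloc() returns the user-data pointer, not the allocator's header, so
     * the struct fields below alias the first 32 bytes of each block's user
     * data rather than the real header words. */
    struct chunk *A = malloc(0x100);
    struct chunk *B = malloc(0x100);
    if (A == NULL || B == NULL) {
        fputs("malloc failed\n", stderr);
        free(A); /* free(NULL) is a no-op */
        free(B);
        return EXIT_FAILURE;
    }

    printf("Allocated chunks:\n");
    print_chunk(A, "A");
    print_chunk(B, "B");

    /* Deliberately corrupted links: both point just below the stack slot
     * that holds A itself. This is the pattern glibc's unlink safety check
     * (fd->bk == p && bk->fd == p, "corrupted double-linked list") exists to
     * detect; a hardened allocator is expected to abort rather than honour
     * these pointers. */
    A->fd = (struct chunk *)((uintptr_t)&A - 0x18);
    A->bk = (struct chunk *)((uintptr_t)&A - 0x10);

    free(B);

    printf("After unlink:\n");
    print_chunk(A, "A");

    /* A is intentionally left to the process exit; its contents were just
     * inspected and nothing else runs after this point. */
    return 0;
}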