From 7d5fdff298244c89a78decd8d0d5948e3208e38d Mon Sep 17 00:00:00 2001
From: Eternal <67eternal@gmail.com>
Date: Wed, 9 Dec 2020 10:24:56 +0100
Subject: [PATCH 1/2] tcache_dup fixed

---
 tcache_dup.c | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/tcache_dup.c b/tcache_dup.c
index 99687b2..77e03ba 100644
--- a/tcache_dup.c
+++ b/tcache_dup.c
@@ -1,6 +1,9 @@
 #include
 #include
 #include
+
+char buf[0x20];
+
 int main(int argc,char **argv)
 {
 //this is tcache
@@ -18,15 +21,16 @@ int main(int argc,char **argv)
 void *p,*q,*r,*d;
 p = malloc(0x10);
 q = malloc(0x10);
+ free(q);
 free(p);
 printf("now , we have a tcache which is already free\n");
 printf("We can modify its next pointer!\n");
- *(uint64_t *)p = (uint64_t)q;
+ *(uint64_t *)p = (uint64_t)buf;
 printf("now p's next pointer = q\n");
- printf("p's next = %p ,q = %p\n",*(uint64_t *)p,q);
+ printf("p's next = %p ,buf = %p\n",*(uint64_t *)p,buf);
 printf("so,We can malloc twice to get a pointer to q,sure you can change this to what you want!\n");
 r = malloc(0x10);
 d = malloc(0x10);
- printf("OK!, we get we want!\n");
+ printf("OK!, we get we want, d = %p\n",d);
 }

From 12805969cf3c78d8791e3db63f922dfe71e6157b Mon Sep 17 00:00:00 2001
From: Eternal <67eternal@gmail.com>
Date: Wed, 9 Dec 2020 10:28:19 +0100
Subject: [PATCH 2/2] some fix in text

---
 tcache_dup.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/tcache_dup.c b/tcache_dup.c
index 77e03ba..bb5b16c 100644
--- a/tcache_dup.c
+++ b/tcache_dup.c
@@ -26,7 +26,7 @@ int main(int argc,char **argv)
 printf("now , we have a tcache which is already free\n");
 printf("We can modify its next pointer!\n");
 *(uint64_t *)p = (uint64_t)buf;
- printf("now p's next pointer = q\n");
+ printf("now p's next pointer = buf\n");
 printf("p's next = %p ,buf = %p\n",*(uint64_t *)p,buf);
 printf("so,We can malloc twice to get a pointer to q,sure you can change this to what you want!\n");
 r = malloc(0x10);
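Review bot: The new global `char buf[0x20];` in the first hunk of patch 1/2 is added with no comment saying what it is for, and since `main` only ever takes its address it has no reason to have external linkage; I would write `static char buf[0x20]; /* demonstration target whose address is written into the freed chunk's next pointer below */`. The three `#include` directives in the same hunk show no header names as rendered here; this is most likely an extraction artifact, but the code visible in the file (`printf`, `malloc`, `uint64_t`) requires `<stdio.h>`, `<stdlib.h>` and `<stdint.h>`, so it is worth confirming those are what the source actually names.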
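Review bot: In the second hunk of patch 1/2, the added `printf("p's next = %p ,buf = %p\n",*(uint64_t *)p,buf);` passes a `uint64_t` where `%p` expects a `void *`, which is a format/argument mismatch (undefined behavior, and a `-Wformat` diagnostic); the pointer round-trip should also use `uintptr_t` rather than `uint64_t`, so I would write `*(uintptr_t *)p = (uintptr_t)buf;` and `printf("p's next = %p ,buf = %p\n",(void *)*(uintptr_t *)p,(void *)buf);`. The context line `printf("so,We can malloc twice to get a pointer to q,...")` still names `q` although the target is now `buf`; patch 2/2 fixes the neighbouring message but carries this stale one as context, so it should be corrected there too. `r = malloc(0x10);` is assigned and never read, which is intentional for the walkthrough but deserves a comment such as `/* first allocation consumes p; the next one is served from the overwritten next pointer */` (the opening of `main` lies outside this hunk). As an educational caveat rather than a defect in the patch, the walkthrough only behaves as the messages describe on glibc builds that do not mangle tcache next pointers (safe-linking); on a hardened allocator the raw address stored here is not consumed as written, which is exactly the mitigation this demo illustrates the absence of.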