![double nightmare double nightmare](https://i.ytimg.com/vi/g6kv3EUkh6w/maxresdefault.jpg)
So you can see that we have freed ptr3 (Chunk 3) and discarded it's pointer. Let's see it in action by freeing Chunk3 and setting the pointer equal to 0x0 (which is what's supposed to happen to prevent UAFs).
#Double nightmare free
We will still have a pointer remaining to the same memory chunk, which will now be freed.Īs a result we can use the double free to edit a freed chunk. Now we can free one of the pointers to either Chunk 3 or 5 (ptr3 or ptr5), and clear out the pointer. So you can see that we allocated the same pointer twice, as a result of freeing the same pointer twice (since malloc will reuse freed chunks of similar sizes for performance boosts). Next up we will allocate three new chunks of the same size that we freed, and write some data to them. To bypass this, we can just free something in between the two frees to the same pointer. It will check if the pointer being free is the same as the last chunk freed, and if it is the program will cease execution. (however in libc-2.27 it will hit the tcache and this will be fine). This is because in several different versions of malloc, there is a double free check In between the two frees, we will free a different pointer. We will free the same pointer twice (the first chunk pointed to by ptr0). So we start off by allocating three chunks of memory. However a bug to edit the heap metadata is often just one piece of the exploitation process. The goal of this is to show how we can edit a freed chunk using a Double Free bug.Įditing freed chunks will allow us to overwrite heap metadata, which is crucial to a lot of heap attacks. Printf("Just like that, we were able to use a double free to edit a free chunk!\n") Using that we can edit the freed chunk.\n\n") Printf("So you can see that we have freed ptr3 (Chunk 3) and discarded it's pointer. Let's see it in action by freeing Chunk3 and setting the pointer equal to 0x0 (which is what's supposed to happen to prevent UAFs).\n\n")
![double nightmare double nightmare](https://imgs.dvdempire.com/product/500/1751686/new-nightmare-freddy-vs-jason-double-feature-cover-art.jpg)
Printf("As a result we can use the double free to edit a freed chunk.
![double nightmare double nightmare](https://i.ebayimg.com/images/g/CysAAOSwmgteUtUH/s-l640.jpg)
We will still have a pointer remaining to the same memory chunk, which will now be freed.\n") Printf("Now we can free one of the pointers to either Chunk 3 or 5 (ptr3 or ptr5), and clear out the pointer. Printf("So you can see that we allocated the same pointer twice, as a result of freeing the same pointer twice (since malloc will reuse freed chunks of similar sizes for performance boosts).\n") Printf("Chunk5: %p\t contains: %s\n\n", ptr5, ptr5) Printf("Chunk4: %p\t contains: %s\n", ptr4, ptr4) Printf("Chunk3: %p\t contains: %s\n", ptr3, ptr3) This will give us the three chunks we freed.\n\n") Printf("Next up we will allocate three new chunks of the same size that we freed, and write some data to them. Printf("To bypass this, we can just free something in between the two frees to the same pointer.\n\n") Printf("It will check if the pointer being free is the same as the last chunk freed, and if it is the program will cease execution.\n") This is because in several different versions of malloc, there is a double free check \n(however in libc-2.27 it will hit the tcache and this will be fine).\n") Printf("In between the two frees, we will free a different pointer. We will free the same pointer twice (the first chunk pointed to by ptr0).\n") Printf("Chunk2: %p\t contains: %s\n\n", ptr2, ptr2) Printf("Chunk1: %p\t contains: %s\n", ptr1, ptr1) Printf("Chunk0: %p\t contains: %s\n", ptr0, ptr0) Let's also write some data to them.\n\n")
![double nightmare double nightmare](https://d3u67r7pp2lrq5.cloudfront.net/product_photos/84870937/file_9b15470cbb_original.jpg)
Printf("So we start off by allocating three chunks of memory. Puts("However a bug to edit the heap metadata is often just one piece of the exploitation process.\n") Puts("Editing freed chunks will allow us to overwrite heap metadata, which is crucial to a lot of heap attacks.") Puts("The goal of this is to show how we can edit a freed chunk using a Double Free bug.")
#Double nightmare code
Checkout the well documented source code or binary to see the explanation. This can be very useuful for other attacks. It can be used to edit freed chunks, and heap metadata among other things. This module essentially explains what a Double Free bug is.