今天是四月十九，想在五月份之前把how2heap中的高版本(2.31)的例子过一遍。所以这个系列目前还是在更新中。如果比较简单就几句话带过了，遇到难一点的会写的详细一点。

fastbin_dup

源代码：

1 #include
2 #include
3 #include
4
5 int main()
6 {
7 setbuf(stdout, NULL);
8
9 printf("This file demonstrates a simple double-free attack with fastbins.\n");
10
11 printf("Fill up tcache first.\n");
12 void *ptrs[8];
13 for (int i=0; i<8; i++) {
14 ptrs[i] = malloc(8);
15 }
16 for (int i=0; i<7; i++) {
17 free(ptrs[i]);
18 }
19
20 printf("Allocating 3 buffers.\n");
21 int *a = calloc(1, 8);
22 int *b = calloc(1, 8);
23 int *c = calloc(1, 8);
24
25 printf("1st calloc(1, 8): %p\n", a);
26 printf("2nd calloc(1, 8): %p\n", b);
27 printf("3rd calloc(1, 8): %p\n", c);
28
29 printf("Freeing the first one…\n");
30 free(a);
31
32 printf("If we free %p again, things will crash because %p is at the top of the free list.\n", a, a);
33 // free(a);
34
35 printf("So, instead, we'll free %p.\n", b);
36 free(b);
37
38 printf("Now, we can free %p again, since it's not the head of the free list.\n", a);
39 free(a);
40
41 printf("Now the free list has [ %p, %p, %p ]. If we malloc 3 times, we'll get %p twice!\n", a, b, a, a);
42 a = calloc(1, 8);
43 b = calloc(1, 8);
44 c = calloc(1, 8);
45 printf("1st calloc(1, 8): %p\n", a);
46 printf("2nd calloc(1, 8): %p\n", b);
47 printf("3rd calloc(1, 8): %p\n", c);
48
49 assert(a == c);
50 }

总结：

　　1.使用calloc申请chunk，并不会从tcache中拿chunk。

　　2.如果存在uaf漏洞，可以先将tcache填充满，再利用free(a)，free(b)，free(a)的操作实现double free，实现任意写。