
How to Exploit Double-Free Vulnerability to Overwrite a Specific Variable in C?

Çağlar Arlı      -    12 Views


I'm working on a CTF challenge that involves exploiting a double-free vulnerability to modify the value of a specific global variable, PASSWORD, in a C program. The program allows for custom memory allocation and deallocation within a predefined ARENA. Here's a simplified overview of the relevant parts:

/* Chunk header; the user pointer returned by my_malloc() sits right after it. */
typedef struct CHUNK {
    struct CHUNK *prev;
    struct CHUNK *next;
    long size;
} CHUNK;

/* Declared elsewhere in the challenge; only the parts below were shown. */
CHUNK *list_head;                             /* head of the in-use chunk list */
void *my_malloc(long size);                   /* carves chunks out of ARENA */
void parse_hex_from_stdin(char *buf, long n); /* fills buf with hex read from stdin */

long PASSWORD = 12345;

void my_free(void *ptr) {
    if (ptr == NULL) return;
    CHUNK *chunk = (CHUNK *)((char *)ptr - sizeof(CHUNK));
    /* Unlink from the list. Nothing checks that the neighbours still point
       back at chunk, and the chunk is never marked as freed, so a second
       free of the same pointer reuses whatever is now in the header. */
    if (chunk->next != NULL) {
        chunk->next->prev = chunk->prev;
    }
    if (chunk->prev != NULL) {
        chunk->prev->next = chunk->next;
    } else {
        list_head = chunk->next;
    }
}

int main(void) {
    char *buf1 = my_malloc(8);
    char *buf2 = my_malloc(32);

    my_free(buf1);
    my_free(buf2);

    /* A 64-byte allocation may reuse the space just freed, header of buf2
       included (depends on my_malloc, which is not shown). */
    char *buf3 = my_malloc(64);
    parse_hex_from_stdin(buf3, 64);

    my_free(buf2);   /* double free: buf2's header may now be user-controlled */
    my_free(buf3);

    return 0;
}

The exploit I'm attempting involves manipulating the prev and next pointers of CHUNK structures such that when my_free() is called under certain conditions, it would lead to overwriting PASSWORD. I've managed to set chunk->next->prev to point to the address of PASSWORD, but this only changes where the prev pointer of the next chunk in the list points, not the value of PASSWORD itself.

My current understanding is that I need to somehow use this vulnerability to cause a write operation that directly affects PASSWORD, but I'm unclear on how to structure my inputs or manipulate the state to achieve this.

Question: How can I adjust my exploit to not just point chunk->next->prev to PASSWORD, but to actually modify the value of PASSWORD itself? Specifically, I'm looking for guidance on the sequence of allocations/frees or the type of input that would directly result in overwriting PASSWORD.

Additional Context:

The program is compiled with -fno-stack-protector -O0 -g -no-pie. The goal is to make PASSWORD == 0.

Any insights or suggestions on how to proceed would be greatly appreciated.
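A defensive counterpart, added here and not part of the question or the challenge's own code: a replacement for my_free() that applies safe-unlink checks (each neighbour must point back at the chunk being freed) and refuses any pointer that is no longer on the in-use list, so neither a second free nor forged prev/next links can turn the unlink into a write. The 256-byte arena, chunk offsets and list_head setup in run_demo() are constructed assumptions.

```c
#include <stddef.h>
#include <string.h>

/* Same CHUNK layout as the post. */
typedef struct CHUNK {
    struct CHUNK *prev;
    struct CHUNK *next;
    long size;
} CHUNK;

static CHUNK *list_head;   /* head of the in-use chunk list */

/* Hardened replacement for my_free(): 0 = freed, -1 = pointer is not a live
 * chunk (double free or foreign pointer), -2 = neighbour links do not point
 * back at this chunk (forged metadata). Nothing is written on failure. */
int safe_free(void *ptr) {
    if (ptr == NULL) return 0;
    CHUNK *chunk = (CHUNK *)((char *)ptr - sizeof(CHUNK));
    CHUNK *c = list_head;
    int hops = 0;
    /* The chunk must be reachable from list_head; the hop bound keeps a
       corrupted (cyclic) next chain from looping forever. */
    while (c != NULL && c != chunk && hops++ < 1024) c = c->next;
    if (c != chunk) return -1;
    if (chunk->next != NULL && chunk->next->prev != chunk) return -2;
    if (chunk->prev != NULL && chunk->prev->next != chunk) return -2;
    if (chunk->prev == NULL && list_head != chunk) return -2;
    if (chunk->next != NULL) chunk->next->prev = chunk->prev;
    if (chunk->prev != NULL) chunk->prev->next = chunk->next;
    else list_head = chunk->next;
    chunk->prev = chunk->next = NULL;   /* stale links cannot be reused later */
    return 0;
}

/* Self-check on a constructed arena: one legitimate free, the same pointer
 * freed again, then a free whose next-link was tampered with.
 * Returns the number of checks that held (3 when all protections work). */
int run_demo(void) {
    static unsigned char arena[256];
    CHUNK *a = (CHUNK *)arena, *b = (CHUNK *)(arena + 64);
    CHUNK *fake = (CHUNK *)(arena + 128);
    int ok = 0;
    memset(arena, 0, sizeof arena);
    a->size = 8;  a->prev = NULL; a->next = b;
    b->size = 32; b->prev = a;    b->next = NULL;
    list_head = a;
    if (safe_free(a + 1) == 0 && list_head == b && b->prev == NULL) ok++;
    if (safe_free(a + 1) == -1) ok++;                 /* double free refused */
    fake->prev = a;       /* does not point back at b: inconsistent neighbour */
    b->next = fake;       /* stands in for a header overwritten through buf3 */
    if (safe_free(b + 1) == -2 && fake->prev == a) ok++;  /* no write happened */
    return ok;
}
```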