/
*
*
K
-
sPecial's vulnerable program
*
/
int
main (void) {
char
*
ptr
=
malloc(
1024
);
/
*
First allocated chunk
*
/
char
*
ptr2;
/
*
Second chunk
*
/
/
*
ptr & ~(HEAP_MAX_SIZE
-
1
)
=
0x08000000
*
/
int
heap
=
(
int
)ptr &
0xFFF00000
;
_Bool found
=
0
;
printf(
"ptr found at %p\n"
, ptr);
/
*
Print
address of first chunk
*
/
/
/
i
=
=
2
because this
is
my second chunk to allocate
for
(
int
i
=
2
; i <
1024
; i
+
+
) {
/
*
Allocate chunks up to
0x08100000
*
/
if
(!found && (((
int
)(ptr2
=
malloc(
1024
)) &
0xFFF00000
)
=
=
\
(heap
+
0x100000
))) {
printf(
"good heap allignment found on malloc() %i (%p)\n"
, i, ptr2);
found
=
1
;
/
*
Go out
*
/
break
;
}
}
malloc(
1024
);
/
*
Request another chunk: (ptr2 !
=
av
-
>top)
*
/
/
*
Incorrect
input
:
1048576
bytes
*
/
fread (ptr,
1024
*
1024
,
1
, stdin);
free(ptr);
/
*
Free first chunk
*
/
free(ptr2);
/
*
The House of Mind
*
/
return
(
0
);
/
*
Bye
*
/
}