Share
## https://sploitus.com/exploit?id=68DD3167-7419-5263-BCF7-35FC6EF96FBB
# Double-Free Heap Exploit

## Author

**Created by 0x5da** (Toasty / OsintToast / WoahToast)  
Exploit Developer & Security Engineer • OSINT • Malware Analysis • Pentesting Tools  
[https://www.imperiumsolutions.xyz/](https://www.imperiumsolutions.xyz/) • [GitHub @0x5da](https://github.com/0x5da)

This project and all code in this directory were fully written and designed by me. You may use, study, and build upon it for authorized security research and education only.

---

## What This Is

A **double-free** proof-of-concept. The vulnerable program allocates a pointer, frees it, then frees it again. Calling `free()` twice on the same pointer corrupts the heap allocator’s internal structures (e.g. freelist). Later allocations can return the same chunk twice, leading to use-after-free or overlapping buffers and, from there, to arbitrary write or code execution when combined with other primitives.

## Why I Made It

I wanted a minimal, self-contained example of a double-free: no external input, just the bug pattern. It’s a classic heap vulnerability and the first step toward more advanced techniques (e.g. tcache poisoning, fastbin attack) on glibc heaps.

## What It’s Used For

- **Learning** — Understand why double-free is undefined and how it breaks the allocator.
- **CTF / labs** — Template for double-free and heap corruption challenges.
- **Reference** — Base for building full double-free exploits (e.g. overwriting fd/next pointers).

## Contents

| File | Description |
|------|-------------|
| `vulnerable.c` | Allocates two buffers, frees the first one twice (double-free), then allocates two more. The re-use of the same chunk can be observed (e.g. second alloc gets the same memory as the first). |
| `run_vulnerable.c` | Simply executes the vulnerable binary to trigger the double-free; the “exploit” here is the vulnerable code itself. Full weaponization would add steps to control the freelist and overwrite pointers. |
| `Makefile` | Builds the vulnerable binary and the exploit. |

## How to Build

```bash
make
```

## How to Use

1. Build: `make`
2. Run: `./run_vulnerable` (which runs `./vulnerable`).  
   Or run directly: `./vulnerable`
3. Observe behavior; on some glibc versions you may see a crash or warning from the allocator. The point is to see the double-free pattern in code.
4. For a full exploit you’d extend this with controlled allocations and writes to abuse the corrupted freelist.

## Notes

- Modern glibc has double-free checks (e.g. in tcache); behavior and exploitability depend on version and allocator state.
- This PoC is deliberately simple to show the bug; real exploits often need multiple allocations and frees to shape the heap.

---

**Use only on systems you own or have explicit permission to test.**