## https://sploitus.com/exploit?id=68DD3167-7419-5263-BCF7-35FC6EF96FBB
# Double-Free Heap Exploit
## Author
**Created by 0x5da** (Toasty / OsintToast / WoahToast)
Exploit Developer & Security Engineer • OSINT • Malware Analysis • Pentesting Tools
[https://www.imperiumsolutions.xyz/](https://www.imperiumsolutions.xyz/) • [GitHub @0x5da](https://github.com/0x5da)
This project and all code in this directory were fully written and designed by me. You may use, study, and build upon it for authorized security research and education only.
---
## What This Is
A **double-free** proof-of-concept. The vulnerable program allocates a pointer, frees it, then frees it again. Calling `free()` twice on the same pointer corrupts the heap allocator’s internal structures (e.g. freelist). Later allocations can return the same chunk twice, leading to use-after-free or overlapping buffers and, from there, to arbitrary write or code execution when combined with other primitives.
## Why I Made It
I wanted a minimal, self-contained example of a double-free: no external input, just the bug pattern. It’s a classic heap vulnerability and the first step toward more advanced techniques (e.g. tcache poisoning, fastbin attack) on glibc heaps.
## What It’s Used For
- **Learning** — Understand why double-free is undefined and how it breaks the allocator.
- **CTF / labs** — Template for double-free and heap corruption challenges.
- **Reference** — Base for building full double-free exploits (e.g. overwriting fd/next pointers).
## Contents
| File | Description |
|------|-------------|
| `vulnerable.c` | Allocates two buffers, frees the first one twice (double-free), then allocates two more. The re-use of the same chunk can be observed (e.g. second alloc gets the same memory as the first). |
| `run_vulnerable.c` | Simply executes the vulnerable binary to trigger the double-free; the “exploit” here is the vulnerable code itself. Full weaponization would add steps to control the freelist and overwrite pointers. |
| `Makefile` | Builds the vulnerable binary and the exploit. |
## How to Build
```bash
make
```
## How to Use
1. Build: `make`
2. Run: `./run_vulnerable` (which runs `./vulnerable`).
Or run directly: `./vulnerable`
3. Observe behavior; on some glibc versions you may see a crash or warning from the allocator. The point is to see the double-free pattern in code.
4. For a full exploit you’d extend this with controlled allocations and writes to abuse the corrupted freelist.
## Notes
- Modern glibc has double-free checks (e.g. in tcache); behavior and exploitability depend on version and allocator state.
- This PoC is deliberately simple to show the bug; real exploits often need multiple allocations and frees to shape the heap.
---
**Use only on systems you own or have explicit permission to test.**