malloc_hook, free_hook

A complete PWN from UAF

OK here we go, what are the 3 parts of a PWN?

OK this is going to be our new baseline heap exploit.

We're going to go after the one at nc 1344, just NOT using the win function.

glibc 2.31 version on the playground

OK stages:

OK I'm going to do this from scratch live.

tmux debugging!

OK this will be cool, here's my starter script:

2.32 version...

Now we ALSO need a heap leak before we can write the target.

We write (free_hook ^ (heap >> 12)) rather than the raw address, since 2.32 safe-linking mangles the stored next pointer this way.
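To show why the 2.32 step needs a heap leak, here is an added illustration (not the page's own code, and not glibc itself): a small model of glibc's safe-linking for the tcache/fastbin next pointer, following the PROTECT_PTR / REVEAL_PTR macros and the alignment check that malloc.c applies when it pops a tcache entry. The addresses for `pos` (the freed chunk's next field) and `target` are constructed for the illustration; the mitigation's point is that the key is derived from the storage address itself, so a raw address written 2.31-style decodes to garbage and a guess that is off by a page gets a different key.

```c
/* Added example: model of glibc 2.32 safe-linking (PROTECT_PTR / REVEAL_PTR)
 * plus the aligned_OK check from tcache_get. Not glibc's code; the
 * addresses used below are constructed for illustration only. */
#include <stdint.h>
#include <stdio.h>
#include <stdbool.h>
#include <inttypes.h>

#define MALLOC_ALIGN_MASK 0xfUL   /* MALLOC_ALIGNMENT - 1 on x86-64 */

/* PROTECT_PTR(pos, ptr): the stored 'next' is the real pointer XORed with
 * the address of the field it lives in, shifted right by 12 (page bits). */
static uintptr_t protect_ptr(uintptr_t pos, uintptr_t ptr) {
    return (pos >> 12) ^ ptr;
}

/* REVEAL_PTR is the same operation: XOR is its own inverse. */
static uintptr_t reveal_ptr(uintptr_t pos, uintptr_t stored) {
    return (pos >> 12) ^ stored;
}

static bool aligned_ok(uintptr_t p) {
    return (p & MALLOC_ALIGN_MASK) == 0;
}

/* What tcache_get does with a stored next pointer on 2.32: reveal it, then
 * abort ("malloc(): unaligned tcache chunk detected") if the result is not
 * 16-byte aligned. Returning 0 stands in for the abort. */
static uintptr_t decode_next(uintptr_t pos, uintptr_t stored) {
    uintptr_t next = reveal_ptr(pos, stored);
    if (!aligned_ok(next))
        return 0;
    return next;
}

int main(void) {
    /* constructed: address of the 'next' field of a freed tcache chunk */
    uintptr_t pos = 0x55d0c3a4e2a0UL;
    /* constructed: a 16-byte-aligned address someone wants malloc to hand out */
    uintptr_t target = 0x7f3b1c4f5e40UL;

    /* 2.31 style: the raw address is written into the freed chunk. On 2.32
     * malloc decodes it with the heap-derived key and rejects the result. */
    printf("raw write decodes to:   %#" PRIxPTR " (accepted: %s)\n",
           reveal_ptr(pos, target), decode_next(pos, target) ? "yes" : "no");

    /* 2.32: the writer must know 'pos' (hence the heap leak) and pre-mangle. */
    uintptr_t mangled = protect_ptr(pos, target);
    printf("mangled value to write: %#" PRIxPTR "\n", mangled);
    printf("malloc decodes it to:   %#" PRIxPTR "\n", decode_next(pos, mangled));

    /* A guess of the heap address that is off by one page gives another key. */
    printf("key for pos:            %#" PRIxPTR "\n", pos >> 12);
    printf("key for pos+0x1000:     %#" PRIxPTR "\n", (pos + 0x1000) >> 12);
    return 0;
}
```

The alignment check is why a blind guess typically ends in an abort rather than a silent miss: the revealed value has to land on a 16-byte boundary, which a wrong key almost never produces.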

Next wrinkles

OK suppose you can't control the size of your mallocs

Say they are all small...

Then we want to fake a larger chunk where our chunks are

What if we're on glibc 2.34+? Then there is no free_hook:

We have to learn something very fancy: FSOP (not quick to learn)

OR we could maybe target the stack and a return address...