Don't like this style? Click here to change it! blue.css

Welcome .... Click here to logout


Here are the SECURE SOFTWARE DESIGN flaws to avoid for heap work:

These came from a great heap exploitation post:

Fake Chunks

A really useful concept

AKA what if malloc is constrained?

Alright I'm attempting to make tcache-poisoning our mother tongue.

We've done a complete exploit in 2.31.

So now, what other things do I need to know? What other issues arise?

First of all, glibc 2.34+ will be a mystery to us for a little bit still (FSOP is coming)

For now let's just do one change:

How does our exploit change if every malloc is a chunk of size 0x30?

Obstacle 1: glibc leak

To do this we want to, very carefully, create a FAKE CHUNK by editing the meta-data of a chunk and making it seem larger than it is.

That's one new concept today, if you're not careful you'll corrupt the chunk. If you do it right you'll get your leak from the unsorted bin.

Obstacle 2: how can we overwrite a chunk's size field?

Take a look carefully at the source code, particularly the edit routine.

There is an overflow! We can write a little bit more than we should be able to.

That's a new heap flaw for us that is in the top 3 for unlocking heap exploits.

Starter Script:

For reference, here's yesterday's exploit part:

The Attack Plan