Preamble:

Here are the SECURE SOFTWARE DESIGN flaws to avoid for heap work:

Fake Chunks

Alright I'm attempting to make tcache-poisoning our mother tongue.

We've done a complete exploit in 2.31.

So now, what other things do I need to know? What other issues arise?

First of all, glibc 2.34+ will be a mystery to us for a little bit still (FSOP is coming)

For now let's just do one change:

To do this we want to, very carefully, create a FAKE CHUNK by editing the meta-data of a chunk and making it seem larger than it is.

That's one new concept today, if you're not careful you'll corrupt the chunk. If you do it right you'll get your leak from the unsorted bin.

Take a look carefully at the source code, particularly the edit routine.

There is an overflow! We can write a little bit more than we should be able to.

That's a new heap flaw for us that is in the top 3 for unlocking heap exploits.

For reference, here's yesterday's exploit part:

Make one chunk that we will use to overflow from
Make enough small chunks that if they were pasted together it would be a chunk of size 0x420 (22 chunks of size 0x30)
Edit the 0 chunk and just past the end of our space put p64(0x421)
Free chunk 1 (now faked to be size 0x421) get the glibc leak, the rest is the same as before
malloc two smaller chunks of the same size
malloc a chunk and write /bin/sh to it
free(a), free(b) and edit(b, free_hook address)
malloc (get b), malloc get free_hook, write system address
free(c) which is actually system("/bin/sh")