Daily Reminder: Mom's Spaghetti
Our compass through all of this is the desire for the following comfort food:

1. CONQUER ADDRESS RANDOMIZATION by using a USE-AFTER-FREE vulnerability to leak a glibc address.
2. WRITE-WHAT-WHERE using TCACHE POISONING to get an arbitrary write into glibc.
3. CONTROL THE INSTRUCTION POINTER by overwriting the **__free_hook** in glibc with `system`, where "/bin/sh" has been written into the chunk being free'd.
OK, what if the developer wasn't quite as careless? They did NOT give us an arbitrary use-after-free, but they still made one mistake: a "double-free", that is, I can free the same address twice. Here is how we adapt Mom's Spaghetti to this new double-free situation.
House of Botcake
So our goal is this:

1. Fill a larger tcache bin (so a free of that size no longer goes into tcache).
2. Get two chunks to consolidate and go into the unsorted bin.
3. Make room in the tcache bin again.
4. FREE the consolidated chunk (the double-free) into that tcache bin.
5. Ask for a larger chunk and get OVERLAPPING CHUNKS.

This gives us in-use memory that overlaps a free'd chunk sitting in the tcache, so we can edit that free'd chunk, and now we resume Mom's Spaghetti.