Categories: CTF writeups, Heap Exploitation

DEFCON 2018 Quals: It’s a me, Mario

Although I didn’t have much time to do CTFs as of late, I sat down for part of the DEFCON 2018 Qualifiers with HATS_SG. Among the challenges solved, Mario was a rather peculiar (and somewhat amusing) one that involved multiple heap exploitation techniques along with some tricks to get an exploit working successfully. Overview We […]

Categories: Application Security, Heap Exploitation

glibc Heap Exploitation: tcache dup

tcache dup makes use of a double free (like fastbin dup). The fastbin dup makes use of the fastbin freelists, while tcache dup makes use of the tcache freelists. When we allocate a chunk and free it twice, the subsequent allocations will be duplicates and we can trick the allocator into returning a desired memory […]

Categories: Application Security, Heap Exploitation

glibc Heap Exploitation: House of Force

(Update 05/2019: Made a note that this method is now patched in glibc>=2.29) The “House of Force” is a glibc heap overflow exploitation technique first named in the archived email “Malloc Maleficarum” by Phantasmal Phantasmagoria, and subsequently a PoC surfaced online in the Phrack magazine. Vector The House of Force technique overwrites the top chunk […]

Categories: Application Security, Heap Exploitation

glibc Heap Exploitation: fastbin dup techniques

Consider what happens if we allocate a fastbin-sized chunk and free it multiple times. We know that free() pushes the freed chunk onto the fastbin, but if it is freed multiple times, the same freed chunk would end up multiple times in the same fastbin, which makes reallocation of the same chunk to different allocation requests possible. This is […]