Binary Exploitation - Linux - Heap

Table of Contents

Binary Exploitation - Linux - Heap
- tags: Security PWN
Online Resources
Mechanism
- Detection in Glibc
Use after free
- Fastbin corruption (Fastbin attack)
Overflow
- knowledge: Unlink
- Malloc Maleficarum
  - The House of Spirit
    - Overwrite Fastbin
  - The House of Force
Tcache
Tricks

tags: `Security` `PWN`

Online Resources

shellphish/how2heap Angelboy/Tcache Angelboy/Heap Angelboy/Advanced Heap

Mechanism

Detection in Glibc

Use after free

Fastbin corruption (Fastbin attack)

Overflow

通常無法直接控制 eip 但可以利用蓋下一個 chunk header，再利用 malloc 或 free 的行為達成任意位置寫入，最後控制 eip

knowledge: Unlink

Malloc Maleficarum

The House of Spirit

Overwrite Fastbin

The House of Force

Tcache

Tricks

hooks

__malloc_hook
__free_hook
__realloc_hook

Overlap

Shrink the chunk

Extend the chunk

Unsorted bin attack