Linux Heap
General
Find good fake chunk values in pwndbg:
Possible Arbitrary Write Targets for Code Exec
Single Byte Overflow
If we can overflow a single byte, we can change the size field of the following chunk. If that chunk is then freed, the allocator trusts the enlarged size. If we now allocate the enlarged chunk again, we can overflow fully into the chunk that follows it. Usually you would use the following setup to overflow into chunk B:
Null Byte Poisoning / Overflow
House Of Force
Libc: libc-2.28.so
Overwrite the size field of the top chunk (e.g. via a full heap overflow). The top chunk can then extend down the heap, over libraries and into the stack. We can also make it so large that the address wraps around and points back into the heap. The following snippet writes a large value into the top chunk's size field and then requests just enough space to reach the malloc hook, so that it can be set to an arbitrary value:
Fastbin Dup
Libc: glibc-2.30
Fastbins are singly linked lists (LIFO). The heap arena can only store one head address per fastbin size, so the pointers to the next elements are stored in the chunk's heap metadata next to the user data.
Via Double Free
Some libc versions have a double-free check, which verifies that the top entry in the bin is not identical to the chunk being added. This can be bypassed by making sure "a" is not on top when freeing "a" again:
A full exploit could look like this:
The chunk ends up in the fastbin list twice, so the next malloc returns it and lets us overwrite its linked-list pointer. We then "use up" the remaining entries of the fastbin until malloc returns the allocation at the malloc hook.
When looking for useful fake chunk targets, we can also place one directly in the main arena (first write the size field, then allocate the fake chunk).