Heap exploitation of ptmalloc in glibc 2.31.
Heap exploitation techniques for glibc 2.29 through 2.31, together with CTF challenges that exercise each technique.
| Technique | File | CTF Challenges |
|---|---|---|
| tcache stashing unlink attack | tcache_stashing_unlink | 2019 Hitcon One-punch-man |
| tcache stashing unlink attack+ | tcache_stashing_unlink+ | 2019 Hitcon Lazyhouse |
| tcache stashing unlink attack++ | tcache_stashing_unlink++ | 2020 XCTF-GXZY twochunk |
| off by null byte | off by null | 2019 TCTF-Final Babyheap2.29, 2019 Balsn Plaintext |
| large bin attack | largebin_attack | |
| tcache dup | tcache_dup | |
| tcache double free | tcache double free | |
| fastbin double free | fastbin_double_free | |
| house of botcake | house of botcake | |
The other heap exploitation techniques are the same as in how2heap, so no additional code is written for them: https://github.com/shellphish/how2heap
https://github.com/scwuaptx/Pwngdb is an excellent gdb script for heap exploitation, but from glibc 2.30 onwards (so also in 2.31) the tcache struct has changed: the per-bin `counts` array was widened from `char` to `uint16_t`.
```c
// version 2.27 - version 2.29
typedef struct tcache_perthread_struct
{
  char counts[TCACHE_MAX_BINS];
  tcache_entry *entries[TCACHE_MAX_BINS];
} tcache_perthread_struct;

// version 2.31
typedef struct tcache_perthread_struct
{
  uint16_t counts[TCACHE_MAX_BINS];
  tcache_entry *entries[TCACHE_MAX_BINS];
} tcache_perthread_struct;
```
With TCACHE_MAX_BINS = 64 this moves `entries` from offset 0x40 to offset 0x80 and grows the struct from 0x240 to 0x280 bytes, so a script that still assumes the old layout reads the bin counts and head pointers from the wrong offsets when it analyses the tcache. The script needs to be updated for the new layout.
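To make the layout difference concrete, here is an added example (not code from this repo or from Pwngdb) that parses a raw dump of `tcache_perthread_struct` under both layouts. It assumes x86-64 (8-byte little-endian pointers), TCACHE_MAX_BINS = 64, and glibc's `csize2tidx()` formula; the dump bytes are constructed with `build_dump()`, not captured from a real process. The `main()` shows what happens when bytes laid out for 2.31 are read with the 2.29 offsets.

```c
/* Added example: tcache_perthread_struct layout, glibc 2.27-2.29 vs 2.30-2.31.
 * Assumes x86-64 (8-byte pointers, little-endian) and TCACHE_MAX_BINS = 64.
 * The "dump" bytes are constructed here, not taken from a live heap. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TCACHE_MAX_BINS 64
#define MINSIZE 0x20            /* glibc x86-64 values */
#define MALLOC_ALIGNMENT 0x10

/* glibc 2.27 - 2.29: one byte per bin, entries[] starts at 0x40 */
typedef struct {
    char counts[TCACHE_MAX_BINS];
    void *entries[TCACHE_MAX_BINS];
} tcache_perthread_struct_229;

/* glibc 2.30 - 2.31: two bytes per bin, entries[] starts at 0x80 */
typedef struct {
    uint16_t counts[TCACHE_MAX_BINS];
    void *entries[TCACHE_MAX_BINS];
} tcache_perthread_struct_231;

/* glibc's csize2tidx(): chunk size -> tcache bin index */
size_t csize2tidx(size_t chunk_size) {
    return (chunk_size - MINSIZE + MALLOC_ALIGNMENT - 1) / MALLOC_ALIGNMENT;
}

static int wide_counts(int glibc_minor) { return glibc_minor >= 30; }

size_t tcache_struct_size(int glibc_minor) {
    return wide_counts(glibc_minor) ? sizeof(tcache_perthread_struct_231)
                                    : sizeof(tcache_perthread_struct_229);
}

size_t entries_offset(int glibc_minor) {
    return wide_counts(glibc_minor) ? offsetof(tcache_perthread_struct_231, entries)
                                    : offsetof(tcache_perthread_struct_229, entries);
}

/* Read count and head pointer of bin idx from the raw struct bytes, i.e. what a
 * heap-inspection script sees right after the 0x10-byte chunk header. */
int read_tcache_bin(const unsigned char *raw, int glibc_minor, size_t idx,
                    unsigned *count_out, uintptr_t *head_out) {
    if (idx >= TCACHE_MAX_BINS) return -1;
    if (wide_counts(glibc_minor)) {
        uint16_t c;
        memcpy(&c, raw + idx * sizeof c, sizeof c);
        *count_out = c;
    } else {
        *count_out = (unsigned char)raw[idx];
    }
    uintptr_t head;
    memcpy(&head, raw + entries_offset(glibc_minor) + idx * sizeof head, sizeof head);
    *head_out = head;
    return 0;
}

/* Constructed dump with one populated bin; raw must hold at least 0x280 bytes. */
void build_dump(unsigned char *raw, int glibc_minor, size_t idx, unsigned n,
                uintptr_t head) {
    memset(raw, 0, sizeof(tcache_perthread_struct_231));
    if (wide_counts(glibc_minor)) {
        uint16_t c = (uint16_t)n;
        memcpy(raw + idx * sizeof c, &c, sizeof c);
    } else {
        raw[idx] = (unsigned char)n;
    }
    memcpy(raw + entries_offset(glibc_minor) + idx * sizeof head, &head, sizeof head);
}

int main(void) {
    unsigned char raw[sizeof(tcache_perthread_struct_231)];
    unsigned cnt;
    uintptr_t head;
    size_t idx = csize2tidx(0x70);            /* 0x70 chunk -> bin 5 */
    build_dump(raw, 31, idx, 3, 0x5555555592a0UL);   /* hypothetical heap address */

    read_tcache_bin(raw, 31, idx, &cnt, &head);
    printf("2.31 layout: bin %zu count=%u head=%#lx\n", idx, cnt, (unsigned long)head);
    read_tcache_bin(raw, 29, idx, &cnt, &head);      /* same bytes, old offsets */
    printf("2.29 layout: bin %zu count=%u head=%#lx (misread)\n", idx, cnt,
           (unsigned long)head);
    printf("struct size: 2.29=%#zx 2.31=%#zx\n", tcache_struct_size(29),
           tcache_struct_size(31));
    return 0;
}
```

The struct sizes explain a detail you see in every heap dump: the first chunk of the heap, which holds this struct plus its 0x10-byte header, is 0x250 bytes on glibc 2.27 and 0x290 bytes on glibc 2.31. A script that walks the tcache should select the layout by glibc version (or by that first chunk's size) before reading `counts` and `entries`.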