House of Lore

Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!

Other ways to support HackTricks:

Basic Information

Code

Goal

  • Insert a fake small chunk into the small bin so that it can then be allocated.

Requirements

  • Create fake chunks
  • Know the address of the victim chunk and the fake chunks
  • Be able to modify the bk and fd pointers

Attack

  • A victim small chunk is allocated
  • An attacker generates a couple of fake small chunks, making the first fake chunk's fd point to a real chunk and its bk point to the second fake chunk. Also, make the second fake chunk's bk point to the first one.
  • Then, a new large chunk is allocated to prevent the first one from being merged into the top chunk when freed.
  • Then, the initial pointer is freed and a second pointer of a bigger size is allocated, so the freed initial small chunk is placed in the small bin.
  • The real small chunk is modified so its bk pointer points to the fake one and.
  • Then, when 2 chunks of this size are allocated, the first allocation returns the valid chunk and the second returns the invalid chunk, which is somehow controlled by the attacker.
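
The steps above all revolve around the consistency check malloc performs before it hands out a chunk from a small bin: the chunk reached through bk must have an fd that points back. The following C model of that check is an added example, not code from the original page or from glibc; the struct layout, `bin_insert`, `smallbin_take` and both demo cases are simplified, constructed assumptions.

```c
#include <stddef.h>
#include <stdio.h>

/* Simplified model of a malloc chunk header (illustrative, not glibc's source). */
struct chunk { size_t prev_size, size; struct chunk *fd, *bk; };
enum { BIN_OK = 0, BIN_EMPTY = 1, BIN_CORRUPT = -1 };

/* Link c at the head (fd side) of a circular doubly linked bin. */
static void bin_insert(struct chunk *bin, struct chunk *c) {
    c->fd = bin->fd;
    c->bk = bin;
    bin->fd->bk = c;
    bin->fd = c;
}

/* Take the oldest chunk (bin->bk), first verifying that its bk neighbour
 * links back to it. BIN_CORRUPT models the point where glibc aborts with
 * "malloc(): smallbin double linked list corrupted". */
static int smallbin_take(struct chunk *bin, struct chunk **out) {
    struct chunk *victim = bin->bk;
    if (victim == bin) return BIN_EMPTY;
    struct chunk *bck = victim->bk;
    if (bck->fd != victim) return BIN_CORRUPT;
    bin->bk = bck;
    bck->fd = bin;
    *out = victim;
    return BIN_OK;
}

/* Constructed case 1: untouched bin holding one freed chunk. */
int demo_intact(void) {
    struct chunk bin = {0}, a = {0}, *out = NULL;
    bin.fd = bin.bk = &bin;
    bin_insert(&bin, &a);
    return smallbin_take(&bin, &out) == BIN_OK && out == &a;
}

/* Constructed case 2: the freed chunk's bk now references a foreign chunk
 * whose fd does not point back, so the consistency check rejects it. */
int demo_corrupted(void) {
    struct chunk bin = {0}, a = {0}, foreign = {0}, *out = NULL;
    bin.fd = bin.bk = &bin;
    bin_insert(&bin, &a);
    a.bk = &foreign;
    return smallbin_take(&bin, &out);
}

int main(void) {
    printf("intact=%d corrupted=%d\n", demo_intact(), demo_corrupted());
}
```

The check only compares pointers, which is why the requirements list includes knowing the addresses of the victim and fake chunks: without them, a forged link fails here and the process aborts.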
