House of Lore | Small bin Attack
Check the one from
This one isn't working.
Or:
This one isn't working either, even though it tries to bypass some checks; it fails with the error: malloc(): unaligned tcache chunk detected
This example is still working:
Insert a fake small chunk into the small bin so that it can then be allocated. Note that the small chunk added is a fake one the attacker creates, not a fake chunk at an arbitrary position.

Create 2 fake chunks and link them together and with the legit chunk in the small bin:

fake0.bk -> fake1
fake1.fd -> fake0
fake0.fd -> legit (you need to modify a pointer in the freed small bin chunk via some other vuln)
legit.bk -> fake0

Then you will be able to allocate fake0.
A small chunk (legit) is allocated, then another one is allocated to prevent consolidation with the top chunk. Then legit is freed (moving it to the unsorted bin list) and a larger chunk is allocated, which moves legit to the small bin.
An attacker generates a couple of fake small chunks and makes the needed linking to bypass the sanity checks:

fake0.bk -> fake1
fake1.fd -> fake0
fake0.fd -> legit (you need to modify a pointer in the freed small bin chunk via some other vuln)
legit.bk -> fake0

A small chunk is allocated, returning legit and leaving fake0 as the next chunk the small bin will hand out.
Another small chunk is allocated, returning fake0 as a chunk, which potentially allows reading/writing pointers inside of it.
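As an added illustration (this is not code from the page, and not glibc source), the following C model rebuilds the linkage above over constructed chunks and runs the check `_int_malloc` performs on the victim's predecessor when taking a small bin chunk (`bck->fd != victim`), next to a stricter heap-bounds invariant that a hardened allocator or a heap-inspection tool could apply to flag list neighbours that do not live in the heap. The bounds invariant is an assumption for this example, not something glibc does; `heap_region`, `take_last` and `run_scenario` are hypothetical names.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Educational model only: the chunk fields the small bin doubly-linked list uses. */
typedef struct chunk {
    size_t prev_size;
    size_t size;
    struct chunk *fd;
    struct chunk *bk;
} chunk_t;

/* Constructed "heap": the legitimately freed chunk lives here. The fake chunks
 * from the page live in other attacker-controlled memory, so they are outside it. */
static uint8_t heap_region[4096];

/* A bin is a pseudo-chunk whose fd/bk delimit the list; bin.bk ("last(bin)") is
 * the chunk _int_malloc hands out next. */
typedef struct { chunk_t head; } smallbin_t;

/* Modelled after the check glibc applies on the victim's predecessor:
 *   bck = victim->bk; if (bck->fd != victim) malloc_printerr(...)
 * Returns 1 when the list looks consistent, 0 when corruption is detected. */
static int glibc_smallbin_check(const chunk_t *victim) {
    const chunk_t *bck = victim->bk;
    return bck != NULL && bck->fd == victim;
}

/* Stricter invariant (assumption, not a glibc check): every list neighbour must be
 * the bin head or a chunk located inside the heap region. */
static int in_heap(const chunk_t *c) {
    uintptr_t p = (uintptr_t)c, lo = (uintptr_t)heap_region;
    return p >= lo && p + sizeof *c <= lo + sizeof heap_region;
}
static int strict_smallbin_check(const smallbin_t *bin, const chunk_t *victim) {
    const chunk_t *bck = victim->bk;
    return glibc_smallbin_check(victim) && (bck == &bin->head || in_heap(bck));
}

/* Remove the last chunk of the bin the way _int_malloc does; NULL if empty or the check fails. */
static chunk_t *take_last(smallbin_t *bin) {
    chunk_t *victim = bin->head.bk;
    if (victim == &bin->head || !glibc_smallbin_check(victim)) return NULL;
    chunk_t *bck = victim->bk;
    bin->head.bk = bck;
    bck->fd = &bin->head;
    return victim;
}

typedef struct {
    int glibc_pass_legit, glibc_pass_fake0;   /* verdict of the glibc-style check at each step */
    int strict_pass_legit, strict_pass_fake0; /* verdict of the heap-bounds invariant */
    int second_alloc_is_fake0;                /* did the second allocation return fake0? */
} verdict_t;

/* Builds exactly the linkage listed on the page and performs the two small bin allocations. */
static verdict_t run_scenario(void) {
    static chunk_t fake0, fake1;   /* attacker-controlled memory outside the heap (constructed) */
    smallbin_t bin;
    verdict_t v;
    memset(&fake0, 0, sizeof fake0);
    memset(&fake1, 0, sizeof fake1);
    memset(heap_region, 0, sizeof heap_region);

    /* legit has been freed and sorted into the small bin: bin <-> legit */
    chunk_t *legit = (chunk_t *)heap_region;
    legit->size = 0x90;
    bin.head.fd = bin.head.bk = legit;
    legit->fd = legit->bk = &bin.head;

    /* the page's linkage */
    fake0.bk = &fake1;
    fake1.fd = &fake0;
    fake0.fd = legit;
    legit->bk = &fake0;    /* the one write that needs a separate bug */

    v.glibc_pass_legit = glibc_smallbin_check(legit);
    v.strict_pass_legit = strict_smallbin_check(&bin, legit);
    chunk_t *first = take_last(&bin);            /* returns legit; fake0 becomes last(bin) */

    v.glibc_pass_fake0 = first ? glibc_smallbin_check(bin.head.bk) : 0;
    v.strict_pass_fake0 = first ? strict_smallbin_check(&bin, bin.head.bk) : 0;
    chunk_t *second = take_last(&bin);
    v.second_alloc_is_fake0 = (second == &fake0);
    return v;
}

int main(void) {
    verdict_t v = run_scenario();
    printf("legit: glibc=%d strict=%d\n", v.glibc_pass_legit, v.strict_pass_legit);
    printf("fake0: glibc=%d strict=%d returned_fake0=%d\n",
           v.glibc_pass_fake0, v.strict_pass_fake0, v.second_alloc_is_fake0);
    return 0;
}
```

The model shows the point of the fake1 link: the glibc-style check only looks one hop backwards, so fake0.bk -> fake1 with fake1.fd -> fake0 satisfies it for the second removal just as legit.bk -> fake0 with fake0.fd -> legit satisfies it for the first. The bounds invariant rejects both steps because neither predecessor lies inside the heap, which is the kind of signal a heap-integrity checker can use to detect this layout before a fake chunk is handed out.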