shellphish / how2heap

A repository for learning various heap exploitation techniques.
MIT License

House of spirit #154

Closed Ch0pin closed 2 years ago

Ch0pin commented 2 years ago

house_of_spirit.c in the README section links to https://github.com/shellphish/how2heap/blob/master/glibc_2.23/house_of_spirit.c, which still uses the fastbin list. Since the Glibc-Version column refers to the "latest", it would be better to link the one that points to the tcache versions.

fr0ster commented 2 years ago

Does GLIBC-2.23 have tcache? I read tcache was introduced after 2.26 version.

Ch0pin commented 2 years ago

This is why I am suggesting to point the link to the latest glibc version poc. The current one is misleading, since after the tcache introduction, there is no need for a second chunk.

fr0ster commented 2 years ago

I think the link leads to the oldest glibc version which has this vulnerability. The version of house_of_spirit from glibc_2.23 works with 2.34 too, and the tcache version has a separate file.

Ch0pin commented 2 years ago

Indeed, but since the Glibc-Version in the README refers to the "latest", shouldn't this link be updated?

fr0ster commented 2 years ago

From one side, Glibc-Version refers to the newest version with the vulnerability and could link to the latest version. But for house of spirit, the version of the exploit for 2.23 doesn't have any differences from the version for the latest glibc. So maybe the link to the oldest version isn't the best solution, but it isn't the worst, as for me :)

Ch0pin commented 2 years ago

In glibc's exploit for 2.23 you have to pass the double linked list check, so you have to create a second fake chunk to bypass the checks. Since tcache is singly linked, you don't have to add the second chunk. It took me a while to understand why the code was creating a second fake chunk, until I realised that it was referring to glibc versions using the fastbins.

> but for house of spirit, the version of the exploit for 2.23 doesn't have any differences from the version for the latest glibc.

The code is different.

Ch0pin commented 2 years ago

Anyway, I don't want to insist. After all it is just a detail.

fr0ster commented 2 years ago

> In glibc's exploit for 2.23 you have to pass the double linked list check, so you have to create a second fake chunk to bypass the checks. Since tcache is singly linked, you don't have to add the second chunk. It took me a while to understand why the code was creating a second fake chunk, until I realised that it was referring to glibc versions using the fastbins.
>
> > but for house of spirit, the version of the exploit for 2.23 doesn't have any differences from the version for the latest glibc.
>
> The code is different.

For the tcache attack there is https://github.com/shellphish/how2heap/blob/master/glibc_2.34/tcache_house_of_spirit.c
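The point made in the comments above (the 2.23 fastbin path needs a plausibly sized second chunk, the tcache path does not) comes from the sanity checks free() runs before it accepts a chunk. The following is an added example, not how2heap's code and not glibc's: it re-implements those checks in simplified form on a constructed buffer, so you can see which check the fastbin path adds. The constants `MAX_FAST`, `TCACHE_MAX` and `TCACHE_COUNT` follow glibc's 64-bit defaults; `SYSTEM_MEM` is an assumed arena size standing in for `av->system_mem`, and the behaviour when the tcache bin is full is reduced to an error string rather than the real fall-through to the fastbin path.

```c
/* Added example (not how2heap's or glibc's code): a model of the checks that
 * free() applies before placing a chunk on a fastbin (glibc 2.23) versus a
 * tcache bin (glibc 2.26+). Runs on a constructed buffer, never on the real heap. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SIZE_SZ      sizeof(size_t)
#define MALLOC_ALIGN (2 * SIZE_SZ)
#define MINSIZE      (4 * SIZE_SZ)
#define MAX_FAST     (64 * SIZE_SZ / 4)  /* glibc DEFAULT_MXFAST: 0x80 on 64-bit */
#define TCACHE_MAX   1032                /* largest chunk size tcache accepts (64-bit) */
#define TCACHE_COUNT 7                   /* default entries per tcache bin */
#define SYSTEM_MEM   0x21000             /* assumed arena size, stands in for av->system_mem */

/* Mirrors the header layout of glibc's malloc_chunk; the low 3 bits of size are flags. */
struct chunk { size_t prev_size; size_t size; };

static size_t chunksize(const struct chunk *p) { return p->size & ~(size_t)7; }

/* Checks both paths share: the "invalid pointer" and "invalid size" tests. */
static const char *common_checks(const struct chunk *p) {
    size_t size = chunksize(p);
    if (((uintptr_t)p & (MALLOC_ALIGN - 1)) != 0) return "free(): invalid pointer";
    if (size < MINSIZE || (size & (MALLOC_ALIGN - 1)) != 0) return "free(): invalid size";
    return NULL;
}

/* glibc 2.23 fastbin path: also validates the size field of the chunk that
 * immediately follows p. A lone fake chunk with zeroed memory after it fails here. */
static const char *fastbin_free_checks(const struct chunk *p) {
    const char *err = common_checks(p);
    if (err) return err;
    size_t size = chunksize(p);
    if (size > MAX_FAST) return "not a fastbin size";
    const struct chunk *next = (const struct chunk *)((const char *)p + size);
    if (next->size <= 2 * SIZE_SZ || chunksize(next) >= SYSTEM_MEM)
        return "free(): invalid next size (fast)";
    return NULL;
}

/* glibc 2.26+ tcache path: common checks plus bin size and count limits only;
 * the neighbouring chunk is never inspected. (In real glibc a full bin falls
 * through to the fastbin path; here that is simplified to an error string.) */
static const char *tcache_free_checks(const struct chunk *p, unsigned bin_count) {
    const char *err = common_checks(p);
    if (err) return err;
    if (chunksize(p) > TCACHE_MAX) return "not a tcache size";
    if (bin_count >= TCACHE_COUNT) return "tcache bin full (would fall through to fastbin path)";
    return NULL;
}

/* Constructed, 16-byte aligned buffer standing in for memory the chunk lives in. */
static _Alignas(16) size_t arena[64];

/* Build one 0x40-byte fake chunk at the start of the arena; next_size is what
 * the memory right after it holds (0 models "no second fake chunk"). */
static struct chunk *build_fake(size_t next_size) {
    memset(arena, 0, sizeof arena);
    struct chunk *p = (struct chunk *)arena;
    p->size = 0x40 | 1;                         /* 64 bytes, PREV_INUSE set */
    struct chunk *next = (struct chunk *)((char *)p + 0x40);
    next->size = next_size;
    return p;
}

int lone_chunk_passes_fastbin(void)   { return fastbin_free_checks(build_fake(0)) == NULL; }
int lone_chunk_passes_tcache(void)    { return tcache_free_checks(build_fake(0), 0) == NULL; }
/* A second fake chunk whose size is > 2*SIZE_SZ and < SYSTEM_MEM satisfies the extra check. */
int paired_chunk_passes_fastbin(void) { return fastbin_free_checks(build_fake(0x20 | 1)) == NULL; }

int main(void) {
    printf("lone fake chunk, fastbin path  : %s\n", lone_chunk_passes_fastbin() ? "accepted" : "rejected");
    printf("lone fake chunk, tcache path   : %s\n", lone_chunk_passes_tcache() ? "accepted" : "rejected");
    printf("fake chunk + next, fastbin path: %s\n", paired_chunk_passes_fastbin() ? "accepted" : "rejected");
    return 0;
}
```

The three result functions make the difference between the two PoCs explicit: the fastbin path rejects the lone chunk with "invalid next size (fast)", which is exactly the check the glibc_2.23 file has to satisfy with its second fake chunk, while the tcache path accepts it with no neighbour present.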

Kyle-Kyle commented 2 years ago

I think you are right. The links should point to the latest exploit versions. I'll go through all the links and fix the links.

fr0ster commented 2 years ago

> I think you are right. The links should point to the latest exploit versions. I'll go through all the links and fix the links.

Does this mean house_of_spirit will be copied into every folder from glibc_2.23 up to glibc_2.34?

Kyle-Kyle commented 2 years ago

@fr0ster yes. And of course with implementation changes for tcache filling and safe-linking. I want to preserve this to remind people that heap exploitation is not just about tcache. fastbin is also a thing.

Kyle-Kyle commented 2 years ago

It is fixed in the upstream. I'm closing this :D