shellphish / how2heap

A repository for learning various heap exploitation techniques.
MIT License

House of lore #155

Closed Ch0pin closed 2 years ago

Ch0pin commented 2 years ago

Hi folks,

Checking the corresponding poc for the latest version, I got here (line 92):

  fprintf(stderr, "\nIn the unsorted bin the victim's fwd and bk pointers are nil\n");
  fprintf(stderr, "victim->fwd: %p\n", (void *)victim[0]);
  fprintf(stderr, "victim->bk: %p\n\n", (void *)victim[1]);

How accurate is the above?

It seems like bk and fwd are pointing to the top chunk:

gef➤  x/20gx 0x00005555555592a0-16
0x555555559290: 0x0000000000000000  0x0000000000000111
0x5555555592a0: 0x00007ffff7fb7be0  0x00007ffff7fb7be0
0x5555555592b0: 0x0000000000000000  0x0000000000000000
0x5555555592c0: 0x0000000000000000  0x0000000000000000

where:

gef➤  x/20gx 0x7ffff7fb7be0-96
0x7ffff7fb7b80 <main_arena>:    0x0000000000000000  0x0000000000000000
0x7ffff7fb7b90 <main_arena+16>: 0x0000000000000000  0x0000000000000000
0x7ffff7fb7ba0 <main_arena+32>: 0x0000000000000000  0x0000000000000000
0x7ffff7fb7bb0 <main_arena+48>: 0x0000000000000000  0x0000000000000000
0x7ffff7fb7bc0 <main_arena+64>: 0x0000000000000000  0x0000000000000000
0x7ffff7fb7bd0 <main_arena+80>: 0x0000000000000000  0x0000000000000000
0x7ffff7fb7be0 <main_arena+96>: 0x0000555555559f00  0x0000000000000000
0x7ffff7fb7bf0 <main_arena+112>:    0x0000555555559290  0x0000555555559290
0x7ffff7fb7c00 <main_arena+128>:    0x00007ffff7fb7bf0  0x00007ffff7fb7bf0
0x7ffff7fb7c10 <main_arena+144>:    0x00007ffff7fb7c00  0x00007ffff7fb7c00

Kyle-Kyle commented 2 years ago

You are right. The pointers are not NULL but the unsorted bin header address, since the victim just got added into the unsorted bin.
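
To see the behaviour described in this reply without a debugger, the following is an added example, not code from this issue or from how2heap's house_of_lore.c. It frees a chunk that is too large for tcache and the fastbins, reads the fd/bk that free() wrote into it, and then follows those links into the bin header to check that the header's own fd/bk point back at the freed chunk. It assumes 64-bit glibc (ptmalloc) on Linux; `VICTIM_SIZE`, `probe_unsorted_bin` and the `unsorted_probe` struct are names chosen for this example, not glibc or how2heap identifiers.

```c
#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>

/*
 * Added demonstration (not from how2heap): free() a chunk that is too big
 * for tcache and fastbins and inspect what glibc wrote into its fd/bk.
 * Assumption: 64-bit glibc ptmalloc. 0x420 user bytes -> 0x430 chunk size,
 * above the 0x408-byte tcache limit, so free() sends it to the unsorted bin.
 */
#define VICTIM_SIZE 0x420

struct unsorted_probe {
    uintptr_t chunk;     /* address of the victim's chunk header (user ptr - 0x10) */
    uintptr_t fd;        /* victim->fd as written by free() */
    uintptr_t bk;        /* victim->bk as written by free() */
    uintptr_t bin_fd;    /* fd stored in the bin header that victim->fd points to */
    uintptr_t bin_bk;    /* bk stored in that same bin header */
    int reclaimed;       /* 1 if the next malloc of the same size returned the victim */
};

struct unsorted_probe probe_unsorted_bin(void)
{
    struct unsorted_probe p = {0};

    /* In-use neighbours on both sides so free() cannot merge the victim
     * with a free chunk or with the top chunk (which would bypass the bin). */
    void *guard_lo = malloc(VICTIM_SIZE);
    uintptr_t *victim = malloc(VICTIM_SIZE);
    void *guard_hi = malloc(VICTIM_SIZE);
    if (!guard_lo || !victim || !guard_hi)
        return p;

    /* Markers in the first two qwords: if they survive, free() left fd/bk
     * alone; if they are gone, free() linked the chunk into a bin. */
    victim[0] = 0x4141414141414141ULL;
    victim[1] = 0x4242424242424242ULL;

    /* Keep the address as an integer: the read below is a deliberate look
     * at freed memory, the same thing the gdb dump in the issue shows. */
    uintptr_t victim_addr = (uintptr_t)victim;
    free(victim);

    uintptr_t *freed = (uintptr_t *)victim_addr;
    p.chunk = victim_addr - 2 * sizeof(size_t);
    p.fd = freed[0];
    p.bk = freed[1];

    /* With the bin otherwise empty both links point to the same place: the
     * unsorted bin "header" inside main_arena, which is laid out like a chunk
     * whose fd/bk live at +0x10 and +0x18. Both should point back at the victim. */
    uintptr_t *bin = (uintptr_t *)p.fd;
    p.bin_fd = bin[2];
    p.bin_bk = bin[3];

    /* An exact-size request is served from the unsorted bin, so the same
     * chunk comes back; this also leaves the heap tidy for the cleanup below. */
    void *again = malloc(VICTIM_SIZE);
    p.reclaimed = ((uintptr_t)again == victim_addr);

    free(again);
    free(guard_hi);
    free(guard_lo);
    return p;
}

int main(void)
{
    struct unsorted_probe p = probe_unsorted_bin();
    printf("victim chunk: %#lx\n", (unsigned long)p.chunk);
    printf("victim->fd:   %#lx\n", (unsigned long)p.fd);
    printf("victim->bk:   %#lx\n", (unsigned long)p.bk);
    printf("bin->fd:      %#lx\n", (unsigned long)p.bin_fd);
    printf("bin->bk:      %#lx\n", (unsigned long)p.bin_bk);
    printf("reclaimed:    %d\n", p.reclaimed);
    return 0;
}
```

Build it with `gcc -o probe probe.c` and run it: the two links are equal, non-NULL and lie inside libc (the bin header in main_arena), and the two qwords at that address +0x10 and +0x18 hold the victim's chunk address, which is exactly the pattern in the gdb dump above. The read of `freed[0]`/`freed[1]` after free() is intentional and would be flagged by AddressSanitizer; it is there to show the bin links, not as a pattern to copy.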

Kyle-Kyle commented 2 years ago

It is impossible for a chunk in the unsorted bin to have NULL fwd/bck pointers (under normal scenarios).

Kyle-Kyle commented 2 years ago

The description is updated in https://github.com/shellphish/how2heap/commit/43bd97f8cbd1cf9836fffcfc17576bd0523da4de. Thanks for the contribution!