shellphish / how2heap

A repository for learning various heap exploitation techniques.
MIT License

Added Safe link double protect #171

Closed UDPctf closed 9 months ago

UDPctf commented 10 months ago

A blind safe-link PROTECT_PTR bypass I came across a while ago.

It requires a strong primitive, namely control of the t-cache metadata.

It references another technique called "House of Water", for which I will open a PR asap. It is a technique for getting t-cache control leakless and also indexing a libc pointer leakless.

A sample of these two techniques can be found in the CTF challenge I wrote specifically with them in mind here: Tamagoyaki
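For readers unfamiliar with the mitigation this PR targets: the following is an added C example, not code from this PR or from the how2heap repository, showing how glibc's safe-linking (PROTECT_PTR / REVEAL_PTR, glibc 2.32 and later) mangles the tcache `next` pointer and why the check needs the exact address of the field. The `tcache_entry` struct here is a constructed stand-in with only the `next` field, and the macro definitions are those from glibc's malloc.c.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* glibc >= 2.32 safe-linking: the tcache/fastbin 'next' field is stored
   XORed with the address of the field itself shifted right by 12 bits,
   i.e. the page number of the chunk holding it. Macros as in glibc malloc.c. */
#define PROTECT_PTR(pos, ptr) \
  ((__typeof (ptr)) ((((size_t) pos) >> 12) ^ ((size_t) ptr)))
#define REVEAL_PTR(ptr) PROTECT_PTR (&ptr, ptr)

/* Constructed stand-in for a freed tcache chunk: only the 'next' field. */
typedef struct tcache_entry {
  struct tcache_entry *next;
} tcache_entry;

/* Store 'next' into 'e' the way tcache_put does. */
static void tcache_put_next(tcache_entry *e, tcache_entry *next) {
  e->next = PROTECT_PTR(&e->next, next);
}

/* Read 'next' back the way tcache_get does. */
static tcache_entry *tcache_get_next(tcache_entry *e) {
  return REVEAL_PTR(e->next);
}

/* Returns 1 if a legitimately stored pointer round-trips through the macros. */
int roundtrip_ok(void) {
  static tcache_entry a, b; /* constructed sample chunks */
  tcache_put_next(&a, &b);
  return tcache_get_next(&a) == &b;
}

/* What the mitigation buys: a 'next' field overwritten with a raw, unmangled
   address is XORed with the field's page number on the way out, so without
   knowing the heap address the revealed pointer is garbage, not the target.
   Returns 1 if the raw overwrite did NOT yield the intended pointer. */
int raw_overwrite_misses(void) {
  static tcache_entry a, target;
  a.next = &target; /* written without PROTECT_PTR, as a corruption would be */
  return tcache_get_next(&a) != &target;
}

int main(void) {
  printf("legitimate round-trip ok: %d\n", roundtrip_ok());
  printf("raw overwrite misses target: %d\n", raw_overwrite_misses());
  return 0;
}
```

The second function is the whole point of the mitigation: the mangling key is the heap page address of the field, which is why the bypass described in this PR needs control of the t-cache metadata rather than a plain `next` overwrite.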

Kyle-Kyle commented 9 months ago

This looks good. Thank you for the contribution!