Closed (zardus closed this issue 7 years ago)
The initial trick for babyheap (which I only found out from the published exploit) was the fact that scanf ("hidden" out of sight in the exit menu option) allocates a file buffer on the heap with malloc(0x1000), the contents of which we can control. Also, its size is rounded to 0x1010 by malloc and this displaces the other allocations just right. I'm not familiar with libio in libc and didn't really look into this to find out which other functions do this.
While a neat trick, I'm not sure if it's worth including in its own example. House of Orange had a similarly obscure trick from what my teammates told me (no free calls in the binary, but sysmalloc may call free upon top expansion), as did Sleepy Holder (forcing a chunk in a fastbin into the corresponding smallbin via malloc_consolidate to allow for a double free of said chunk without failing the fastbin double free check, and for its effect of unsetting PREV_INUSE of the next chunk).
Maybe create a (possibly separate) list of such tricks with a short description and the concrete CTF challenges where they came up?
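Added example (mine, not code from this thread or from the how2heap repository) of the stdio buffer allocation described in the comment above. It assumes 64-bit glibc on Linux with 4K pages: the first read on a FILE runs `_IO_file_doallocate`, which does `malloc(st_blksize)` (capped at BUFSIZ); a pipe or socket reports st_blksize = 0x1000, so a CTF service connected over a socket gets the 0x1010 chunk the comment mentions (an interactive tty reports 0x400 instead, which is why local runs look different). The stream here is a pipe created by the program, the payload is constructed, and the `probe_stdio_buffer` / `stdio_buffer_demo_ok` names are my own; `__fbufsize` is a real glibc extension from `<stdio_ext.h>`.

```c
#define _GNU_SOURCE
#include <stdint.h>
#include <stdio.h>
#include <stdio_ext.h>   /* __fbufsize(), glibc extension: size of a stream's buffer */
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* What the probe observed about the heap around the stream buffer. */
struct stdio_probe {
    int    value;          /* number parsed by fscanf */
    size_t bufsize;        /* __fbufsize(): bytes in the stream buffer */
    size_t next_chunk;     /* size of the heap chunk right after the marker */
    int    payload_in_buf; /* 1 if that chunk holds the complete input line */
};

struct stdio_probe probe_stdio_buffer(void)
{
    struct stdio_probe res = {0, 0, 0, 0};
    /* Constructed input, standing in for what a player sends to the menu:
       the number scanf consumes plus trailing bytes it never parses. */
    static const char payload[] = "1337 AAAABBBBCCCCDDDD trailing bytes scanf never parses\n";
    int fds[2];
    if (pipe(fds) != 0)
        return res;
    if (write(fds[1], payload, sizeof payload - 1) != (ssize_t)(sizeof payload - 1))
        return res;
    close(fds[1]);

    FILE *in = fdopen(fds[0], "r");   /* allocates the FILE object, not its buffer */
    if (in == NULL)
        return res;

    /* Marker chunk: request 0x18 -> 0x20-byte chunk carved from the top chunk. */
    unsigned char *marker = malloc(0x18);
    /* First read on the stream: _IO_file_doallocate() -> malloc(st_blksize).
       st_blksize of a pipe is 0x1000, so a 0x1010 chunk lands after the marker. */
    if (fscanf(in, "%d", &res.value) != 1)
        return res;
    unsigned char *after = malloc(0x18);

    res.bufsize = __fbufsize(in);
    /* glibc chunk layout: the size field sits 8 bytes before the user pointer.
       The marker's chunk spans [marker-0x10, marker+0x10), so the following
       chunk's size field is at marker+0x18 (the low three bits are flags). */
    res.next_chunk = *(size_t *)(marker + 0x18) & ~(size_t)7;
    /* That chunk's user data starts at marker+0x20 and holds everything the
       underlying read(2) returned, not just the "%d" scanf consumed; `after`
       sits directly behind it. */
    res.payload_in_buf =
        (size_t)(after - marker) == 0x20 + res.next_chunk &&
        memcmp(marker + 0x20, payload, sizeof payload - 1) == 0;

    fclose(in);            /* releases the buffer chunk again */
    free(after);
    free(marker);
    return res;
}

/* 1 if every observation matches the layout described above. */
int stdio_buffer_demo_ok(void)
{
    struct stdio_probe r = probe_stdio_buffer();
    return r.value == 1337 && r.bufsize == 0x1000 &&
           r.next_chunk == 0x1010 && r.payload_in_buf == 1;
}

int main(void)
{
    struct stdio_probe r = probe_stdio_buffer();
    printf("scanf parsed %d, stream buffer %#zx bytes, chunk size %#zx, whole line in chunk: %s\n",
           r.value, r.bufsize, r.next_chunk, r.payload_in_buf ? "yes" : "no");
    return stdio_buffer_demo_ok() ? 0 : 1;
}
```

The same allocation happens for stdout on the first printf unless the binary calls setvbuf with _IONBF, which is why many challenge binaries disable buffering; a read path that nobody disabled (here the "hidden" scanf) is what leaves the controllable 0x1010 chunk on the heap.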
Thanks for looking into that!
I agree that babyheap shouldn't be an entry. I think the House of Orange trick might be worth an example to showcase the situation where free is called during expansion. That seems like a decently cool trick. Maybe someone will get some time eventually :-)
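Added example (mine, not code from this thread, the linked PR, or the how2heap repository) of the "free without a call to free" situation discussed above: the program only ever calls malloc, the top chunk's size field is shrunk as an overflow would, and the next request that does not fit makes `sysmalloc` extend the heap with brk; because the real break lies past the shrunk top's end, glibc treats the new memory as non-contiguous, fences off the old top and hands it to `_int_free`, so it shows up in the unsorted bin and is recycled by the following small request. It assumes 64-bit glibc on Linux with 4K pages and default `mmap_threshold`/`top_pad`, and a heap with no prior frees (so the padding loop can rely on allocations coming from the top); `force_top_free` and `top_was_freed_demo` are my own names.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Addresses recorded by the demo so the outcome can be checked. */
struct top_free_demo {
    unsigned char *old_top;   /* header of the top chunk before the trigger */
    size_t         fake_size; /* size written into that header (PREV_INUSE kept) */
    unsigned char *big;       /* the request that forced sysmalloc() */
    unsigned char *reused;    /* a small request made afterwards */
};

struct top_free_demo force_top_free(void)
{
    struct top_free_demo d = {0, 0, 0, 0};
    unsigned char *p = malloc(0x400);          /* 0x410 chunk; top is right behind it */
    if (p == NULL)
        return d;
    size_t *top = (size_t *)(p + 0x400);       /* top[0] = prev_size, top[1] = size */

    /* sysmalloc() asserts that the old top ends on a page boundary and that
       old_size >= MINSIZE. Keeping the low 12 bits of the real size keeps the
       end page aligned. We also want the freed remainder (fake - 0x20) above
       the tcache limit (0x410) so the later malloc(0x18) is served from the
       bins, so pad with 0x100 chunks until those bits are >= 0x440. */
    for (int i = 0; i < 16 && (top[1] & 0xfff) < 0x440; i++) {
        unsigned char *pad = malloc(0xf8);     /* 0x100 chunk from the top */
        if (pad == NULL)
            return d;
        top = (size_t *)(pad + 0xf0);
    }
    d.old_top   = (unsigned char *)top;
    d.fake_size = (top[1] & 0xfff) | 1;
    top[1] = d.fake_size;                      /* stands in for the overflow */

    /* Bigger than the fake top but below mmap_threshold: _int_malloc() falls
       into sysmalloc(), brk() returns the real heap end, which is past the
       fake end, so glibc fences off the old top and calls _int_free() on it.
       This program never calls free() itself. */
    d.big = malloc(0x2000);
    /* Served by splitting that freed chunk: lands at old_top+0x10, below big. */
    d.reused = malloc(0x18);
    return d;
}

/* 1 if the old top was freed and recycled. Cached: the demo mutates the heap
   and is only meaningful once per process. */
int top_was_freed_demo(void)
{
    static int result = -1;
    if (result < 0) {
        struct top_free_demo d = force_top_free();
        result = d.reused != NULL &&
                 d.reused == d.old_top + 0x10 &&
                 (uintptr_t)d.big > (uintptr_t)d.reused;
    }
    return result;
}

int main(void)
{
    int ok = top_was_freed_demo();
    printf("old top freed by sysmalloc and reused: %s\n", ok ? "yes" : "no");
    return ok ? 0 : 1;
}
```

The check that makes this work in the exploit setting is the one `sysmalloc` performs on the old top: size at least MINSIZE, PREV_INUSE set, and the end page aligned; any other corrupted value aborts, so a real overflow must preserve the low 12 bits of the original size exactly as the loop above does.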
This has now been contributed in PR https://github.com/shellphish/how2heap/pull/57!
We didn't have a chance at the CTF, but we should figure out what babyheap needs, and if we should add a technique to how2heap for it.