house_of_botcake: demonstrate how to malloc back to `stack_var` by tesuji · Pull Request #205 · shellphish/how2heap · GitHub

house_of_botcake: demonstrate how to malloc back to stack_var #205


Merged: 1 commit merged on Mar 17, 2025

Conversation

tesuji (Contributor) commented Feb 21, 2025

The files for glibc versions below 2.32 are unchanged, because they already use the tcache poisoning technique
to get malloc to return a stack address.

Kyle-Kyle (Contributor) commented:

This is essentially using the chunk overlapping primitive to perform a tcache poisoning attack, which makes it clearer for beginners to realize the power of the technique.
However, I'm a little hesitant about merging this because chunk overlapping is a powerful primitive by itself, more than just the ability to perform tcache poisoning attack (for example, read/write other objects).

I think if you could add a sentence explaining what you could do with the chunk overlapping primitive (directly read/write objects, heap metadata, etc.) and say that the tcache poisoning attack is just one of them (a write to heap metadata), that would be great.

tesuji (Contributor, Author) commented Feb 21, 2025

Here is a part of the output from the new changes:
[image: output of the new changes]

I'm not great with words so I'm very happy to have feedback.

Kyle-Kyle (Contributor) commented:

That looks great. Can you please make the changes to all other files?

@tesuji tesuji marked this pull request as ready for review March 5, 2025 20:49

tesuji (Contributor, Author) commented Mar 5, 2025

Done. Sorry for keeping you waiting! I was busy with other things.

@Kyle-Kyle Kyle-Kyle merged commit d9c79f5 into shellphish:master Mar 17, 2025
12 checks passed
Kyle-Kyle (Contributor) commented:

Thanks for the contribution!

@tesuji tesuji deleted the cake-to-stack branch March 17, 2025 21:57