This repository covers ptmalloc-based heap exploitation techniques for glibc version 2.31.
Original repository: StarCross-Tech/heap_exploit_2.31
Below is a list of heap exploitation techniques for glibc 2.29 through 2.31, together with related CTF challenges that use each technique.
Technique | File | CTF Challenges |
---|---|---|
tcache stashing unlink attack | tcache_stashing_unlink | 2019 Hitcon One-punch-man |
tcache stashing unlink attack+ | tcache_stashing_unlink+ | 2019 Hitcon Lazyhouse |
tcache stashing unlink attack++ | tcache_stashing_unlink++ | 2020 XCTF-GXZY twochunk |
off by null byte | off by null | 2019 TCTF-Final Babyheap2.29, 2019 Balsn Plaintext |
large bin attack | largebin_attack | |
tcache dup | tcache_dup | |
tcache double free | tcache double free | |
fastbin double free | fastbin_double_free | |
house of botcake | house of botcake | |
The other heap exploitation techniques are the same as those documented in how2heap.
https://github.com/shellphish/how2heap
https://github.com/scwuaptx/Pwngdb Pwngdb is an excellent gdb script for heap exploitation, but in glibc 2.31 the tcache struct has changed.
```c
// version 2.27 - version 2.29
typedef struct tcache_perthread_struct
{
  char counts[TCACHE_MAX_BINS];
  tcache_entry *entries[TCACHE_MAX_BINS];
} tcache_perthread_struct;

// version 2.31
typedef struct tcache_perthread_struct
{
  uint16_t counts[TCACHE_MAX_BINS];
  tcache_entry *entries[TCACHE_MAX_BINS];
} tcache_perthread_struct;
```
Because `counts` grew from one byte to two bytes per bin, the `entries` array starts at a different offset, so a script that hard-codes the old layout will misparse the tcache on 2.31. Some errors will occur when analyzing the tcache, and the script may need to be updated for that.
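To make the layout change concrete, here is an added example (not code from this repository or from Pwngdb) that declares both struct layouts, computes where `entries[]` begins under each, and parses a constructed tcache memory dump with the right and the wrong layout. `TCACHE_MAX_BINS = 64`, a 64-bit little-endian host, and the sample heap address `0x5555555592a0` are assumptions of the example; `tcache_entry` is reduced to its `next` pointer since only its size matters here.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TCACHE_MAX_BINS 64 /* assumed default value */

/* Simplified tcache_entry: only the pointer size matters for layout. */
typedef struct tcache_entry {
    struct tcache_entry *next;
} tcache_entry;

/* Layout used by glibc 2.27 - 2.29: one byte per bin count. */
typedef struct {
    char counts[TCACHE_MAX_BINS];
    tcache_entry *entries[TCACHE_MAX_BINS];
} tcache_perthread_old;

/* Layout used by glibc 2.31: two bytes per bin count. */
typedef struct {
    uint16_t counts[TCACHE_MAX_BINS];
    tcache_entry *entries[TCACHE_MAX_BINS];
} tcache_perthread_231;

/* Byte offset of entries[]; this is what a heap-analysis script must know. */
size_t tcache_entries_offset(int is_231) {
    return is_231 ? offsetof(tcache_perthread_231, entries)
                  : offsetof(tcache_perthread_old, entries);
}

/* Read count and head pointer of bin `idx` from a raw dump of the
 * tcache_perthread_struct, interpreting the bytes under the chosen layout.
 * Assumes a little-endian host. Returns 0 on success, -1 on bad input. */
int tcache_read_bin(const unsigned char *dump, size_t dump_len, int is_231,
                    int idx, unsigned *count_out, uintptr_t *head_out) {
    if (idx < 0 || idx >= TCACHE_MAX_BINS) return -1;
    size_t count_size = is_231 ? sizeof(uint16_t) : sizeof(char);
    size_t count_off = (size_t)idx * count_size;
    size_t entry_off = tcache_entries_offset(is_231) + (size_t)idx * sizeof(tcache_entry *);
    if (entry_off + sizeof(tcache_entry *) > dump_len) return -1;
    unsigned count = 0;
    memcpy(&count, dump + count_off, count_size);
    uintptr_t head = 0;
    memcpy(&head, dump + entry_off, sizeof head);
    *count_out = count;
    *head_out = head;
    return 0;
}

/* Constructed sample: a 2.31 tcache in which bin 3 holds two chunks and the
 * head is a made-up heap address (test data, not a real process). */
static unsigned char sample_dump[sizeof(tcache_perthread_231)];

size_t build_sample_dump_231(void) {
    tcache_perthread_231 t;
    memset(&t, 0, sizeof t);
    t.counts[3] = 2;
    t.entries[3] = (tcache_entry *)(uintptr_t)0x5555555592a0ULL;
    memcpy(sample_dump, &t, sizeof t);
    return sizeof t;
}

/* Parse bin 3 of the sample under the given layout; returns the count. */
unsigned sample_bin3_count(int is_231) {
    size_t n = build_sample_dump_231();
    unsigned c = 0; uintptr_t h = 0;
    if (tcache_read_bin(sample_dump, n, is_231, 3, &c, &h) != 0) return 0;
    return c;
}

/* Same, returning the head pointer. */
uintptr_t sample_bin3_head(int is_231) {
    size_t n = build_sample_dump_231();
    unsigned c = 0; uintptr_t h = 0;
    if (tcache_read_bin(sample_dump, n, is_231, 3, &c, &h) != 0) return 0;
    return h;
}

int main(void) {
    printf("entries offset: old=%zu  2.31=%zu\n",
           tcache_entries_offset(0), tcache_entries_offset(1));
    printf("bin 3 parsed with 2.31 layout: count=%u head=0x%lx\n",
           sample_bin3_count(1), (unsigned long)sample_bin3_head(1));
    printf("bin 3 parsed with old layout:  count=%u head=0x%lx\n",
           sample_bin3_count(0), (unsigned long)sample_bin3_head(0));
    return 0;
}
```

Parsing the 2.31 dump with the old layout reads the count from the wrong byte and the head pointer from inside the `counts` region, so both come back as zero even though bin 3 is populated; that is exactly the kind of silent misreport an unpatched script produces.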