StarCross-Tech/ heap_exploit_2.31
About the developer
188 Stars 
21 Forks 
36 Commits 
2 Opened issues 
Services available
Contributors list
Heap Exploit 2.31
heap exploit about ptmalloc in glibc version 2.31.
Heap Exploitation List
Heap exploitation techniques between 2.29 and 2.31.And collect some CTF Challenges about corresponding exploitation techniques.
| Technique | File | CTF Challenges |
| ------------------------------- | ---- |---------------------------------------------------- |
| tcache stashing unlink attack | tcachestashingunlink | 2019 Hitcon One-punch-man |
| tcache stashing unlink attack+ | tcachestashingunlink+ | 2019 Hitcon Lazyhouse |
| tcache stashing unlink attack++ | tcachestashingunlink++ | 2020 XCTF-GXZY twochunk |
| off by null byte | off by null | 2019 TCTF-Final Babyheap2.29
2019 Balsn Plaintext |
| large bin attack | largebin_attack | |
| tcache dup | tcache_dup | |
| tcache double free | tcache double free | |
| fastbin double free | fastbindoublefree | |
| house of botcake | house of botcake | |
other heap exploitation techniques are same as how2heap, so i don't write additional code -.- https://github.com/shellphish/how2heap
pwngdb
https://github.com/scwuaptx/Pwngdb pwngdb is a excellent gdb script for heap exploitation, but in glibc 2.31, the tcache struct has something changed.
// version 2.27 - version 2.29
typedef struct tcache_perthread_struct
{
char counts[TCACHE_MAX_BINS];
tcache_entry *entries[TCACHE_MAX_BINS];
} tcache_perthread_struct;
// version 2.31
typedef struct tcache_perthread_struct
{
uint16_t counts[TCACHE_MAX_BINS];
tcache_entry *entries[TCACHE_MAX_BINS];
} tcache_perthread_struct;
Some error will happen when analysis tcache. so maybe the script need to update for that.