Author: StarCross-Tech (188 stars, 21 forks, 36 commits, 2 open issues)

Heap Exploit 2.31

Heap exploitation techniques and code for ptmalloc in glibc version 2.31.

Heap Exploitation List

Heap exploitation techniques that work on glibc 2.29 through 2.31, together with a collection of CTF challenges that use each technique.

| Technique | File | CTF Challenges |
| --- | --- | --- |
| tcache stashing unlink attack | tcachestashingunlink | 2019 Hitcon One-punch-man |
| tcache stashing unlink attack+ | tcachestashingunlink+ | 2019 Hitcon Lazyhouse |
| tcache stashing unlink attack++ | tcachestashingunlink++ | 2020 XCTF-GXZY twochunk |
| off by null byte | off by null | 2019 TCTF-Final Babyheap2.29, 2019 Balsn Plaintext |
| large bin attack | largebin_attack | |
| tcache dup | tcache_dup | |
| tcache double free | tcache double free | |
| fastbin double free | fastbindoublefree | |
| house of botcake | house of botcake | |

The other heap exploitation techniques are the same as in how2heap, so I did not write additional code for them -.- https://github.com/shellphish/how2heap

pwngdb

https://github.com/scwuaptx/Pwngdb is an excellent gdb script for heap exploitation, but in glibc 2.31 the tcache struct has changed.

```c
// glibc 2.27 - 2.29: counts[] is one byte per bin, so entries[] begins
// TCACHE_MAX_BINS (64) bytes into the struct, at offset 0x40.
typedef struct tcache_perthread_struct
{
  char counts[TCACHE_MAX_BINS];
  tcache_entry *entries[TCACHE_MAX_BINS];
} tcache_perthread_struct;

// glibc 2.31: counts[] is now uint16_t, which doubles its size and moves
// entries[] to offset 0x80. A script that hard-codes the old offset reads
// the second half of counts[] as bin heads.
typedef struct tcache_perthread_struct
{
  uint16_t counts[TCACHE_MAX_BINS];
  tcache_entry *entries[TCACHE_MAX_BINS];
} tcache_perthread_struct;
```

Because of this layout change, errors occur when Pwngdb analyses the tcache on 2.31, so the script may need to be updated for it.
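To make the layout change concrete, here is an added example (not code from this repository or from Pwngdb) that decodes a `tcache_perthread_struct` from raw heap bytes under both layouts. It assumes x86-64 (8-byte pointers, 0x10 chunk alignment) and glibc's default `TCACHE_MAX_BINS` of 64; the sample heap bytes and pointer values are constructed. Parsing a 2.31 struct with the 2.29 offsets is what a stale heap-analysis script does, and the example shows exactly which fields come out wrong.

```python
"""Decode a glibc tcache_perthread_struct from raw bytes under the
2.27-2.29 layout (1-byte counts) and the 2.31 layout (2-byte counts).

Added example for this README; not part of heap_exploit_2.31 or Pwngdb.
Assumes x86-64 and the default TCACHE_MAX_BINS of 64.
"""
import struct

TCACHE_MAX_BINS = 64
MINSIZE = 0x20          # smallest chunk on x86-64
MALLOC_ALIGNMENT = 0x10


def counts_width(glibc_minor):
    """Byte width of one counts[] slot: char before 2.30, uint16_t from 2.30 on
    (the README observes the wider field in 2.31)."""
    return 1 if glibc_minor < 30 else 2


def entries_offset(glibc_minor):
    """Offset of entries[] inside the struct (excluding the 0x10 chunk header)."""
    return counts_width(glibc_minor) * TCACHE_MAX_BINS


def csize2tidx(chunk_size):
    """glibc's csize2tidx macro: tcache bin index for a chunk size."""
    return (chunk_size - MINSIZE + MALLOC_ALIGNMENT - 1) // MALLOC_ALIGNMENT


def parse_tcache(raw, glibc_minor):
    """Return (counts, entries) lists decoded with the given version's layout."""
    slot = "B" if counts_width(glibc_minor) == 1 else "H"
    counts = list(struct.unpack_from("<" + slot * TCACHE_MAX_BINS, raw, 0))
    entries = list(struct.unpack_from("<" + "Q" * TCACHE_MAX_BINS, raw,
                                      entries_offset(glibc_minor)))
    return counts, entries


def build_tcache(glibc_minor, bins):
    """Build struct bytes. bins maps chunk size -> list of cached chunk pointers
    (head first); only the head pointer is stored in the struct itself."""
    slot = "B" if counts_width(glibc_minor) == 1 else "H"
    counts = [0] * TCACHE_MAX_BINS
    entries = [0] * TCACHE_MAX_BINS
    for size, ptrs in bins.items():
        idx = csize2tidx(size)
        counts[idx] = len(ptrs)
        entries[idx] = ptrs[0] if ptrs else 0
    fmt = "<" + slot * TCACHE_MAX_BINS + "Q" * TCACHE_MAX_BINS
    return struct.pack(fmt, *counts, *entries)


# Constructed sample: two chunks cached in the 0x20 bin, one in the 0x50 bin.
SAMPLE_BINS = {0x20: [0x55555555a2a0, 0x55555555a2c0], 0x50: [0x55555555a300]}


def demo():
    """Decode a 2.31 struct with the right layout and with the stale 2.29 layout."""
    raw_231 = build_tcache(31, SAMPLE_BINS)
    good_counts, good_entries = parse_tcache(raw_231, 31)
    # With the 2.29 layout, entries[] is read 0x40 bytes too early, so the bin
    # heads come out of the unused upper half of counts[] (all zero here), and
    # each uint16_t count is split across two "char" slots.
    bad_counts, bad_entries = parse_tcache(raw_231, 29)
    return {
        "entries_offset_229": entries_offset(29),
        "entries_offset_231": entries_offset(31),
        "good": (good_counts[0], good_entries[0]),
        "bad": (bad_counts[0], bad_entries[0]),
    }


if __name__ == "__main__":
    for key, val in demo().items():
        print(key, hex(val) if isinstance(val, int) else tuple(hex(x) for x in val))
```

Running it prints an entries offset of 0x40 for 2.29 against 0x80 for 2.31, and shows the 0x20-bin head pointer reading back as 0 under the stale layout; a heap-analysis script that selects the layout by glibc version, as `counts_width` does, avoids the misread.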
