Heap exploitation of ptmalloc in glibc version 2.31.

This repo covers heap exploitation techniques that work on glibc 2.29 through 2.31, and collects CTF challenges that use each technique.
| Technique | File | CTF Challenges |
| ------------------------------- | ---------------------- | ---------------------------------------------------- |
| tcache stashing unlink attack | tcachestashingunlink | 2019 Hitcon One-punch-man |
| tcache stashing unlink attack+ | tcachestashingunlink+ | 2019 Hitcon Lazyhouse |
| tcache stashing unlink attack++ | tcachestashingunlink++ | 2020 XCTF-GXZY twochunk |
| off by null byte | off by null | 2019 TCTF-Final Babyheap2.29, 2019 Balsn Plaintext |
| large bin attack | largebin_attack | |
| tcache dup | tcache_dup | |
| tcache double free | tcache double free | |
| fastbin double free | fastbindoublefree | |
| house of botcake | house of botcake | |
Other heap exploitation techniques are the same as in how2heap, so I didn't write additional code for them -.- https://github.com/shellphish/how2heap

Pwngdb (https://github.com/scwuaptx/Pwngdb) is an excellent gdb script for heap exploitation, but in glibc 2.31 the tcache struct has changed: the per-bin `counts` array grew from one byte per bin to `uint16_t` per bin, which moves the `entries` array to a different offset.
```c
// version 2.27 - version 2.29
typedef struct tcache_perthread_struct {
    char counts[TCACHE_MAX_BINS];
    tcache_entry *entries[TCACHE_MAX_BINS];
} tcache_perthread_struct;

// version 2.31
typedef struct tcache_perthread_struct {
    uint16_t counts[TCACHE_MAX_BINS];
    tcache_entry *entries[TCACHE_MAX_BINS];
} tcache_perthread_struct;
```

Some errors will happen when analyzing the tcache with it, so the script may need to be updated for that.
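To show concretely why a debugger script written for the 2.27-2.29 layout misreads a 2.31 tcache, here is an added example (my code, not part of this repo and not Pwngdb's code) that declares both layouts from the snippet above, computes where `entries` lands in each, and parses a constructed raw copy of a 2.31 `tcache_perthread_struct` under both layouts. It assumes `TCACHE_MAX_BINS` is 64 and an 8-byte pointer (x86-64); the bin counts and pointer values in the sample are made up and never dereferenced.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TCACHE_MAX_BINS 64  /* assumed value (glibc on x86-64) */

/* Only pointers to tcache_entry are needed here; the chunk body is not parsed. */
typedef struct tcache_entry tcache_entry;

/* Layout from the README: glibc 2.27 - 2.29, one byte per bin counter. */
typedef struct {
    char counts[TCACHE_MAX_BINS];
    tcache_entry *entries[TCACHE_MAX_BINS];
} tcache_perthread_229;

/* Layout from the README: glibc 2.31, two bytes per bin counter. */
typedef struct {
    uint16_t counts[TCACHE_MAX_BINS];
    tcache_entry *entries[TCACHE_MAX_BINS];
} tcache_perthread_231;

enum tcache_layout { LAYOUT_229, LAYOUT_231 };

/* Byte offset of the entries[] array under the chosen layout. */
size_t tcache_entries_offset(enum tcache_layout l) {
    return l == LAYOUT_231 ? offsetof(tcache_perthread_231, entries)
                           : offsetof(tcache_perthread_229, entries);
}

/* Total size of the per-thread struct under the chosen layout. */
size_t tcache_struct_size(enum tcache_layout l) {
    return l == LAYOUT_231 ? sizeof(tcache_perthread_231) : sizeof(tcache_perthread_229);
}

/* Read counts[idx] from a raw copy of the struct, the way a gdb script reads
 * it out of process memory, interpreting the bytes under the chosen layout. */
unsigned tcache_read_count(const unsigned char *raw, enum tcache_layout l, int idx) {
    if (l == LAYOUT_231) {
        uint16_t c;
        memcpy(&c, raw + (size_t)idx * sizeof(uint16_t), sizeof c);
        return c;
    }
    return raw[idx];
}

/* Read entries[idx] (the head pointer of bin idx) under the chosen layout. */
uintptr_t tcache_read_entry(const unsigned char *raw, enum tcache_layout l, int idx) {
    uintptr_t p;
    memcpy(&p, raw + tcache_entries_offset(l) + (size_t)idx * sizeof(void *), sizeof p);
    return p;
}

/* Constructed sample: a 2.31-layout tcache with two chunks in bin 0 and one in
 * bin 3. The pointer values are invented placeholders. */
void tcache_build_sample_231(unsigned char *out) {
    tcache_perthread_231 t;
    memset(&t, 0, sizeof t);
    t.counts[0] = 2;
    t.counts[3] = 1;
    t.entries[0] = (tcache_entry *)(uintptr_t)0x5555555592a0ULL;
    t.entries[3] = (tcache_entry *)(uintptr_t)0x555555559330ULL;
    memcpy(out, &t, sizeof t);
}

int main(void) {
    unsigned char raw[sizeof(tcache_perthread_231)];
    tcache_build_sample_231(raw);

    printf("2.29 layout: entries at +%zu, struct size %zu\n",
           tcache_entries_offset(LAYOUT_229), tcache_struct_size(LAYOUT_229));
    printf("2.31 layout: entries at +%zu, struct size %zu\n",
           tcache_entries_offset(LAYOUT_231), tcache_struct_size(LAYOUT_231));

    /* Parsing a 2.31 dump with the 2.29 layout lands in the wrong bytes:
     * the bin 3 count is read from the wrong counter, and the bin 0 head
     * pointer is read from the middle of the counts array. */
    printf("bin 3 count: correct %u, with 2.29 layout %u\n",
           tcache_read_count(raw, LAYOUT_231, 3), tcache_read_count(raw, LAYOUT_229, 3));
    printf("bin 0 head: correct %#lx, with 2.29 layout %#lx\n",
           (unsigned long)tcache_read_entry(raw, LAYOUT_231, 0),
           (unsigned long)tcache_read_entry(raw, LAYOUT_229, 0));
    return 0;
}
```

Under the 2.29 layout `entries` starts at offset 64; under the 2.31 layout it starts at 128, and the whole struct grows from 576 to 640 bytes on x86-64. A script that hardcodes the older offsets therefore reads stale counter bytes where it expects bin head pointers, which is the kind of wrong output the note above refers to; the fix in such a tool is to select the layout by glibc version before decoding.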