#dokydoky
Reference
https://heap-exploitation.dhavalkapil.com/attacks/house_of_lore.html
https://github.com/shellphish/how2heap/blob/master/house_of_lore.c
smallbin
About smallbin
There are 62 small bins in total.
On free, if the previous or next chunk is already free, the chunks are merged (coalesced).
Insertion is at the HEAD, removal is from the TAIL (FIFO).
32-bit size: 0x10, 0x18, 0x20, ......, 0x1F8 (504) (8x+8, 1
fd = bin; if (av != &main_arena) victim->size |= NON_MAIN_ARENA; check_malloced_chunk (av, vict..
Reference
Double free
https://heap-exploitation.dhavalkapil.com/attacks/double_free.html
https://github.com/shellphish/how2heap/blob/master/fastbin_dup.c
Forging chunks
https://heap-exploitation.dhavalkapil.com/attacks/forging_chunks.html
https://github.com/shellphish/how2heap/blob/master/fastbin_dup_into_stack.c (double free + forging chunks)
House of spirit
https://heap-exploitation.dhavalkapil.com/at..
Reference
It is a simple version of dhavalkapil's work: https://heap-exploitation.dhavalkapil.com/diving_into_glibc_heap/core_functions.html
glibc 2.23 code: http://repo.or.cz/glibc.git/commit/ab30899d880f9741a409cbc0d7a28399bdac21bf
Malloc
Malloc pseudo-code
//step 1
if) size == fastbin range
    'return chunk' = chunk at the end of the fastbin list
    if) return chunk == null
        move on to 'smallbin case'
e..