hacktricks/binary-exploitation/libc-heap/overwriting-a-freed-chunk.md
2024-12-12 11:39:29 +01:00

3.6 KiB

Overwriting a freed chunk

{% hint style="success" %} Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)

Support HackTricks
{% endhint %}

Several of the proposed heap exploitation techniques need to be able to overwrite pointers inside freed chunks. The goal of this page is to summarise the potential vulnerabilities that could grant this access:

Simple Use After Free

If it's possible for the attacker to write info in a free chunk, they could abuse this to overwrite the needed pointers.

Double Free

If the attacker can free two times the same chunk (free other chunks in between potentially) and make it be 2 times in the same bin, it would be possible for the user to allocate the chunk later, write the needed pointers and then allocate it again triggering the actions of the chunk being allocated (e.g. fast bin attack, tcache attack...)

Heap Overflow

It might be possible to overflow an allocated chunk having next a freed chunk and modify some headers/pointers of it.

Off-by-one overflow

In this case it would be possible to modify the size of the following chunk in memory. An attacker could abuse this to make an allocated chunk have a bigger size, then free it, making the chunk been added to a bin of a different size (bigger), then allocate the fake size, and the attack will have access to a chunk with a size which is bigger than it really is, granting therefore an overlapping chunks situation, which is exploitable the same way to a heap overflow (check previous section).

{% hint style="success" %} Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)

Support HackTricks
{% endhint %}