hacktricks/binary-exploitation/heap/house-of-force.md
2024-05-14 11:10:13 +00:00

House of Force

Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!

Other ways to support HackTricks:

Basic Information

Code

  • This technique was patched, and attempting it now produces this error: malloc(): corrupted top size

Goal

  • The goal of this attack is to be able to allocate a chunk at a specific address.

Requirements

  • An overflow that allows overwriting the size field of the top chunk header (e.g. with -1).
  • The ability to control the size of a heap allocation.

Attack

Suppose an attacker wants a chunk at the address P and has overwritten the size of the top chunk with -1. First, a malloc of (&top_chunk - P) is needed. Note that this pointer can be before or after the top_chunk, as any size will be less than -1 (0xFFFFFFFFFFFFFFFF). Then, after this initial chunk is allocated, the top chunk is moved to the desired address P, and the next chunk is served from that address.
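Why the patch stops this, as an added example that is not code from the original page or from glibc: a simplified model of the decision to serve a request from the top chunk, before and after the sanity check that raises malloc(): corrupted top size. The struct, function names and sample values are hypothetical; the comparison against system_mem is modelled on the check glibc performs.

```c
#include <stdint.h>
#include <stdio.h>

#define MINSIZE 32u /* smallest chunk size on 64-bit glibc */

/* Hypothetical, simplified arena: only the fields this check needs. */
struct arena_model {
    uint64_t top_size;   /* size field stored in the top chunk header */
    uint64_t system_mem; /* bytes the arena really obtained from the OS */
};

enum top_result { TOP_OK, TOP_TOO_SMALL, TOP_CORRUPTED };

/* Pre-patch logic: only asks whether the top chunk looks big enough.
   The comparison is unsigned, so a size of -1 satisfies every request. */
enum top_result serve_unpatched(const struct arena_model *av, uint64_t nb)
{
    return av->top_size >= nb + MINSIZE ? TOP_OK : TOP_TOO_SMALL;
}

/* Patched logic: the top chunk cannot be larger than the arena itself. */
enum top_result serve_patched(const struct arena_model *av, uint64_t nb)
{
    if (av->top_size > av->system_mem)
        return TOP_CORRUPTED; /* glibc aborts: "malloc(): corrupted top size" */
    return serve_unpatched(av, nb);
}

int main(void)
{
    /* Constructed values: a 132 KiB arena, intact and overwritten top. */
    struct arena_model intact = { 0x20d50, 0x21000 };
    struct arena_model overwritten = { UINT64_MAX, 0x21000 };
    uint64_t huge = 0x7fff00000000ULL; /* constructed oversized request */

    printf("intact, small request:  %d\n", serve_patched(&intact, 0x100));
    printf("intact, huge request:   %d\n", serve_patched(&intact, huge));
    printf("overwritten, unpatched: %d\n", serve_unpatched(&overwritten, huge));
    printf("overwritten, patched:   %d\n", serve_patched(&overwritten, huge));
    return 0;
}
```

With an intact top chunk an oversized request is simply too large for the top chunk, so the only state the added check changes is the one where the size field exceeds what the arena owns.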
