unlink
Learn & practice AWS Hacking: HackTricks Training AWS Red Team Expert (ARTE). Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE).
Check this great graphical explanation of the unlink process:
- Check that the size indicated in the chunk is the same as the prev_size indicated in the next chunk.
- Check also that P->fd->bk == P and P->bk->fd == P.
- If the chunk is not small, check that P->fd_nextsize->bk_nextsize == P and P->bk_nextsize->fd_nextsize == P.
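The three checks above, as an added example that is not code from the page or from glibc: a small C model of the chunk fields unlink inspects, a constructed fake heap with one free chunk, and three scenarios showing which check rejects an intact list, a prev_size mismatch and an overwritten bk pointer. The struct layout, fake_heap, bin_head and the function names are all constructed here; note that real glibc keys the third check on fd_nextsize being non-NULL rather than on a size class, which is what the model does too.

```c
#include <stdio.h>
#include <string.h>
/* Minimal model of the glibc malloc_chunk fields that unlink() inspects
 * (constructed for this example; not glibc's own struct). */
typedef struct chunk {
    size_t prev_size;             /* size of the previous chunk, valid when it is free */
    size_t size;                  /* this chunk's size; low 3 bits are flags in glibc */
    struct chunk *fd, *bk;        /* doubly linked free-list pointers */
    struct chunk *fd_nextsize, *bk_nextsize;  /* large-bin chunks only, else NULL */
} chunk;

#define chunksize(p)  ((p)->size & ~(size_t)7)
#define next_chunk(p) ((chunk *)((char *)(p) + chunksize(p)))

/* Returns 0 when P passes the unlink checks listed above, otherwise the number
 * of the failed check. Real glibc aborts through malloc_printerr() instead. */
int unlink_check(chunk *p) {
    if (chunksize(p) != next_chunk(p)->prev_size)
        return 1;                 /* "corrupted size vs. prev_size" */
    if (p->fd->bk != p || p->bk->fd != p)
        return 2;                 /* "corrupted double-linked list" */
    if (p->fd_nextsize != NULL && /* large chunk: the nextsize list must agree too */
        (p->fd_nextsize->bk_nextsize != p || p->bk_nextsize->fd_nextsize != p))
        return 3;                 /* "corrupted double-linked list (not small)" */
    return 0;
}
/* Constructed fake heap holding a bin head and one free chunk P, correctly linked. */
static _Alignas(16) unsigned char fake_heap[0x100];
static chunk bin_head;

chunk *build_consistent(void) {
    memset(fake_heap, 0, sizeof fake_heap);
    chunk *p = (chunk *)fake_heap;
    p->size = 0x40;                   /* the next chunk starts 0x40 bytes later */
    next_chunk(p)->prev_size = 0x40;  /* and agrees on P's size */
    bin_head.fd = bin_head.bk = p;    /* list: head <-> P <-> head */
    p->fd = p->bk = &bin_head;
    return p;
}
/* Three scenarios: an intact list, a prev_size mismatch, and a bk pointer that
 * no longer points back to P (what an overwritten free chunk looks like). */
int consistent_passes(void)   { return unlink_check(build_consistent()); }
int size_mismatch_fails(void) { chunk *p = build_consistent(); next_chunk(p)->prev_size = 0x50; return unlink_check(p); }
int corrupted_bk_fails(void)  { static chunk stray; chunk *p = build_consistent(); p->bk = &stray; return unlink_check(p); }

int main(void) {
    printf("consistent=%d size_mismatch=%d corrupted_bk=%d\n",
           consistent_passes(), size_mismatch_fails(), corrupted_bk_fails());
    return 0;
}
```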
An unlinked chunk does not clear the fd/bk pointers it held in the list, so having access to read it makes it possible to leak some interesting addresses:

Libc leaks:
- If P is located at the head of the doubly linked list, bk will be pointing to malloc_state in libc.
- If P is located at the end of the doubly linked list, fd will be pointing to malloc_state in libc.
- When the doubly linked list contains only one free chunk, P is in the doubly linked list, and both fd and bk can leak the address inside malloc_state.

Heap leaks:
- If P is located at the head of the doubly linked list, fd will be pointing to an available chunk in the heap.
- If P is located at the end of the doubly linked list, bk will be pointing to an available chunk in the heap.
- If P is in the middle of the doubly linked list, both fd and bk will be pointing to an available chunk in the heap.