Overwriting a freed chunk
Last updated
Last updated
Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE) Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Several of the proposed heap exploitation techniques need to be able to overwrite pointers inside freed chunks. The goal of this page is to summarise the potential vulnerabilities that could grant this access:
If it's possible for the attacker to write info in a free chunk, they could abuse this to overwrite the needed pointers.
If the attacker can free two times the same chunk (free other chunks in between potentially) and make it be 2 times in the same bin, it would be possible for the user to allocate the chunk later, write the needed pointers and then allocate it again triggering the actions of the chunk being allocated (e.g. fast bin attack, tcache attack...)
It might be possible to overflow an allocated chunk having next a freed chunk and modify some headers/pointers of it.
In this case it would be possible to modify the size of the following chunk in memory. An attacker could abuse this to make an allocated chunk have a bigger size, then free it, making the chunk been added to a bin of a different size (bigger), then allocate the fake size, and the attack will have access to a chunk with a size which is bigger than it really is, granting therefore an overlapping chunks situation, which is exploitable the same way to a heap overflow (check previous section).
Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE) Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
