in fastbin, consolidate if possible, insert back into unsorted bin - used to prevent fragmentation.
• ‘malloc_consolidate’ is called in certain cases. One of them is: ‘allocating a large chunk when no candidate chunk is found in any bin’ [code].
• Fast chunks sitting in a fastbin are still considered ‘in_use’, to prevent consolidation.
• Trick: freeing a chunk into a fastbin doesn’t set the PREV_IN_USE bit of the next chunk to 1 (the bit is left as it was). Allocating a fast chunk from a fastbin also doesn’t set the bit to 1; it simply assumes that it already is 1.
-> large chunk allocated
3. Wipe small -> fast chunk inserted into the fastbin (PREV_IN_USE of the large chunk is still set).
4. Keep huge -> no candidate chunk in any bin, so ‘malloc_consolidate’ moves the fast chunk into the unsorted bin and then into a small bin. PREV_IN_USE of the large chunk is cleared to 0.
5. Wipe small -> chunk inserted into the fastbin again; PREV_IN_USE bit of the large chunk is still 0.
6. Keep small -> chunk returned from the fastbin; PREV_IN_USE bit of the large chunk is still 0.
fd pointing to ‘small_secret - 3’ and bk pointing to ‘small_secret - 2’.
• Adjust the previous size of ‘big_secret’. The PREV_IN_USE bit is already 0.
• Free ‘big_secret’.
• ‘small_secret’ now points to a few bytes before ‘big_secret’ -> arbitrary write.