Similarly to other heap exploitation attacks that we saw so far, the idea behind the House of Lore (HoL) is to trick malloc to return a pointer to a memory location which is controlled by the attacker. HoL (ab)uses the way that ptmalloc handles the small bin entries although the…

Few days ago I came across an interesting case of vulnerability posted at the AndroidInfoSec’s facebook page. Since there are not many references on the specific subject I decided to take a short break from my heap exploitation series and cover this topic in a blog post. …

Please let me know, if I start to sound weird…. The Author House of Spirit The specific attack was initially introduced on October 11th 2005, on the bugtraq mailing list by Phantasmal Phantasmagoria, with the title The Malloc Maleficarum. The idea is very simple and got even simpler with the introduction of the…

Exploiting a heap overflow vulnerability is not always straightforward. Between else, the allocator imposes various checks during the chunk assignment/freeing process which require extra steps in order to achieve an exploitable result. In this post we assume that we have discovered such a vulnerability and we are going to explore…

In this post we are going to trigger a FastBin consolidation which we are going to combine with a double free vulnerability (dup) in order to return a pointer to an already allocated chunk. …

While I’ve started these posts with a “stick to the basics” mindset, I always end up with a gap on every post, which is a fact that forces me to write some more. This is actually the 5th post on the same topic, but since it is closely related to…

This post is part of a series of articles related to x64 Linux Binary Exploitation techniques. Following up from my previous posts, we’ve started by exploring simple stack corruption bugs and their mitigation techniques and gradually moved to more complex topics. …

In the previous parts (1, 2) we discussed about the heap structure and we tried to simplify these concepts using a real life example. …