David Milosevic

Results 12 comments of David Milosevic

Great, thank you :)

> Let me repeat what the technique is about to make sure I understand it correctly:
>
> 1. it uses a UAF write bug to link the `binmap-chunk` into...

> 1. instead of doing an exact-fit, what if we just do a small allocation? Like, we allocate a small chunk (big enough to overwrite `main_arena`) out of this...

> I have another question, in your original example, you used non-pie binary, which means heap pointers are relatively small. Does it still work with PIE heap pointers? PIE heap...

> > So, I wonder, since overwriting `narenas` requires `unsortedbin attack`, what if we use `unsortedbin attack` to hijack a fastbin? That will give us use after free in the...

> > because it offers exploitable linked lists and zero glibc mitigations/security-checks :)
>
> Interesting, I'm just starting my heap journey and this excites me! Feel free to share...

> I like this technique a lot and I think it is very cool. It opens the door to exploiting arenas.
>
> However, I'm a little hesitant about merging...

Glad we agree. I will prepare everything for the PR :)

> the 2.24 version of house-of-gods works so I tried to port it to 2.23. But it seems it stops working in 2.23 and the crash seems non-trivial, can you...

Hi @Kyle-Kyle, I've recently uploaded the first revision of HoG and, although very difficult to apply, it might contain a somewhat interesting finding. Take a look at the arena corruption...