https://github.com/shellphish/how2heap translated into Chinese, with my own understanding added
For the illustrated version, come to: https://www.yuque.com/hxfqg9/bin/ape5up 2333
The table from the original project is copied below; the links have not been replaced yet:
File | Technique | Glibc-Version | Patch | Applicable CTF Challenges
---|---|---|---|---
first_fit.c | Demonstrating glibc malloc's first-fit behavior. | | |
calc_tcache_idx.c | Demonstrating glibc's tcache index calculation. | | |
fastbin_dup.c | Tricking malloc into returning an already-allocated heap pointer by abusing the fastbin freelist. | latest | |
fastbin_dup_into_stack.c | Tricking malloc into returning a nearly-arbitrary pointer by abusing the fastbin freelist. | latest | | 9447-search-engine, 0ctf 2017-babyheap
fastbin_dup_consolidate.c | Tricking malloc into returning an already-allocated heap pointer by putting a pointer on both the fastbin freelist and the unsorted bin freelist. | latest | | Hitcon 2016 SleepyHolder
unsafe_unlink.c | Exploiting free on a corrupted chunk to get an arbitrary write. | latest | | HITCON CTF 2014-stkof, Insomni'hack 2017-Wheel of Robots
house_of_spirit.c | Frees a fake fastbin chunk to get malloc to return a nearly-arbitrary pointer. | latest | | hack.lu CTF 2014-OREO
poison_null_byte.c | Exploiting a single null byte overflow. | latest | | PlaidCTF 2015-plaiddb, BalsnCTF 2019-PlainNote
house_of_lore.c | Tricking malloc into returning a nearly-arbitrary pointer by abusing the smallbin freelist. | < 2.31 | unknown |
overlapping_chunks.c | Exploit the overwrite of a freed chunk's size in the unsorted bin in order to make a new allocation overlap with an existing chunk. | < 2.29 | patch | hack.lu CTF 2015-bookstore, Nuit du Hack 2016-night-deamonic-heap
overlapping_chunks_2.c | Exploit the overwrite of an in-use chunk's size in order to make a new allocation overlap with an existing chunk. | < 2.29 | patch |
mmap_overlapping_chunks.c | Exploit an in-use mmap chunk in order to make a new allocation overlap with a current mmap chunk. | latest | |
house_of_force.c | Exploiting the Top Chunk (Wilderness) header in order to get malloc to return a nearly-arbitrary pointer. | < 2.29 | patch | Boston Key Party 2016-cookbook, BCTF 2016-bcloud
unsorted_bin_into_stack.c | Exploiting the overwrite of a freed chunk on the unsorted bin freelist to return a nearly-arbitrary pointer. | < 2.29 | patch |
unsorted_bin_attack.c | Exploiting the overwrite of a freed chunk on the unsorted bin freelist to write a large value into an arbitrary address. | < 2.29 | patch | 0ctf 2016-zerostorage
large_bin_attack.c | Exploiting the overwrite of a freed chunk on the large bin freelist to write a large value into an arbitrary address. | latest | | 0ctf 2018-heapstorm2
house_of_einherjar.c | Exploiting a single null byte overflow to trick malloc into returning a controlled pointer. | latest | | Seccon 2016-tinypad
house_of_orange.c | Exploiting the Top Chunk (Wilderness) in order to gain arbitrary code execution. | < 2.26 | unknown | Hitcon 2016 houseoforange
house_of_roman.c | Leakless technique in order to gain remote code execution via fake fastbins, the unsorted_bin attack and relative overwrites. | < 2.29 | patch |
tcache_dup.c | Tricking malloc into returning an already-allocated heap pointer by abusing the tcache freelist. | 2.26 - 2.28 | patch |
tcache_poisoning.c | Tricking malloc into returning a completely arbitrary pointer by abusing the tcache freelist. | > 2.25 | |
tcache_house_of_spirit.c | Frees a fake chunk to get malloc to return a nearly-arbitrary pointer. | > 2.25 | |
house_of_botcake.c | Bypass the double free restriction on tcache. Make tcache_dup great again. | > 2.25 | |
tcache_stashing_unlink_attack.c | Exploiting the overwrite of a freed chunk on the small bin freelist to trick malloc into returning an arbitrary pointer and write a large value into an arbitrary address with the help of calloc. | > 2.25 | | Hitcon 2019 one punch man
fastbin_reverse_into_tcache.c | Exploiting the overwrite of a freed chunk in the fastbin to write a large value into an arbitrary address. | > 2.25 | |
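The first two rows of the table (first_fit.c and calc_tcache_idx.c) are the ones everything else builds on, so here is an added, stand-alone C program that demonstrates both on x86-64 glibc. It is my own example, not a how2heap file; the helper names tcache_idx_for_request() and first_fit_reuses_freed_chunk() are my own, and the constants mirror glibc's malloc.c for a 64-bit build (SIZE_SZ = 8, MALLOC_ALIGNMENT = 16, MINSIZE = 0x20, 64 tcache bins). The first-fit part relies on glibc behaviour: a freed 0x510-byte chunk is too large for tcache and fastbins, so it goes to the unsorted bin, and the next exact-size request gets that same chunk back with its old contents (beyond the fd/bk words) still in place.

```c
/* Added example (not part of how2heap): tcache index calculation and
 * first-fit reuse on x86-64 glibc. Helper names are hypothetical. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdbool.h>

/* Constants as in glibc malloc.c on a 64-bit build. */
#define SIZE_SZ            (sizeof(size_t))            /* 8  */
#define MALLOC_ALIGNMENT   (2 * SIZE_SZ)               /* 16 */
#define MALLOC_ALIGN_MASK  (MALLOC_ALIGNMENT - 1)      /* 15 */
#define MIN_CHUNK_SIZE     (4 * SIZE_SZ)               /* 32 */
#define MINSIZE            ((MIN_CHUNK_SIZE + MALLOC_ALIGN_MASK) & ~MALLOC_ALIGN_MASK)
#define TCACHE_MAX_BINS    64

/* request2size(): user request -> chunk size (including the size field). */
static size_t request2size(size_t req)
{
    return (req + SIZE_SZ + MALLOC_ALIGN_MASK < MINSIZE)
               ? MINSIZE
               : (req + SIZE_SZ + MALLOC_ALIGN_MASK) & ~MALLOC_ALIGN_MASK;
}

/* csize2tidx(): chunk size -> tcache bin index (glibc's macro, as a function). */
static size_t csize2tidx(size_t csize)
{
    return (csize - MINSIZE + MALLOC_ALIGNMENT - 1) / MALLOC_ALIGNMENT;
}

/* Which tcache bin would serve malloc(req)? -1 when the chunk is bigger than
 * the largest tcache bin (0x410) and must come from fastbin/unsorted/small/large bins. */
long tcache_idx_for_request(size_t req)
{
    size_t idx = csize2tidx(request2size(req));
    return idx < TCACHE_MAX_BINS ? (long)idx : -1;
}

/* First-fit: free a 0x500-byte request (chunk 0x510: too big for tcache and
 * fastbins, so it lands in the unsorted bin) while a neighbour stays allocated
 * so it cannot merge into top, then ask for the same size again. glibc returns
 * the very same chunk. free() overwrote the first 16 bytes with fd/bk, so the
 * marker is placed at offset 0x40, where the old data survives. */
bool first_fit_reuses_freed_chunk(void)
{
    char *a = malloc(0x500);
    char *b = malloc(0x100);          /* guard chunk between a and the top chunk */
    if (!a || !b)
        return false;

    strcpy(a + 0x40, "this is A!");
    free(a);                          /* a -> unsorted bin; contents not cleared */

    char *c = malloc(0x500);          /* exact fit: unsorted-bin chunk a comes back */
    bool reused = (c == a) && strcmp(c + 0x40, "this is A!") == 0;

    free(c);
    free(b);
    return reused;
}

int main(void)
{
    size_t reqs[] = { 0, 0x18, 0x19, 0x408, 0x409 };
    for (size_t i = 0; i < sizeof reqs / sizeof reqs[0]; i++)
        printf("malloc(%#zx) -> chunk %#zx -> tcache idx %ld\n",
               reqs[i], request2size(reqs[i]), tcache_idx_for_request(reqs[i]));

    printf("first-fit reuse of freed chunk: %s\n",
           first_fit_reuses_freed_chunk() ? "yes" : "no");
    return 0;
}
```

The index boundary is the useful part to remember: requests up to 0x408 bytes (chunk 0x410, bin 63) are served by tcache, and 0x409 and above fall through to the classic bins, which is why the tcache_* rows in the table apply to small sizes while the unsorted/large bin rows need bigger chunks.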