children_tcache
In the HITCON 2018 Children Tcache challenge, there is an off-by-one (poison-null-byte) vulnerability that leads to a double free and overlapping chunks. Using this, we leak a libc address to defeat ASLR, launch a tcache dup attack, and then place the address of our fake chunk into the tcache with a tcache poisoning attack. As a result, we can force malloc to return our fake chunk located just before __malloc_hook, so we can overwrite __malloc_hook with a one-gadget. This is an interesting heap exploitation challenge for learning how to bypass protections such as NX, PIE, stack canaries, Full RELRO, and ASLR in x86_64 binaries in the presence of tcache.