README.md
+1-1
@@ -12,7 +12,7 @@ We came up with the idea during a hack meeting, and have implemented the followi
12
12
|[calc_tcache_idx.c](calc_tcache_idx.c)|| Demonstrating glibc's tcache index calculation.||||
13
13
|[fastbin_dup.c](glibc_2.35/fastbin_dup.c)| <ahref="https://wargames.ret2.systems/level/how2heap_fastbin_dup_2.34"title="Debug Technique In Browser">:arrow_forward:</a> | Tricking malloc into returning an already-allocated heap pointer by abusing the fastbin freelist. | latest |||
14
14
|[fastbin_dup_into_stack.c](glibc_2.35/fastbin_dup_into_stack.c)| <ahref="https://wargames.ret2.systems/level/how2heap_fastbin_dup_into_stack_2.23"title="Debug Technique In Browser">:arrow_forward:</a> | Tricking malloc into returning a nearly-arbitrary pointer by abusing the fastbin freelist. | latest ||[9447-search-engine](https://github.com/ctfs/write-ups-2015/tree/master/9447-ctf-2015/exploitation/search-engine), [0ctf 2017-babyheap](http://uaf.io/exploitation/2017/03/19/0ctf-Quals-2017-BabyHeap2017.html)|
15
-
|[fastbin_dup_consolidate.c](glibc_2.35/fastbin_dup_consolidate.c)| <ahref="https://wargames.ret2.systems/level/how2heap_fastbin_dup_consolidate_2.23"title="Debug Technique In Browser">:arrow_forward:</a> | Tricking malloc into returning an already-allocated heap pointer by putting a pointer on both fastbin freelist and unsorted bin freelist. | latest ||[Hitcon 2016 SleepyHolder](https://github.com/mehQQ/public_writeup/tree/master/hitcon2016/SleepyHolder)|
15
+
|[fastbin_dup_consolidate.c](glibc_2.35/fastbin_dup_consolidate.c)| <ahref="https://wargames.ret2.systems/level/how2heap_fastbin_dup_consolidate_2.23"title="Debug Technique In Browser">:arrow_forward:</a> | Tricking malloc into returning an already-allocated heap pointer by putting a pointer on both fastbin freelist and the top chunk. | latest ||[Hitcon 2016 SleepyHolder](https://github.com/mehQQ/public_writeup/tree/master/hitcon2016/SleepyHolder)|
16
16
|[unsafe_unlink.c](glibc_2.35/unsafe_unlink.c)| <ahref="https://wargames.ret2.systems/level/how2heap_unsafe_unlink_2.34"title="Debug Technique In Browser">:arrow_forward:</a> | Exploiting free on a corrupted chunk to get arbitrary write. | latest ||[HITCON CTF 2014-stkof](http://acez.re/ctf-writeup-hitcon-ctf-2014-stkof-or-modern-heap-overflow/), [Insomni'hack 2017-Wheel of Robots](https://gist.github.com/niklasb/074428333b817d2ecb63f7926074427a)|
17
17
|[house_of_spirit.c](glibc_2.35/house_of_spirit.c)| <ahref="https://wargames.ret2.systems/level/how2heap_house_of_spirit_2.23"title="Debug Technique In Browser">:arrow_forward:</a> | Frees a fake fastbin chunk to get malloc to return a nearly-arbitrary pointer. | latest ||[hack.lu CTF 2014-OREO](https://github.com/ctfs/write-ups-2014/tree/master/hack-lu-ctf-2014/oreo)|
18
18
|[poison_null_byte.c](glibc_2.35/poison_null_byte.c)| <ahref="https://wargames.ret2.systems/level/how2heap_poison_null_byte_2.34"title="Debug Technique In Browser">:arrow_forward:</a> | Exploiting a single null byte overflow. | latest ||[PlaidCTF 2015-plaiddb](https://github.com/ctfs/write-ups-2015/tree/master/plaidctf-2015/pwnable/plaiddb), [BalsnCTF 2019-PlainNote](https://gist.github.com/st424204/6b5c007cfa2b62ed3fd2ef30f6533e94?fbclid=IwAR3n0h1WeL21MY6cQ_C51wbXimdts53G3FklVIHw2iQSgtgGo0kR3Lt-1Ek)|
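Review bot: On the changed fastbin_dup_consolidate.c row (line 15), "putting a pointer on both fastbin freelist and the top chunk" keeps the verb phrase that suited two freelists, but the top chunk is not a list that a pointer is put on. Consider wording along the lines of "by having the same chunk referenced from the fastbin freelist and merged into the top chunk", and add the missing article ("the fastbin freelist"). The row's debug link still targets the how2heap_fastbin_dup_consolidate_2.23 level while the file path is glibc_2.35/, so please confirm the new description matches what the linked level demonstrates, or note the version difference in the row.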