Tags: heap tcache one_gadget off-by-one doublefree tcache-poisoning tcache-dup fake_chunk
Rating:
In the `HITCON 2018 - Children Tcache` challenge there is an `off-by-one` (`poison null byte`) vulnerability that produces `overlapping chunks` and, through them, a `double free`. Using this we leak a `libc` address to defeat `ASLR`, launch a `tcache dup` attack, and then, with `tcache poisoning`, plant the address of our `fake chunk` in the `tcache`. As a result we can force `malloc` to return a `fake chunk` sitting just before `__malloc_hook`, and overwrite `__malloc_hook` with a `one_gadget` address. This is an interesting `heap exploitation` challenge for learning to bypass `NX`, `PIE`, stack `Canary`, `Full RELRO`, and `ASLR` in an `x86_64` binary in the presence of `tcache`.
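To make the `tcache dup` and `tcache poisoning` steps of that chain concrete, here is a small C simulation of the glibc 2.27 `tcache` (the `tcache_entry`, `tcache_perthread_struct`, `tcache_put` and `tcache_get` shapes are modelled on `malloc.c`; that this challenge ships a 2.27 libc is an assumption). It walks a double-freed chunk through two `malloc` calls, poisons its `next` pointer, and shows the third `malloc` handing back the fake chunk. This is an added example, not the challenge exploit or code from the original writeup: the `sim_free`/`sim_malloc` wrappers, the static `fake_heap` buffer, the `target_hook` variable standing in for `__malloc_hook`, and the `PLACEHOLDER_GADGET` value (not a real `one_gadget` offset) are all constructed for the demonstration.

```c
#include <assert.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Modelled on glibc 2.27 malloc.c (assumption: the challenge libc). A freed
 * chunk's user data holds its tcache_entry, so anyone who can write into a
 * freed-but-still-listed chunk controls the bin's singly linked list. */
#define TCACHE_MAX_BINS   64
#define TCACHE_FILL_COUNT 7

typedef struct tcache_entry {
    struct tcache_entry *next;   /* 2.27: raw pointer, no key, no safe-linking */
} tcache_entry;

typedef struct {
    char counts[TCACHE_MAX_BINS];
    tcache_entry *entries[TCACHE_MAX_BINS];
} tcache_perthread_struct;

static tcache_perthread_struct tcache;

static void tcache_put(void *mem, size_t idx) {
    tcache_entry *e = (tcache_entry *)mem;
    e->next = tcache.entries[idx];
    tcache.entries[idx] = e;
    ++tcache.counts[idx];
}

static void *tcache_get(size_t idx) {
    tcache_entry *e = tcache.entries[idx];
    tcache.entries[idx] = e->next;   /* trusted blindly: this is what poisoning abuses */
    --tcache.counts[idx];            /* counts is a char in 2.27 and may wrap */
    return (void *)e;
}

/* The tcache fast paths of free() and malloc(); the arena fall-back is not
 * modelled (sim_malloc returns NULL instead). In 2.27 malloc only tests
 * entries[idx] != NULL; the counts[idx] > 0 check was still commented out. */
static void sim_free(void *mem, size_t idx) {
    if (tcache.counts[idx] < TCACHE_FILL_COUNT)
        tcache_put(mem, idx);
}

static void *sim_malloc(size_t idx) {
    if (tcache.entries[idx] != NULL)
        return tcache_get(idx);
    return NULL;   /* would go to the arena; out of scope here */
}

/* Constructed victim memory: the user data of one 0x20-byte chunk, and a
 * variable standing in for __malloc_hook (assumption, not a real libc). */
static unsigned char fake_heap[0x20];
static uint64_t target_hook;
#define PLACEHOLDER_GADGET 0xdeadbeefULL   /* stands in for a one_gadget address */

/* Returns the pointer handed out by the third malloc, which should be the
 * fake chunk (&target_hook) once the bin has been poisoned. */
static void *poison_and_allocate(void) {
    void *A = fake_heap;
    const size_t idx = 0;                  /* bin 0 holds 0x20-byte chunks */
    memset(&tcache, 0, sizeof tcache);
    target_hook = 0;

    /* tcache dup: free(A) twice. Nothing in 2.27 notices that A is already
     * listed, so bin 0 now reads A -> A. */
    sim_free(A, idx);
    sim_free(A, idx);

    /* malloc #1 returns A while A is still the head of bin 0. */
    void *p1 = sim_malloc(idx);
    assert(p1 == A);

    /* tcache poisoning: the first 8 bytes of p1 are the listed A's next
     * pointer, so writing there replaces it with our fake chunk address. */
    *(void **)p1 = &target_hook;

    /* malloc #2 pops A again and advances the head to A->next == &target_hook. */
    void *p2 = sim_malloc(idx);
    assert(p2 == A);

    /* malloc #3 hands out the fake chunk; writing to it clobbers the hook. */
    void *p3 = sim_malloc(idx);
    *(uint64_t *)p3 = PLACEHOLDER_GADGET;
    return p3;
}

int main(void) {
    void *p = poison_and_allocate();
    printf("third malloc returned %p, target_hook at %p now holds 0x%llx\n",
           p, (void *)&target_hook, (unsigned long long)target_hook);
    return p == (void *)&target_hook ? 0 : 1;
}
```

Two caveats a practitioner should keep in mind when carrying this over to a real target: from glibc 2.29 the `tcache_entry` gains a `key` field that makes the plain double free abort (hence the detour through overlapping chunks in harder challenges), and from 2.32 safe-linking mangles `next`, so the poisoned pointer has to be written in its encoded form rather than as a raw address. The simulation also leaves out the arena fall-back, so it only shows what happens while the bin is non-empty.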