Comments on Security: [1day] [PoC with $rip] Deterministic Linux heap grooming with huge allocations (blog by Chris Evans)

Comment by Grazfather, 2016-12-05:

If you can provide dimensions that result in a small allocation but allow unbounded writes (is that how you're overwriting the malloc metadata?) you should be able to change the size of the top chunk so that it's gigantic, and so that a subsequent, also controlled allocation soaks up this space and leaves the top in a desired area (e.g. GOT being an easy target if there's no full RELRO). A third allocation will now return an address in GOT (or wherever). If you can write here you can force calls to wherever. What I'm describing here is just House of Force as described in Phrack: https://packetstormsecurity.com/files/40638/MallocMaleficarum.txt.html