README.md: 1 addition & 0 deletions
@@ -41,6 +41,7 @@ We came up with the idea during a hack meeting, and have implemented the followi
41
41
|[decrypt_safe_linking.c](glibc_2.35/decrypt_safe_linking.c)| <ahref="https://wargames.ret2.systems/level/how2heap_decrypt_safe_linking_2.34"title="Debug Technique In Browser">:arrow_forward:</a> | Decrypt the poisoned value in linked list to recover the actual pointer | >= 2.32 |||
42
42
|[safe_link_double_protect.c](glibc_2.36/safe_link_double_protect.c)|| Leakless bypass for PROTECT_PTR by protecting a pointer twice, allowing for arbitrary pointer linking in t-cache | >= 2.32 ||[37c3 Potluck - Tamagoyaki](https://github.com/UDPctf/CTF-challenges/tree/main/Potluck-CTF-2023/Tamagoyaki)|
43
43
|[tcache_dup.c](obsolete/glibc_2.27/tcache_dup.c)(obsolete) || Tricking malloc into returning an already-allocated heap pointer by abusing the tcache freelist. | 2.26 - 2.28 |[patch](https://sourceware.org/git/?p=glibc.git;a=commit;h=bcdaad21d4635931d1bd3b54a7894276925d081d)||
44
+
|[tcache_metadata_poisoning.c](glibc_2.27/tcache_metadata_poisoning.c)|| Trick the tcache into providing arbitrary pointers by manipulating the tcache metadata struct | >= 2.26 |||
44
45
|[house_of_io.c](glibc_2.31/house_of_io.c)|| Tricking malloc into return a pointer to arbitrary memory by manipulating the tcache management struct by UAF in a free'd tcache chunk. | 2.31 - 2.33 |||
45
46
46
47
The GnuLibc is under constant development and several of the techniques above have let to consistency checks introduced in the malloc/free logic.
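Review bot: the applicable-versions cell of the added tcache_metadata_poisoning.c row says ">= 2.26" with no upper bound, but the link points only at glibc_2.27/, and the neighbouring house_of_io.c row, which also manipulates the tcache management struct, is limited to 2.31 - 2.33. Please confirm the technique was checked against the newest glibc directory in the repo and either keep the open range with a copy of the file under that directory, or state the last version it works on. Minor style point on the same row: the description starts "Trick the tcache ..." while the adjacent tcache rows use "Tricking malloc into ...", so pick one form for the table.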