Comments on Mathy Vanhoef: Understanding the Heap & Exploiting Heap Overflows (9 comments)

Akshay Sharma, 2017-01-27T12:00:03+01:00:
"The fd field points to the previous free chunk, and the bk field to the next free chunk."

Shouldn't this be the other way around?

Thanks.

Unknown, 2016-09-17T01:51:03+02:00:
"We control the second argument: nb (in the #define called s). By debugging the program I found that victim (the older value for av->top) was 0x804b110. Hence the value passed to malloc should be 0x804a000 - 0x804b110 = FFFFEEF0. We now get:"

"By debugging the program I found that victim (the older value for av->top)" -> How did you find that out? Can you explain?

Anonymous, 2015-07-15T06:41:44+02:00:
Great stuff!
I'm checking the chunk layout under 64-bit Ubuntu, but found out that it's not like what I expected:

0x601ff0: 0x00000000 0x00000000 0x00000000 0x00000000
0x602000: 0x00000000 0x00000000 0x00000031 0x00000000
0x602010: 0x41414141 0x41414141 0x41414141 0x41414141
0x602020: 0x41414141 0x41414141 0x41414141 0x41414141

This is the chunk of malloc(32).
The "0x00000031" is correct (48 bytes of overall size of chunk),
but the 'prev_size', 'fd', 'bk' are all 0.
Do you happen to know why?

Anonymous, 2015-01-29T05:56:48+01:00:
Good stuff sir !!!!!!!!!

Mathy, 2014-06-23T23:23:31+02:00:
It should be visible? Try to enable JavaScript (I have to fix it so it all works without JS... one day).

Anonymous, 2014-06-21T19:31:37+02:00:
Where is the updated example? It's not visible.

Dharma, 2014-05-24T16:22:54+02:00:
Hi, thanks a lot. Which version of gcc did you use?

Anonymous, 2013-10-19T11:19:12+02:00:
Thanks a lot for the article! Everything was explained nicely, and without assuming prior knowledge, which was what I needed :-) All the other articles assume too much.

Anonymous, 2013-09-24T09:49:53+02:00:
Really good read!