Heap Exploit 2.31

Heap exploitation notes and code for ptmalloc in glibc version 2.31.

Heap Exploitation List

Heap exploitation techniques for glibc 2.29 through 2.31, together with a collection of CTF challenges that exercise each technique.

| Technique | File | CTF Challenges |
| --- | --- | --- |
| tcache stashing unlink attack | tcache_stashing_unlink | 2019 Hitcon One-punch-man |
| tcache stashing unlink attack+ | tcache_stashing_unlink+ | 2019 Hitcon Lazyhouse |
| tcache stashing unlink attack++ | tcache_stashing_unlink++ | 2020 XCTF-GXZY twochunk |
| off by null byte | off by null | 2019 TCTF-Final Babyheap2.29, 2019 Balsn Plaintext |
| large bin attack | largebin_attack | |
| tcache dup | tcache_dup | |
| tcache double free | tcache double free | |
| fastbin double free | fastbin_double_free | |
| house of botcake | house of botcake | |

The other heap exploitation techniques are the same as in how2heap, so I did not write additional code for them -.- https://github.com/shellphish/how2heap

pwngdb

https://github.com/scwuaptx/Pwngdb is an excellent gdb script for heap exploitation, but in glibc 2.31 the tcache struct has changed:

```c
// glibc 2.27 - 2.29: one byte per bin, so entries[] starts at offset
// TCACHE_MAX_BINS (0x40 with the default of 64 bins)
typedef struct tcache_perthread_struct
{
  char counts[TCACHE_MAX_BINS];
  tcache_entry *entries[TCACHE_MAX_BINS];
} tcache_perthread_struct;

// glibc 2.31: two bytes per bin, so entries[] starts at offset
// 2 * TCACHE_MAX_BINS (0x80 with 64 bins)
typedef struct tcache_perthread_struct
{
  uint16_t counts[TCACHE_MAX_BINS];
  tcache_entry *entries[TCACHE_MAX_BINS];
} tcache_perthread_struct;
```

Because the counts array doubled in size, the entries array moved to a different offset, so a script that assumes the old layout will read the wrong memory when analyzing tcache on 2.31. The script may need to be updated for that.
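The following is an added example, not code from this repository or from Pwngdb, showing why a tcache parser written for the old layout breaks on 2.31. It decodes a raw dump of tcache_perthread_struct using either one-byte or two-byte counts and then feeds a constructed 2.31 image through both decoders. The 64-bin default, the 8-byte pointer size and the sample heap address are assumptions; the dump is constructed in the code, not taken from a real process.

```python
"""Decode a tcache_perthread_struct dump for the pre-2.30 and 2.31 layouts."""
import struct

TCACHE_MAX_BINS = 64   # glibc default number of tcache bins (assumption)
PTR_SIZE = 8           # x86_64 pointers (assumption)

# Element type of counts[] per glibc version, matching the struct
# definitions above: one byte up to 2.29, uint16_t in 2.31.
COUNT_FORMATS = {
    "2.27": "B",
    "2.29": "B",
    "2.31": "H",
}


def tcache_layout(version):
    """Return (count_fmt, entries_offset, total_size) for a glibc version."""
    fmt = COUNT_FORMATS[version]
    count_size = struct.calcsize(fmt)
    entries_offset = count_size * TCACHE_MAX_BINS
    total = entries_offset + PTR_SIZE * TCACHE_MAX_BINS
    return fmt, entries_offset, total


def parse_tcache(dump, version):
    """Decode counts[] and entries[] from the raw struct bytes (little-endian)."""
    fmt, entries_offset, total = tcache_layout(version)
    if len(dump) < total:
        raise ValueError(f"need {total} bytes for glibc {version}, got {len(dump)}")
    counts = list(struct.unpack_from(f"<{TCACHE_MAX_BINS}{fmt}", dump, 0))
    entries = list(struct.unpack_from(f"<{TCACHE_MAX_BINS}Q", dump, entries_offset))
    return counts, entries


def build_tcache(version, bins):
    """Construct a struct image from {bin_index: (count, head_pointer)}.

    Only used here to fabricate test input; a debugger script would read the
    bytes from the first chunk of the heap instead.
    """
    fmt, entries_offset, total = tcache_layout(version)
    buf = bytearray(total)
    for idx, (count, head) in bins.items():
        struct.pack_into(f"<{fmt}", buf, idx * struct.calcsize(fmt), count)
        struct.pack_into("<Q", buf, entries_offset + idx * PTR_SIZE, head)
    return bytes(buf)


def non_empty_bins(counts, entries):
    """Map bin index -> (count, head) for every bin whose count is non-zero."""
    return {i: (c, entries[i]) for i, c in enumerate(counts) if c}


# Constructed 2.31 image: one 0x30-sized chunk (bin index 2) in the cache,
# at a made-up heap address.
SAMPLE_HEAD = 0x555555559_2A0  # constructed address, not from a real process
DUMP_231 = build_tcache("2.31", {2: (1, SAMPLE_HEAD)})


def demo():
    """Decode the same 2.31 dump with the right and the wrong layout."""
    correct = non_empty_bins(*parse_tcache(DUMP_231, "2.31"))
    # With one-byte counts the decoder starts entries[] 64 bytes too early:
    # the uint16 count for bin 2 is seen as a byte count for bin 4, and the
    # real head pointer ends up in entries[10], where no count refers to it.
    wrong = non_empty_bins(*parse_tcache(DUMP_231, "2.29"))
    return correct, wrong


if __name__ == "__main__":
    good, bad = demo()
    print("2.31 layout:", {k: (c, hex(h)) for k, (c, h) in good.items()})
    print("2.29 layout:", {k: (c, hex(h)) for k, (c, h) in bad.items()})
```

The two `entries_offset` values (0x40 and 0x80) are the whole difference; a heap script that hard-codes the old offset reports empty or misplaced bins on 2.31, which is the failure the note above refers to.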