🍈 Zettelkasten

Tcache Poisoning

1 min read

A heap attack that uses UAF to overwrite metadata of a Tcache Bin to point to a stack address that we can retrieve from a subsequent malloc

Example

  1. Malloc two times to get Heap Chunk
  2. Free these two chunks to get them into the Tcache Bin free list
  3. Use UAF to corrupt B’s metadata
  4. Allocate a chunk, and get B, allocate another chunks and you get the stack’s address

Defenses

Graph View

Backlinks