House of Botcake
Steps Allocate 10 chunks. 7 chunks to fill the tcache bins, chunk 8 will be used later for consolidation, chunk 9 is the victim chunk, chunk 10 is to prevent consolid...
About The binary The binary is dynamically linked, and has all security mitigations turned on. Reversing main int main() { void* fsbase int64_t canary = *(fsbase + 0x28) setup() puts("What ...
Sigreturn Oriented Programming. SROP (Sigreturn Oriented Programming) is a binary exploitation technique that leverages the signal handling mechanisms in POSIX systems to gain control over CPU regis...
Overview So what are Uninitialized variables? Uninitialized variables are variables that are declared but not assigned a value, e.g. #include <stdio.h> // compile : gcc vuln.c -o...
Explanation of the `fastbin dup` heap exploitation technique
Information/Memory Leaks In Binary Exploitation What is a memory leak? An information/memory leak is any primitive in a binary that reveals bytes from the program's memory, such as addresses, pointe...
Facing a gadget-poor binary? This post reveals how gets() can be your ultimate ROP primitive. By understanding how gets() reuses the existing RDI value from the vulnerable buffer, we can craft precise chains that set up function arguments and leak libc addresses without traditional gadgets.
Understanding Tcache Thread Local Caching (Tcache) is a set of bins, organised as singly-linked lists, that are local to each thread. Tcache was made to avoid the need to lock a global arena for f...
Understanding how unlinking happens in libc (old and modern) and how to exploit it
Exploit Write-up: Buffer Overflow with Global Variable Control Challenge Overview In this challenge, we are given a C program that contains a buffer overflow vulnerability in the func() function...