Let’s discuss ‘Heapify’. Please do not share any flags or writeups.
@TxW It seems like there might be an issue with the heapify structure, possibly causing the same pointer to be duplicated, but I’m not entirely sure whether this is the right path.
Other than leaks for libc and heap, which can be leaked through heapify functionality…
I was able to overwrite either __malloc_hook or __free_hook with system/one-gadgets, which I think is the only path to exploitation, but when they are executed the execution flow is normal; nothing happens.
To get the idea and understand it, I used this link; maybe there are better ones?
https://medium.com/basecs/heapify-all-the-things-with-heap-sort-55ee1c93af82
The problem is that malloc_hook and free_hook are deprecated in newer versions of libc. Look into GOT overwrite in libc, because it is only partial RELRO.
Here is the link:
Hmmm… I read through the article and looked over the binary again; however, I still don’t know what could cause corruption in the “heap” array. The algorithm for “upheap” and “downheap” seems to be working fine, properly clearing removed pointers and checking for zeroed pointers so they won’t be overwritten… but I’m probably just overlooking something.
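For anyone following the thread who wants a clean reference to compare the binary's "upheap"/"downheap" against, here is an added example of an array-backed min-heap of pointers in C. It is written for this thread, not taken from the challenge binary or the linked article, and all names (`struct heap`, `heap_insert`, `heap_pop`, `heap_count`, `HEAP_CAP`) are this example's own. It shows the two invariants the post above mentions: a vacated tail slot is cleared after a pop so the same pointer never appears twice in the array, and an insert refuses to land on a slot that is still non-NULL.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Array-backed binary min-heap of int pointers, ordered by the value the
   pointer refers to. Reference implementation for this thread only; it is
   not the challenge binary's code and the names are assumptions. */
#define HEAP_CAP 16

struct heap {
    int *slot[HEAP_CAP];  /* slot[0] is the root; children of i are 2i+1, 2i+2 */
    size_t n;             /* number of live slots */
};

static void heap_swap(int **a, int **b) { int *t = *a; *a = *b; *b = t; }

/* Bubble slot i up while it is smaller than its parent. */
static void upheap(struct heap *h, size_t i) {
    while (i > 0) {
        size_t parent = (i - 1) / 2;
        if (*h->slot[parent] <= *h->slot[i]) break;
        heap_swap(&h->slot[parent], &h->slot[i]);
        i = parent;
    }
}

/* Push slot i down while one of its children is smaller. */
static void downheap(struct heap *h, size_t i) {
    for (;;) {
        size_t l = 2 * i + 1, r = 2 * i + 2, m = i;
        if (l < h->n && *h->slot[l] < *h->slot[m]) m = l;
        if (r < h->n && *h->slot[r] < *h->slot[m]) m = r;
        if (m == i) return;
        heap_swap(&h->slot[m], &h->slot[i]);
        i = m;
    }
}

/* Returns 0 on success, -1 when full or when the target slot is not
   zeroed (a live pointer must never be silently overwritten). */
int heap_insert(struct heap *h, int *p) {
    if (p == NULL || h->n >= HEAP_CAP || h->slot[h->n] != NULL) return -1;
    h->slot[h->n] = p;
    upheap(h, h->n);
    h->n++;
    return 0;
}

/* Remove and return the minimum, or NULL when empty. The last slot is moved
   to the root and then cleared, so the array never holds one pointer twice. */
int *heap_pop(struct heap *h) {
    if (h->n == 0) return NULL;
    int *min = h->slot[0];
    h->n--;
    h->slot[0] = h->slot[h->n];
    h->slot[h->n] = NULL;          /* clear the vacated tail slot */
    if (h->n > 0) downheap(h, 0);
    return min;
}

/* Count how many slots hold p; a consistent heap returns 0 or 1. */
size_t heap_count(const struct heap *h, const int *p) {
    size_t c = 0;
    for (size_t i = 0; i < HEAP_CAP; i++) if (h->slot[i] == p) c++;
    return c;
}

/* Demo with constructed input: push five allocations, pop them in key
   order, and confirm each popped pointer is gone from the array.
   Returns 1 when every check passes, 0 otherwise. */
int heap_demo(void) {
    struct heap h;
    memset(&h, 0, sizeof h);
    int keys[] = {5, 1, 4, 2, 3};
    int *vals[5];
    for (int i = 0; i < 5; i++) {
        vals[i] = malloc(sizeof(int));
        *vals[i] = keys[i];
        if (heap_insert(&h, vals[i]) != 0) return 0;
    }
    int last = -1, ok = 1;
    for (int *p; (p = heap_pop(&h)) != NULL; ) {
        if (*p < last) ok = 0;                 /* must come out ascending */
        if (heap_count(&h, p) != 0) ok = 0;    /* no duplicate left behind */
        last = *p;
        free(p);
    }
    return ok;
}

int main(void) {
    printf("heap demo %s\n", heap_demo() ? "ok" : "FAILED");
    return 0;
}
```

The two lines to look at when auditing a challenge's implementation are the `h->slot[h->n] = NULL` after the move in `heap_pop` and the `h->slot[h->n] != NULL` guard in `heap_insert`; if either is missing, the array can end up with one chunk pointer in two slots or can drop a live pointer, which is what the duplicated-pointer idea earlier in the thread would hinge on.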