Wednesday, November 8, 2023

Heap Attacks - Summary and Requirements

House of Spirit on Tcache

Tested on libc 2.37

Requirements:  

  • Able to call free() on an address of your choosing, which lets you place an arbitrary address into a tcache bin
  • Able to write to memory at an address you know

Summary:  Write a fake chunk size header such as 0x40 into a region of memory the application lets you control, so that the region looks like a heap chunk.  Learn the address of that fake chunk from a PIE, heap, or libc address leak.  Free the "data" region of the fake chunk (the address just past the fake size field, not the size field itself).  In this screenshot, the free is performed on address 0x7fffffffdd40.


Tcache Poisoning

Tested on libc 2.37

Summary and Requirements:  Be able to overwrite the FD pointer of a free'd chunk sitting in a tcache bin, so that an arbitrary address is placed into the tcache bin for a future malloc() to return.
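Both techniques above leave the same trace: a tcache bin holding an address that free() could never have produced legitimately (a stack, libc, or PIE address instead of a heap one, or a duplicate entry). The checker below is an added example, not code from the original post; it walks a constructed tcache snapshot of the kind a debugger heap plugin prints (next pointers already decoded, since glibc 2.32+ stores them mangled) and flags such entries. The mappings, addresses, and `SNAPSHOT_BINS` are constructed for illustration, and the 16-byte alignment and `TCACHE_COUNT` of 7 are assumptions for x86-64 glibc defaults.

```python
# Added example (not the original post's code): audit a tcache snapshot for
# entries that a legitimate free() could not have produced.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

CHUNK_ALIGN = 16    # assumption: x86-64 glibc, user pointers are 16-byte aligned
TCACHE_COUNT = 7    # assumption: default per-bin limit (glibc.malloc.tcache_count)

Mapping = Tuple[int, int, str]   # (lo, hi, name), hi exclusive


@dataclass(frozen=True)
class Finding:
    bin_size: int
    index: int      # position in the bin, -1 for a whole-bin finding
    address: int
    reason: str


def region_of(addr: int, mappings: List[Mapping]) -> Optional[str]:
    """Name of the mapping containing addr, or None if it is unmapped."""
    for lo, hi, name in mappings:
        if lo <= addr < hi:
            return name
    return None


def check_tcache_bins(bins: Dict[int, List[int]], mappings: List[Mapping]) -> List[Finding]:
    """bins maps chunk size -> decoded user pointers in bin order (head first).

    Every entry must be a 16-byte-aligned address inside [heap]; anything else
    means a forged chunk was freed (House of Spirit) or an FD pointer was
    overwritten (tcache poisoning). A repeated entry indicates a double free.
    """
    findings: List[Finding] = []
    for size, entries in bins.items():
        if len(entries) > TCACHE_COUNT:
            findings.append(Finding(size, -1, 0, "more entries than tcache_count permits"))
        seen = set()
        for i, addr in enumerate(entries):
            if addr in seen:
                findings.append(Finding(size, i, addr, "duplicate entry (double free)"))
            seen.add(addr)
            region = region_of(addr, mappings)
            if region != "[heap]":
                findings.append(Finding(size, i, addr,
                                        f"entry outside [heap]: {region or 'unmapped'}"))
            elif addr % CHUNK_ALIGN:
                findings.append(Finding(size, i, addr, "misaligned entry"))
    return findings


# Constructed snapshot: illustrative addresses, not taken from a real process.
SNAPSHOT_MAPPINGS: List[Mapping] = [
    (0x555555559000, 0x55555557a000, "[heap]"),
    (0x7ffff7d80000, 0x7ffff7f7b000, "libc.so.6"),
    (0x7ffffffde000, 0x7ffffffff000, "[stack]"),
]

SNAPSHOT_BINS: Dict[int, List[int]] = {
    0x40: [0x555555559ac0,   # genuine heap chunk
           0x7fffffffdd40,   # stack address: a freed fake chunk (House of Spirit)
           0x555555559ac8],  # in the heap but not 16-byte aligned
    0x20: [0x5555555592a0, 0x5555555592a0],   # same chunk twice: double free
    0x80: [0x7ffff7f7a6a0],  # libc address: an overwritten FD pointer (poisoning)
}


def audit_snapshot() -> List[Finding]:
    """Run the checker over the constructed snapshot."""
    return check_tcache_bins(SNAPSHOT_BINS, SNAPSHOT_MAPPINGS)


if __name__ == "__main__":
    for f in audit_snapshot():
        print(f"tcache[{f.bin_size:#x}] entry {f.index}: {f.address:#x} -> {f.reason}")
```

In practice the bin contents would come from a heap dump or a debugger plugin rather than a hard-coded dictionary; the decision logic stays the same, and a stack or libc address in a tcache bin is reason enough to stop and inspect the preceding free() calls.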