Heap Exploitation: Off-By-One / Poison Null Byte

The goal of this article is to explain in detail how an off-by-one vulnerability on the heap also known as poison null byte can be exploited. Although this technique does not work with the latest libc, I think it can be used very good in order to demonstrate how exploits based on heap-metadata corruption work (also check out shellphish’s how2heap).

In order to do this I created a vulnerable program, which we will use as an example to create such an exploit. If you like to, you can start by analyzing and exploiting the program on your own (at least check out Environment):

–> heap.zip

Though it is not required to the exploit the program, the source-code might be helpful:

–> heap.c

The article is divided into the following sections:

–> Environment
–> Vulnerable Program
–> Heap Basics
–> Libc-Leak
–> Control Instruction Pointer
–> One Gadget
–> Final Exploit

Continue reading “Heap Exploitation: Off-By-One / Poison Null Byte”