26Oca
Questions on GLIBC Heap Exploitation (House of Force)
This is with reference to Max Kamper's video on GLIBC heap exploitation and these articles I read
- https://www.crow.rip/crows-nest/binexp/heap/house-of-force-i
- https://www.crow.rip/crows-nest/binexp/heap/house-of-force-i/house-of-force-ii
I have a few questions about the video and articles.
- Why is the formula for calculating the wrap around address the following?
    def diff(x, y):
        # 0xffffffffffffffff is the largest unsigned 64-bit value
        return (0xffffffffffffffff - x) + y
Why subtract x from 0xffffffffffffffff and then add y? How does this give us the difference in the distance? Why use 0xffffffffffffffff?
- When using __malloc_hook to execute the system function, how does the binary know where the argument for the function call is? The pointer to the argument is located at malloc((heap + 0x30) ""), but how does the function know that it's there, and why heap + 0x30?
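An added worked example (my own, not part of the question or the linked articles) of the arithmetic behind the first question: 0xffffffffffffffff is 2**64 - 1, which is -1 in 64-bit two's complement, so (0xffffffffffffffff - x) + y truncated to 64 bits equals (y - x - 1) mod 2**64, the unsigned wrap-around distance from x to y less one. The addresses below are constructed sample values, not taken from any real binary.

```python
# Added example: why (0xffffffffffffffff - x) + y is a 64-bit wrap-around distance.
MASK = 0xFFFFFFFFFFFFFFFF  # 2**64 - 1, the largest unsigned 64-bit value (== -1 mod 2**64)


def diff(x: int, y: int) -> int:
    """The formula exactly as written in the question (Python ints never wrap)."""
    return (MASK - x) + y


def diff_u64(x: int, y: int) -> int:
    """The same formula truncated to 64 bits, as a size_t computation would be."""
    return diff(x, y) & MASK


def to_u64(n: int) -> int:
    """Reinterpret any integer (possibly negative) as an unsigned 64-bit value."""
    return n & MASK


def add_u64(a: int, b: int) -> int:
    """64-bit unsigned addition with wrap-around."""
    return (a + b) & MASK


def explain(x: int, y: int) -> dict:
    """Three views of the same quantity: the formula, y - x - 1 mod 2**64, and plain y - x."""
    return {
        "formula_u64": diff_u64(x, y),
        "y_minus_x_minus_1_u64": to_u64(y - x - 1),
        "signed_y_minus_x": y - x,
        # adding the formula's result back to x lands one byte short of y
        "x_plus_formula": add_u64(x, diff_u64(x, y)),
    }


# Constructed sample addresses (hypothetical).
X_CURRENT = 0x555555559000  # where the allocator currently is
Y_HIGHER = 0x7FFFF7E12000   # a target above x: y - x is positive, no wrap needed
Y_LOWER = 0x555555554000    # a target below x: y - x is negative, so it wraps

if __name__ == "__main__":
    for y in (Y_HIGHER, Y_LOWER):
        print({k: hex(v) if v >= 0 else v for k, v in explain(X_CURRENT, y).items()})
```

Since glibc 2.29, _int_malloc aborts with "malloc(): corrupted top size" when the top chunk's size field exceeds av->system_mem, which is the sanity check that stops a corrupted top chunk from being used this way on current systems.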