off-by-one overwrite allocated
……
off-by-one overwrite freed
……
off-by-one null byte
- In this exploit, the overflow byte can only be a null byte '\x00'.
The heap layout is like this:
Exploit steps:
malloc three chunks A, B and C (there is an off-by-one in chunk A).
- Sample code
unlink
……