+ashikombat aww thank you!

I bet its really hard work :D But thank you so much for the videos!

did you also play at 0.25x speed?

@@1e1001 r/theydidthemath

not really

I agree

+Scarlas totally depends on the Heap implementation. Current malloc/free version have this technique fixed anyway. Though Might also be not exploitable at all with these limited malloc/free steps. Sounds like a cool challenge to try :P You should also checkout the cookbook writeup. There I used the heap exploitation technique "house of force" in a modern environment but it requires that you control the size to a malloc() call.

A golden mine of knowledge

In this video (and jn the previous one) you saw how to access properties in an 'object' on a heap. With the '->' arrow like this: 'auth->service'. Now what that really means is: Take the pointer of the auth 'object' and add the proper amount of bytes until the service section begins. So the unlink part from the source code will say "take the address of the beginning of the heap chunk and add 12, since at that address will ALWAYS be the forward pointer in case this chunk wants to be unlinked". And since we are abusing this forward pointer stuff with the "->" arrow, the innocent unlink thingy thinks we wanna jump to the address we give to it + 12 bytes since at that address (in a normal heap chunk) will always be the forward pointer. So we give it the GOT address MINUS 12 because the unlink function will ADD 12. I hope u understood this now and didnt loose motivation since the month you posted this :)). If anything is unclear please let me know so I can better my teaching skills. Have fun

@@uuuuuhhlettuce3909 wouldn't the +12 point to the backward pointer? still woefully new at this stuff, but i thought the forward pointer is first after the metadata (i.e., at +8)

thanks for the suggestion, but that's not the issue here ;) I don't see why egghunting shellcode would help here. The issue here is a different one. But watch the following video where I successfully exploit it.

+cyancoyote that is so nice of you to say! I have never really read books. And books are so quickly outdated. But I plan to work through beginners.re myself. Also "the art of exploitation" is nice.

Thank you very much :)

@@cyancoyote7366 How is your journey now :D?

So..did you wrap your head around it yet? :)

I'm in the same situation as yours now :((

YumekuiNeru explain please ?

in C the {}-blocks are not part of the if/while statements they just group a bunch of statements together and then the {}-block can appear immediately after say an if-statement, and that block is what will run if the condition is true it is pretty much the same as putting a single statement like i=1 after an if without any {}, except when not using a block multiple statements/lines can not be used so the point was that by placing the { on the far right on the same line it gives the false impression that the block is part of the if statement, not to mention it is easy to miss whether there is an opening brace or not (as happens in 12:36 of this video) by always placing the two braces aligned with eachother on the left, it is easy to tell at a glance when you have a block and when you have just a single line

This old VM still uses the old implementation. It’s an introduction practice VM

+F Squad clearer for the viewer. Also I'm used to do tab completion

its about speed versus security. Having only one large block be the heap is easy. if the user needs to increase the heap or the process wants to fork all it has to do is copy the heap in one go.

As you said, one heap block is easy, for the programmer it is. The performance isn't affected much by copying two blocks instead of one, in fact two blocks are easier to parallelize. The tradeoff here seems to be about security vs. complexity.

what affects performance is that with kernel-controlled metadata you would need to make a system call every time the heap changes, even if it's just a couple of bytes, even if it happens dozens of times in a single function.