Linux Heap Fast Bin Double Free Exploitation
In this paper, I introduce the reader to a heap metadata corruption attack against the current Linux heap allocator (glibc malloc's fast bins). The allocator's only double-free check on the fast path compares the chunk being freed with the chunk at the head of its fast bin, so an attacker who can force the application to free a chunk, free a different chunk of the same size, and then free the first chunk again links it into the bin twice. From there the attacker can manipulate the allocator so that malloc returns the same chunk to two live allocations (a duplicate pointer) or, by overwriting the forward pointer of the doubly freed chunk with an address whose size field passes the fast bin size check, returns an attacker-chosen address (an arbitrary pointer). Given the appropriate application logic, this can lead to exploitation.
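The following is an added example, not the paper's code and not glibc: it models a single glibc-style fast bin (a LIFO singly linked list whose link lives in the first word of the freed chunk's user data, a size-field check on allocation, and a double-free check that only looks at the bin head) and walks through the three outcomes described above: the naive double free that is caught, the free A / free B / free A sequence that yields a duplicate pointer, and the forward-pointer overwrite that makes malloc return a fake chunk. Names such as `toy_malloc`, `toy_free`, `fake_chunk` and the demo functions are assumptions of this model; glibc aborts where the model returns NULL or -1.

```c
/* Toy model of one glibc fastbin size class. Added example; not glibc's code. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define CHUNK_SIZE   0x40   /* the single size class this toy bin serves */
#define ARENA_CHUNKS 8

typedef struct chunk {
    size_t prev_size;
    size_t size;              /* size | flag bits, as in glibc */
    struct chunk *fd;         /* overlays the first user word once freed */
    unsigned char pad[CHUNK_SIZE - 3 * sizeof(size_t)];
} chunk_t;

static chunk_t arena[ARENA_CHUNKS];   /* stands in for the heap top */
static size_t  arena_top;
static chunk_t *fastbin;              /* head of the LIFO free list */
static chunk_t fake_chunk;            /* attacker-controlled memory (assumed) */

static void toy_reset(void) {
    memset(arena, 0, sizeof arena);
    memset(&fake_chunk, 0, sizeof fake_chunk);
    arena_top = 0;
    fastbin = NULL;
}

static void *toy_malloc(void) {
    chunk_t *c;
    if (fastbin) {
        c = fastbin;
        /* glibc: "malloc(): memory corruption (fast)" if the size does not match the bin */
        if ((c->size & ~(size_t)7) != CHUNK_SIZE) return NULL;
        fastbin = c->fd;
    } else {
        if (arena_top >= ARENA_CHUNKS) return NULL;
        c = &arena[arena_top++];
        c->size = CHUNK_SIZE | 1;
    }
    return (void *)&c->fd;
}

static int toy_free(void *p) {
    chunk_t *c = (chunk_t *)((char *)p - offsetof(chunk_t, fd));
    /* the only fast-path double-free check: is the chunk already the bin head? */
    if (fastbin == c) return -1;  /* "double free or corruption (fasttop)" */
    c->fd = fastbin;
    fastbin = c;
    return 0;
}

/* free(a); free(a) is caught by the fasttop check: returns -1 */
int demo_naive_double_free(void) {
    toy_reset();
    void *a = toy_malloc();
    toy_free(a);
    return toy_free(a);
}

/* free(a); free(b); free(a) passes, and malloc hands out a twice: returns 1 */
int demo_duplicate_pointer(void) {
    toy_reset();
    void *a = toy_malloc(), *b = toy_malloc();
    toy_free(a); toy_free(b);
    if (toy_free(a) != 0) return 0;
    void *p1 = toy_malloc();      /* a */
    void *p2 = toy_malloc();      /* b */
    void *p3 = toy_malloc();      /* a again, while p1 is still live */
    return (p1 == a && p2 == b && p3 == a) ? 1 : 0;
}

/* After the double free, write fake_chunk's address through the live pointer p1:
 * that word is a's fd, so the bin now reads b -> a -> fake_chunk. The fourth malloc
 * returns fake_chunk's user data if its size field matches the bin, else NULL. */
void *demo_arbitrary_pointer(size_t fake_size) {
    toy_reset();
    fake_chunk.size = fake_size;
    void *a = toy_malloc(), *b = toy_malloc();
    toy_free(a); toy_free(b); toy_free(a);
    void *p1 = toy_malloc();                 /* a */
    *(chunk_t **)p1 = &fake_chunk;           /* "application" writes attacker data into a */
    (void)b;
    toy_malloc();                            /* b */
    toy_malloc();                            /* a */
    return toy_malloc();                     /* fake_chunk, or NULL on size mismatch */
}

void *fake_user_ptr(void) { return (void *)&fake_chunk.fd; }

int main(void) {
    printf("naive double free rejected: %d\n", demo_naive_double_free() == -1);
    printf("duplicate pointer obtained: %d\n", demo_duplicate_pointer());
    printf("arbitrary pointer obtained: %d\n", demo_arbitrary_pointer(CHUNK_SIZE) == fake_user_ptr());
    printf("wrong size field rejected:  %d\n", demo_arbitrary_pointer(CHUNK_SIZE + 0x10) == NULL);
    return 0;
}
```

The size-field check is why the "arbitrary" pointer is constrained: the target address must sit just after a word that looks like a chunk size for the bin, which is the practical hurdle the technique has to solve in a real target. On glibc 2.26 and later the tcache fronts the fast bins (and since 2.29 carries its own double-free check via the chunk's key field), and from 2.32 the fast bin forward pointer is mangled by safe-linking, so this bare sequence applies to older glibc or only once the tcache bin for that size is full.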
Linux Heap Fast Bin Double Free Exploitation.PDF