# 0x00 Abstract
House of Orange is mainly used when no free function is available. When you malloc a chunk larger than the top chunk, the system puts the old top chunk into the unsorted bin list and gets a new top chunk.
This method is mainly used to mount an unsorted bin attack without a free function. A complete exploit also requires knowledge of IO_FILE.
# 0x01 hijack size of top chunk
A forged top chunk size has several requirements:
1. The forged size must keep the end of the top chunk (top chunk address + size) aligned to a memory page
2. The size must be greater than MINSIZE (0x10)
3. The size must be smaller than the size of the chunk requested later + MINSIZE (0x10)
4. The prev inuse bit of the size must be 1
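In short, the size needs to meet the following condition, where `top_chunk_size` is the raw size field with the prev inuse bit set (the `- 1` cancels that bit):
```
(top_chunk_addr + top_chunk_size - 1) % 0x1000 == 0
```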
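
The four requirements above can be written as one validation routine that reports which of them a given top chunk header violates. This is an added example, not code from the original page or from glibc; the function name, the flag names and the sample addresses are hypothetical, and the MINSIZE and page size values are the ones quoted above.

```c
#include <stdint.h>
#include <stdio.h>

#define PREV_INUSE 0x1UL   /* lowest bit of the size field */
#define FLAG_MASK  0x7UL   /* low three bits are flags, not part of the size */

/* Assumed platform constants; the sample values below come from the text above. */
typedef struct { uint64_t minsize, pagesize; } heap_params;

/* One bit per violated requirement; 0 means the header passes all four. */
enum { BAD_ALIGN = 1, BAD_MIN = 2, BAD_MAX = 4, BAD_PREV_INUSE = 8 };

/* top_addr:   address of the top chunk
 * size_field: raw size word of the top chunk, flag bits included
 * request:    size of the chunk requested afterwards */
unsigned top_header_violations(heap_params p, uint64_t top_addr,
                               uint64_t size_field, uint64_t request)
{
    uint64_t size = size_field & ~FLAG_MASK;
    unsigned bad = 0;

    if ((top_addr + size) & (p.pagesize - 1))  /* 1: end of top not page aligned */
        bad |= BAD_ALIGN;
    if (size <= p.minsize)                     /* 2: not greater than MINSIZE */
        bad |= BAD_MIN;
    if (size >= request + p.minsize)           /* 3: top could still serve the request */
        bad |= BAD_MAX;
    if (!(size_field & PREV_INUSE))            /* 4: prev inuse bit cleared */
        bad |= BAD_PREV_INUSE;
    return bad;
}

int main(void)
{
    heap_params p = { 0x10, 0x1000 };
    uint64_t top = 0x602020;                   /* constructed sample address */

    /* Intact header: 0x602020 + 0x20fe0 ends exactly on a page boundary. */
    printf("intact, large request : %u\n",
           top_header_violations(p, top, 0x20fe1, 0x21000));
    /* Inconsistent header: end misaligned and prev inuse bit missing. */
    printf("inconsistent header   : %u\n",
           top_header_violations(p, top, 0x1000, 0x2000));
    /* Small request: requirement 3 fails because top is still big enough. */
    printf("intact, small request : %u\n",
           top_header_violations(p, top, 0x20fe1, 0x100));
    return 0;
}
```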