worawit / CVE-2021-3156

Sudo Baron Samedit Exploit


Can you make Exploit code in 32bit? (no tcache)

BruteKoon opened this issue · comments

commented

Hi! I want to make exploit code in a 32-bit environment.

There have been various attempts, but the most fundamental problem is that there is only one space (unsorted bin) in the bins just before the overflow buffer is allocated.

[image]

Is there any way to increase this? (I want to use small bins, fast bins... but always only unsorted bins remain.)


commented

Oh, and the create_libx code is missing in exploit_nss_u14.py.

Thanks for reporting. I added the missing create_libx in exploit_nss_u14.py.

I have no plan to support 32-bit Linux.

Exploiting without tcache on Debian-based distributions (including Ubuntu) by overwriting struct service_user is not straightforward. On 64-bit, I had to trace heap usage and adjust the number of arguments to make a fastbin exist. Then I tried many LC_* combinations to get a free fastbin before struct service_user.

I don't know if it is possible to overwrite struct service_user on Ubuntu 14.04 32-bit. But overwriting the userspec method should be possible.
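The whole thread turns on which glibc bin a freed chunk ends up in (tcache, fastbin, unsorted bin, or merged into top) and whether a later allocation of the same size gets that chunk back. The following C program is an added illustration of that behaviour and is not code from this issue or from the worawit/CVE-2021-3156 repository; it contains no sudo or nss logic. The request sizes FAST_REQ and LARGE_REQ are my own choices for glibc's default tunables on 64-bit (a fastbin-sized chunk and a chunk too large for both tcache and fastbins); the function names are likewise mine.

```c
// Added example, not part of the worawit/CVE-2021-3156 repository.
// Shows where glibc malloc puts a freed chunk and whether the next malloc of
// the same size returns it. Assumes glibc malloc with default tunables on 64-bit.
#include <stdio.h>
#include <stdlib.h>

#define FAST_REQ  0x20   /* chunk 0x30 on 64-bit: below global_max_fast (0x80), so fastbin/tcache sized */
#define LARGE_REQ 0x500  /* chunk 0x510 on 64-bit: above the tcache limit (0x410) and the fastbin limit */

/* On a fresh heap the freed chunk is the last one before top, so free() merges it
   into top instead of putting it in a bin. The next malloc carves the same address
   back out of top. Address comparison therefore cannot tell "sitting in a bin"
   from "merged into top"; bin contents have to be inspected directly. */
int large_chunk_next_to_top_is_recarved(void) {
    void *a = malloc(LARGE_REQ);
    free(a);                          /* no guard chunk: merges into top (or into a neighbouring free chunk) */
    void *b = malloc(LARGE_REQ);
    int same = (a == b);
    free(b);
    return same;
}

/* A fastbin-sized chunk is handed back on the next same-size malloc (LIFO order).
   With tcache it comes from the tcache bin; with tcache disabled, from the fastbin. */
int fast_chunk_is_reused(void) {
    void *a = malloc(FAST_REQ);
    void *guard = malloc(FAST_REQ);   /* keeps a's chunk away from top */
    free(a);                          /* tcache bin, or fastbin when tcache is off */
    void *b = malloc(FAST_REQ);
    int same = (a == b);
    free(b);
    free(guard);
    return same;
}

/* A freed large chunk that is not next to top is placed in the unsorted bin and is an
   exact fit for the next request of the same size, so malloc returns it again. This is
   the "only the unsorted bin remains" state the question above describes. */
int unsorted_chunk_is_reused(void) {
    void *a = malloc(LARGE_REQ);
    void *guard = malloc(FAST_REQ);   /* in-use chunk between a and top prevents consolidation */
    free(a);                          /* goes to the unsorted bin */
    void *b = malloc(LARGE_REQ);
    int same = (a == b);
    free(b);
    free(guard);
    return same;
}

int main(void) {
    printf("large chunk next to top recarved: %d\n", large_chunk_next_to_top_is_recarved());
    printf("fast chunk reused:                %d\n", fast_chunk_is_reused());
    printf("unsorted chunk reused:            %d\n", unsorted_chunk_is_reused());
    return 0;
}
```

To observe the no-tcache behaviour this issue is about on a current glibc (2.26 or later), run the binary with `GLIBC_TUNABLES=glibc.malloc.tcache_count=0`; the results stay the same, but the fast-sized chunk then travels through a fastbin rather than tcache, which is the situation worawit describes having to arrange on 64-bit. On a 32-bit glibc the fastbin and tcache limits are smaller, so the sizes would need adjusting.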