HeapLAB - GLIBC Heap Exploitation

2-Day Training: August 3, 4

Abstract

For nearly 20 years, exploiting memory allocators has been something of an art form. Become a part of that legacy with HeapLAB.

The GNU C Library (GLIBC) is a fundamental part of most Linux desktop and many embedded distributions; its memory allocator is used in everything from starting threads to dealing with I/O. Learn how to leverage this vast attack surface with more than 10 different heap exploitation techniques, from the original "Unsafe Unlink" to the beautiful overflow-to-shell "House of Orange" and eventually to the cutting-edge "House of Corrosion". This is a 2 day, hands-on course; students will alternate between learning new techniques and developing their own exploits based on what they've learned.

Suggested Combo: Introduction to 64-bit Exploit Development, Aug 1, 2

Key Learning Objectives

  • Introduction to the GLIBC memory allocator: "malloc"
  • The history of GLIBC heap exploitation
  • Understanding and bypassing different heap exploit mitigations
  • Hijacking the flow of execution with heap exploits
  • Leaking information with heap corruption
  • Learning the "Houses" of heap exploitation
  • Scripting heap exploits with pwntools
  • Debugging heap implementations with GDB

Who Should Attend

  • CTF team members who want to take on Linux heap challenges
  • Linux exploit developers who want to add another string to their bow
  • Anyone interested in "weird machines"

Agenda

Day 1:

  • An introduction to GLIBC and its memory allocator
  • GLIBC heap exploitation history
  • Tools of the trade
    • GDB and pwndbg
    • The pwntools library
  • The "House of Force" technique
    • The malloc() function
    • The "top" chunk
  • Hijacking the flow of execution
    • Malloc's hooks
    • "One-gadgets"
  • The "Fastbin Dup" technique
    • The free() function
    • Malloc's fastbins
    • The main arena
    • Defeating the fastbins double-free mitigation
    • Dealing with the fastbins size field check
  • The "Unsafe Unlink" technique
    • Malloc's unsortedbin
    • Chunk coalescing
    • Defeating the "safe unlinking" checks
  • Info leaks via the heap
    • Leaking heap addresses
    • Leaking libc addresses
  • The "House of Orange" technique
    • Top chunk extension
    • The "Unsortedbin Attack"
    • Chunk sorting
    • File stream exploitation

Day 2:

  • The "House of Spirit" technique
    • Passing corrupted values to free()
    • Designing fake chunks
  • The "House of Lore" technique
    • Poisoning the unsortedbin
    • Poisoning the smallbins
    • Poisoning the largebins
  • The "House of Einherjar" technique
  • The "House of Rabbit" technique
    • The malloc_consolidate() function
    • Moving fake chunks between bins
  • Project Zero's "Poison Null Byte" technique
  • The "House of Corrosion" technique
    • Reviving the "House of Prime"
    • Defeating libio vtable integrity checks
    • Leveraging partial malloc metadata overwrites
    • Triggering file stream exploits via failed asserts
  • The tcache
    • The "Tcache Dup" technique
    • Defeating the tcache double-free mitigation

Prerequisites

  • Confidence using command line tools
  • Some basic Python scripting skills
  • Familiarity with a debugging environment, e.g. GDB

Hardware Requirements

  • Laptop - powerful enough to run VMs
  • 8GB RAM minimum
  • 35GB free HDD space minimum
  • USB-A slot or dongle to copy VM

Software Requirements

  • Windows / Linux / macOS
  • One of the following virtualization suites:
    • VMware Player
    • VMware Workstation
    • VMware Fusion
    • VirtualBox

Max Kamper

Max Kamper is a researcher at BAE Applied Intelligence. A former Royal Marines Commando, Max was a member of the Information Exploitation Group's electronic warfare squadron. Having traded radio signals for process signals, he now specializes in exploit development against Linux platforms. Max is also the author of the ROP Emporium website, a resource for learning practical x86 return-oriented programming.