Abstract
For nearly 20 years, exploiting memory allocators has been something of an art form. Become a part of that legacy with HeapLAB.
The GNU C Library (GLIBC) is a fundamental part of most Linux desktop and many embedded distributions; its memory allocator is used in everything from starting threads to dealing with I/O. Learn how to leverage this vast attack surface with more than 10 different heap exploitation techniques, from the original "Unsafe Unlink" to the beautiful overflow-to-shell "House of Orange" and eventually to the cutting-edge "House of Corrosion". In this hands-on course, students will alternate between learning new techniques and developing their own exploits based on what they've learned.
SUGGESTED COMBO: INTRODUCTION TO 64-BIT EXPLOIT DEVELOPMENT
Key Learning Objectives
- Introduction to the GLIBC memory allocator: "malloc"
- The history of GLIBC heap exploitation
- Understanding and bypassing different heap exploit mitigations
- Hijacking the flow of execution with heap exploits
- Leaking information with heap corruption
- Learning the "Houses" of heap exploitation
- Scripting heap exploits with pwntools
- Debugging heap implementations with GDB
Who Should Attend
- CTF team members who want to take on Linux heap challenges
- Linux exploit developers who want to add another string to their bow
- Anyone interested in "weird machines"
Agenda
Session 1:
- An introduction to GLIBC and its memory allocator
- GLIBC heap exploitation history
- Tools of the trade
  - GDB and pwndbg
  - The pwntools library
- The "House of Force" technique
  - The malloc() function
  - The "top" chunk
  - Hijacking the flow of execution
    - Malloc's hooks
    - "One-gadgets"
- The "Fastbin Dup" technique
  - The free() function
  - Malloc's fastbins
  - Arenas
  - Defeating the fastbins double-free mitigation
  - Dealing with the fastbins size field check
- CHALLENGE: "fastbin dup 2"
Session 2:
- The "Unsafe Unlink" technique
  - Malloc's unsortedbin
  - Chunk coalescing
  - Defeating the "safe unlinking" checks
- The "House of Orange" technique
  - File stream exploitation
  - The "Unsortedbin Attack"
  - Top chunk extension
  - Sorting
- Info leaks via the heap
  - Leaking heap addresses
  - Leaking libc addresses
- CHALLENGE: "one-byte"
  - Leverage a one-byte overflow against a modern pwnable
Session 3:
- The "House of Spirit" technique
  - Passing corrupted values to free()
  - Designing fake chunks
- The "House of Lore" technique
  - Poisoning the unsortedbin
  - Poisoning the smallbins
  - Poisoning the largebins
- The "House of Einherjar" technique
- The "House of Rabbit" technique
  - The malloc_consolidate() function
  - Moving fake chunks between bins
- Project Zero's "Poison Null Byte" technique
- CHALLENGE: "poison null byte"
  - Leverage a single null byte overflow against a modern pwnable
Session 4:
- The "House of Corrosion" technique
  - Reviving the "House of Prime"
  - Defeating libio vtable integrity checks
  - Leveraging partial malloc metadata overwrites
  - Triggering file stream exploits via failed asserts
- The Tcache
  - The "Tcache Dup" technique
    - Defeating the tcache double-free mitigation
- CHALLENGE: "tcache troll"
  - Leverage a double-free against a modern pwnable
- BONUS CHALLENGE: "optimize"
Prerequisites
- Confidence using command-line tools
- Some basic Python scripting skills
- Familiarity with a debugging environment, e.g. GDB
Hardware Requirements
- Laptop powerful enough to run VMs
- 8 GB RAM minimum
- 35 GB free disk space minimum
- USB-A port or dongle to copy the VM
Software Requirements
- Windows / Linux / macOS
- One of the following virtualization suites:
  - VMware Player
  - VMware Workstation
  - VMware Fusion
  - VirtualBox