This repo is for learning various heap exploitation techniques. We came up with the idea during a hack meeting, and have implemented the following techniques:
File | Technique | Applicable CTF Challenges |
---|---|---|
first_fit.c | Demonstrating glibc malloc's first-fit behavior. | |
fastbin_dup.c | Tricking malloc into returning an already-allocated heap pointer by abusing the fastbin freelist. | |
fastbin_dup_into_stack.c | Tricking malloc into returning a nearly-arbitrary pointer by abusing the fastbin freelist. | 9447-search-engine |
unsafe_unlink.c | Exploiting free on a corrupted chunk to get arbitrary write. | HITCON CTF 2014-stkof |
house_of_spirit.c | Frees a fake fastbin chunk to get malloc to return a nearly-arbitrary pointer. | hack.lu CTF 2014-OREO |
poison_null_byte.c | Exploiting a single null byte overflow. | PlaidCTF 2015-plaiddb |
house_of_lore.c | Tricking malloc into returning a nearly-arbitrary pointer by abusing the smallbin freelist. | |
house_of_force.c | Tricking malloc into returning a nearly-arbitrary pointer by abusing the top chunk. |
Have a good example?
Add it here!
Try to inline the whole technique in a single .c
-- it's a lot easier to learn that way.
The malloc_playground.c
file given is the source for a program that prompts the user for commands to allocate and free memory interactively.
Some good heap exploitation resources are:
- Malloc Des-Maleficarum (http://phrack.org/issues/66/10.html) - some malloc exploitation techniques
- Understanding the heap by breaking it (https://www.blackhat.com/presentations/bh-usa-07/Ferguson/Whitepaper/bh-usa-07-ferguson-WP.pdf) - explains heap implementation and a couple exploits
- Glibc Adventures: The Forgotten Chunk (http://www.contextis.com/documents/120/Glibc_Adventures-The_Forgotten_Chunks.pdf) - advanced heap exploitation
- Pseudomonarchia jemallocum (http://www.phrack.org/issues/68/10.html)
- The House Of Lore: Reloaded (http://phrack.org/issues/67/8.html)
- Yet another free() exploitation technique (http://phrack.org/issues/66/6.html)
- The use of set_head to defeat the wilderness (http://phrack.org/issues/64/9.html)
- The Malloc Maleficarum (http://seclists.org/bugtraq/2005/Oct/118)
- OS X heap exploitation techniques (http://phrack.org/issues/63/5.html)
- Exploiting The Wilderness (http://seclists.org/vuln-dev/2004/Feb/25)
- Advanced Doug lea's malloc exploits (http://phrack.org/issues/61/6.html)
There are a couple of "hardening" measures embedded in glibc, like export MALLOC_CHECK_=1
(enables some checks), export MALLOC_PERTURB_=1
(data is overwritten), export MALLOC_MMAP_THRESHOLD_=1
(always use mmap()), ...
More info: mcheck(), mallopt().
There's also some tracing support as mtrace(), malloc_stats(), malloc_info(), memusage, and in other functions in this family.