This post is going to be about the different exploitation techniques used to exploit heap-based memory bugs. They have been termed famously by the community as “The Malloc Maleficarum”, after the first Phrack article that came out detailing them. Since then, several new approaches have been developed as is the norm of the cat and mouse chase in infosec. We will see some of the very common ones in this post, using CTF challenges for illustration.
One thing to note: unlinking used to a pretty standard heap exploitation technique up until GLIBC 2.24, past which it was patched. As it is no longer in practical use, I won’t be discussing it, however, feel free to check it out here (sploitfun blog).
Finally, the references used in this post are how2heap by shellphish and a lot of googling for writeups.
Seeing that along with all the explanations and writeups this post would’ve bloated into a small book, I have decided to split it into separate posts for separate techniques, which will all be linked here. They are all in a pipeline and will be added in a few days from now:
- House of Spirit
- tcache Exploitation – (similar to House of Spirit)
- House of Einherjar
- Unsorted bin attack
More will be added with time. I only discuss one challenge per technique, but it is highly recommended to attempt more (and quirkier) CTF challenges on your own and read writeups to get clarity – you could also check out wargames like pwnable.tw and pwnable.kr. In all the exploits discussed, familiarity with general pwn terms is assumed – NX, stack buffer overflow, canary, GOT overwrite, etc. If you find something that you aren’t familiar with, just google – though be warned: it will almost certainly be a rabbit hole.
Please feel free to send suggestions/criticisms/curses. Would be great if we all get to learn something new. 🙂
The House of Spirit is a heap exploitation technique which abuses the fastbin to work. We usually create a fake fastbin chunk (in an area of user-controlled memory whose address we can somehow know) and write its address to the next pointer field of a free fastchunk (through an overflow that may be present on the binary).
Continue reading “Malloc#3: Maleficarum#2: House of Spirit”
I am going to skip over SymEx#1 and start with #2 because I want to get hands dirty with actually using a symbolic execution engine. So this blog is aimed mostly at being a tutorial for getting started with and writing basic angr scripts in python.
Continue reading “SymEx#2: Working with angr”
In this series of posts, I am going to be writing about and detailing (mostly for my future self) how to heap. Continue reading “Malloc#1: Heap Exploitation 101”
Hello. In this post, we are going to further understand file structure exploitation by attempting a challenge given in Hitcon17 – babyfs. Let’s dive straight in. You might want to check out #FSE1 and #FSE2 if you haven’t done so already, they contain some basics discussed earlier.
Continue reading “FSE#3: babyfs Writeup Hitcon 17”
We will be discussing file structure exploitation here. There is a disclaimer, I’ll reserve that for the end. In this blog, I haven’t tried to create an exhaustive resource on file structures, but just a basic primer on how to exploit them, so there might be some gaps in between. Let’s dive straight in.
The reason that file structures are an interesting target for exploitation is that they are present everywhere: even in programs which don’t explicitly use file structures the use of stdin and stdout is pretty essential. In a more applied sense, the reason we are able to exploit file structures is that they are allocated on the heap. And the heap, more often than not, is a place where unsanitized user input lives – so it’s basically a land of overflows. 😉
Continue reading “FSE#1: File Structure Exploitation 101”
This challenge is a very nice introduction to FILE Structure exploitation involving a classic technique –
vtable overwrite. It has been discussed in rough detail in the previous post – #FSE1.
Continue reading “FSE#2: jumping_jacks Writeup InCTF 2017”