Malloc#2: Maleficarum#1

This post is going to be about the different exploitation techniques used to exploit heap-based memory bugs. They have been termed famously by the community as “The Malloc Maleficarum”, after the first Phrack article that came out detailing them. Since then, several new approaches have been developed as is the norm of the cat and mouse chase in infosec. We will see some of the very common ones in this post, using CTF challenges for illustration.

One thing to note: unlinking used to a pretty standard heap exploitation technique up until GLIBC 2.24, past which it was patched. As it is no longer in practical use, I won’t be discussing it, however, feel free to check it out here (sploitfun blog).

Finally, the references used in this post are how2heap by shellphish and a lot of googling for writeups.

Seeing that along with all the explanations and writeups this post would’ve bloated into a small book, I have decided to split it into separate posts for separate techniques, which will all be linked here. They are all in a pipeline and will be added in a few days from now:

  • House of Spirit
  • tcache Exploitation – (similar to House of Spirit)
  • House of Einherjar
  • Unsorted bin attack

More will be added with time. I only discuss one challenge per technique, but it is highly recommended to attempt more (and quirkier) CTF challenges on your own and read writeups to get clarity – you could also check out wargames like pwnable.tw and pwnable.kr. In all the exploits discussed, familiarity with general pwn terms is assumed – NX, stack buffer overflow, canary, GOT overwrite, etc. If you find something that you aren’t familiar with, just google – though be warned: it will almost certainly be a rabbit hole.

Please feel free to send suggestions/criticisms/curses. Would be great if we all get to learn something new. 🙂

Advertisements

Malloc#3: Maleficarum#2: House of Spirit

The House of Spirit is a heap exploitation technique which abuses the fastbin to work. We usually create a fake fastbin chunk (in an area of user-controlled memory whose address we can somehow know) and write its address to the next pointer field of a free fastchunk (through an overflow that may be present on the binary).

Continue reading “Malloc#3: Maleficarum#2: House of Spirit”

FSE#1: File Structure Exploitation 101

We will be discussing file structure exploitation here. There is a disclaimer, I’ll reserve that for the end. In this blog, I haven’t tried to create an exhaustive resource on file structures, but just a basic primer on how to exploit them, so there might be some gaps in between. Let’s dive straight in.

The reason that file structures are an interesting target for exploitation is that they are present everywhere: even in programs which don’t explicitly use file structures the use of stdin and stdout is pretty essential. In a more applied sense, the reason we are able to exploit file structures is that they are allocated on the heap. And the heap, more often than not, is a place where unsanitized user input lives – so it’s basically a land of overflows. 😉

Continue reading “FSE#1: File Structure Exploitation 101”