/how2heap

A repository for learning various heap exploitation techniques.

Primary LanguageC

Educational Heap Exploitation

This repo is for learning various heap exploitation techniques. We came up with the idea during a hack meeting, and have implemented the following techniques:

File Technique Applicable CTF Challenges
first_fit.c Demonstrating glibc malloc's first-fit behavior.
fastbin_dup.c Tricking malloc into returning an already-allocated heap pointer by abusing the fastbin freelist.
fastbin_dup_into_stack.c Tricking malloc into returning a nearly-arbitrary pointer by abusing the fastbin freelist. 9447-search-engine, 0ctf 2017-babyheap
unsafe_unlink.c Exploiting free on a corrupted chunk to get arbitrary write. HITCON CTF 2014-stkof, Insomni'hack 2017-Wheel of Robots
house_of_spirit.c Frees a fake fastbin chunk to get malloc to return a nearly-arbitrary pointer. hack.lu CTF 2014-OREO
poison_null_byte.c Exploiting a single null byte overflow. PlaidCTF 2015-plaiddb
house_of_lore.c Tricking malloc into returning a nearly-arbitrary pointer by abusing the smallbin freelist.
overlapping_chunks.c Exploit the overwrite of a freed chunk size in the unsorted bin in order to make a new allocation overlap with an existing chunk hack.lu CTF 2015-bookstore, Nuit du Hack 2016-night-deamonic-heap
overlapping_chunks_2.c Exploit the overwrite of an in use chunk size in order to make a new allocation overlap with an existing chunk
house_of_force.c Exploiting the Top Chunk (Wilderness) header in order to get malloc to return a nearly-arbitrary pointer Boston Key Party 2016-cookbook, BCTF 2016-bcloud
unsorted_bin_attack.c Exploiting the overwrite of a freed chunk on unsorted bin freelist to write a large value into arbitrary address 0ctf 2016-zerostorage
house_of_einherjar.c Exploiting a single null byte overflow to trick malloc into returning a controlled pointer Seccon 2016-tinypad

Have a good example? Add it here! Try to inline the whole technique in a single .c -- it's a lot easier to learn that way.

Heap Exploitation Tools

There are some heap exploitation tools floating around.

shadow

jemalloc exploitation framework: https://github.com/CENSUS/shadow

libheap

Examine the glibc heap in gdb: https://github.com/cloudburst/libheap

Malloc Playground

The malloc_playground.c file given is the source for a program that prompts the user for commands to allocate and free memory interactively.

Other resources

Some good heap exploitation resources, roughly in order of their publication, are:

Hardening

There are a couple of "hardening" measures embedded in glibc, like export MALLOC_CHECK_=1 (enables some checks), export MALLOC_PERTURB_=1 (data is overwritten), export MALLOC_MMAP_THRESHOLD_=1 (always use mmap()), ...

More info: mcheck(), mallopt().

There's also some tracing support as mtrace(), malloc_stats(), malloc_info(), memusage, and in other functions in this family.