/how2heap

A repository for learning various heap exploitation techniques.

Primary LanguageC

Educational Heap Exploitation

This repo is for learning various heap exploitation techniques. We came up with the idea during a hack meeting, and have implemented the following techniques:

File Technique Glibc-Version Applicable CTF Challenges
first_fit.c Demonstrating glibc malloc's first-fit behavior.
fastbin_dup.c Tricking malloc into returning an already-allocated heap pointer by abusing the fastbin freelist.
fastbin_dup_into_stack.c Tricking malloc into returning a nearly-arbitrary pointer by abusing the fastbin freelist. latest 9447-search-engine, 0ctf 2017-babyheap
fastbin_dup_consolidate.c Tricking malloc into returning an already-allocated heap pointer by putting a pointer on both fastbin freelist and unsorted bin freelist. latest Hitcon 2016 SleepyHolder
unsafe_unlink.c Exploiting free on a corrupted chunk to get arbitrary write. < 2.26 HITCON CTF 2014-stkof, Insomni'hack 2017-Wheel of Robots
house_of_spirit.c Frees a fake fastbin chunk to get malloc to return a nearly-arbitrary pointer. latest hack.lu CTF 2014-OREO
poison_null_byte.c Exploiting a single null byte overflow. < 2.26 PlaidCTF 2015-plaiddb
house_of_lore.c Tricking malloc into returning a nearly-arbitrary pointer by abusing the smallbin freelist. < 2.26
overlapping_chunks.c Exploit the overwrite of a freed chunk size in the unsorted bin in order to make a new allocation overlap with an existing chunk < 2.26 hack.lu CTF 2015-bookstore, Nuit du Hack 2016-night-deamonic-heap
overlapping_chunks_2.c Exploit the overwrite of an in use chunk size in order to make a new allocation overlap with an existing chunk latest
house_of_force.c Exploiting the Top Chunk (Wilderness) header in order to get malloc to return a nearly-arbitrary pointer < 2.29 Boston Key Party 2016-cookbook, BCTF 2016-bcloud
unsorted_bin_into_stack.c Exploiting the overwrite of a freed chunk on unsorted bin freelist to return a nearly-arbitrary pointer. < 2.26
unsorted_bin_attack.c Exploiting the overwrite of a freed chunk on unsorted bin freelist to write a large value into arbitrary address < 2.26 0ctf 2016-zerostorage
large_bin_attack.c Exploiting the overwrite of a freed chunk on large bin freelist to write a large value into arbitrary address < 2.26 0ctf 2018-heapstorm2
house_of_einherjar.c Exploiting a single null byte overflow to trick malloc into returning a controlled pointer < 2.26 Seccon 2016-tinypad
house_of_orange.c Exploiting the Top Chunk (Wilderness) in order to gain arbitrary code execution < 2.26 Hitcon 2016 houseoforange
tcache_dup.c Tricking malloc into returning an already-allocated heap pointer by abusing the tcache freelist. 2.26 - 2.28
tcache_poisoning.c Tricking malloc into returning a completely arbitrary pointer by abusing the tcache freelist. > 2.25
tcache_house_of_spirit.c Frees a fake chunk to get malloc to return a nearly-arbitrary pointer. > 2.25

The GnuLibc is under constant development and several of the techniques above have let to consistency checks introduced in the malloc/free logic. Consequently, these checks regularly break some of the techniques and require adjustments to bypass them (if possible). We address this issue by keeping multiple versions of the same technique for each Glibc-release that required an adjustment. The structure is glibc_<version>/technique.c.

Have a good example? Add it here! Try to inline the whole technique in a single .c -- it's a lot easier to learn that way.

Heap Exploitation Tools

There are some heap exploitation tools floating around.

shadow

jemalloc exploitation framework: https://github.com/CENSUS/shadow

libheap

Examine the glibc heap in gdb: https://github.com/cloudburst/libheap

heap-viewer

Examine the glibc heap in IDA Pro: https://github.com/danigargu/heap-viewer

heapinspect

A Python based heap playground with good visualization for educational purposes: https://github.com/matrix1001/heapinspect

Malloc Playground

The malloc_playground.c file given is the source for a program that prompts the user for commands to allocate and free memory interactively.

Other resources

Some good heap exploitation resources, roughly in order of their publication, are:

Hardening

There are a couple of "hardening" measures embedded in glibc, like export MALLOC_CHECK_=1 (enables some checks), export MALLOC_PERTURB_=1 (data is overwritten), export MALLOC_MMAP_THRESHOLD_=1 (always use mmap()), ...

More info: mcheck(), mallopt().

There's also some tracing support as mtrace(), malloc_stats(), malloc_info(), memusage, and in other functions in this family.