romydj / how2heap

A repository for learning various heap exploitation techniques.

Educational Heap Exploitation

This repo is for learning various heap exploitation techniques. We came up with the idea during a hack meeting, and have implemented the following techniques:

| File | Technique | Applicable CTF Challenges |
|------|-----------|---------------------------|
| fastbin_dup.c | Tricking malloc into returning an already-allocated heap pointer by abusing the fastbin freelist. | |
| fastbin_dup_into_stack.c | Tricking malloc into returning a nearly-arbitrary pointer by abusing the fastbin freelist. | 9447-search-engine |
| unsafe_unlink.c | Exploiting free on a corrupted chunk to get arbitrary write. | HITCON CTF 2014-stkof |
| house_of_spirit.c | Frees a fake fastbin chunk to get malloc to return a nearly-arbitrary pointer. | hack.lu CTF 2014-OREO |
| poison_null_byte.c | Exploiting a single null byte overflow. | PlaidCTF 2015-plaiddb |

Have a good example? Add it here! Try to inline the whole technique in a single .c -- it's a lot easier to learn that way.

Malloc Playground

The malloc_playground.c file given is the source for a program that prompts the user for commands to allocate and free memory interactively.

Other resources

Some good heap exploitation resources are:

Hardening

There are a couple of "hardening" measures embedded in glibc, enabled through environment variables such as export MALLOC_CHECK_=1 (enables consistency checks on the heap and reports corruption), export MALLOC_PERTURB_=1 (allocated and freed memory is overwritten with a fill byte, so stale data does not survive reuse), export MALLOC_MMAP_THRESHOLD_=1 (every allocation is served with mmap() instead of from the brk heap), and others.

More info: mcheck(), mallopt().

There is also tracing support in mtrace(), malloc_stats(), malloc_info(), memusage, and other functions in this family.
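As an added example (not part of how2heap), the following C program shows what MALLOC_PERTURB_ actually changes: without it, the contents of a freed chunk survive into the next allocation of the same size, which is how uninitialized-heap information leaks arise; with it, both free() and malloc() wipe the chunk. It assumes glibc malloc and uses mallopt(M_PERTURB, ...), the in-process equivalent of the environment variable; the chunk size, secret string and offset are constructed for the demonstration.

```c
/* Added example, not from the how2heap repository. Assumes glibc malloc. */
#include <malloc.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define CHUNK_SIZE 2048   /* constructed: above the tcache range so the perturb code paths run */
#define SECRET_OFF 64     /* constructed: past the fd/bk fields that free() writes into the chunk */

static const char SECRET[] = "constructed-secret-token";   /* constructed sample data */

/* Write a secret into a heap buffer, free it, allocate the same size again and
 * count how many secret bytes are still readable in the recycled chunk.
 * perturb != 0 switches on the MALLOC_PERTURB_ behaviour via mallopt(). */
int stale_secret_bytes(int perturb)
{
    /* fill byte 0xAA on free(); malloc() then fills with the complement, 0x55 */
    if (mallopt(M_PERTURB, perturb ? 0xAA : 0) != 1)
        return -1;                          /* mallopt failed (not glibc?) */

    char *first = malloc(CHUNK_SIZE);
    if (!first) return -1;
    memset(first, 0, CHUNK_SIZE);
    memcpy(first + SECRET_OFF, SECRET, sizeof SECRET);
    uintptr_t first_addr = (uintptr_t)first;
    free(first);        /* chunk merges back into top; only wiped when perturb is on */

    char *second = malloc(CHUNK_SIZE);
    if (!second) return -1;
    int stale = 0;
    if ((uintptr_t)second == first_addr) {  /* same chunk handed back, as a fresh heap does */
        for (size_t i = 0; i < sizeof SECRET; i++)
            stale += (second[SECRET_OFF + i] == SECRET[i]);
    }
    free(second);
    mallopt(M_PERTURB, 0);                  /* restore the default for later allocations */
    return stale;
}

int main(void)
{
    printf("stale secret bytes without MALLOC_PERTURB_: %d\n", stale_secret_bytes(0));
    printf("stale secret bytes with    MALLOC_PERTURB_: %d\n", stale_secret_bytes(1));
    return 0;
}
```

The same effect is obtained for an unmodified binary by running it with MALLOC_PERTURB_=170 (0xAA) in the environment, which is how the variable above is normally used.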
