Course Schedule
Dates:
May 16 - 17 (Monday to Tuesday) (10am to 6pm PST).
Available for IN-PERSON and ONLINE attendance.
Course Abstract
As exploit mitigation's, such as Nx and stack canaries, have made traditional binary exploitation more difficult, modern exploits have moved to the heap. But heap exploitation is a major increase in difficulty compared to traditional methods because of its complexity and methods being context dependent. In this training, we will conquer both of these issues.
To conquer the complexity, we'll learn all about the GLibC's malloc allocator by diving into the weeds of the allocator directly, explaining the how, what, and why. We'll use hands-on exercises to demonstrate techniques that are largely applicable, and cover the contexts which allow certain techniques to be used. Additionally, we will demonstrate how the victim program can add even more primitives that can be exploited and how to find these objects, allowing the information learned in the course to be widely applicable.
This workshop is specifically targeted at GLibC malloc, which is the default allocator on most Linux distributions. We will start by learning how the allocator functions and about heap specific vulnerability classes. From there, you will learn how to pwn with techniques in the allocator itself and how to find your own gadgets within victim programs to live off the land. Finally, we will attack a custom HTTP server stack by finding the vulnerabilities and exploiting them. This will require complicated heap feng shui and exploit techniques learned from the workshop in order to pull off. To make the content easy to grasp, the training includes many hands-on exercises for practicing the material, a large collection of visuals and an amazing virtual machine for pwnable challenges. After taking this course, you will be highly capable at finding heap related vulnerabilities and exploiting these bugs in a variety of ways.
Course Pre-requisites
Basic computer science background (x86_64 assembly, stack, programming skills in C & Python)
Basic binary exploitation skills (buffer overflow exploitation, ROP, ASLR, etc.)
Familiar with Linux developer tools such as the command line, Python scripting and GDB.
About the Instructor: Maxwell Dulin
Maxwell Dulin (Strikeout) is a senior security consultant hacking all things under the sun, from garage doors to web applications to operating systems. Maxwell has published many articles/talks for a plethora of heap exploitation techniques, assorted web application techniques and IoT devices. He has previously spoken at DEF CON 27s IoT Village, ToorCon, Hackfest and DEF CON workshops. His research is focused on custom RF protocols and binary exploitation methods. In his free time, he plays with RF toys, hikes to fire lookouts and catches everything at dodgeball.
About the Instructor: Zachary Minneker
Zachary Minneker is a security researcher and security engineer at Security Innovation. His first computer was a PowerPC Macintosh, an ISA which he continues to defend to this day. At Security Innovation, he has performed security assessments on a variety of systems, including robots for kids, audio transcription codecs, and electronic medical systems. He has previous experience administrating electronic medical systems, and deep experience in fuzzing, reverse engineering, and protocol analysis. His research has focused on techniques for in-memory fuzzing, macOS sandbox security, and IPC methods.
Takeaways
How the glibc malloc allocator functions (chunks, bins, etc.)
Heap specific vulnerability classes (use after free, double free, etc.)
6+ glibc malloc allocator exploitation techniques
Bypassing allocator and operating system binary protections, such as pointer mangling and ASLR
Living off the land of the program for context dependent exploit primitives
Leaking memory from the heap
Heap grooming (heap feng shui)
Debugging and testing memory corruption vulnerabilities
Course Agenda
Day 1
Module 1 - Introduction to the glibc heap Allocator:
Basic Data structures
Chunks
Exercise #1: Fixing a chunk
Bins (Free Chunks Handling)
Arenas
Malloc & Free Ordering
Module 2 - Heap Vulnerability Classes:
Heap buffer overflows
Use after frees
Exercise #2: Use after free
Double frees/arbitrary frees
Exercise #3: Double free exploitation
Module 3 - Fd Poisoning:
Understanding the TCache Bin
Exploiting fd pointers
Exercise #4: Fd Poison
Fastbin Variation
Pointer Mangling
Exercise #5: Fd poiston with Pointer Mangling
Module 4: The Classic Unlink:
Understanding the original bins (unsorted, small and large)
Removing a chunk from a bin
Unlink attack for arbitrary write primitive
Exercise #6: Unlink Attack
Unsafe unlink demo
Module 5 - Overlapping Chunks:
Understanding the size and prev_size chunk metadata
Corrupting the size field
Overlap chunks by growing the size
Exercise #7: Overlap two chunks
Other variations - shrinking chunks, unsorted bin variation
Day 2
Module 6 - House of Force
Top Chunk
Moving the top chunk forward
Overlapping your target
Exercise #8: House of Force
Similar technique overview: House of Einherjar
Module 7 - Write WHERE Primitives
Processing chunks in the unsorted bin
Unsorted Bin Attack method
Exercise #9: Unsorted Bin Attack
Uses of Unsorted Bin Attack: House of Husk and more
Similar technique overview: TCache Stashing
Module 8 - Leaks & Heap Grooming:
Uninitialized memory leaks
Exercise #10: Uninitialized memory read
Out of bounds read leak
Use after free leak
Filling in holes - heap feng shui
Heap Spraying - heap feng shui
Exercise #11: UAF read with heap feng shui
`sudoedit` vulnerability - heap grooming case study
Module 9 - Entering the Real World - Attacking an HTTP Server Stack:
Finding vulnerabilities in large applications via dynamic testing & code review
Vulnerability hunting walkthrough - subtle heap overflow
Vulnerability triaging & exploit planning
Exercise #12: Finding & Exploiting an uninitialized memory read for heap & libc info leaks
Allocation & freeing primitives for heap grooming in large applications
Living off the land - exploiting objects in the application itself
Exercise #13: Finding & Exploiting a use after free by living off the land
Other vulnerabiilty demos - integer overflows, arbitrary frees, etc.
Conclusion
Who Does What
Max:
1. Introduction to the glibc heap Allocator
3. Fd poison
7. Write WHERE primitives
9. HTTP Server Stack
Zach:
2. Vulnerability Classes
4. Unlink
5. Overlapping Chunks
6. House of Force
8. Leaks
Hardware and Software Requirements
Laptop with enough power for a moderately sized Linux VM
Administrative access to the laptop
8GB RAM minimum
30GB harddrive space
Virtualbox or another virtualization platform installed