Back to All Events

Heap Exploitation


 

Course Schedule

Dates:

  • May 16 - 17 (Monday to Tuesday) (10am to 6pm PST).

Available for IN-PERSON and ONLINE attendance.

 

Course Abstract

As exploit mitigation's, such as Nx and stack canaries, have made traditional binary exploitation more difficult, modern exploits have moved to the heap. But heap exploitation is a major increase in difficulty compared to traditional methods because of its complexity and methods being context dependent. In this training, we will conquer both of these issues.


To conquer the complexity, we'll learn all about the GLibC's malloc allocator by diving into the weeds of the allocator directly, explaining the how, what, and why. We'll use hands-on exercises to demonstrate techniques that are largely applicable, and cover the contexts which allow certain techniques to be used. Additionally, we will demonstrate how the victim program can add even more primitives that can be exploited and how to find these objects, allowing the information learned in the course to be widely applicable.


This workshop is specifically targeted at GLibC malloc, which is the default allocator on most Linux distributions. We will start by learning how the allocator functions and about heap specific vulnerability classes. From there, you will learn how to pwn with techniques in the allocator itself and how to find your own gadgets within victim programs to live off the land. Finally, we will attack a custom HTTP server stack by finding the vulnerabilities and exploiting them. This will require complicated heap feng shui and exploit techniques learned from the workshop in order to pull off. To make the content easy to grasp, the training includes many hands-on exercises for practicing the material, a large collection of visuals and an amazing virtual machine for pwnable challenges. After taking this course, you will be highly capable at finding heap related vulnerabilities and exploiting these bugs in a variety of ways.

 

Course Pre-requisites

  • Basic computer science background (x86_64 assembly, stack, programming skills in C & Python)

  • Basic binary exploitation skills (buffer overflow exploitation, ROP, ASLR, etc.)

  • Familiar with Linux developer tools such as the command line, Python scripting and GDB.

 

About the Instructor: Maxwell Dulin

Maxwell Dulin (Strikeout) is a senior security consultant hacking all things under the sun, from garage doors to web applications to operating systems. Maxwell has published many articles/talks for a plethora of heap exploitation techniques, assorted web application techniques and IoT devices. He has previously spoken at DEF CON 27s IoT Village, ToorCon, Hackfest and DEF CON workshops. His research is focused on custom RF protocols and binary exploitation methods. In his free time, he plays with RF toys, hikes to fire lookouts and catches everything at dodgeball.

 

About the Instructor: Zachary Minneker

Zachary Minneker is a security researcher and security engineer at Security Innovation. His first computer was a PowerPC Macintosh, an ISA which he continues to defend to this day. At Security Innovation, he has performed security assessments on a variety of systems, including robots for kids, audio transcription codecs, and electronic medical systems. He has previous experience administrating electronic medical systems, and deep experience in fuzzing, reverse engineering, and protocol analysis. His research has focused on techniques for in-memory fuzzing, macOS sandbox security, and IPC methods.

 
 

Takeaways

  • How the glibc malloc allocator functions (chunks, bins, etc.)

  • Heap specific vulnerability classes (use after free, double free, etc.)

  • 6+ glibc malloc allocator exploitation techniques

  • Bypassing allocator and operating system binary protections, such as pointer mangling and ASLR

  • Living off the land of the program for context dependent exploit primitives

  • Leaking memory from the heap

  • Heap grooming (heap feng shui)

  • Debugging and testing memory corruption vulnerabilities

 

Course Agenda

Day 1

  • Module 1 - Introduction to the glibc heap Allocator:

    • Basic Data structures

    • Chunks

    • Exercise #1: Fixing a chunk

    • Bins (Free Chunks Handling)

    • Arenas

    • Malloc & Free Ordering

  • Module 2 - Heap Vulnerability Classes:

    • Heap buffer overflows

    • Use after frees

    • Exercise #2: Use after free

    • Double frees/arbitrary frees

    • Exercise #3: Double free exploitation

  • Module 3 - Fd Poisoning:

    • Understanding the TCache Bin

    • Exploiting fd pointers

    • Exercise #4: Fd Poison

    • Fastbin Variation

    • Pointer Mangling

    • Exercise #5: Fd poiston with Pointer Mangling

  • Module 4: The Classic Unlink:

    • Understanding the original bins (unsorted, small and large)

    • Removing a chunk from a bin

    • Unlink attack for arbitrary write primitive

    • Exercise #6: Unlink Attack

    • Unsafe unlink demo

  • Module 5 - Overlapping Chunks:

    • Understanding the size and prev_size chunk metadata

    • Corrupting the size field

    • Overlap chunks by growing the size

    • Exercise #7: Overlap two chunks

    • Other variations - shrinking chunks, unsorted bin variation

Day 2

  • Module 6 - House of Force

    • Top Chunk

    • Moving the top chunk forward

    • Overlapping your target

    • Exercise #8: House of Force

    • Similar technique overview: House of Einherjar

  • Module 7 - Write WHERE Primitives

    • Processing chunks in the unsorted bin

    • Unsorted Bin Attack method

    • Exercise #9: Unsorted Bin Attack

    • Uses of Unsorted Bin Attack: House of Husk and more

    • Similar technique overview: TCache Stashing

  • Module 8 - Leaks & Heap Grooming:

    • Uninitialized memory leaks

    • Exercise #10: Uninitialized memory read

    • Out of bounds read leak

    • Use after free leak

    • Filling in holes - heap feng shui

    • Heap Spraying - heap feng shui

    • Exercise #11: UAF read with heap feng shui

    • `sudoedit` vulnerability - heap grooming case study

  • Module 9 - Entering the Real World - Attacking an HTTP Server Stack:

    • Finding vulnerabilities in large applications via dynamic testing & code review

    • Vulnerability hunting walkthrough - subtle heap overflow

    • Vulnerability triaging & exploit planning

    • Exercise #12: Finding & Exploiting an uninitialized memory read for heap & libc info leaks

    • Allocation & freeing primitives for heap grooming in large applications

    • Living off the land - exploiting objects in the application itself

    • Exercise #13: Finding & Exploiting a use after free by living off the land

    • Other vulnerabiilty demos - integer overflows, arbitrary frees, etc.

  • Conclusion

 

Who Does What

  • Max:

    • 1. Introduction to the glibc heap Allocator

    • 3. Fd poison

    • 7. Write WHERE primitives

    • 9. HTTP Server Stack

  • Zach:

    • 2. Vulnerability Classes

    • 4. Unlink

    • 5. Overlapping Chunks

    • 6. House of Force

    • 8. Leaks

 

Hardware and Software Requirements

  • Laptop with enough power for a moderately sized Linux VM

  • Administrative access to the laptop

  • 8GB RAM minimum

  • 30GB harddrive space

  • Virtualbox or another virtualization platform installed

 
 
Previous
Previous
May 16

Evil Mainframe: Mainframe Hacking for Penetration Testers

Next
Next
May 17

Reproducing Zero-Days with Mayhem