The second rendition of the Glibc's Heap Basics and How to Exploit It lecture.
We covered the following topics:
- Chunks and chunk implementation
- Coalescing
- Main arena and Bins
- Tcache
- Common attacks
- Exploit development walkthrough
Demo
We solved gradebook from the K3RN3L CTF 2021 via a Tcache Poison attack (unintended solution). The writeup walks through obtaining a libc leak and shaping the heap layout so that the Tcache Poison technique yields code execution.
Download the binary and libc here: gradebook, libc.so.6
Solution Summary
- Allocate a large chunk (0x1000 bytes)
- Allocate a padding chunk so the previous large chunk isn’t merged with the wilderness
- Free all chunks
- Allocate a large chunk (will re-use the last large chunk) and overwrite the first 8 bytes only
- Leak a backward pointer through the binary's list functionality
- Create students and names of different sizes to get a Tcache entry immediately after our large chunk
- Use the overflow bug in the binary to poison the tcache
- Allocate a chunk at __free_hook and assign it to system
- Free a chunk containing the string /bin/sh\x00
- Win
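The poisoning step above writes a raw target address into a freed chunk's next pointer, which works because the glibc versions this technique targets (before 2.32) store that pointer unmangled and __free_hook still exists (it was removed in glibc 2.34). Two of the "Malloc security checks" referenced below bear directly on this walkthrough: the key field glibc 2.29 added to tcache entries to detect double frees, and safe-linking from glibc 2.32, which XORs the next pointer with its own storage address shifted right by 12 and rejects misaligned entries. The following C program is an added example, not code from the lecture, the challenge or glibc; it models a single tcache bin with those two checks so the effect of the mitigation can be run and observed. The bin key and the 0x7f0000001e48 target address are constructed values with no relation to the challenge binary.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define MALLOC_ALIGN 16u   /* glibc chunk alignment on x86-64 */

/* Model of glibc's tcache_entry: 'next' links the bin, 'key' marks a chunk
 * that is currently sitting in the tcache (glibc >= 2.29). */
typedef struct tcache_entry {
    struct tcache_entry *next;
    uintptr_t key;
} tcache_entry;

/* One bin plus the per-process key; 'safe_linking' switches the glibc 2.32
 * pointer mangling and alignment check on or off for comparison. */
typedef struct {
    tcache_entry *head;
    uintptr_t key;
    int safe_linking;
} tcache_bin;

/* Safe-linking as in glibc's PROTECT_PTR/REVEAL_PTR: XOR the pointer with
 * the address it is stored at, shifted by the page-size bits. XOR is its own
 * inverse, so one function serves both directions. */
static uintptr_t mangle(const tcache_bin *bin, uintptr_t pos, uintptr_t ptr) {
    return bin->safe_linking ? ((pos >> 12) ^ ptr) : ptr;
}

/* free() path: refuse a chunk whose key says it is already in the bin
 * (glibc: "free(): double free detected in tcache 2"), else push it. */
static int tcache_put(tcache_bin *bin, tcache_entry *e) {
    if (e->key == bin->key) return -1;
    e->key = bin->key;
    e->next = (tcache_entry *)mangle(bin, (uintptr_t)&e->next, (uintptr_t)bin->head);
    bin->head = e;
    return 0;
}

/* malloc() path: pop the head and decode its next pointer. glibc applies its
 * aligned_OK check when that next entry is later handed out; here the check
 * runs as soon as the pointer is decoded so no bogus address is dereferenced.
 * Returns NULL where glibc would abort ("malloc(): unaligned tcache chunk"). */
static tcache_entry *tcache_get(tcache_bin *bin) {
    tcache_entry *e = bin->head;
    if (e == NULL) return NULL;
    uintptr_t next = mangle(bin, (uintptr_t)&e->next, (uintptr_t)e->next);
    if (bin->safe_linking && next % MALLOC_ALIGN != 0) return NULL;
    e->key = 0;
    bin->head = (tcache_entry *)next;
    return e;
}

/* Two constructed chunks, 16-byte aligned like real malloc chunks. */
static tcache_entry chunk_a __attribute__((aligned(16)));
static tcache_entry chunk_b __attribute__((aligned(16)));

static void reset(tcache_bin *bin, int safe_linking) {
    bin->head = NULL;
    bin->key = 0x5ca1ab1e;   /* constructed stand-in for glibc's random tcache_key */
    bin->safe_linking = safe_linking;
    chunk_a.next = chunk_b.next = NULL;
    chunk_a.key = chunk_b.key = 0;
}

/* free(a); free(b); malloc(); malloc(): LIFO order, then an empty bin. */
int demo_roundtrip(void) {
    tcache_bin bin;
    reset(&bin, 1);
    tcache_put(&bin, &chunk_a);
    tcache_put(&bin, &chunk_b);
    return tcache_get(&bin) == &chunk_b && tcache_get(&bin) == &chunk_a
        && tcache_get(&bin) == NULL;
}

/* free(a); free(a): the key check rejects the second free. */
int demo_double_free_detected(void) {
    tcache_bin bin;
    reset(&bin, 1);
    tcache_put(&bin, &chunk_a);
    return tcache_put(&bin, &chunk_a) == -1;
}

/* The walkthrough's poison: an out-of-bounds write replaces a freed chunk's
 * next pointer with a raw address. Returns 1 if the bin would hand out
 * 'target' on the following allocation, 0 if the mitigation stops it. */
int poison_yields_target(int safe_linking, uintptr_t target) {
    tcache_bin bin;
    reset(&bin, safe_linking);
    tcache_put(&bin, &chunk_a);
    chunk_a.next = (tcache_entry *)target;   /* simulated overflow into next */
    tcache_get(&bin);                         /* pops chunk_a, decodes next */
    return (uintptr_t)bin.head == target;
}

int main(void) {
    uintptr_t target = 0x7f0000001e48ULL;     /* constructed, not a real address */
    printf("roundtrip ok: %d\n", demo_roundtrip());
    printf("double free detected: %d\n", demo_double_free_detected());
    printf("poison works without safe-linking: %d\n", poison_yields_target(0, target));
    printf("poison works with safe-linking: %d\n", poison_yields_target(1, target));
    return 0;
}
```

With safe-linking on, the decoded pointer is target XOR (address-of-next >> 12): either it is misaligned and the allocator aborts, or it is an unrelated address, so the forged target is never returned. This is why the technique as written above stops working on glibc 2.32 and later without an additional heap address leak.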
Exploit script: exploit.py
References
- Malloc security checks
- Malloc internals
- How2heap
- Glibc source code
- Temple of PWN
- LiveOverflow
- GEF gdb extension
Lecture Slides: Heap_Basics.pdf