Dynamic Allocator Exploitation


CSE 494 - Spring 2023

The glibc heap consists of many components distinct parts that balance performance and security. Beyond tcache exists a memory management system consisting of many interrelated bins and components. This module explores these components and interactions between them. By applying advanced heap exploits that "shape" the internal state of the heap, exploitation primitives can be created. Heap exploits are complex and ephemeral, frequently changing with libc versions. For this reason, success in the module relies on parsing heap exploit proof of concepts to craft an exploit.


Lectures and Reading

  • The challenges in this module are using glibc 2.35.
  • Remember, there is a lot of heap exploitation information online that is outdated.
  • An "advanced heap exploit" refers to techniques shown in how2heap.
    • These exploits take advantage of the normal functionality of specific heap actions.
    • The proof of exploit code is compilable! Build it, run it, change it, gdb it. This is your opportunity to reason about how it works!
  • Break down the challenges and heap exploits into primitives.
    • List the vulnerabilities/primitives in the challenge.
    • Identify the primitive(s) needed to obtain the flag in the challenge. Is an arbitrary read needed? An arbitrary write? Does the challenge have reading/writing functionality and setting a pointer value is sufficient to obtain the flag?
    • Explore the how2heap exploit repository. Distill the heap exploits to requirements and resulting primitives.
    • Filter the exploitation techniques to only those that can work given the challenge specifics.

Challenges

Leverage consolidation to obtain the flag.

Leverage consolidation to obtain the flag.

Leverage consolidation to obtain the flag.

Leverage consolidation to obtain the flag.

Leverage consolidation to obtain the flag.

Leverage consolidation to obtain the flag.

Perform an advanced heap exploit to obtain the flag

Perform an advanced heap exploit to obtain the flag

Perform an advanced heap exploit to obtain the flag

Perform an advanced heap exploit to obtain the flag

Perform an advanced heap exploit to obtain the flag

Perform an advanced heap exploit to obtain the flag

Perform an advanced heap exploit to obtain the flag

Perform an advanced heap exploit to obtain the flag

Perform an advanced heap exploit to obtain the flag

Perform an advanced heap exploit to obtain the flag


30-Day Scoreboard:

This scoreboard reflects solves for challenges in this module after the module launched in this dojo.

Rank Hacker Badges Score