Dynamic Allocator Misuse


CSE 494 - Spring 2023

The glibc heap consists of many components distinct parts that balance performance and security. In this introduction to the heap, the thread caching layer, tcache will be targeted for exploitation. tcache is a fast thread-specific caching layer that is often the first point of interaction for programs working with dynamic memory allocations.


Lectures and Reading


Challenges

Exploit a use-after-free vulnerability to get the flag.

Exploit a use-after-free vulnerability to get the flag.

Create and exploit a use-after-free vulnerability to get the flag.

Create and exploit a use-after-free vulnerability to get the flag.

Create and exploit a use-after-free vulnerability to get the flag when multiple allocations occur.

Create and exploit a use-after-free vulnerability to get the flag when multiple allocations occur.

Corrupt the TCACHE entry_struct value to get the flag when multiple allocations occur.

Corrupt the TCACHE entry_struct value to get the flag when multiple allocations occur.

Apply the TCACHE metadata in an unintended manner to set a value.

Apply the TCACHE metadata in an unintended manner to set a value.

Corrupt the TCACHE entry_struct to read unintended memory.

Corrupt the TCACHE entry_struct to read unintended memory.

Corrupt the TCACHE entry_struct to read unintended memory.

Corrupt the TCACHE entry_struct to read unintended memory.

Leverage TCACHE exploits to pass a validation check.

Leverage TCACHE exploits to pass a validation check.

Leverage TCACHE exploits to pass a validation check.

Leverage TCACHE exploits to pass a validation check.

Leverage TCACHE exploits to gain control flow.

Leverage TCACHE exploits to gain control flow.

Leverage TCACHE exploits to gain control flow.

Leverage TCACHE exploits to gain control flow.

Leverage TCACHE exploits to cause malloc() to return a stack pointer.

Leverage TCACHE exploits to cause malloc() to return a stack pointer.

Leverage calling free() on a stack pointer to read secret data.

Leverage calling free() on a stack pointer to read secret data.

Leverage TCACHE exploits to obtain the flag.

Leverage TCACHE exploits to obtain the flag.

Leverage TCACHE exploits to obtain the flag.

Leverage TCACHE exploits to obtain the flag.

Revisit a prior challenge, now with TCACHE safe-linking.

Revisit a prior challenge, now with TCACHE safe-linking.

Revisit a prior challenge, now with TCACHE safe-linking.

Revisit a prior challenge, now with TCACHE safe-linking.

Revisit a prior challenge, now with TCACHE safe-linking.

Revisit a prior challenge, now with TCACHE safe-linking.

Leverage overlapping allocations to obtain the flag.

Leverage overlapping allocations to obtain the flag.

16 bytes and a dream.

16 bytes and a dream.


30-Day Scoreboard:

This scoreboard reflects solves for challenges in this module after the module launched in this dojo.

Rank Hacker Badges Score