Dynamic Allocator Misuse


CSE 598 - Spring 2024.

The glibc heap consists of many distinct parts that balance performance and security. In this introduction to the heap, the thread caching layer, tcache, will be targeted for exploitation. tcache is a fast, thread-specific caching layer that is often the first point of interaction for programs working with dynamic memory allocations.


Exploit a use-after-free vulnerability to get the flag.

Connect with SSH

Link your SSH key, then connect with: ssh hacker@pwn.college

Exploit a use-after-free vulnerability to get the flag.

Create and exploit a use-after-free vulnerability to get the flag.

Create and exploit a use-after-free vulnerability to get the flag.

Create and exploit a use-after-free vulnerability to get the flag when multiple allocations occur.

Create and exploit a use-after-free vulnerability to get the flag when multiple allocations occur.

Corrupt the TCACHE entry_struct value to get the flag when multiple allocations occur.

Corrupt the TCACHE entry_struct value to get the flag when multiple allocations occur.

Apply the TCACHE metadata in an unintended manner to set a value.

Apply the TCACHE metadata in an unintended manner to set a value.

Corrupt the TCACHE entry_struct to read unintended memory.

Corrupt the TCACHE entry_struct to read unintended memory.

Corrupt the TCACHE entry_struct to read unintended memory.

Corrupt the TCACHE entry_struct to read unintended memory.

Leverage TCACHE exploits to pass a validation check.

Leverage TCACHE exploits to pass a validation check.

Leverage TCACHE exploits to pass a validation check.

Leverage TCACHE exploits to pass a validation check.

Leverage TCACHE exploits to gain control flow.

Leverage TCACHE exploits to gain control flow.

Leverage TCACHE exploits to gain control flow.

Leverage TCACHE exploits to gain control flow.

Leverage TCACHE exploits to cause malloc() to return a stack pointer.

Leverage TCACHE exploits to cause malloc() to return a stack pointer.

Leverage calling free() on a stack pointer to read secret data.

Leverage calling free() on a stack pointer to read secret data.

Leverage TCACHE exploits to obtain the flag.

Leverage TCACHE exploits to obtain the flag.

Leverage TCACHE exploits to obtain the flag.

Leverage TCACHE exploits to obtain the flag.

Revisit a prior challenge, now with TCACHE safe-linking.

Revisit a prior challenge, now with TCACHE safe-linking.

Revisit a prior challenge, now with TCACHE safe-linking.

Revisit a prior challenge, now with TCACHE safe-linking.

Revisit a prior challenge, now with TCACHE safe-linking.

Revisit a prior challenge, now with TCACHE safe-linking.

Leverage overlapping allocations to obtain the flag.

Leverage overlapping allocations to obtain the flag.

16 bytes and a dream.

16 bytes and a dream.
