Dynamic Allocator Misuse


Program Security.

The glibc heap consists of many distinct components that balance performance and security. In this introduction to the heap, the thread caching layer, tcache, will be targeted for exploitation. tcache is a fast, thread-specific caching layer that is often the first point of interaction for programs working with dynamic memory allocations.



Challenges

Exploit a use-after-free vulnerability to get the flag.

Connect with SSH

Link your SSH key, then connect with: ssh [email protected]

Exploit a use-after-free vulnerability to get the flag.


Create and exploit a use-after-free vulnerability to get the flag.


Create and exploit a use-after-free vulnerability to get the flag.


Create and exploit a use-after-free vulnerability to get the flag when multiple allocations occur.


Create and exploit a use-after-free vulnerability to get the flag when multiple allocations occur.


Corrupt the TCACHE entry_struct value to get the flag when multiple allocations occur.


Corrupt the TCACHE entry_struct value to get the flag when multiple allocations occur.


Apply the TCACHE metadata in an unintended manner to set a value.


Apply the TCACHE metadata in an unintended manner to set a value.


Corrupt the TCACHE entry_struct to read unintended memory.


Corrupt the TCACHE entry_struct to read unintended memory.


Corrupt the TCACHE entry_struct to read unintended memory.


Corrupt the TCACHE entry_struct to read unintended memory.


Leverage TCACHE exploits to pass a validation check.


Leverage TCACHE exploits to pass a validation check.


Leverage TCACHE exploits to pass a validation check.


Leverage TCACHE exploits to pass a validation check.


Leverage TCACHE exploits to gain control flow.


Leverage TCACHE exploits to gain control flow.


Leverage TCACHE exploits to gain control flow.


Leverage TCACHE exploits to gain control flow.


Leverage TCACHE exploits to cause malloc() to return a stack pointer.


Leverage TCACHE exploits to cause malloc() to return a stack pointer.


Leverage calling free() on a stack pointer to read secret data.


Leverage calling free() on a stack pointer to read secret data.


Leverage TCACHE exploits to obtain the flag.


Leverage TCACHE exploits to obtain the flag.


Leverage TCACHE exploits to obtain the flag.


Leverage TCACHE exploits to obtain the flag.


Revisit a prior challenge, now with TCACHE safe-linking.


Revisit a prior challenge, now with TCACHE safe-linking.


Revisit a prior challenge, now with TCACHE safe-linking.


Revisit a prior challenge, now with TCACHE safe-linking.


Revisit a prior challenge, now with TCACHE safe-linking.


Revisit a prior challenge, now with TCACHE safe-linking.


Leverage overlapping allocations to obtain the flag.


Leverage overlapping allocations to obtain the flag.


16 bytes and a dream.


16 bytes and a dream.

