Dynamic Allocator Misuse


Program Security.

The glibc heap consists of many components distinct parts that balance performance and security. In this introduction to the heap, the thread caching layer, tcache will be targeted for exploitation. tcache is a fast thread-specific caching layer that is often the first point of interaction for programs working with dynamic memory allocations.



Dynamic Allocator Misuse Resources


Use After Free

Exploit a use-after-free vulnerability to get the flag.

Exploit a use-after-free vulnerability to get the flag.

Create and exploit a use-after-free vulnerability to get the flag.

Create and exploit a use-after-free vulnerability to get the flag.

Create and exploit a use-after-free vulnerability to get the flag when multiple allocations occur.

Create and exploit a use-after-free vulnerability to get the flag when multiple allocations occur.


Metadata Mischief Resources


Metadata Mischief

Corrupt the TCACHE entry_struct value to get the flag when multiple allocations occur.

Corrupt the TCACHE entry_struct value to get the flag when multiple allocations occur.

Apply the TCACHE metadata in an unintended manner to set a value.

Apply the TCACHE metadata in an unintended manner to set a value.

Corrupt the TCACHE entry_struct to read unintended memory.

Corrupt the TCACHE entry_struct to read unintended memory.

Corrupt the TCACHE entry_struct to read unintended memory.

Corrupt the TCACHE entry_struct to read unintended memory.

Leverage TCACHE exploits to pass a validation check.

Leverage TCACHE exploits to pass a validation check.

Leverage TCACHE exploits to pass a validation check.

Leverage TCACHE exploits to pass a validation check.


Heap Hijinx

Leverage TCACHE exploits to gain control flow.

Leverage TCACHE exploits to gain control flow.

Leverage TCACHE exploits to gain control flow.

Leverage TCACHE exploits to gain control flow.

Leverage TCACHE exploits to cause malloc() to return a stack pointer.

Leverage TCACHE exploits to cause malloc() to return a stack pointer.

Leverage calling free() on a stack pointer to read secret data.

Leverage calling free() on a stack pointer to read secret data.

Leverage TCACHE exploits to obtain the flag.

Leverage TCACHE exploits to obtain the flag.

Leverage TCACHE exploits to obtain the flag.

Leverage TCACHE exploits to obtain the flag.


Subverting Safe-Linking Resources


Subverting Safe-Linking Challenges

Revisit a prior challenge, now with TCACHE safe-linking.

Revisit a prior challenge, now with TCACHE safe-linking.

Revisit a prior challenge, now with TCACHE safe-linking.

Revisit a prior challenge, now with TCACHE safe-linking.

Revisit a prior challenge, now with TCACHE safe-linking.

Revisit a prior challenge, now with TCACHE safe-linking.


Exploitation

Leverage overlapping allocations to obtain the flag.

Leverage overlapping allocations to obtain the flag.

16 bytes and a dream.

16 bytes and a dream.


30-Day Scoreboard:

This scoreboard reflects solves for challenges in this module after the module launched in this dojo.

Rank Hacker Badges Score