Educational Heap Exploitation

This repo is for learning various heap exploitation techniques. We use Ubuntu's Libc releases as the gold-standard. Each technique is verified to work on corresponding Ubuntu releases. You can run apt source libc6 to download the source code of the Libc your are using on Debian-based operating system. You can also click ▶️ to debug the technique in your browser using gdb.

We came up with the idea during a hack meeting, and have implemented the following techniques:

File	▶️	Technique	Glibc-Version	Patch	Applicable CTF Challenges
first_fit.c		Demonstrating glibc malloc's first-fit behavior.
calc_tcache_idx.c		Demonstrating glibc's tcache index calculation.
fastbin_dup.c	▶️	Tricking malloc into returning an already-allocated heap pointer by abusing the fastbin freelist.	latest
fastbin_dup_into_stack.c	▶️	Tricking malloc into returning a nearly-arbitrary pointer by abusing the fastbin freelist.	latest		9447-search-engine, 0ctf 2017-babyheap
fastbin_dup_consolidate.c	▶️	Tricking malloc into returning an already-allocated heap pointer by putting a pointer on both fastbin freelist and unsorted bin freelist.	latest		Hitcon 2016 SleepyHolder
unsafe_unlink.c	▶️	Exploiting free on a corrupted chunk to get arbitrary write.	latest		HITCON CTF 2014-stkof, Insomni'hack 2017-Wheel of Robots
house_of_spirit.c	▶️	Frees a fake fastbin chunk to get malloc to return a nearly-arbitrary pointer.	latest		hack.lu CTF 2014-OREO
poison_null_byte.c	▶️	Exploiting a single null byte overflow.	latest		PlaidCTF 2015-plaiddb, BalsnCTF 2019-PlainNote
house_of_lore.c	▶️	Tricking malloc into returning a nearly-arbitrary pointer by abusing the smallbin freelist.	latest
overlapping_chunks.c	▶️	Exploit the overwrite of a freed chunk size in the unsorted bin in order to make a new allocation overlap with an existing chunk	< 2.29	patch	hack.lu CTF 2015-bookstore, Nuit du Hack 2016-night-deamonic-heap
overlapping_chunks_2.c	▶️	Exploit the overwrite of an in use chunk size in order to make a new allocation overlap with an existing chunk	< 2.29	patch
mmap_overlapping_chunks.c		Exploit an in use mmap chunk in order to make a new allocation overlap with a current mmap chunk	latest
house_of_force.c	▶️	Exploiting the Top Chunk (Wilderness) header in order to get malloc to return a nearly-arbitrary pointer	< 2.29	patch	Boston Key Party 2016-cookbook, BCTF 2016-bcloud
unsorted_bin_into_stack.c	▶️	Exploiting the overwrite of a freed chunk on unsorted bin freelist to return a nearly-arbitrary pointer.	< 2.29	patch
unsorted_bin_attack.c	▶️	Exploiting the overwrite of a freed chunk on unsorted bin freelist to write a large value into arbitrary address	< 2.29	patch	0ctf 2016-zerostorage
large_bin_attack.c	▶️	Exploiting the overwrite of a freed chunk on large bin freelist to write a large value into arbitrary address	latest		0ctf 2018-heapstorm2
house_of_einherjar.c	▶️	Exploiting a single null byte overflow to trick malloc into returning a controlled pointer	latest		Seccon 2016-tinypad
house_of_orange.c	▶️	Exploiting the Top Chunk (Wilderness) in order to gain arbitrary code execution	< 2.26	patch	Hitcon 2016 houseoforange
house_of_roman.c	▶️	Leakless technique in order to gain remote code execution via fake fastbins, the unsorted_bin attack and relative overwrites.	< 2.29	patch
tcache_poisoning.c	▶️	Tricking malloc into returning a completely arbitrary pointer by abusing the tcache freelist. (requires heap leak on and after 2.32)	> 2.25	patch
tcache_house_of_spirit.c	▶️	Frees a fake chunk to get malloc to return a nearly-arbitrary pointer.	> 2.25
house_of_botcake.c	▶️	Bypass double free restriction on tcache. Make `tcache_dup` great again.	> 2.25
tcache_stashing_unlink_attack.c	▶️	Exploiting the overwrite of a freed chunk on small bin freelist to trick malloc into returning an arbitrary pointer and write a large value into arbitraty address with the help of calloc.	> 2.25		Hitcon 2019 one punch man
fastbin_reverse_into_tcache.c	▶️	Exploiting the overwrite of a freed chunk in the fastbin to write a large value into an arbitrary address.	> 2.25
house_of_mind_fastbin.c	▶️	Exploiting a single byte overwrite with arena handling to write a large value (heap pointer) to an arbitrary address	latest
house_of_storm.c	▶️	Exploiting a use after free on both a large and unsorted bin chunk to return an arbitrary chunk from malloc	< 2.29
house_of_gods.c	▶️	A technique to hijack a thread's arena within 8 allocations	< 2.27
decrypt_safe_linking.c	▶️	Decrypt the poisoned value in linked list to recover the actual pointer	>= 2.32
tcache_dup.c(obsolete)		Tricking malloc into returning an already-allocated heap pointer by abusing the tcache freelist.	2.26 - 2.28	patch

The GnuLibc is under constant development and several of the techniques above have let to consistency checks introduced in the malloc/free logic. Consequently, these checks regularly break some of the techniques and require adjustments to bypass them (if possible). We address this issue by keeping multiple versions of the same technique for each Glibc-release that required an adjustment. The structure is glibc_<version>/technique.c.

Have a good example? Add it here! Try to inline the whole technique in a single .c -- it's a lot easier to learn that way.

Get Started

Quick Setup

make sure you have the following packages/tools installed: patchelf zstd wget (of course also build-essential or similar for compilers, make, ...)
also, /usr/bin/python must be/point to your python binary (e. g. /usr/bin/python3)

git clone https://github.com/shellphish/how2heap
cd how2heap
make clean all
./glibc_run.sh 2.30 ./malloc_playground -u -r

Complete Setup

This creates a Docker-based environment to get started with pwndbg and pwntools.

## on your host
git clone https://github.com/shellphish/how2heap
cd how2heap
git clone https://github.com/pwndbg/pwndbg
docker build -t how2heap-pwndbg pwndbg 
docker run -it --rm --cap-add=SYS_PTRACE --security-opt seccomp=unconfined -v $(pwd):/io:Z --name how2heap how2heap-pwndbg

## inside the docker container
apt update
apt -y install patchelf zstd python-is-python3 wget
python -m pip install pwntools
export PATH="$PATH:$(python -c 'import site; print(site.getsitepackages()[0])')/bin"
cd /io
git config --global --add safe.directory "*"
make clean all
./glibc_run.sh 2.30 ./malloc_playground -u -r

## debugging
# check modified RUNPATH and interpreter
readelf -d -W malloc_playground | grep RUNPATH # or use checksec
readelf -l -W malloc_playground | grep interpreter
gdb -q -ex "start" ./malloc_playground

Heap Exploitation Tools

There are some heap exploitation tools floating around.

shadow

jemalloc exploitation framework: https://github.com/CENSUS/shadow

libheap

Examine the glibc heap in gdb: https://github.com/cloudburst/libheap

heap-viewer

Examine the glibc heap in IDA Pro: https://github.com/danigargu/heap-viewer

heapinspect

A Python based heap playground with good visualization for educational purposes: https://github.com/matrix1001/heapinspect

Forkever

Debugger that lets you set "checkpoints" as well as view and edit the heap using a hexeditor: https://github.com/haxkor/forkever

Malloc Playground

The malloc_playground.c file given is the source for a program that prompts the user for commands to allocate and free memory interactively.

Pwngdb

Examine the glibc heap in gdb: https://github.com/scwuaptx/Pwngdb

heaptrace

Helps you visualize heap operations by replacing addresses with symbols: https://github.com/Arinerron/heaptrace

Heap Search

Search for applicable heap exploitation techniques based on primitive requirements: https://kissprogramming.com/heap/heap-search

Other resources

Some good heap exploitation resources, roughly in order of their publication, are:

glibc in-depth tutorial (https://heap-exploitation.dhavalkapil.com/) - book and exploit samples
ptmalloc fanzine, a set of resources and examples related to meta-data attacks on ptmalloc (http://tukan.farm/2016/07/26/ptmalloc-fanzine/)
A malloc diagram, from libheap (https://raw.githubusercontent.com/cloudburst/libheap/master/heap.png)
Glibc Adventures: The Forgotten Chunk (https://go.contextis.com/rs/140-OCV-459/images/Glibc_Adventures-The_Forgotten_Chunks.pdf) - advanced heap exploitation
Pseudomonarchia jemallocum (http://www.phrack.org/issues/68/10.html)
The House Of Lore: Reloaded (http://phrack.org/issues/67/8.html)
Malloc Des-Maleficarum (http://phrack.org/issues/66/10.html) - some malloc exploitation techniques
Yet another free() exploitation technique (http://phrack.org/issues/66/6.html)
Understanding the heap by breaking it (https://www.blackhat.com/presentations/bh-usa-07/Ferguson/Whitepaper/bh-usa-07-ferguson-WP.pdf) - explains heap implementation and a couple exploits
The use of set_head to defeat the wilderness (http://phrack.org/issues/64/9.html)
The Malloc Maleficarum (http://seclists.org/bugtraq/2005/Oct/118)
OS X heap exploitation techniques (http://phrack.org/issues/63/5.html)
Exploiting The Wilderness (http://seclists.org/vuln-dev/2004/Feb/25)
Advanced Doug lea's malloc exploits (http://phrack.org/issues/61/6.html)
GDB Enhanced Features (GEF) Heap Exploration Tools (https://gef.readthedocs.io/en/master/commands/heap/)
Painless intro to the Linux userland heap (https://sensepost.com/blog/2017/painless-intro-to-the-linux-userland-heap/)
Heap exploitation techniques that work on glibc-2.31 (https://github.com/StarCross-Tech/heap_exploit_2.31)
Overview of GLIBC heap exploitation techniques (https://0x434b.dev/overview-of-glibc-heap-exploitation-techniques/)

Hardening

There are a couple of "hardening" measures embedded in glibc, like export MALLOC_CHECK_=1 (enables some checks), export MALLOC_PERTURB_=1 (data is overwritten), export MALLOC_MMAP_THRESHOLD_=1 (always use mmap()), ...

More info: mcheck(), mallopt().

There's also some tracing support as mtrace(), malloc_stats(), malloc_info(), memusage, and in other functions in this family.

shellphish/how2heap

shellphish

Reviews

Repository Details