shellphish / how2heap

A repository for learning various heap exploitation techniques.
MIT License

look into HITCON 2016 examples #20

Closed zardus closed 7 years ago

zardus commented 8 years ago

We didn't have a chance at the CTF, but we should figure out what babyheap needs, and if we should add a technique to how2heap for it.

andigena commented 8 years ago

The initial trick for babyheap (which I only found out from the published exploit) was the fact that scanf ("hidden" out of sight in the exit menu option) allocates a file buffer on the heap with malloc(0x1000), the contents of which we can control. Also, its size is rounded to 0x1010 by malloc and this displaces the other allocations just right. I'm not familiar with libio in libc and didn't really look into this to find out which other functions do this.

While a neat trick, I'm not sure if it's worth including in its own example. House of Orange had a similarly obscure trick from what my teammates told me (no free calls in the binary but sysmalloc may call free upon top expansion) as did Sleepy Holder (forcing a chunk in a fastbin into the corresponding smallbin via malloc_consolidate to allow for a double free of said chunk without failing the fastbin double free check and for its effect of unsetting PREV_INUSE of the next chunk).

Maybe create a (possibly separate) list of such tricks with a short description and the concrete CTF challenges where they came up?
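The two allocator facts the comment above leans on, the rounding of a 0x1000 request to a 0x1010 chunk and the fastbin/smallbin boundary behind the Sleepy Holder note, as an added example that is not part of this issue or of the how2heap repository. `request2size()` and `bin_for_chunk()` are my own restatements of the corresponding macros in glibc's malloc/malloc.c for 64-bit, pre-tcache glibc (the constants are assumed from that source); `main()` additionally shows, on a glibc system, the allocation that the first stdio operation on a FILE makes behind the caller's back, using `tmpfile()` plus `fscanf()` in place of babyheap's `scanf()` on stdin.

```c
#include <stdio.h>
#include <stdlib.h>
#include <stddef.h>
#if defined(__GLIBC__)
#include <malloc.h>   /* malloc_usable_size(), glibc only */
#endif

/* Constants for 64-bit glibc malloc (assumed values, restated from the
 * definitions in glibc's malloc/malloc.c; not taken from the how2heap page). */
#define SIZE_SZ            (sizeof(size_t))               /* 8 on x86-64 */
#define MALLOC_ALIGNMENT   (2 * SIZE_SZ)                  /* 16 */
#define MALLOC_ALIGN_MASK  (MALLOC_ALIGNMENT - 1)         /* 0xf */
#define MIN_CHUNK_SIZE     (4 * SIZE_SZ)                  /* 32 */
#define MINSIZE            ((MIN_CHUNK_SIZE + MALLOC_ALIGN_MASK) & ~MALLOC_ALIGN_MASK)
#define DEFAULT_MXFAST     (64 * SIZE_SZ / 4)             /* 0x80: largest fastbin chunk */
#define MIN_LARGE_SIZE     (64 * MALLOC_ALIGNMENT)        /* 0x400: first largebin chunk */

enum bin_kind { BIN_FAST = 0, BIN_SMALL = 1, BIN_LARGE = 2 };

/* Mirror of glibc's request2size(): the user request plus the 8-byte size
 * field, rounded up to 16-byte alignment, never below MINSIZE. Only one
 * SIZE_SZ is added because the user region may overlap the next chunk's
 * prev_size field, which is why 0x1000 becomes 0x1010 and not 0x1020. */
size_t request2size(size_t req)
{
    if (req + SIZE_SZ + MALLOC_ALIGN_MASK < MINSIZE)
        return MINSIZE;
    return (req + SIZE_SZ + MALLOC_ALIGN_MASK) & ~MALLOC_ALIGN_MASK;
}

/* Which bin a freed chunk of this size lands in, for the pre-tcache glibc
 * (2.23/2.24) that 2016 CTF binaries shipped with. The fast/small boundary is
 * the one the Sleepy Holder remark relies on: malloc_consolidate() drains the
 * fastbins into the unsorted bin (coalescing neighbours), after which those
 * chunks are no longer covered by the fastbin double-free check.
 * glibc >= 2.26 puts tcache in front of all of these for chunks <= 0x410. */
enum bin_kind bin_for_chunk(size_t chunk_size)
{
    if (chunk_size <= DEFAULT_MXFAST) return BIN_FAST;
    if (chunk_size < MIN_LARGE_SIZE)  return BIN_SMALL;
    return BIN_LARGE;
}

int main(void)
{
    size_t chunk = request2size(0x1000);
    printf("request 0x1000 -> chunk 0x%zx (bin kind %d)\n",
           chunk, (int)bin_for_chunk(chunk));
#if defined(__GLIBC__)
    /* glibc reports chunk size minus one SIZE_SZ as usable: 0x1008 here. */
    char *p = malloc(0x1000);
    printf("malloc_usable_size(malloc(0x1000)) = 0x%zx\n", malloc_usable_size(p));
    free(p);
#endif
    /* Hidden allocation: the first stdio operation on a FILE mallocs its
     * buffer (st_blksize bytes, 0x1000 for a regular file or pipe), just as
     * the scanf() in babyheap's exit path does for stdin. Two small chunks
     * requested around it end up far apart even though the caller never
     * asked for anything large in between. */
    char *before = malloc(0x18);
    FILE *f = tmpfile();   /* also mallocs the FILE object itself */
    int v = -1;
    if (f) {
        fprintf(f, "42\n");
        rewind(f);
        if (fscanf(f, "%d", &v) != 1) v = -1;
    }
    char *after = malloc(0x18);
    printf("0x20 chunks around tmpfile()+fscanf() are 0x%tx bytes apart (read %d)\n",
           (ptrdiff_t)(after - before), v);
    if (f) fclose(f);
    free(after);
    free(before);
    return 0;
}
```

Build with `gcc -o chunksize chunksize.c` and run it; the distance printed on the last line depends on the glibc version (size of `struct _IO_FILE`) and on `st_blksize` of the temp directory, but on a typical x86-64 glibc it exceeds 0x1010, which is the displacement the comment describes.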

zardus commented 8 years ago

Thanks for looking into that!

I agree that babyheap shouldn't be an entry. I think the House of Orange trick might be worth an example to showcase the situation where free is called during expansion. That seems like a decently cool trick. Maybe someone will get some time eventually :-)

zardus commented 7 years ago

This has now been contributed in PR https://github.com/shellphish/how2heap/pull/57!