how2heap: learn heap exploitation

hacker_compMany of the deadliest hacks and malware use stack and heap exploitation techniques to gain privileged access to a computer or destroy everything on the disk. If you are a budding white hat hacker or the developer of an industry-grade software, you must learn how they work and the techniques to counter those issues. how2heap is a collection of C programs which explain the working principles behind heap attacks.

At the time of writing the 5 programs are available:

  1. fastbin_dup.c: tricks malloc into returning an already-allocated heap pointer by abusing the fastbin freelist.
  2. fastbin_dup_into_stack.c: tricks malloc into returning a nearly-arbitrary pointer by abusing the fastbin freelist.
  3. unsafe_unlink.c: exploits free on a corrupted chunk to get arbitrary write.
  4. house_of_spirit.c: frees a fake fastbin chunk to get malloc to return a nearly-arbitrary pointer.
  5. poison_null_byte.c: exploits a single null byte overflow.

malloc_playground.c is an interactive program to allocate and free chunks of memory.

Applicable CTF (Capture The Flag) hacking challenges are also linked to try out the lessons you learnt.

Compilation

The usual steps would have been:

$ git clone https://github.com/shellphish/how2heap
$ cd how2heap/
$ make

The code is a great resource to skim through and learn the possible gotchas of heap memory allocation.

On GitHub: how2heap

Leave a Reply

Your email address will not be published. Required fields are marked *