House of Heap Exploitation (Workshop)
2021-10-13, 13:00–17:00 (US/Pacific), The Point

Heap exploitation is an incredibly powerful tool for a hacker. As exploit mitigations have made exploitation more difficult, modern exploit development has moved to the heap. However, heap exploitation is a subject that has evaded many people for years for one reason: they focus on the techniques instead of the allocator. By learning with an allocator first style, the techniques are easily understood and practical to use.

This workshop is for learning heap exploit development in GLibC Malloc. GLibC Malloc is the default allocator on most Linux distros. With this hands-on introduction into GLibC Malloc heap exploitation you will learn how the allocator functions, heap specific vulnerability classes and to pwn with a variety of techniques. Whether you're an avid CTFer or just trying to get into heap exploitation on your pwnables site, this course is good for adding another tool to the tools arsenal. After taking this course you will understand the GLibC Malloc allocator, be able to discover heap specific vulnerability classes and pwn the heap with a variety of techniques, with the capability to easily learn more.

  • Module 1 - Introduction to the GLibC Heap Allocator:
    • History of dynamic memory allocators
    • Basic Data structures
    • Chunks
    • Bins (Free Chunks Handling)
    • Challenge #1: Fixing a chunk
    • Malloc & Free Ordering
  • Module 2 - Heap Vulnerability Classes:
    • Ideal heap environment testing setup
    • Buffer overflows
    • Use after frees
    • Challenge #2: Use after free
    • Double frees
  • Module 3 - Fd Poisoning:
    • Understanding the TCache Bin
    • Exploiting fd pointers
    • Challenge #3: Fd Poison
    • Introduction to TCache leaks
    • Fastbin Variation
    • Pointer Mangling
  • Module 4: Unlink:
    • Understanding the original bins (unsorted, small and large)
    • Removing a chunk from a bin
    • Unlink attack for arbitrary write primitive
    • Modern unlink attack
    • Unsafe unlink demo
    • Challenge #5: Unlink Attack
  • Module 5 - Overlapping Chunks:
    • Understanding the size and prev_size chunk metadata
    • Corrupting the size field
    • Overlap chunks by growing the size
    • Challenge #6: Overlap two chunks
    • Variant analysis (shrinking, mmap, unsorted bin, etc.)
  • Conclusion

Maxwell Dulin (Strikeout) is a security consultant at Security Innovation hacking all things under the sun, from robots to web applications. Maxwell has published many articles/papers for a plethora of heap exploitation techniques, assorted web application hacking exploits, machine learning and IoT device vulnerability hunting. He has previously spoken at DEF CON 27 IoT Village and DEF CON workshops. In his free time, he plays with RF toys, hikes to fire lookouts and catches everything at dodgeball.

Kevin Choi is always on the lookout for his next adventure. Whether trekking past remote glaciers, exploring abandoned hospitals, accessing rooftops, spelunking down subnets, or reconnoitering web applications, Kevin finds that new horizons open creative solutions for existing problems. Kevin is currently working on the problem of self-sovereign identity and smart contract vulnerabilities. No matter where Kevin is in the world or the internet, Kevin will always consider two places home-- the University of California, Irvine, and the Security Innovation VPN.