Skip to content

The resources for GLibC Malloc heap exploitation course by Maxwell Dulin and Security Innovation.

Notifications You must be signed in to change notification settings

SecurityInnovation/glibc_heap_exploitation_training

Repository files navigation

Overview

  • Heap exploitation training for glibc.
  • Taught at DEFCON, CanSecWest and many other conferences.
  • Contains free videos, slides and exercises.
    • Videos are made for modules 1-6. The next five are in progress!
  • Installation steps for docker and virtual machine are below.

Modules

There is a lot of content here. So, there are two ways to go through it:

  • Go through each of the modules as specified in the order below.
  • Do the first 5 then skip to 10 & 11.
    • Personally, I think this is the best bang-for-your-time if you're time limited. But all of the content is fun and well-polished.

Whatever you do, do NOT skip the first two modules. These are the most important concepts in the entire course.

Introduction To Heap

  1. Course introduction
  2. Introduction to Malloc
  3. Heap Vulnerability Classes:
    • Double free
    • Use after free
    • Arbitrary Frees

Techniques

  1. Fd Poison:
    • Tcache
    • 2.32+ (pointer mangling)
  2. Unlink
  3. Overlapping chunks
  4. House of Force
  5. Unsorted Bin Attack && TCache Stashing Demo
  6. House of Spirit
  7. Mmap Chunks + House of Muney -- not tested yet

Final Countdown

  1. Leaks
  2. HTTP Server (final challenge)

Unused

  • House of IO and New:
    • Pointer mangling and House IO. Fun challenges in there but not super relevant anymore.
  • House of Orange:
    • Out of date + the POC doesn't work as you'd expect.

Assets Per Module

All of these are helpful per challenge but not all are implemented yet

  • Challenge file:
    • Challenge to test the knowledge of the technique
    • Source & compiled binary with the LD_PRELOAD section handled
  • Solution - python pwntools solution:
    • Checkpoints for going from stage to stage, if stuck.
      • Currently, this is ONLY implemented for the House of Spirit
  • Slides for the technique:
    • Background of heap mechanics needed
    • Technique description
    • Challenge
    • Challenge Walkthrough
    • Versions and situations
    • Other things to discuss
  • compile script (make)
    • Patches the loader of the challenge files

Folder Structure of Repository

  • modules/
    • Holds challenges for unique techniques (structure described in 'Assets Per Technique')
  • demos/
    • Showcasing of techniques and other fun things
  • libc_versions:
    • Versions of LibC and loader
  • old_challenges:
    • Old/failed challenges. Don't do these.
  • resources:
    • Miscellaneous scripts and things

Get Started

There are two ways to do the training:

  • Use the Virtual Machine
  • Use Docker on an x86_64 machine (advanced)

Virtual Machine Installation

  • Download VM
    • Exercises setup in guarenteed to work test environment.
    • Custom libc compilations with symbols
    • Custom tools in the VM
  • Follow the steps at here

Docker Setup

  • Must be on an x86_64 Linux machine!
  • Go to the resources/remote_setup directory.
  • Run ./start_container.sh.
    • Mounts the entire training as part of the file system in the container. Allows for you to save progress.
    • Must use tmux to run challenges.

Qemu

tar xvf Heap\ Course\ DEFCON\ 30.ova
qemu-img convert -f vmdk -O qcow2 Heap\ Course\ DEFCON\ 30-disk002.vmdk HeapCourse.qcow2

qemu-system-x86_64 \
    -smp 2 \
    -hda HeapCourse.qcow2 \
    -m 6G \
    -usb \
    -device usb-tablet

Questions/Help

  • If something doesn't work or you get stuck, feel free to open an issue on this repo. Max Dulin's personal email works as well.
  • Patience is a virtue for a reason :) I'm sure there are mistakes but I'll do my best to fix them as I am made aware.

About

The resources for GLibC Malloc heap exploitation course by Maxwell Dulin and Security Innovation.

Resources

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published

Contributors 3

  •  
  •  
  •