Heap Overflow

Linux Heap Exploitation Intro Series: Set you free() – part 2

06 September 2018 ~11 min By Javier Jimenez
Heap Heap Linux Heap Overflow Apngopt Exploit Exploitaion
Intro Hello there! On this part we are focusing on abusing chunk creation and heap massaging in hope of overwriting the __malloc_hook weak pointer. Before getting into all the juicy stuff let’s remember some key things from last post. The value returned by png_get_uint_32 is of type unsigned integer For a 32 bit integer, the following happens: 0xffffffff + 1 = 0 fread will read values into the destination unless it can’t read from source memory (spoiler: it can) fread will return the number of elements read from the source Points 1 and 2 were made clear but 3 and 4 were left unanswered.

Linux Heap Exploitation Intro Series: Set you free() – part 1

15 March 2018 ~11 min By Javier Jimenez
Exploit Gdb Heap Heap Linux Heap Overflow Apng Apngopt Exploitaion
Intro (part 1) Hello and welcome to the final post of our Intro to exploitation series! We have learned the basics about how the memory management as per the ptmalloc2 allocator works. It was a basic but enough approach to have a good starting point. However, there are a few concepts and attack scenarios that, due to existing a lot of information about these, I have kept long distance from “unsafe unlink“, “malloc (des)malleficarum” and techniques alike. These weren’t either basic enough or outdated and wanted to learn and note down the most basic and known exploit primitives: Use-after-invalidation (incl. Use-after-free), overflows (incl. Off-by-one) and double-free.

Linux Heap Exploitation Intro Series: The magicians cape – 1 Byte Overflow

20 September 2017 ~15 min By Javier Jimenez
Heap Heap Linux Heap Overflow
Intro Hello again! It’s been a while since the last blog post. This is due to not having as much time as we wanted but hopefully you all kept the pace with this heapy things as they are easy to forget due to the heavy amount of little details the heap involves. On this post we are going to demonstrate how a single byte overflow, with a user controlled value, can cause chunks to disappear for the implementation like a magician puts a cape on top of objects (chunks) and makes them disappear.

Painless intro to the Linux userland heap

05 May 2017 ~19 min By Javier Jimenez
Heap Heap Linux Heap Overflow Linux
-1 – Pre-Intro When looking at heap exploit tutorials most of the time I found myself lacking knowledge on the actual implementation and, soon, had the urge of knowing how it’s allocated and freed and why it’s done that way, memory wise. -0.9 – ptmalloc2 The best source of knowledge with regards to the implementation of the heap is itself, the source code. Do not fear it, thankfully it is widely commented!