
Welcome to HeapLAB!
Learn about the GNU C library, and how it's tied to Linux heap exploitation.
Learn about "malloc", the memory allocator at the core of the GLIBC heap implementation.
In this video we set up our exploit development environment. It simply involves getting a VM started and installing a couple of tools.
Learn some basic heap mechanics, including how the malloc() function works and what the "top chunk" is. Along the way we get familiar with the GNU debugger and the pwndbg Python library.
We take a look at our first vulnerable practice binary, doing our due diligence to find out which protections it uses.
Learn the House of Force technique, which is part of the "Malloc Maleficarum", and leverage it to make an arbitrary write, overwriting target memory in our vulnerable binary. We'll make use of the pwntools Python library to script our exploit.
In this video we turn our House of Force arbitrary write into code execution.
To prepare for our next heap exploitation technique, we learn about the free() function and how the fastbins operate.
Learn our 2nd heap exploitation technique, the Fastbin Dup, and leverage it to make an arbitrary write.
In this video we turn our Fastbin Dup primitive into a shell. Along the way we'll learn about "one-gadgets" and how to meet their constraints.
Take on your first heap exploitation challenge.
Your objective is to drop a shell from the challenge binary using what you've learned so far, but be aware that this challenge has a couple of tricks up its sleeve.
Learn about the unsortedbin and malloc's unlink() macro/function in preparation for the Unsafe Unlink technique.
Leverage the original heap exploitation technique, the Unsafe Unlink, developed by Alexander Peslyak a.k.a. Solar Designer in the year 2000.
In this video we'll learn how to leverage the Safe Unlink technique to make an arbitrary write, followed by dropping a shell from the vulnerable binary.
A brief introduction to the House of Orange, a beautiful end-to-end heap exploitation technique developed in 2016 by Angelboy.
Learn about file stream exploitation, an alternative means of gaining, amongst other things, arbitrary code execution. This is how we'll drop a shell in the 3rd phase of the House of Orange.
Learn the 2nd phase of the House of Orange, the Unsortedbin Attack, which can write the address of an arena's unsortedbin to an arbitrary location.
Learn phase 1 of the House of Orange, top chunk extension, before putting all 3 phases together to finally drop a shell from our vulnerable binary.
Prepare for your final challenge binary by learning about "remaindering", a process in which chunks are broken down into smaller chunks.
Take on your final challenge: One-Byte, in which you're tasked with dropping a shell from a binary with modern protections. You'll need to forge a libc leak and leverage what you've learned so far about heap exploitation to complete this challenge.
Thank you for taking the HeapLAB part 1 course, now go exploit some heap bugs!
For nearly 20 years, exploiting memory allocators has been something of an art form. Become part of that legacy with HeapLAB.
The GNU C Library (GLIBC) is a fundamental part of most Linux desktop and many embedded distributions; its memory allocator is used in everything from starting threads to dealing with I/O. Learn how to leverage this vast attack surface via different heap exploitation techniques, from the original "Unsafe Unlink" to the beautiful overflow-to-shell "House of Orange".
In this hands-on course, students will alternate between learning new techniques and developing their own exploits based on what they've learned. We'll make use of the pwntools and pwndbg frameworks to drop shells from vulnerable practice binaries, and you'll take on challenges that test what you've learned.