Linux Heap Exploitation - Part 3
What you'll learn
- Finding bugs in the GLIBC source code
- The House of Corrosion technique
- Exploiting mmapped chunks
- Bypassing the Safe Linking mitigation
- Exploiting GLIBC bugs
Requirements
- Familiarity with the Linux command line environment
- Basic debugging skills
- A 64-bit Ubuntu Linux VM or Host
- Some knowledge from Parts 1 & 2 is assumed
Description
This is a continuation of the HeapLAB Part 2 course, a.k.a Linux Heap Exploitation - Part 2.
If you haven't taken the above course, I highly recommend you do so before embarking on this one.
HeapLAB Part 3 is the same hands-on, practical heap exploitation, just with more new techniques for you to learn!
This part of the course is considered "Expert", whereas the previous parts were labelled "Intermediate", that's because I'm expecting more autonomy from you this time, for example you'll be browsing the GLIBC source code in search of bugs. Don't worry though, we're going to learn a few different ways of browsing that code first.
We're covering just one more "House" of heap exploitation, know as the House of Corrosion. It's complicated but I know you're ready! We'll also be exploiting mmapped chunks, learning how multithreaded malloc works, bypassing the "Safe Linking" exploit mitigation and exploiting any GLIBC bugs we find along the way. There are also a couple more challenge binaries for you to test your new skills against, an updated PDF with all the latest techniques and mitigations, and an improved malloc testbed with multithreading and mallopt options!
Make sure you watch the Environment Setup video, even if you already have an exploit development environment set up from Part 2, you'll need to install one more tool so that you can follow along.
Hack the planet!
Who this course is for:
- Exploit developers
- Capture The Flag (CTF) players
- Those wishing to improve upon the skills they learned in Parts 1 & 2
- Anyone interested in weird machines
Instructor
Max Kamper is an independent researcher and exploit developer. A former Royal Marines Commando, Max was a member of the Information Exploitation Group's electronic warfare squadron.
Having traded radio signals for process signals, he now teaches exploit development at hacker conferences such as 44CON and Ringzer0. Max is also the author of the ROP Emporium website, a resource for learning practical return-oriented programming on different architectures.