
Welcome back!
In this video we set up our exploit development environment; it simply involves getting a VM started and installing a few tools. Please watch this video even if you already have a working environment from Part 2, as you'll need to grab one extra tool.
Learn a few different ways of browsing the GLIBC source code, including online-only resources and how to clone the official repo. We're doing this in preparation for the first challenge binary, which will require us to find a bug in the GLIBC source code.
Use your new GLIBC source browsing skills to locate a bug within one of malloc's exploit mitigations, then leverage it to exploit a challenge binary.
Learn the first 2 of the 3 House of Corrosion primitives, which allow us to corrupt & tamper with GLIBC data, along with some history of the House of Prime technique.
Learn the 3rd House of Corrosion primitive, which lets us transplant & tamper with GLIBC data.
In this lecture we'll put all 3 House of Corrosion primitives together to drop a shell from our vulnerable binary.
Can we drop a shell from a challenge binary that doesn't have any bugs? Let's find out!
No doubt you've heard about the safe linking mitigation introduced in GLIBC 2.32. In this lecture we'll learn how it works, one way of bypassing it, and finally get familiar with multithreaded malloc.
Learn about GLIBC's mmapped chunks, how to exploit them, and a little bit about how dynamically linked executables resolve external symbols.
We look at a few GLIBC malloc changes, both recent and upcoming, that I couldn't find a place for in the course, and say our farewells.
This is a continuation of the HeapLAB Part 2 course, a.k.a. Linux Heap Exploitation - Part 2.
If you haven't taken the above course, I highly recommend you do so before embarking on this one.
HeapLAB Part 3 is the same hands-on, practical heap exploitation, just with more new techniques for you to learn!
This part of the course is considered "Expert", whereas the previous parts were labelled "Intermediate". That's because I'm expecting more autonomy from you this time; for example, you'll be browsing the GLIBC source code in search of bugs. Don't worry though, we're going to learn a few different ways of browsing that code first.
We're covering just one more "House" of heap exploitation, known as the House of Corrosion. It's complicated, but I know you're ready! We'll also be exploiting mmapped chunks, learning how multithreaded malloc works, bypassing the "Safe Linking" exploit mitigation and exploiting any GLIBC bugs we find along the way. There are also a couple more challenge binaries for you to test your new skills against, an updated PDF with all the latest techniques and mitigations, and an improved malloc testbed with multithreading and mallopt options!
Make sure you watch the Environment Setup video, even if you already have an exploit development environment set up from Part 2; you'll need to install one more tool so that you can follow along.
Hack the planet!