Heap Exploitation - Documentation

Link to this headingHeap Exploitation

TODO:
https://heap-exploitation.dhavalkapil.com/heap_memory.html
https://azeria-labs.com/heap-overflows-and-the-ios-kernel-heap/
https://github.com/str8outtaheap/heapwn
https://github.com/shellphish/how2heap

Windows 7 Heap Implementation
Heap Overflow Exploitation on Windows 10 Explained

Link to this headingHeap Buffer Overflows

Are more tricker to gain code execution.
These are usually exploited by rewriting some other data on the heap.
- This can be another string or another object or class.

Link to this headingHeap Spraying

Allocate a lot of memory until some allocation is always places at a known address
Works on a low ASLR entropy of heap base

void spray(){ const size_t size = 0x4000; //Page Size const size_t count = (256 * 1024 * 1024) / size; //256MB for (int i=0; i < count; i++){ int* chunk = malloc(size); *chunk = 0x41414141; } int addr = (int*)0x110000000; printf("0x110000000: 0x%x\n", *addr); //0x110000000: 0x41414141 }

Link to this headingFirst Fit

The last element to be freed is the first one to be allocated.
- Operates like a stack. Last in First out (LIFO)

Link to this headingUnsorted Example

char *a = malloc(300); // 0xe4b0010 char *b = malloc(250); // 0xe4b0150 free(a); a = malloc(250); // 0xe4b0010

Link to this headingFastbin Example

char *a = malloc(20); // 0xe4b010 char *b = malloc(20); // 0xe4b030 char *c = malloc(20); // 0xe4b050 char *d = malloc(20); // 0xe4b070 free(a); // head -> a -> tail free(b); // head -> b -> a -> tail free(c); // head -> c -> b -> a -> tail free(d); // head -> d -> c -> b -> a -> tail a = malloc(20); // 0xe4b070 // head -> c -> b -> a -> tail [ 'd' is returned ] b = malloc(20); // 0xe4b050 // head -> b -> a -> tail [ 'c' is returned ] c = malloc(20); // 0xe4b030 // head -> a -> tail [ 'b' is returned ] d = malloc(20); // 0xe4b010 // head -> tail [ 'a' is returned ]

Link to this headingHouse of Force (Arbitrary write)

By corrupting the Top chunk of the heap you trick the heap in to thinking it has more room then it does.
Using this you can malloc a huge piece of data to wraparound the address space.
- Doing this with the proper size will put the chunk right before the address that you want to write to
Then do another malloc and you have a pointer to the address that you want to write to.

Link to this headingExample

Link to this headingDouble Free

Link to this headingFastbin Duplication Example

By using a [Double Free](/Exploitation/Heap/Double Free.md) you can return the same pointer twice. This allows modification of the data to one object that will effect the other.

Example:

a = malloc(10); // 0xa04010 b = malloc(10); // 0xa04030 c = malloc(10); // 0xa04050 free(a); // head -> a -> tail free(b); // There is a check to make sure that a freed pointer is not freed immediately again. This is mitigated by freeing a different chunk. // head -> b -> a -> tail free(a); // Double Free !! // head -> a -> b -> a -> tail d = malloc(10); // 0xa04010 // head -> b -> a -> tail [ 'a' is returned ] e = malloc(10); // 0xa04030 // head -> a -> tail [ 'b' is returned ] f = malloc(10); // 0xa04010 - Same as 'd' ! // head -> tail [ 'a' is returned ]

Link to this headingFastBin Duplication Consolidation

By freeing a small fastbin block and then mallocing a huge chunk the fastbin chunk is moved to the unsorted bin.
This allows the same chunk to be freed again.

Link to this headingHouse of Force (Arbitrary write)

By corrupting the Top chunk of the heap you trick the heap in to thinking it has more room then it does.
Using this you can malloc a huge piece of data to wraparound the address space.
- Doing this with the proper size will put the chunk right before the address that you want to write to
Then do another malloc and you have a pointer to the address that you want to write to.

Link to this headingExample

Link to this headingFrontlink Exploit

Link to this headingSingle Byte Overflow

You can update the Size field of a chunk and use it to gain control of a malloc chunk