Heap Exploitation

Heap Exploitation¶

Todo

https://heap-exploitation.dhavalkapil.com/heap_memory.html
https://azeria-labs.com/heap-overflows-and-the-ios-kernel-heap/
https://github.com/str8outtaheap/heapwn
https://github.com/shellphish/how2heap

Windows 7 Heap Implementation
Heap Overflow Exploitation on Windows 10 Explained

Heap Buffer Overflows¶

Are more tricker to gain code execution.
These are usually exploited by rewriting some other data on the heap.
- This can be another string or another object or class.

Heap Spraying¶

Allocate a lot of memory until some allocation is always places at a known address
Works on a low ASLR entropy of heap base

void spray(){
	const size_t size  = 0x4000; //Page Size
	const size_t count = (256 * 1024 * 1024) / size; //256MB

	for (int i=0; i < count; i++){
		int* chunk = malloc(size);
		*chunk = 0x41414141;
	}

	int addr = (int*)0x110000000;
	printf("0x110000000: 0x%x\n", *addr);
	//0x110000000: 0x41414141
}

First Fit¶

The last element to be freed is the first one to be allocated.
- Operates like a stack. Last in First out (LIFO)

Unsorted Example¶

char *a = malloc(300);    // 0xe4b0010
char *b = malloc(250);    // 0xe4b0150

free(a);

a = malloc(250);          // 0xe4b0010

Fastbin Example¶

char *a = malloc(20);     // 0xe4b010
char *b = malloc(20);     // 0xe4b030
char *c = malloc(20);     // 0xe4b050
char *d = malloc(20);     // 0xe4b070

free(a);
// head -> a -> tail
free(b);
// head -> b -> a -> tail
free(c);
// head -> c -> b -> a -> tail
free(d);
// head -> d -> c -> b -> a -> tail

a = malloc(20);           // 0xe4b070
// head -> c -> b -> a -> tail [ 'd' is returned ]
b = malloc(20);           // 0xe4b050
// head -> b -> a -> tail      [ 'c' is returned ]
c = malloc(20);           // 0xe4b030
// head -> a -> tail           [ 'b' is returned ]
d = malloc(20);           // 0xe4b010
// head -> tail                [ 'a' is returned ]

House of Force (Arbitrary write)¶

By corrupting the Top chunk of the heap you trick the heap in to thinking it has more room then it does.
Using this you can malloc a huge piece of data to wraparound the address space.
- Doing this with the proper size will put the chunk right before the address that you want to write to
Then do another malloc and you have a pointer to the address that you want to write to.

Example¶

Double Free¶

Fastbin Duplication Example¶

By using a Double Free you can return the same pointer twice. This allows modification of the data to one object that will effect the other.

Example:

a = malloc(10);     // 0xa04010
b = malloc(10);     // 0xa04030
c = malloc(10);     // 0xa04050

free(a);
// head -> a -> tail
free(b);  // There is a check to make sure that a freed pointer is not freed immediately again. This is mitigated by freeing a different chunk. 
// head -> b -> a -> tail
free(a);  // Double Free !!
// head -> a -> b -> a -> tail

d = malloc(10);     // 0xa04010
// head -> b -> a -> tail [ 'a' is returned ]
e = malloc(10);     // 0xa04030
// head -> a -> tail      [ 'b' is returned ]
f = malloc(10);     // 0xa04010   - Same as 'd' !
// head -> tail           [ 'a' is returned ]

FastBin Duplication Consolidation¶

By freeing a small fastbin block and then mallocing a huge chunk the fastbin chunk is moved to the unsorted bin.
This allows the same chunk to be freed again.

House of Force (Arbitrary write)¶

By corrupting the Top chunk of the heap you trick the heap in to thinking it has more room then it does.
Using this you can malloc a huge piece of data to wraparound the address space.
- Doing this with the proper size will put the chunk right before the address that you want to write to
Then do another malloc and you have a pointer to the address that you want to write to.

Example¶

Frontlink Exploit¶

Single Byte Overflow¶

You can update the Size field of a chunk and use it to gain control of a malloc chunk