Heap Exploitation
The glibc library provides functions such as free and malloc to help developers manage the heap memory according to their use cases. It is the responsibility of the developer to:
freeany memory he/she has obtained usingmalloc.Do not
freethe same memory more than once.Ensure that memory usage does not go beyond the amount of memory requested, in other terms, prevent heap overflows.
Failing to do makes the software vulnerable to various kinds of attacks. Shellphish, a famous Capture the Flag team from UC Santa Barbara, has done a great job in listing a variety of heap exploitation techniques in how2heap. Attacks described in "The Malloc Maleficarum" by "Phantasmal Phantasmagoria" in an email to the "Bugtraq" mailing list are also described.
A summary of the attacks has been described below:
Attack
Target
Technique
First Fit
This is not an attack, it just demonstrates the nature of glibc's allocator
---
Double Free
Making malloc return an already allocated fastchunk
Disrupt the fastbin by freeing a chunk twice
Forging chunks
Making malloc return a nearly arbitrary pointer
Disrupting fastbin link structure
Unlink Exploit
Getting (nearly)arbitrary write access
Freeing a corrupted chunk and exploiting unlink
Shrinking Free Chunks
Making malloc return a chunk overlapping with an already allocated chunk
Corrupting a free chunk by decreasing its size
House of Spirit
Making malloc return a nearly arbitrary pointer
Forcing freeing of a crafted fake chunk
House of Lore
Making malloc return a nearly arbitrary pointer
Disrupting smallbin link structure
House of Force
Making malloc return a nearly arbitrary pointer
Overflowing into top chunk's header
House of Einherjar
Making malloc return a nearly arbitrary pointer
Overflowing a single byte into the next chunk
Last updated