The Heap

Alright what are our goals?

Healthy Heap Goals:

• Let's understand dynamic memory (you know memory for when the compiler can't predict your needs)
• malloc and free
• How to recycle memory
• How to avoid defragmentation
• Singly Linked Lists (called fast bins and tcache bins in this class)
• Doubly Linked Lists (called unsorted bins, small bins, and large bins)
• What's the main_arena?

Hacker Goals:

These are the same as they always been in a way, these 3 a part of all hacks.

• CONQUER ADDRESS RANDOMIZATION Generate a memory leak (from the heap segment and from glibc)
• WRITE WHAT WHERE Trick the recyclers into giving you an address you provided (a write-what-where)
• CONTROL RIP Taking control of the intruction pointer (old targets: GOT, the stack; new targets: free_hook, malloc_hook, FSOP)

Our BIG Goal: Mom's Spaghetti

So I'm going to teach you ONE MAJOR heap hack in pieces.

We will get to know this one which I'll call mom's spaghetti, you know, comfort food.

THEN once we know mom's spaghetti well we're going to face obstacles that prevent it.

We'll learn OTHER HACKS as bastardizations of Mom's Spaghetti.

I want to just do the hack I want... oh I can't? How about if I change one part? OK now I can hack again.

That's my guide to handling all of the uncertainty.

Here's a rough cut of mom's spaghetti, which won't make sense yet, but my job is now to get you learn mom's spaghetti, so I'll revisit this daily:

• CONQUER ADDRESS RANDOMIZATION by a USE-AFTER-FREE vulnerability to leak a glibc address
• WRITE-WHAT-WHERE using TCACHE-POISONING for arbitrary writing to glibc
• CONTROL INSTRUCTION POINTER by overwriting the FREE_HOOK in glibc with system where "/bin/sh" is written in the free'd chunk

Our goal is to understand those three tricks inside and out. Once we're good at that we'll go into the variations.

Watching the Heap Grow and Shrink

AKA: pwndbg

https://github.com/pwndbg/pwndbg should be available in your pwndockers but in the other environments you'll need to install it.

OK let's just make a program to call malloc and free and see what happens.

Inspecting the heap with vis bins and heap. 1) Let's write a program, 2) Let's use gdb with pwndbg and 3) Let's start and step through.

Now let's look at a typical CTF style Heap setup:

This sort of state-machine menu is classic CTF exploit stuff, and is actually surprisingly easy to inspect/debug/work with.

Heap Reference Guides:

I'm gonna drop these here for reference in the notes later: