HeapLAB – GLIBC Heap Exploitation with Max Kamper: March 2020

£1,500.00 inc VAT

The GNU C Library (GLIBC) is a fundamental part of most Linux desktop and many embedded distributions, its memory allocator is used in everything from starting threads to dealing with I/O.

This 2-day, hands-on course is ideal for students who’ve completed basic stack-based overflows and are wondering where to go next. It’s an ideal follow-up course to any of Saumil Shah’s exploit labs, or Telspace’s Hack 2 Basics.

This course runs on the 12th and 13th of March, 2020 at the Novotel London West, London.

Out of stock

SKU: 44CON-M20-TRN-GHEL Category: Tags: , ,

Learn how to leverage this vast attack surface with more than 11 different heap exploitation techniques, from the original “Unsafe Unlink” to the beautiful overflow-to-shell “House of Orange” and eventually to the cutting-edge “House of Corrosion”.

This is a 2-day, hands-on course. Students will alternate between learning new techniques and developing their own exploits based on what they’ve learned.

For nearly 20 years, exploiting memory allocators has been somewhat of an art form; become a part of that legacy with HeapLAB.

£1,500.00 inc VATRead more

Day 1

  • An introduction to GLIBC and its memory allocator
  • GLIBC heap exploitation history
  • Tools of the trade
    • GDB & pwndbg
    • The pwntools library
  • The “House of Force” technique
    • The malloc() function
    • The “top” chunk
  • Hijacking the flow of execution
    • Malloc’s hooks
    • “One-gadgets”
  • The “Fastbin Dup” technique
    • The free() function
    • Malloc’s fastbins
    • Arenas
    • Defeating the fastbins double-free mitigation
    • Dealing with the fastbins size field check
  • The “Unsafe Unlink” technique
    • Malloc’s unsortedbin
    • Chunk coalescing
    • Defeating the “safe unlinking” checks
  • The “House of Orange” technique
    • File stream exploitation
    • The “Unsortedbin Attack”
    • Top chunk extension
    • Sorting
  • Info leaks via the heap
    • Leaking heap addresses
    • Leaking libc addresses
  • CHALLENGE: one-byte
    • Leverage a one-byte overflow against a modern pwnable

Day 2

  • The “House of Spirit” technique
    • Passing corrupted values to free()
    • Designing fake chunks
  • The “House of Lore” technique
    • Poisoning the unsortedbin
    • Poisoning the smallbins
    • Poisoning the largebins
  • The “House of Einherjar” technique
  • The “House of Rabbit” technique
    • The malloc_consolidate() function
    • Moving fake chunks between bins
  • Project Zero’s “Poison Null Byte” technique
  • CHALLENGE: poison null byte
    • Leverage a single null byte overflow against a modern pwnable
  • The “House of Corrosion” technique
    • Reviving the “House of Prime”
    • Defeating libio vtable integrity checks
    • Leveraging partial malloc metadata overwrites
    • Triggering file stream exploits via failed asserts
  • The Tcache
    • The “Tcache Dup” technique
    • Defeating the tcache double-free mitigation
  • CHALLENGE: tcache troll
    • Leverage a double-free against a modern pwnable

What You’ll Learn

  • How memory allocation works, specifically under GLIBC
  • 11 Different heap exploitation techniques
  • Many different routes to arbitrary code execution

Who Should Take This Course

  • CTF team members who want to take on Linux heap challenges
  • Linux exploit developers who want to add another string to their bow
  • Anyone interested in “weird machines”

What Students Should Bring

  • Confidence using command line tools
  • Some basic Python scripting skills
  • Familiarity with a debugging environment e.g. GDB
  • Laptop – powerful enough to run VMs
    • 8GB RAM minimum
    • 35GB free HDD space minimum
  • USB-A port or dongle to copy VM

What Students Will Be Provided With

  • Course VM
  • HeapLAB Heap Exploitation Bible PDF

£1,500.00 inc VATRead more

About The Trainer

Max Kamper is a researcher and exploit developer. A former Royal Marines Commando, Max was a member of the Information Exploitation Group’s electronic warfare squadron. Having traded radio signals for process signals, he now specializes in exploit development against Linux platforms. Max is also the author of the “ROP Emporium” website, a resource for learning practical x86 return-oriented programming.