Maxwell Dulin & Zachary Minneker - Wild World of Heap Exploitation
Latest details, requirements, description, cost: https://defcontrainings.myshopify.co...p-exploitation
Training description:
As exploit mitigations such as NX and stack canaries have made traditional stack-based binary exploitation more difficult, modern exploits have moved to the heap. But heap exploitation is a major step up in difficulty from traditional methods, making it a major wall on the binary exploitation journey.
To conquer the complexity of heap exploitation, we'll learn all about the malloc allocator by diving directly into the weeds of the allocator, explaining the how, what and why. We'll use hands-on exercises to demonstrate techniques that are broadly applicable and cover the contexts that allow each technique to be used. Additionally, we will demonstrate how the victim program itself can provide further primitives to exploit, and how to find these objects, so that what is learned in the course carries over to real targets.
This training is specifically targeted at glibc malloc, the default allocator on most Linux distributions. We will start by learning how the allocator functions and about heap-specific vulnerability classes. From there, you will learn how to pwn with techniques in the allocator itself and how to find your own gadgets within victim programs to live off the land. Finally, we will attack a custom HTTP server stack by finding the vulnerabilities and exploiting them; pulling this off will require complex heap feng shui and the exploit techniques learned in the training. To make the content easy to grasp, the training includes 13+ hands-on exercises for practicing the material, a large collection of visuals and a virtual machine for the pwnable challenges. After taking this course, you will be highly capable of finding heap-related vulnerabilities and exploiting them in a variety of ways.
Course outline:
- Module 1 - Introduction to the glibc heap allocator:
  - Basic data structures
  - Chunks
  - Exercise #1: Fixing a chunk
  - Bins (free chunk handling)
  - Arenas
  - Malloc & free ordering
- Module 2 - Heap vulnerability classes:
  - Heap buffer overflows
  - Use after frees
  - Exercise #2: Use after free
  - Double frees/arbitrary frees
  - Exercise #3: Double free exploitation
- Module 3 - Fd poisoning:
  - Understanding the tcache bin
  - Exploiting fd pointers
  - Exercise #4: Fd poison
  - Fastbin variation
  - Pointer mangling
  - Exercise #5: Fd poison with pointer mangling
- Module 4 - The classic unlink:
  - Understanding the original bins (unsorted, small and large)
  - Removing a chunk from a bin
  - Unlink attack for an arbitrary write primitive
  - Exercise #6: Unlink
  - Unsafe unlink demo
- Module 5 - Overlapping chunks:
  - Understanding the size and prev_size chunk metadata
  - Corrupting the size field
  - Overlapping chunks by growing the size
  - Exercise #7: Overlap two chunks
  - Other variations - shrinking chunks, unsorted bin variation
- Module 6 - House of Force:
  - Top chunk
  - Moving the top chunk forward
  - Overlapping your target
  - Exercise #8: House of Force
  - Similar technique overview: House of Einherjar
- Module 7 - Write-WHERE primitives:
  - Processing chunks in the unsorted bin
  - Unsorted bin attack method
  - Exercise #9: Unsorted bin attack
  - Uses of the unsorted bin attack: House of Husk and more
  - Similar technique overview: tcache stashing
- Module 8 - Leaks & heap grooming:
  - Uninitialized memory leaks
  - Exercise #10: Uninitialized memory read
  - Out-of-bounds read leak
  - Use after free leak
  - Filling in holes - heap feng shui
  - Heap spraying - heap feng shui
  - Exercise #11: UAF read with heap feng shui
  - `sudoedit` vulnerability - heap grooming case study
- Module 9 - Entering the real world - attacking an HTTP server stack:
  - Finding vulnerabilities in large applications via dynamic testing & code review
  - Vulnerability triaging & exploit planning
  - Exercise #12: Finding & exploiting an uninitialized memory read for heap & libc info leaks
  - Allocation & freeing primitives for heap grooming in large applications
  - Living off the land - exploiting objects in the application itself
  - Exercise #13: Finding & exploiting a use after free by living off the land
  - Other vulnerability demos - integer overflows, arbitrary frees, etc.
- Conclusion
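The outline names the allocator internals the exercises build on: the size and prev_size chunk metadata (Modules 1 and 5) and the mangled fd pointers of the tcache and fastbins (Module 3). The following C program is an added illustration and not course material or the trainers' code. It reproduces glibc's 64-bit request-to-chunk-size rounding, the flag bits in the size field, and the safe-linking PROTECT_PTR/REVEAL_PTR arithmetic that glibc 2.32 and later applies to tcache and fastbin fd pointers, together with the known trick of recovering a mangled fd without knowing its key. The heap addresses in main() are constructed for the demo, not real leaks.

```c
#include <stdint.h>
#include <stdio.h>

/* 64-bit glibc malloc constants (names as in malloc.c). */
#define SIZE_SZ            8UL
#define MALLOC_ALIGNMENT   16UL
#define MALLOC_ALIGN_MASK  (MALLOC_ALIGNMENT - 1)
#define MINSIZE            32UL              /* smallest chunk on x86-64 */
#define PREV_INUSE         0x1UL
#define IS_MMAPPED         0x2UL
#define NON_MAIN_ARENA     0x4UL
#define SIZE_BITS          (PREV_INUSE | IS_MMAPPED | NON_MAIN_ARENA)

/* Header in front of every pointer malloc() hands out. For a free chunk the
 * first 16 bytes of user data are reused as the fd/bk (or tcache next) links. */
struct malloc_chunk {
    uint64_t prev_size;   /* size of the previous chunk, valid only if it is free */
    uint64_t size;        /* this chunk's size; the low 3 bits are the flags above */
    uint64_t fd;          /* free chunks only: forward link */
    uint64_t bk;          /* free chunks only: backward link */
};

/* request2size(): how malloc() turns a user request into a chunk size. */
uint64_t request2size(uint64_t req) {
    uint64_t sz = (req + SIZE_SZ + MALLOC_ALIGN_MASK) & ~MALLOC_ALIGN_MASK;
    return sz < MINSIZE ? MINSIZE : sz;
}

/* chunksize() and a flag accessor: separate the size from the flag bits. */
uint64_t chunksize(uint64_t size_field) { return size_field & ~SIZE_BITS; }
int prev_inuse(uint64_t size_field)     { return (size_field & PREV_INUSE) != 0; }

/* Compose a size field; used when forging a header the way an overflow into the
 * neighbouring chunk's metadata would (Module 5: corrupting the size field). */
uint64_t size_field(uint64_t size, uint64_t flags) {
    return chunksize(size) | (flags & SIZE_BITS);
}
void write_chunk_header(struct malloc_chunk *c, uint64_t prev_size, uint64_t size, uint64_t flags) {
    c->prev_size = prev_size;
    c->size = size_field(size, flags);
}

/* Safe-linking (glibc >= 2.32): tcache and fastbin fd pointers are stored as
 *   fd = (&fd >> 12) ^ next
 * so a plain fd overwrite no longer redirects the bin unless the attacker knows
 * the heap address bits. These mirror the PROTECT_PTR / REVEAL_PTR macros. */
uint64_t protect_ptr(uint64_t pos, uint64_t ptr)    { return (pos >> 12) ^ ptr; }
uint64_t reveal_ptr(uint64_t pos, uint64_t mangled) { return (pos >> 12) ^ mangled; }

/* The last entry in a tcache bin has next == NULL, so its stored fd is just
 * pos >> 12: reading it leaks the page address of the chunk that holds it. */
uint64_t heap_page_from_last_entry(uint64_t mangled) { return mangled << 12; }

/* Recover `ptr` from a mangled fd when `pos` is unknown. The key (pos >> 12)
 * has a zero top 12 bits, so the top 12 bits of the mangled value are ptr's
 * own; each lower 12-bit group is then unmasked with the group recovered above
 * it. Exact when pos and ptr agree on bits 16..63 (neighbouring chunks in one
 * heap do) and ptr is 16-byte aligned, so its low 4 bits are zero anyway. */
uint64_t demangle_unknown_pos(uint64_t mangled) {
    uint64_t plain = 0, key = 0;
    for (int bits = 52; bits > 0; bits -= 12) {         /* 52, 40, 28, 16, 4 */
        plain = ((mangled ^ key) >> bits) << bits;
        key = plain >> 12;
    }
    return plain;
}

int main(void) {
    /* malloc(24) on x86-64 yields a 0x20 chunk whose size field reads 0x21
     * when the previous chunk is in use. */
    struct malloc_chunk c;
    write_chunk_header(&c, 0, request2size(24), PREV_INUSE);
    printf("size field 0x%llx -> chunk size 0x%llx, prev_inuse=%d\n",
           (unsigned long long)c.size, (unsigned long long)chunksize(c.size), prev_inuse(c.size));

    /* Constructed heap addresses for the safe-linking demo (assumed values). */
    uint64_t pos  = 0x55555555a010ULL;     /* address of the fd field */
    uint64_t next = 0x55555555b020ULL;     /* chunk the fd should point to */
    uint64_t fd   = protect_ptr(pos, next);
    printf("stored fd   0x%llx\n", (unsigned long long)fd);
    printf("revealed    0x%llx\n", (unsigned long long)reveal_ptr(pos, fd));
    printf("demangled   0x%llx (pos not needed)\n", (unsigned long long)demangle_unknown_pos(fd));
    printf("page leak   0x%llx\n", (unsigned long long)heap_page_from_last_entry(protect_ptr(pos, 0)));
    return 0;
}
```

The demangling routine is what makes a single tcache fd read useful against safe-linking: with one mangled fd from a chunk that has a successor, the heap address of that successor falls out without any separate leak of the key, which is why Module 3's pointer-mangling exercise still reduces to fd poisoning once the bin contents are readable.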
Takeaways for the students after completing the class:
- How the glibc malloc allocator functions (chunks, bins, etc.)
- Heap specific vulnerability classes (use after free, double free, etc.)
- 6+ glibc malloc allocator exploitation techniques
- Bypassing allocator and operating system binary protections, such as pointer mangling and ASLR
- Living off the land of the program for context dependent exploit primitives
- Information leaks from the heap
- Heap grooming (heap feng shui)
- Debugging and testing memory corruption vulnerabilities
Student skill level:
Intermediate.
What should students bring to the Training?:
- Laptop with enough power for a moderately sized Linux VM
- Administrative access to the laptop
- 8 GB RAM minimum
- 30 GB hard drive space
- Virtualbox or another virtualization platform installed
Bios:
Maxwell Dulin (Strikeout) is a senior security consultant hacking all things under the sun, from garage doors to web applications to operating systems. Maxwell has published many articles and talks on a plethora of heap exploitation techniques, assorted web application exploits and IoT devices. He has previously spoken at DEF CON 27's IoT Village, ToorCon, CanSecWest, Hackfest and DEF CON workshops. His research is focused on custom RF protocols and binary exploitation methods. In his free time, he plays with RF toys, hikes to fire lookouts and catches everything at dodgeball.
Zachary Minneker is a security researcher and security engineer at Security Innovation. His first computer was a PowerPC Macintosh, an ISA which he continues to defend to this day. At Security Innovation, he has performed security assessments on a variety of systems, including robots for kids, audio transcription codecs, and electronic medical systems. He has previous experience administering electronic medical systems, and deep experience in fuzzing, reverse engineering, and protocol analysis. His research has focused on techniques for in-memory fuzzing, macOS sandbox security, and IPC methods, and his current research focuses on healthcare and related infrastructure security. He has spoken previously at Hackfest, DEF CON workshops, and CanSecWest.
Trainer(s) social media links:
- Max: https://maxwelldulin.com, Twitter: @Dooflin5
- Zach: https://twitter.com/seiranib
DATE: Aug 15th to 16th 2022
TIME: 9am to 5pm PDT
VENUE: Caesars Forum Ballroom
TRAINERS: Maxwell Dulin & Zachary Minneker
- 16 hours of training with a certificate of completion for some classes
- COVID safety: Masks required for indoor training
- Note: Classes that do not meet their minimum class size by July 15 will be canceled, please register early
- Note: Food is NOT included