In the fifth part of our Exploit 101 series, we will explore heap exploitation, a technique used to manipulate memory allocation mechanisms to gain control over a program's execution.
What is Heap Exploitation?
The heap is a memory region used for dynamic allocation, where programs request memory at runtime using functions like malloc(), calloc(), and realloc(). Unlike stack-based buffer overflows, heap exploitation targets vulnerabilities in heap management to overwrite critical data structures and gain arbitrary code execution.
Common Heap Vulnerabilities
- Heap Buffer Overflow – Writing beyond allocated memory on the heap.
- Use-After-Free (UAF) – Accessing freed memory, leading to unintended behavior.
- Double-Free – Freeing the same memory location twice, corrupting heap structures.
- Heap Spraying – Filling heap memory with controlled data to redirect execution.
Setting Up Heap Exploitation Environment
Required Tools
Ensure your system has the following tools installed:
- GDB with GEF (GDB Enhanced Features)
sudo apt install gdb -y wget -O ~/.gdbinit-gef.py https://gef.blah.cat/py echo "source ~/.gdbinit-gef.py" >> ~/.gdbinit - Pwntools (Python Exploit Development Library)
pip install pwntools - Libc Debugging Symbols
sudo apt install libc6-dbg
Example 1: Heap Buffer Overflow
Consider the following vulnerable C code:
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
void vulnerable_function(char *input) {
char *buffer = malloc(64);
strcpy(buffer, input); // No bounds checking
printf("You entered: %s\n", buffer);
free(buffer);
}
int main(int argc, char *argv[]) {
if (argc < 2) {
printf("Usage: %s <input>\n", argv[0]);
return 1;
}
vulnerable_function(argv[1]);
return 0;
}
The strcpy() function does not verify input length, leading to a heap overflow.
Exploiting Heap Buffer Overflow
Compile the vulnerable program:
gcc -o heap_overflow heap_overflow.c -fno-stack-protector -z execstack -g
Trigger an overflow using python:
./heap_overflow $(python -c 'print("A" * 100)')
If the program crashes, it indicates memory corruption, which can be leveraged to overwrite function pointers or heap metadata.
Example 2: Use-After-Free (UAF) Exploit
Vulnerable C Code
#include <stdio.h>
#include <stdlib.h>
int main() {
char *ptr = malloc(64);
strcpy(ptr, "Sensitive Data");
free(ptr); // Memory freed but pointer is still accessible
printf("Use-After-Free: %s\n", ptr); // Accessing freed memory
return 0;
}
This program accesses freed memory, which can be exploited by allocating controlled input at the same memory location.
Exploiting UAF
Run the program:
./uaf
If the memory is reused by another allocation, an attacker can control the program flow.
Debugging Heap Exploits with GDB
Use GDB to analyze heap behavior:
gdb -q ./heap_overflow
run $(python -c 'print("A" * 100)')
heap bins # View heap chunk allocations
Use pwndbg to visualize heap corruption:
heap chunks
Conclusion
Heap exploitation is an advanced technique requiring a deep understanding of memory management. In the next part, we will cover Advanced Heap Exploitation Techniques.
Stay tuned for Exploit 101: Part 6 – Advanced Heap Exploitation!
0 comments:
Post a Comment