Extra Heap Exploitation 2: TCache and Potential Exploitation

20180116001

Introduction

In glibc-2.26, TCache (per-thread cache), a new feature, was introduced in malloc. I did not take much notice of the new patch last year until I came across the SimpleGC challenge in 34C3 CTF last year. During the contest, I did not spend much time analysing the workflow of TCache and used a brute-force method to get the desired result.
In this post, I am going to give a detailed explanation of how TCache works. Based on that background knowledge, I will introduce two potential exploitation techniques that may appear in future CTF challenges. One is TCache poisoning [1], which is very similar to the fastbin corruption attack. The other is CVE-2017-17426, which may have unexpected effects in heap exploitation. Both techniques were tested with glibc-2.26 on Ubuntu 17.04.
(more…)
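To make the comparison with fastbin corruption concrete, the following is an added example, not code from the post above: a user-space model of the glibc-2.26 tcache bin list (its `tcache_entry`/`tcache_perthread_struct` layout and the `tcache_put`/`tcache_get` logic from malloc.c), with `model_malloc`/`model_free` as simplified stand-ins for the allocator fast path and the chunks constructed as plain static buffers rather than real heap chunks. Because 2.26 neither validates the `next` pointer on `tcache_get` nor detects a double free on `tcache_put`, a use-after-free write of a freed chunk's first eight bytes redirects the next allocation to an arbitrary address, exactly as in fastbin corruption but without even the fastbin size-field check.

```c
/* Added example: model of glibc-2.26 tcache showing why tcache poisoning works.
 * Not the original post's code. tcache_put/tcache_get mirror the 2.26 malloc.c
 * logic; model_malloc/model_free are simplified stand-ins (single bin, no
 * fallback to the real allocator); chunks are constructed static buffers.
 */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define TCACHE_MAX_BINS   64   /* glibc-2.26 default */
#define TCACHE_FILL_COUNT 7    /* max chunks per bin */

/* In the real allocator this struct overlays the freed chunk's user data. */
typedef struct tcache_entry { struct tcache_entry *next; } tcache_entry;

typedef struct tcache_perthread_struct {
  char counts[TCACHE_MAX_BINS];
  tcache_entry *entries[TCACHE_MAX_BINS];
} tcache_perthread_struct;

static tcache_perthread_struct tcache;

static void reset_tcache(void) { memset(&tcache, 0, sizeof tcache); }

/* 2.26 tcache_put: push on the singly linked list; no double-free check. */
static void tcache_put(void *chunk, size_t tc_idx) {
  tcache_entry *e = (tcache_entry *)chunk;
  e->next = tcache.entries[tc_idx];
  tcache.entries[tc_idx] = e;
  ++tcache.counts[tc_idx];
}

/* 2.26 tcache_get: pop the head and trust e->next unconditionally. */
static void *tcache_get(size_t tc_idx) {
  tcache_entry *e = tcache.entries[tc_idx];
  if (!e) return NULL;
  tcache.entries[tc_idx] = e->next;   /* unvalidated: the poisoning point */
  --tcache.counts[tc_idx];
  return (void *)e;
}

static void *model_malloc(size_t idx) { return tcache_get(idx); }
static void model_free(void *p, size_t idx) {
  if (tcache.counts[idx] < TCACHE_FILL_COUNT) tcache_put(p, idx);
}

/* Demo 1: tcache poisoning. Free a, free b (bin: b -> a), then use a UAF to
 * overwrite b's next pointer with an attacker-chosen address. The first
 * malloc returns b, the second returns the chosen address instead of a.
 * Returns 1 if the second allocation is the target. */
static int tcache_poison_demo(void) {
  static tcache_entry chunk_a[4], chunk_b[4], target[4]; /* constructed 0x20 chunks */
  size_t idx = 0;
  reset_tcache();
  model_free(chunk_a, idx);
  model_free(chunk_b, idx);
  chunk_b[0].next = target;            /* UAF write into freed chunk_b */
  void *first  = model_malloc(idx);    /* chunk_b */
  void *second = model_malloc(idx);    /* target, not chunk_a */
  return first == (void *)chunk_b && second == (void *)target;
}

/* Demo 2: double free is not detected in 2.26 (the e->key check that catches
 * it was added in glibc 2.29). The bin becomes a self-loop and two successive
 * mallocs return the same chunk. Returns 1 if both allocations coincide. */
static int tcache_double_free_demo(void) {
  static tcache_entry chunk[4];
  size_t idx = 0;
  reset_tcache();
  model_free(chunk, idx);
  model_free(chunk, idx);              /* accepted: chunk -> chunk */
  void *p = model_malloc(idx);
  void *q = model_malloc(idx);
  return p == q && p == (void *)chunk;
}

int main(void) {
  printf("tcache poisoning redirects malloc: %s\n",
         tcache_poison_demo() ? "yes" : "no");
  printf("double free accepted, same chunk twice: %s\n",
         tcache_double_free_demo() ? "yes" : "no");
  return 0;
}
```

The practical consequence for the CTF setting the post describes: on 2.26 a single write into a freed chunk, or two frees of the same pointer, is enough to make `malloc` return a pointer of your choosing, with no size check to satisfy and no fake chunk header to prepare.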

SECCON CTF 2017 Online Candy Store Write-Up

Introduction

Since I was recently preparing an extra tutorial on the House of Lore exploitation technique and found this challenge from SECCON last year, I decided to use it to demonstrate the use of House of Lore.
The binary for this challenge is a bit complicated, so I will first introduce its workflow and then explain how to develop the exploit.
(more…)

Advanced Heap Exploitation: File Stream Oriented Programming

Lambdadelta

Introduction

In this post, I will give a detailed introduction to File Stream Oriented Programming, including the internal implementation of the file structure, the related file operations and the corresponding exploitation techniques in CTF. This post is based on the source code of glibc-2.26. Since it is aimed at newcomers interested in CTF challenges, I will add many implementation details drawn from the source code. I wrote this post following the lecture notes given in [1].
(more…)