HyggeHalcyon

Libc Leak

Every libc leak obtained from the heap memory region comes from a chunk being linked into the unsorted bin. This can be achieved in different ways.

For the examples below, we'll assume we have the following pseudocode functions to interface with the challenges:

def alloc(idx: int, size: int, data: bytes):
    """Allocate a chunk of `size` bytes, store it at slot `idx` and write `data` into it."""
    pass

def free(idx: int):
    """Free the chunk held at slot `idx` (the slot is not cleared, so a dangling pointer remains)."""
    pass

natural way

The so-called natural way is to allocate a chunk of an unsorted-bin size and free it, so that the allocator's own implementation links it into the unsorted bin. In this case I wouldn't call it exploitation but rather misuse. However, this might not always be possible, since the environment may limit the chunk allocation size.

alloc(0, 0x500, b'cawk') # <- victim
alloc(1, 0x10, b'wilderness consolidation protect') # guard: keeps the victim from merging into the top chunk
free(0) # links chunk-0 to unsorted bin

tcache fill

In cases where the allocation size is not enough to link directly into the unsorted bin, another way is to fill the tcache bin of a certain size to its maximum capacity (7 entries in the example below). Any further free into that full tcache bin will put the chunk into the unsorted bin instead.

for idx in range(7):
    alloc(idx, 0x20, f'idx-{idx}'.encode()) # these 7 will fill the tcache bin
alloc(7, 0x20, b'victim') # <- victim
alloc(8, 0x10, b'wilderness consolidation protect') # guard: keeps the victim from merging into the top chunk

for idx in range(7):
    free(idx) # the tcache bin for this size is now full
free(7) # links chunk-7 to unsorted bin
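As an added example (not from these notes), the following C program performs both sequences above, the natural way and the tcache fill, against a real glibc and reads the fd/bk fields of the freed victim through a dangling pointer, which is exactly what a use-after-free read of a freed chunk discloses. It assumes glibc 2.26 or later on x86-64 (tcache with 7 entries per bin). It uses a 0x100 request rather than the 0x20 above, because chunks in the fastbin range (chunk size up to 0x80 by default) go to a fastbin rather than the unsorted bin once their tcache bin is full; the guard is given the same size as the victim so that it is carved from the top chunk directly behind it. The comparison against the address of stdout is a heuristic chosen here to confirm that the leaked value lies in libc's data segment, not a glibc API.

```c
/* Added example: observe the unsorted-bin links glibc writes into a freed
 * chunk. Assumes glibc >= 2.26 (tcache) on x86-64; default tcache capacity 7. */
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define TCACHE_COUNT 7 /* default per-bin tcache capacity */

struct freed_links {
    uintptr_t fd; /* forward link, stored in the first 8 bytes of user data */
    uintptr_t bk; /* backward link, stored in the next 8 bytes */
};

/* Read fd/bk through a dangling pointer: this is the use-after-free read.
 * volatile keeps the compiler from reasoning about the freed memory. */
static struct freed_links read_links(void *dangling)
{
    volatile uintptr_t *p = dangling;
    struct freed_links l = { p[0], p[1] };
    return l;
}

/* "natural way": a request too large for tcache and fastbins (chunk 0x510),
 * freed while an in-use guard sits behind it so it cannot merge into top. */
struct freed_links natural_way(void)
{
    void *victim = malloc(0x500); /* chunk size 0x510 */
    void *guard = malloc(0x500);  /* same size: carved from top right behind victim */
    free(victim);                 /* victim is linked into the unsorted bin */
    struct freed_links l = read_links(victim);
    (void)guard;                  /* guard stays allocated on purpose */
    return l;
}

/* "tcache fill": a tcache-sized request (chunk 0x110) reaches the unsorted bin
 * once its tcache bin holds 7 entries. The size must still exceed the fastbin
 * limit (0x80-byte chunks), otherwise the 8th free lands in a fastbin. */
struct freed_links tcache_fill(void)
{
    void *chunks[TCACHE_COUNT + 1];
    for (int i = 0; i <= TCACHE_COUNT; i++)
        chunks[i] = malloc(0x100);
    void *guard = malloc(0x100);  /* keeps the victim away from top */
    for (int i = 0; i < TCACHE_COUNT; i++)
        free(chunks[i]);          /* fills the 0x110 tcache bin */
    free(chunks[TCACHE_COUNT]);   /* tcache full: goes to the unsorted bin */
    struct freed_links l = read_links(chunks[TCACHE_COUNT]);
    (void)guard;
    return l;
}

/* Heuristic: the value is a libc address if it sits within 1 MiB of a known
 * libc data object (stdout points at _IO_2_1_stdout_ in libc's .data). */
int points_into_libc(uintptr_t p)
{
    uintptr_t ref = (uintptr_t)stdout;
    uintptr_t d = p > ref ? p - ref : ref - p;
    return d < 0x100000;
}

/* A lone chunk in the unsorted bin has fd == bk == the bin head in main_arena. */
int links_consistent(struct freed_links l)
{
    return l.fd != 0 && l.fd == l.bk && points_into_libc(l.fd);
}

int main(void)
{
    struct freed_links a = natural_way();
    struct freed_links b = tcache_fill();
    printf("natural way: fd=%#" PRIxPTR " bk=%#" PRIxPTR " in libc=%d\n",
           a.fd, a.bk, points_into_libc(a.fd));
    printf("tcache fill: fd=%#" PRIxPTR " bk=%#" PRIxPTR " in libc=%d\n",
           b.fd, b.bk, points_into_libc(b.fd));
    return 0;
}
```

Both runs print the same fd and bk value, the address of the unsorted bin head inside main_arena, which is why a single read of a freed chunk in the unsorted bin is enough to defeat libc ASLR; allocators that clear or encode free-list pointers, or programs that null out the pointer on free, do not expose it.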

unsorted bin splitting

The aforementioned methods are quite easy to use and profit from, but they require UAF primitives that allow us to read freed chunks. Depending on the environment this is not always available.

TODO ELABORATE MORE ON ANGSTORM 2024 - HEAPIFY AS EXAMPLE

However, one thing to note is that this technique requires a heap overflow or some other write primitive that allows us to change an adjacent chunk's size.

House Of Orange

The aforementioned methods require at least a free functionality to succeed; in this technique no free is required.

TODO ELABORATE MORE ON ANGSTORM 2024 - THEMECTL AS EXAMPLE

The need for a heap overflow or write primitive, even though convenient, is not mandatory. Although I haven't tested that statement myself yet, I theorize it would work just as well, as you can deplete the wilderness by requesting more heap memory. This is left as an improvisation for future encounters lol.


Last updated 9 months ago

References
  • CTFs/2024/ångstrom/heapify/exploit.py at main · HyggeHalcyon/CTFs (GitHub)
  • House of Orange - CTF Wiki EN
  • CTFs/2024/ångstrom/themectl/exploit.py at main · HyggeHalcyon/CTFs (GitHub)