Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

Munmap Madness- 207

andigena, posted 5 years ago
  • glibc heap exploitation is a rich area with lots of interesting techniques. Recently, I was interested in how malloc serves requests via mmap. After doing some preliminary research and finding interesting things, I found that somebody had already done it!
  • Mmap allocations are used in the following circumstances:
    • Allocation that is served via mmap by ptmalloc
    • Library Load via dlopen
    • Non-library Mmap Call
    • Thread starts
  • Now, why is this useful? In the ptmalloc case, when an mmapped chunk is freed, very few sanity checks are applied to its header before the region it describes is unmapped. So, we could corrupt the heap metadata of an mmapped chunk and use it to munmap an already mmapped region!
  • There are a few ways this could be abused:
    • .text section (not usable, since an mmap allocation is not executable)
    • Top of the brk heap
    • .got/.data/.bss of a library
    • Chunks mmaped by ptmalloc
    • Thread Stacks
    The bottom four are all feasible attacks but would require immense precision to set up. To me, the most interesting is the chunks mmapped by ptmalloc, because it likely lets us create a use-after-free condition (with restrictions).
  • The final observation concerns the main thread's stack. If a page fault happens within the main thread's stack, the kernel automatically maps in a fresh page full of zeros! Although this seems interesting, it would break many things, such as stack canaries, and cause null pointer dereferences.
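To make the "very few sanity checks" point concrete, here is an added example (not code from the original post or from glibc) that models the validation glibc's free() performs on an mmapped chunk in munmap_chunk(): the IS_MMAPPED flag, page alignment of the mapping start and total length, and the power-of-two check on the user pointer's page offset. It then adds an assumed, illustrative hardening, a per-chunk registry of the mapping that was actually created, so that a header describing some other region is refused even though it passes the alignment checks. The addresses and the registry are constructed for the demonstration; nothing is really mapped.

```c
#include <assert.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PAGE_SIZE   4096UL
#define IS_MMAPPED  0x2UL          /* glibc size-field flag: chunk came from mmap */
#define SIZE_BITS   0x7UL          /* low three bits of the size field are flags */
#define MAX_RECORDS 16

/* 64-bit glibc chunk header, which sits just below the pointer malloc returns. */
typedef struct {
    size_t prev_size;              /* for mmapped chunks: offset from the mapping start */
    size_t size;                   /* chunk length, with flag bits in the low 3 bits */
} chunk_header;

/* The validation glibc's free() applies to an mmapped chunk (munmap_chunk):
 * IS_MMAPPED must be set, the mapping start (chunk - prev_size) and the total
 * length must be page aligned, and the user pointer's offset inside its page
 * must be zero or a power of two. Nothing confirms that [block, block+total)
 * is a region malloc itself mapped, so a self-consistent forged header passes.
 * A chunk without IS_MMAPPED takes a different path in glibc; it is reported
 * here as "not applicable" (false). */
bool glibc_style_check(uintptr_t chunk_addr, const chunk_header *h,
                       uintptr_t *block_out, size_t *total_out)
{
    if (!(h->size & IS_MMAPPED))
        return false;
    size_t size = h->size & ~SIZE_BITS;
    uintptr_t mem = chunk_addr + sizeof(chunk_header);
    uintptr_t block = chunk_addr - h->prev_size;
    size_t total = h->prev_size + size;

    if ((block | total) & (PAGE_SIZE - 1))
        return false;                           /* mapping not page aligned */
    uintptr_t off = mem & (PAGE_SIZE - 1);
    if (off != 0 && (off & (off - 1)) != 0)
        return false;                           /* user pointer oddly aligned */

    *block_out = block;
    *total_out = total;
    return true;
}

/* Assumed hardening (not glibc code): record, per chunk, the mapping that was
 * created for it, and at free time require the header-derived region to match. */
typedef struct { uintptr_t chunk, base; size_t len; bool live; } map_record;
static map_record registry[MAX_RECORDS];

void registry_reset(void) { memset(registry, 0, sizeof registry); }

bool registry_add(uintptr_t chunk, uintptr_t base, size_t len)
{
    for (int i = 0; i < MAX_RECORDS; i++) {
        if (!registry[i].live) {
            registry[i] = (map_record){ chunk, base, len, true };
            return true;
        }
    }
    return false;                  /* registry full */
}

/* True only when the header passes the glibc-style checks AND describes
 * exactly the mapping recorded for this chunk. */
bool hardened_check(uintptr_t chunk_addr, const chunk_header *h)
{
    uintptr_t block;
    size_t total;
    if (!glibc_style_check(chunk_addr, h, &block, &total))
        return false;
    for (int i = 0; i < MAX_RECORDS; i++) {
        if (registry[i].live && registry[i].chunk == chunk_addr)
            return registry[i].base == block && registry[i].len == total;
    }
    return false;                  /* never handed out as an mmapped chunk */
}

int main(void)
{
    /* Constructed addresses; a 0x21000-byte mapping starting at the chunk. */
    const uintptr_t chunk = 0x7f0000010000UL;
    registry_reset();
    registry_add(chunk, chunk, 0x21000);

    chunk_header intact = { 0, 0x21000 | IS_MMAPPED };
    chunk_header forged = { 0x10000, 0x1000 | IS_MMAPPED };   /* describes a region below the chunk */
    uintptr_t b;
    size_t t;

    printf("intact header: glibc %d, hardened %d\n",
           glibc_style_check(chunk, &intact, &b, &t), hardened_check(chunk, &intact));
    printf("forged header: glibc %d, hardened %d\n",
           glibc_style_check(chunk, &forged, &b, &t), hardened_check(chunk, &forged));
    return 0;
}
```

Run stand-alone, the intact header passes both checks, while the forged header passes the glibc-style alignment checks and is rejected only by the registry comparison; that gap between "well-formed" and "actually ours" is the weakness the post describes. The registry is keyed on the chunk address rather than on (base, length) so that a header reproducing another live mapping's values still fails.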