The art of exploiting heap overflow, part 1

Introduction

Let’s start with the simpler version, stack overflow.

Exploiting a stack overflow is simple and fun: it turns a useless segfault into a beautiful piece of art — a root shell with full control of the system. It also exposes several essentials of overflow-based attacks:

Heap overflows are much harder, and so much more fun, to exploit than stack overflows, because some of those essentials are quite different:

Because of these “natural” constraints, exploiting a heap-based overflow requires a lot of patience and much more effort, and is therefore a much more beautiful piece of art.

On the other hand, glibc code gets more solid as its developers learn how attackers exploit it: many of the classic exploits no longer work on the latest glibc, and exploiting a newer version of glibc only becomes harder. Still, we can learn their ideas and spirit, which are more precious than the exploits themselves.

I will only cover ptmalloc in glibc, since it is the most widely used allocator (at least on Linux). Different memory allocators use different algorithms to organize memory chunks and different metadata to represent them, so all of the exploits I will cover apply only to ptmalloc, but the spirit goes beyond that.

You may ask: there are several articles on the Internet explaining heap overflow exploits, so why this one? I want to explain heap overflow in a completely different way, so that, I hope, you will not be as confused as I was.

It is going to be a long journey. Let’s start with something really simple.