raywang edited this page Nov 1, 2017 · 8 revisions

This is the best resource out there for heap exploits: https://heap-exploitation.dhavalkapil.com/.

Tooling

PwnGDB's angelheap is pretty nice for heap tracing/debugging. https://github.com/scwuaptx/Pwngdb

I also use voltron memory view to get a live view of the heap region, if I know where it's located.

voltron view memory --address 0x804b410 -w 2

Overwrite targets

  • malloc_hook: First, find the main_arena address; then malloc_hook should be right before that.

The next time malloc is called, the overwritten hook will be run.

Finding main arena

To get the main arena offset in libc (disclaimer: not too sure how reliable this is): https://github.com/Escapingbug/get_main_arena

In GDB:

If you have debug symbols in your libc, you can get the address from the symbol &main_arena:

x/40gx (long long)(&main_arena)-0x30

pwndbg has the arena and arenas commands to show the location of main_arena.

Another way without symbols, suggested by uafio, is to find the address of the top chunk in the heap, then search memory for references to it.

> search -8 0x555555757060
libc-2.24.so    0x7ffff7dd3b58 0x555555757060 /* '`puUUU' */

and subtract 0x58 to get the main_arena address.
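Added example (not from this wiki): why subtracting 0x58 works for the libc-2.24 search hit above, and why the offset moves on later glibc. The structs are reduced copies of glibc's struct malloc_state up to the top field; NFASTBINS is 10 on 64-bit builds, and the 2.27 layout is the one shipped on Ubuntu 18.04.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define NFASTBINS 10 /* 64-bit glibc: fastbin_index(request2size(MAX_FAST_SIZE)) + 1 */

/* struct malloc_state up to `top`, as laid out in glibc 2.24 (mutex is an int). */
struct malloc_state_224 {
    int   mutex;
    int   flags;
    void *fastbinsY[NFASTBINS];
    void *top;
};

/* glibc 2.27 added `have_fastchunks` after `flags`; with pointer alignment
 * this pushes fastbinsY to 0x10 and `top` to 0x60. */
struct malloc_state_227 {
    int   mutex;
    int   flags;
    int   have_fastchunks;
    void *fastbinsY[NFASTBINS];
    void *top;
};

size_t top_offset_224(void) { return offsetof(struct malloc_state_224, top); }
size_t top_offset_227(void) { return offsetof(struct malloc_state_227, top); }

/* `search` found the address of main_arena.top (the word holding the top chunk
 * pointer); subtract the version-specific offset to get main_arena itself. */
uintptr_t main_arena_from_top_ref(uintptr_t top_field_addr, int has_have_fastchunks)
{
    size_t off = has_have_fastchunks ? top_offset_227() : top_offset_224();
    return top_field_addr - off;
}

int main(void)
{
    uintptr_t hit = 0x7ffff7dd3b58; /* the libc-2.24 search hit shown above */
    printf("glibc 2.24: top at +0x%zx, main_arena = 0x%lx\n",
           top_offset_224(), (unsigned long)main_arena_from_top_ref(hit, 0));
    printf("glibc 2.27: top at +0x%zx (subtract 0x60 instead)\n", top_offset_227());
    return 0;
}
```

The offset is a property of the struct layout, so check it against the libc version you are actually looking at rather than hard-coding 0x58.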
