- Heap exploitation training for glibc.
- Taught at DEFCON, CanSecWest and many other conferences.
- Contains free videos, slides and exercises.
- Videos are made for modules 1-6. The next five are in progress!
- Installation steps for Docker and the virtual machine are below.
There is a lot of content here, so there are two ways to go through it:
- Go through each of the modules in the order specified below.
- Do the first 5, then skip to 10 & 11.
  - Personally, I think this is the best bang-for-your-time if you're time-limited. But all of the content is fun and well-polished.

Whatever you do, do NOT skip the first two modules. These are the most important concepts in the entire course.
- Course introduction
- Introduction to Malloc
- Heap Vulnerability Classes:
  - Double free
  - Use after free
  - Arbitrary frees
- Fd Poison:
  - Tcache
  - 2.32+ (pointer mangling)
- Unlink
- Overlapping chunks
- House of Force
- Unsorted Bin Attack && TCache Stashing Demo
- House of Spirit
- Mmap Chunks + House of Muney -- not tested yet
- Leaks
- HTTP Server (final challenge)
- House of IO and New:
  - Pointer mangling and House of IO. Fun challenges in there, but not super relevant anymore.
- House of Orange:
  - Out of date, and the POC doesn't work as you'd expect.
Each technique comes with the following assets. All of them are helpful per challenge, but not all are implemented yet:
- Challenge file:
  - Challenge to test the knowledge of the technique
  - Source & compiled binary with the LD_PRELOAD section handled
- Solution:
  - Python pwntools solution
  - Checkpoints for going from stage to stage, if stuck.
    - Currently, this is ONLY implemented for the House of Spirit
- Slides for the technique:
  - Background of heap mechanics needed
  - Technique description
  - Challenge
  - Challenge walkthrough
  - Versions and situations
  - Other things to discuss
- compile script (make)
  - Patches the loader of the challenge files
- `modules/`
  - Holds challenges for unique techniques (structure described in 'Assets Per Technique')
- `demos/`
  - Showcasing of techniques and other fun things
- `libc_versions/`
  - Versions of libc and the loader
- `old_challenges/`
  - Old/failed challenges. Don't do these.
- `resources/`
  - Miscellaneous scripts and things
There are two ways to do the training:
- Use the Virtual Machine
- Use Docker on an x86_64 machine (advanced)

Virtual Machine:
- Download the VM
  - Exercises set up in a guaranteed-to-work test environment.
  - Custom libc compilations with symbols
  - Custom tools in the VM
- Follow the steps here

Docker:
- Must be on an x86_64 Linux machine!
- Go to the `resources/remote_setup` directory.
- Run `./start_container.sh`.
  - Mounts the entire training as part of the file system in the container, so you can save your progress.
- Must use tmux to run challenges.
To run the VM under QEMU, extract the OVA, convert the disk image to qcow2 and boot it:

```sh
tar xvf Heap\ Course\ DEFCON\ 30.ova
qemu-img convert -f vmdk -O qcow2 Heap\ Course\ DEFCON\ 30-disk002.vmdk HeapCourse.qcow2
qemu-system-x86_64 \
    -smp 2 \
    -hda HeapCourse.qcow2 \
    -m 6G \
    -usb \
    -device usb-tablet
```
- If something doesn't work or you get stuck, feel free to open an issue on this repo. Max Dulin's personal email works as well.
- Patience is a virtue for a reason :) I'm sure there are mistakes, but I'll do my best to fix them as I am made aware of them.