The realm of heap exploitation has always intrigued security researchers due to its complexity and the potential for high-impact vulnerabilities. The HitconCTF Qualifiers 2024 presented a formidable challenge in this domain, featuring a heap pwn challenge dubbed “setjmp.”
The HitconCTF Qualifiers 2024 has been marked as one of the toughest capture the flag events (CTFs) of the year. Among a slew of kernel and VM escape challenges, the setjmp challenge stood out with its seemingly straightforward approach but complex underlying mechanisms.
According to Quarkslab’s blog, this challenge involved classic heap exploitation techniques on a system running GLIBC 2.31, the GNU C library. The core difficulty lay in obtaining a libc pointer leak, which was ultimately resolved using scanf() to trigger a substantial memory allocation.
Heap Exploitation Techniques Explained
Before diving into the specific details of the setjmp challenge, it is crucial to grasp some foundational concepts about GLIBC’s malloc internals. Resources such as Azeria Labs’ malloc internals primer and Shellphish’s “how2heap” provide valuable insights. Additionally, the “Malloc Des Malificarum” offers historical context on heap exploitation techniques. Understanding these concepts will lay the groundwork for comprehending how vulnerabilities are exploited in heap management.
The heap is a critical component of a process’s memory space, utilized for dynamic memory allocation. Managed through functions like malloc() and free(), the heap allows programs to allocate and deallocate memory blocks as needed. When a memory allocation request is made, the heap manager returns a pointer to a chunk of memory of the requested size. When memory is freed, it must be managed efficiently to avoid fragmentation and ensure quick reallocation.
Heap management in GLIBC employs various types of bins to efficiently organize memory chunks: Small Bins are doubly linked lists for chunks up to 1024 bytes, while Large Bins handle chunks larger than 1024 bytes with their own doubly linked lists. The Unsorted Bin acts as a cache for chunks that don’t fit into other bins immediately. Fast Bins consist of singly linked lists for small chunks expected to be reused soon, and Tcache Bins provide thread-local storage for frequently used chunks to speed up allocation.
Each bin type has distinct characteristics and optimizations, which are vital for understanding heap exploitation techniques. For example, while fastbins and tcache bins facilitate rapid allocation and deallocation, they also present vulnerabilities that can be exploited.
Heap Exploitation Techniques: Core Concepts
Heap exploitation techniques frequently focus on manipulating free lists and bins within memory management systems. Key exploitation primitives include Heap Overflow, which takes advantage of buffer overflows to alter adjacent chunks or bin list pointers; Use After Free (UAF), where a freed chunk is still referenced, allowing attackers to leak or modify memory; and Double-Free, which involves freeing the same chunk twice to cause memory corruption or arbitrary write primitives.
In the context of the Setjmp challenge, the use of setjmp and longjmp functions for non-local jumps highlights their role in managing execution contexts and complex control flows. This challenge required handling a doubly linked list of user structures in heap memory, involving operations to create, delete, and modify users.
The challenge featured both Use After Free (UAF) and Double-Free vulnerabilities, which were central to the exploitation strategy. In the Use After Free scenario, deleting a user left its reference on the stack, creating a UAF vulnerability that allowed for manipulation of memory structures. The Double-Free vulnerability involved freeing the same user twice, enabling advanced memory manipulation.
By exploiting a UAF vulnerability, attackers could circumvent double-free detection in the tcache and gain control over memory. The exploitation strategy involved triggering a double-free condition to perform arbitrary read and write operations within libc. By overwriting the __free_hook with the address of the system(), attackers could execute arbitrary commands. For instance, creating a user with the username /bin/sh and subsequently freeing it would activate the __free_hook, ultimately leading to the execution of a shell command.
Practical Steps and Heap Exploitation Techniques
The challenge at HitconCTF Qualifiers 2024 involved several critical steps in heap exploitation. The Heap Leak was achieved by deleting a user and then reading the contents of the freed chunk to extract the base address of the heap. This technique allowed the researchers to gain insight into the heap’s layout and memory structure. To perform a Libc Leak, a large chunk was strategically forced into the unsorted bin using scanf() for large allocations. This process, which required careful management of chunk placements, revealed the libc base address and facilitated further exploitation.
The Final Exploit focused on overwriting the __free_hook with the address of the system() function. This technique enabled the execution of arbitrary commands by leveraging both double-free conditions and heap leaks. By creating a user with the username /bin/sh and then freeing it, the __free_hook was triggered to execute the shell command, effectively demonstrating the exploit’s success.
In conclusion, the setjmp challenge exemplified the intricate nature of heap exploitation and the detailed understanding required of GLIBC malloc internals. It highlighted the importance of mastering heap structures, free lists, and exploitation primitives to develop sophisticated techniques for identifying and exploiting vulnerabilities. Resources such as Azeria Labs’ malloc internals and various online guides are invaluable for gaining hands-on experience and enhancing one’s skills in navigating and overcoming modern security challenges.
