Heap exploitation journey #1 — Tcache attack


Hi guys. It’s been months since I last played CTFs. Now I’m back at it to learn about heap exploitation. I will be writing blog posts like this one about the techniques and the sample challenges that demonstrate them.

In this first episode of the journey, we will explore poisoning the pointers in the tcache linked list so that malloc hands us an arbitrary chunk (a chunk that starts at any address we want).

To illustrate the concept, I’m gonna walk you through the challenge babyheap from the DEFCON19 Qualifiers Round. The challenge files can be found here:

https://github.com/guyinatuxedo/nightmare/tree/master/modules/29-tcache/dcquals19_babyheapRecon

As usual, my first steps are to run checksec on the binary and decompile it in Ghidra.

We can see that all protections are enabled:

Let’s also find out the version of libc:

Firing up Ghidra, we can see the function that handles the main menu:

Nothing interesting. Let’s check out the make function:

We can see from the “index_in_array” variable that we are only allowed to allocate at most 10 chunks. Also, this variable denotes the index given to the
