House of Roman-a "leakless" heap fengshui to achieve RCE on PIE Binaries

Presented at DEF CON 26 (2018), Aug. 11, 2018, 1:30 p.m. (20 minutes)

Regarding ptmalloc2, many heap exploitation techniques have been invented in the recent years, well documented on the famous how2heap repository, or as writeups of famous CTF challenges (like House of Orange). However, most of them require atleast a libc/heap leak , or fail in non-PIE binaries. My new technique titled House of Roman leverages a single bug to gain shell leaklessly on a PIE enabled Binary. I shall showcase the ease of aligning the heap to perform this attack, thus demonstrating its versatility.

Since this a 20 mins talk, attendees should be aware of basic heap exploitation techniques, like fastbin attacks and unsorted bin attacks, and have a general idea of how the ptmalloc2 algorithm works. As a bonus, I also discuss how to land a fastbin chunk in memory regions with no size alignment (like __free_hook ).

Presenters:

• Sanat Sharma - Hacker
  Sanat (@romanking98) is a 19 y o Junior Security Engineer at GoRoot GmbH in Berlin, Germany. He regularly plays CTFs with "dcua" , globally ranked in the world top 10 teams on ctftime.org , qualified for multiple prestigious onsite finals, including an invitation for DEF CON China offline CTF. @romanking98

Links:

• https://defcon.org/html/defcon-26/dc-26-speakers.html#Sharma
• https://infocon.org/cons/DEF CON/DEF CON 26/DEF CON 26 video and slides/DEF CON 26 - Sanat Sharma - House of Roman a leakless Heap Fengshui to Achieve RCE on PIE Binaries.mp4
• https://infocon.org/cons/DEF CON/DEF CON 26/DEF CON 26 video and slides/DEF CON 26 - Sanat Sharma - House of Roman a leakless Heap Fengshui to Achieve RCE on PIE Binaries.srt (subtitles)
• https://www.youtube.com/watch?v=bFHvcAWlfNA

Similar Presentations:

• Black Hat USA 2011 / Heap Spray Detection with Heap Inspector
• ToorCon San Diego 2021 / House of Heap Exploitation (Workshop)
• 44CON 2019 / Introduction to GLIBC heap exploitation Workshop