Skip to main content
Maxwell Dulin - Glibc malloc heap exploitation $1,500 (Early $1,300)
Maxwell Dulin - Glibc malloc heap exploitation $1,500 (Early $1,300)

Maxwell Dulin - Glibc malloc heap exploitation $1,500 (Early $1,300)

Name of training:
- glibc malloc heap exploitation

Trainer information:

Full name of trainer(s):
- Maxwell Dulin

Trainer(s) bio:
- Maxwell Dulin (Strikeout) is a senior security consultant hacking all things under the sun, from garage doors to web applications to operating systems. Maxwell has published many articles/talks for a plethora of heap exploitation techniques, assorted web application exploits and IoT devices such as scoreboards. He has previously spoken at DEF CON 27s IoT Village, CanSecWest, Hackfest and DEF CON workshops. His research is focused on custom RF protocols and binary exploitation methods. In his free time, he plays with RF toys, hikes to fire lookouts and catches everything at dodgeball.

Trainer(s) social media links:
- @dooflin5 on twitter
- is my personal blog

Training information:

- Taught full training at CanSecWest in 2022. Taught the workshop version (4 hours) a twice at DEFCON, ToorCon some privately and Hackfest.

Do you have links to sites that promoted your past training so we can better understand how you presented it to the public?
- Video of me and co-instructor talking with Dragos about the training:
- CanSecWest:
- Previous year at DEFCON trainings as well.

Description of your class:

As exploit mitigation's, such as Nx and stack canaries, have made traditional binary exploitation more difficult, modern exploits have moved to the heap. But heap exploitation is a major increase in difficulty compared to traditional methods, making it a difficult wall on the binary exploitation journey. In this training, we will conquer the complexity and difficultly of heap exploitation by breaking it down directly.

To conquer the complexity, we'll learn all about the GLibC's malloc allocator by diving into the weeds of the allocator directly, explaining the how, what, and why. We'll use hands-on exercises to demonstrate techniques that are largely applicable, and cover the contexts which allow certain techniques to be used. Additionally, we will demonstrate how the victim program can add even more primitives that can be exploited and how to find these objects, allowing the information learned in the course to be widely applicable.

This training is specifically targeted at GLibC malloc, which is the default allocator on most Linux distributions. We will start by learning how the allocator functions and about heap specific vulnerability classes. From there, you will learn how to pwn with techniques in the allocator itself and how to find your own gadgets within victim programs to live off the land. Finally, we will attack a custom HTTP server stack by finding the vulnerabilities and exploiting them. This will require complicated heap feng shui and exploit techniques learned from the workshop in order to pull off. To make the content easy to grasp, the training includes many hands-on exercises for practicing the material, a large collection of visuals and an amazing virtual machine for pwnable challenges. After taking this course, you will be highly capable at finding heap related vulnerabilities and exploiting these bugs in a variety of ways.

Outline the class in enough detail that we can determine the hour-by-hour experience a student will experience:
- This is what I hope happens. I give some leway on the hours in case there are sections that are harder for some students than I anticipate.
- Day 1:
- Introductions + buffer (15)
- Introduction to Malloc (90 minutes)
- 40 minutes on slides
- 40 on exercises (fix chunk and ordering)
- 10 minutes for questions
- Vulnerability Classes (70 minutes):
- 20 minutes on slides
- 40 minutes on exercises (UAF and double free)
- 10 minutes on questions
- Fd Poison (70 minutes):
- 15 minutes on slides
- 45 minutes on exercise1 without & with pointer mangling
- 10 for questions
- Lunch
- Unlink (80 minutes):
- 15 minutes on slides
- 10 for questions
- 35 for exercise 1 & 2
- 20 Unsafe unlink demo
- Overlapping Chunks (60 minutes):
- 20 minutes on slides
- 10 on questions
- 30 on exercise
- Extra things (if needed or more time)
- House of Spirit
- Ordering exercises for introduction to malloc
- Extra challenge in 'fd' poison
- Break (40) - 10 between each module
- Day 2:
- House of Force (60 minutes):
- 20 minutes on slides
- 10 minutes on Qs
- 30 on exercise
- Unsorted Bin Attack (80 minutes):
- 15 minutes on slides
- 10 minutes on Qs
- 35 minutes on exercise
- 20 Tcache stashing demo
- Lunch
- Leaks & Grooming (75 minutes):
- 25 minutes on slides
- 10 minutes on Qs
- 40 on exercises
- Break in the middle, since it's long
- Final Challenge (240 minutes):
- 60 minutes on demo + slides
- 10 on Qs
- 110 on exercises
- 2 breaks in the middle, since this is very long
- Extra things (if needed):
- Exploitability slides
- Other vulnerabilities in HTTP server (over iteration exploitation and integer overflow)
- Mmap chunk module
- Breaks (40 minutes) - 10 between each module

Technical difficulty of the class (Beginner, Intermediate, Advanced) and any required experience or skills needed (Such as Python, knowledge of specific deep-learning algorithms, TCP dump analysis, Ghidra, etc.)
- Intermediate. Requires basic binary exploitation experience, GDB and Python.

Suggested prerequisites for the class. What should the student have read or prepared in advance to get the most out of your class? This could be videos to watch, books or white papers to read, etc.
- Refresher on GDB and pwntools.

Items students will need to provide:
- A reasonably powerful computer. Please don't bring ARM Macs, since virtualization doesn't work on these for x86 yet. If this is the only laptop they have, I've got a docker env that works within another server though.
- Virtualization platform, such as VirtualBox and VMWare, installed.
- Powerpoint or OpenLibre to view the slides

Training highlight:

- The final module is awesome. It takes the techniques, heap feng shui and puts it into a larger application to exploit. I'm super proud of this module :)

- The course '' is the pre-req knowledge for this course. Their final module is about the heap vulnerability classes, which is practically where my class starts. Although they are similar in nature, they have very different content.

DATE: November 2nd-3rd 2024
TIME: 8am to 5pm PDT
VENUE: Meydenbauer Center, Bellevue, WA
TRAINER: Maxwell Dunlin

- 16 hours of training with a certificate of completion.
- 2 coffee breaks are provided per day
- Note: Food is not included

Registration terms and conditions:

Trainings are refundable before September 16th, the processing fee is $250.

Trainings are non-refundable after September 26th, 2024.

Training tickets may be transferred. Please email us for specifics.

Failure to attend the Training without prior written notification, will be considered a No-Show. No refund will be given.

By purchasing this ticket you agree to abide by the DCT Code of Conduct and the registration terms and conditions listed above.