hacktricks/binary-exploitation/libc-heap/house-of-einherjar.md

# House of Einherjar
{% hint style="success" %}
Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
<details>
<summary>Support HackTricks</summary>
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
</details>
{% endhint %}
## Basic Information
### Code
* Check the example from [https://github.com/shellphish/how2heap/blob/master/glibc\_2.35/house\_of\_einherjar.c](https://github.com/shellphish/how2heap/blob/master/glibc\_2.35/house\_of\_einherjar.c)
* Or the one from [https://guyinatuxedo.github.io/42-house\_of\_einherjar/house\_einherjar\_exp/index.html#house-of-einherjar-explanation](https://guyinatuxedo.github.io/42-house\_of\_einherjar/house\_einherjar\_exp/index.html#house-of-einherjar-explanation) (you might need to fill the tcache)
### Goal
* The goal is to make `malloc` return a chunk at almost any chosen address.
### Requirements
* Create a fake chunk where we want the allocation to land:
  * Set its `fd` and `bk` pointers to point to the fake chunk itself to bypass the unlink sanity checks
* A one-byte overflow with a null byte from one chunk into the next one to clear the `PREV_INUSE` flag.
* Write into the `prev_size` field of the off-by-null abused chunk the distance between itself and the fake chunk
* The fake chunk's `size` field must be set to that same value so the size vs. `prev_size` sanity check passes
* For constructing these chunks, you will need a heap leak.
### Attack
* A fake chunk `A` is created inside a chunk controlled by the attacker, with its `fd` and `bk` pointing to the fake chunk itself to bypass the unlink protections
* Two other chunks (`B` and `C`) are allocated
* Abusing the off-by-one in `B`, the `PREV_INUSE` bit of the next chunk `C` is cleared and `C`'s `prev_size` is overwritten with the distance from the place where `C` is allocated to the fake chunk `A` generated before
* This `prev_size` and the size in the fake chunk `A` must be the same to bypass checks.
* Then, the tcache is filled (so that freeing `C` reaches the consolidation path instead of landing in the tcache)
* Then, `C` is freed so it consolidates backwards with the fake chunk `A`
* Then, a new chunk `D` is allocated which starts at the fake chunk `A` and covers chunk `B`
* The House of Einherjar finishes here
* This can be continued with a fast bin attack or Tcache poisoning:
  * Free `B` to add it to the fast bin / Tcache
  * `B`'s `fd` is overwritten through the `D` chunk (as it contains `B` inside) to make it point to the target address
  * Then, two mallocs are done and the second one is going to be **allocating the target address**
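To see why the requirements above look the way they do, here is an added example (not code from this page or from how2heap) that models in plain C the two integrity checks glibc applies when `free` consolidates a chunk backwards: the size vs. `prev_size` comparison and the `fd->bk` / `bk->fd` unlink check. The `chunk` struct, the `heap` buffer and `build_layout` are constructed for the demonstration and only approximate glibc's real layout; the comments name the checks by glibc's error strings.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Simplified model of a 64-bit glibc malloc chunk header (not glibc's own code). */
typedef struct chunk {
    size_t prev_size;  /* size of the previous chunk, only valid when PREV_INUSE is clear */
    size_t size;       /* chunk size; the low 3 bits are flags */
    struct chunk *fd;  /* forward link, only meaningful for free chunks */
    struct chunk *bk;  /* backward link, only meaningful for free chunks */
} chunk;

#define PREV_INUSE    0x1
#define SIZE_BITS     0x7
#define chunksize(p)  ((p)->size & ~(size_t)SIZE_BITS)
#define prev_inuse(p) ((p)->size & PREV_INUSE)
#define prev_chunk(p) ((chunk *)((char *)(p) - (p)->prev_size))

/* Mirrors the checks glibc's _int_free/unlink_chunk apply before merging chunk p
 * into the free chunk in front of it:
 *   "corrupted size vs. prev_size" -> chunksize(prev) must equal p->prev_size
 *   "corrupted double-linked list" -> prev->fd->bk and prev->bk->fd must both be prev
 * Returns true only when the allocator would accept the backward consolidation. */
bool backward_consolidation_accepted(chunk *p) {
    if (prev_inuse(p))
        return false;  /* previous chunk is in use: nothing to merge */
    chunk *prev = prev_chunk(p);
    if (chunksize(prev) != p->prev_size)
        return false;  /* size vs. prev_size mismatch */
    if (prev->fd->bk != prev || prev->bk->fd != prev)
        return false;  /* fd/bk do not point back: unlink check fails */
    return true;
}

/* Constructed heap region: a (fake) free chunk at offset 0 and the chunk C whose
 * header is being abused at offset 0x100, with PREV_INUSE already cleared. */
static _Alignas(16) unsigned char heap[0x200];

chunk *build_layout(size_t fake_size, size_t c_prev_size, bool self_linked) {
    memset(heap, 0, sizeof heap);
    chunk *fake = (chunk *)heap;
    chunk *elsewhere = (chunk *)(heap + 0x180);  /* zeroed chunk that does not link back */
    fake->size = fake_size;
    fake->fd = self_linked ? fake : elsewhere;
    fake->bk = self_linked ? fake : elsewhere;
    chunk *c = (chunk *)(heap + 0x100);
    c->prev_size = c_prev_size;
    c->size = 0x100;  /* PREV_INUSE clear, as after the off-by-null */
    return c;
}
```

Only the layout where the fake chunk's `size` equals `C`'s `prev_size` and its `fd`/`bk` point back to itself is accepted; a mismatched size or non-self-pointing links is rejected, which is exactly what the tcache/fastbin layers in real glibc sit in front of and why the tcache must be filled first.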
## References and other examples
* [https://github.com/shellphish/how2heap/blob/master/glibc\_2.35/house\_of\_einherjar.c](https://github.com/shellphish/how2heap/blob/master/glibc\_2.35/house\_of\_einherjar.c)
* **CTF** [**https://ctf-wiki.mahaloz.re/pwn/linux/glibc-heap/house\_of\_einherjar/#2016-seccon-tinypad**](https://ctf-wiki.mahaloz.re/pwn/linux/glibc-heap/house\_of\_einherjar/#2016-seccon-tinypad)
  * After freeing, pointers aren't nullified, so it's still possible to read their data. Therefore a chunk is placed in the unsorted bin and the pointers it contains are leaked (libc leak); then another chunk is placed in the unsorted bin and a heap address is leaked from the pointer it gets.
* [**baby-talk. DiceCTF 2024**](https://7rocky.github.io/en/ctf/other/dicectf/baby-talk/)
  * Null-byte overflow bug in `strtok`.
  * Use House of Einherjar to get an overlapping chunks situation and finish with Tcache poisoning to get an arbitrary write primitive.