hacktricks/binary-exploitation/libc-heap/house-of-einherjar.md

# House of Einherjar

<details>

<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>

Other ways to support HackTricks:

* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.

</details>

## Basic Information

### Code

* Check the example from [https://github.com/shellphish/how2heap/blob/master/glibc\_2.35/house\_of\_einherjar.c](https://github.com/shellphish/how2heap/blob/master/glibc\_2.35/house\_of\_einherjar.c)
* Or the one from [https://guyinatuxedo.github.io/42-house\_of\_einherjar/house\_einherjar\_exp/index.html#house-of-einherjar-explanation](https://guyinatuxedo.github.io/42-house\_of\_einherjar/house\_einherjar\_exp/index.html#house-of-einherjar-explanation) (you might need to fill the tcache)

### Goal

* The goal is to allocate memory in almost any specific address.

### Requirements

* Create a fake chunk when we want to allocate a chunk:
  * Set pointers to point to itself to bypass sanity checks
* One-byte overflow with a null byte over from one chunk to another to modify the `PREV_INUSE` flag.
* Indicate in the `prev_size` of the off-by-null abused chunk the difference between itself and the fake chunk
  * The fake chunk size must also have been set the same size to bypass sanity checks
* For constructing these chunks, you will need a heap leak.

### Attack

* `A` fake chunk is created inside a chunk controlled by the attacker pointing with `fd` and `bk` to the original chunk to bypass protections
* 2 other chunks (`B` and `C`) are allocated
* Abusing the off by one in the `B` one the `prev in use` bit is cleaned and the `prev_size` data is overwritten with the difference between the place where the `C` chunk is allocated, to the fake `A` chunk generated before
  * This `prev_size` and the size in the fake chunk `A` must be the same to bypass checks.
* Then, the tcache is filled
* Then, `C` is freed so it consolidates with the fake chunk `A`
* Then, a new chunk `D` is created which will be starting in the fake `A` chunk and covering `B` chunk
  * The house of Einherjar finishes here
* This can be continued with a fast bin attack or Tcache poisoning:
  * Free `B` to add it to the fast bin / Tcache
  * `B`'s `fd` is overwritten making it point to the target address abusing the `D` chunk (as it contains `B` inside)&#x20;
  * Then, 2 mallocs are done and the second one is going to be **allocating the target address**

## References and other examples

* [https://github.com/shellphish/how2heap/blob/master/glibc\_2.35/house\_of\_einherjar.c](https://github.com/shellphish/how2heap/blob/master/glibc\_2.35/house\_of\_einherjar.c)
* **CTF** [**https://ctf-wiki.mahaloz.re/pwn/linux/glibc-heap/house\_of\_einherjar/#2016-seccon-tinypad**](https://ctf-wiki.mahaloz.re/pwn/linux/glibc-heap/house\_of\_einherjar/#2016-seccon-tinypad)
  * After freeing pointers their aren't nullified, so it's still possible to access their data. Therefore a chunk is placed in the unsorted bin and leaked the pointers it contains (libc leak) and then a new heap is places on the unsorted bin and leaked a heap address from the pointer it gets.
* [**baby-talk. DiceCTF 2024**](https://7rocky.github.io/en/ctf/other/dicectf/baby-talk/)
  * Null-byte overflow bug in `strtok`.
  * Use House of Einherjar to get an overlapping chunks situation and finish with Tcache poisoning ti get an arbitrary write primitive.

<details>

<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>

Other ways to support HackTricks:

* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.

</details>
GITBOOK-4337: No subject 2024-05-14 11:10:13 +00:00			`# House of Einherjar`

			`<details>`

			`<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>`

			`Other ways to support HackTricks:`

			`* If you want to see your company advertised in HackTricks or download HackTricks in PDF Check the [SUBSCRIPTION PLANS](https://github.com/sponsors/carlospolop)!`
			`* Get the [official PEASS & HackTricks swag](https://peass.creator-spring.com)`
			`* Discover [The PEASS Family](https://opensea.io/collection/the-peass-family), our collection of exclusive [NFTs](https://opensea.io/collection/the-peass-family)`
			`* Join the 💬 [Discord group](https://discord.gg/hRep4RUj7f) or the [telegram group](https://t.me/peass) or follow us on Twitter 🐦 [@hacktricks\_live](https://twitter.com/hacktricks\_live).`
			`* Share your hacking tricks by submitting PRs to the [HackTricks](https://github.com/carlospolop/hacktricks) and [HackTricks Cloud](https://github.com/carlospolop/hacktricks-cloud) github repos.`

			`</details>`

			`## Basic Information`

			`### Code`

			`* Check the example from [https://github.com/shellphish/how2heap/blob/master/glibc\_2.35/house\_of\_einherjar.c](https://github.com/shellphish/how2heap/blob/master/glibc\_2.35/house\_of\_einherjar.c)`
GITBOOK-4357: No subject 2024-06-13 15:08:26 +00:00			`* Or the one from [https://guyinatuxedo.github.io/42-house\_of\_einherjar/house\_einherjar\_exp/index.html#house-of-einherjar-explanation](https://guyinatuxedo.github.io/42-house\_of\_einherjar/house\_einherjar\_exp/index.html#house-of-einherjar-explanation) (you might need to fill the tcache)`
GITBOOK-4337: No subject 2024-05-14 11:10:13 +00:00
			`### Goal`

			`* The goal is to allocate memory in almost any specific address.`

			`### Requirements`

GITBOOK-4357: No subject 2024-06-13 15:08:26 +00:00			`* Create a fake chunk when we want to allocate a chunk:`
			`* Set pointers to point to itself to bypass sanity checks`
Glibc heap review 2024-07-11 13:10:36 +00:00			* One-byte overflow with a null byte over from one chunk to another to modify the `PREV_INUSE` flag.
			* Indicate in the `prev_size` of the off-by-null abused chunk the difference between itself and the fake chunk
GITBOOK-4357: No subject 2024-06-13 15:08:26 +00:00			`* The fake chunk size must also have been set the same size to bypass sanity checks`
			`* For constructing these chunks, you will need a heap leak.`
GITBOOK-4337: No subject 2024-05-14 11:10:13 +00:00
			`### Attack`

			* `A` fake chunk is created inside a chunk controlled by the attacker pointing with `fd` and `bk` to the original chunk to bypass protections
GITBOOK-4357: No subject 2024-06-13 15:08:26 +00:00			* 2 other chunks (`B` and `C`) are allocated
GITBOOK-4340: No subject 2024-05-17 15:37:03 +00:00			* Abusing the off by one in the `B` one the `prev in use` bit is cleaned and the `prev_size` data is overwritten with the difference between the place where the `C` chunk is allocated, to the fake `A` chunk generated before
GITBOOK-4357: No subject 2024-06-13 15:08:26 +00:00			* This `prev_size` and the size in the fake chunk `A` must be the same to bypass checks.
GITBOOK-4340: No subject 2024-05-17 15:37:03 +00:00			`* Then, the tcache is filled`
GITBOOK-4337: No subject 2024-05-14 11:10:13 +00:00			* Then, `C` is freed so it consolidates with the fake chunk `A`
			* Then, a new chunk `D` is created which will be starting in the fake `A` chunk and covering `B` chunk
GITBOOK-4357: No subject 2024-06-13 15:08:26 +00:00			`* The house of Einherjar finishes here`
Glibc heap review 2024-07-11 13:10:36 +00:00			`* This can be continued with a fast bin attack or Tcache poisoning:`
			* Free `B` to add it to the fast bin / Tcache
GITBOOK-4357: No subject 2024-06-13 15:08:26 +00:00			* `B`'s `fd` is overwritten making it point to the target address abusing the `D` chunk (as it contains `B` inside)
			`* Then, 2 mallocs are done and the second one is going to be allocating the target address`
GITBOOK-4337: No subject 2024-05-14 11:10:13 +00:00
GITBOOK-4340: No subject 2024-05-17 15:37:03 +00:00			`## References and other examples`
GITBOOK-4337: No subject 2024-05-14 11:10:13 +00:00
			`* [https://github.com/shellphish/how2heap/blob/master/glibc\_2.35/house\_of\_einherjar.c](https://github.com/shellphish/how2heap/blob/master/glibc\_2.35/house\_of\_einherjar.c)`
Glibc heap review 2024-07-11 13:10:36 +00:00			`* CTF [https://ctf-wiki.mahaloz.re/pwn/linux/glibc-heap/house\_of\_einherjar/#2016-seccon-tinypad](https://ctf-wiki.mahaloz.re/pwn/linux/glibc-heap/house\_of\_einherjar/#2016-seccon-tinypad)`
GITBOOK-4340: No subject 2024-05-17 15:37:03 +00:00			`* After freeing pointers their aren't nullified, so it's still possible to access their data. Therefore a chunk is placed in the unsorted bin and leaked the pointers it contains (libc leak) and then a new heap is places on the unsorted bin and leaked a heap address from the pointer it gets.`
Glibc heap review 2024-07-11 13:10:36 +00:00			`* [baby-talk. DiceCTF 2024](https://7rocky.github.io/en/ctf/other/dicectf/baby-talk/)`
			* Null-byte overflow bug in `strtok`.
			`* Use House of Einherjar to get an overlapping chunks situation and finish with Tcache poisoning ti get an arbitrary write primitive.`
GITBOOK-4337: No subject 2024-05-14 11:10:13 +00:00
			`<details>`

			`<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>`

			`Other ways to support HackTricks:`

			`* If you want to see your company advertised in HackTricks or download HackTricks in PDF Check the [SUBSCRIPTION PLANS](https://github.com/sponsors/carlospolop)!`
			`* Get the [official PEASS & HackTricks swag](https://peass.creator-spring.com)`
			`* Discover [The PEASS Family](https://opensea.io/collection/the-peass-family), our collection of exclusive [NFTs](https://opensea.io/collection/the-peass-family)`
			`* Join the 💬 [Discord group](https://discord.gg/hRep4RUj7f) or the [telegram group](https://t.me/peass) or follow us on Twitter 🐦 [@hacktricks\_live](https://twitter.com/hacktricks\_live).`
			`* Share your hacking tricks by submitting PRs to the [HackTricks](https://github.com/carlospolop/hacktricks) and [HackTricks Cloud](https://github.com/carlospolop/hacktricks-cloud) github repos.`

			`</details>`