hacktricks/binary-exploitation/heap/house-of-einherjar.md

# Nyumba ya Einherjar

<details>

<summary><strong>Jifunze kuhusu kudukua AWS kutoka sifuri hadi shujaa na</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (Mtaalam wa Timu Nyekundu ya AWS ya HackTricks)</strong></a><strong>!</strong></summary>

Njia nyingine za kusaidia HackTricks:

* Ikiwa unataka kuona **kampuni yako ikitangazwa kwenye HackTricks** au **kupakua HackTricks kwa PDF** Angalia [**MIPANGO YA KUJIUNGA**](https://github.com/sponsors/carlospolop)!
* Pata [**bidhaa rasmi za PEASS & HackTricks**](https://peass.creator-spring.com)
* Gundua [**Familia ya PEASS**](https://opensea.io/collection/the-peass-family), mkusanyiko wetu wa kipekee wa [**NFTs**](https://opensea.io/collection/the-peass-family)
* **Jiunge na** 💬 [**Kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au kikundi cha [**telegram**](https://t.me/peass) au **tufuate** kwenye **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Shiriki mbinu zako za kudukua kwa kuwasilisha PRs kwa** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repos za github.

</details>

## Taarifa Msingi

### Kanuni

* Angalia mfano kutoka [https://github.com/shellphish/how2heap/blob/master/glibc\_2.35/house\_of\_einherjar.c](https://github.com/shellphish/how2heap/blob/master/glibc\_2.35/house\_of\_einherjar.c)
* Au ule kutoka [https://guyinatuxedo.github.io/42-house\_of\_einherjar/house\_einherjar\_exp/index.html#house-of-einherjar-explanation](https://guyinatuxedo.github.io/42-house\_of\_einherjar/house\_einherjar\_exp/index.html#house-of-einherjar-explanation) (inaweza kuhitaji kujaza tcache)

### Lengo

* Lengo ni kutenga kumbukumbu katika anwani karibu yoyote maalum.

### Mahitaji

* Unda kikundi bandia tunapotaka kutenga kikundi:
* Weka pointers kuelekeza kwa yenyewe ili kuepuka ukaguzi wa usalama
* Kosa moja kwa moja kutoka kikundi kimoja hadi kingine kurekebisha prev inatumika
* Eleza katika `prev_size` ya kikundi kilichotumiwa kwa kosa moja kwa moja tofauti kati yake na kikundi bandia
* Ukubwa wa kikundi bandia lazima pia uwe umewekwa ukubwa sawa kuepuka ukaguzi wa usalama
* Kwa kujenga vikundi hivi, utahitaji uvujaji wa kumbukumbu ya kitalu.

### Shambulio

* Kikundi bandia `A` kinatengenezwa ndani ya kikundi kinachodhibitiwa na mshambuliaji kwa kuelekeza na `fd` na `bk` kwenye kikundi cha asili kuepuka ulinzi
* Vikundi vingine 2 (`B` na `C`) vinatengwa
* Kwa kutumia kosa moja kwa moja katika `B` moja, biti ya `prev inatumika` inasafishwa na data ya `prev_size` inaandikwa upya na tofauti kati ya mahali ambapo kikundi cha `C` kinatengwa, hadi kikundi bandia cha `A` kilichozalishwa awali
* `prev_size` hii na ukubwa katika kikundi bandia `A` lazima ziwe sawa kuepuka ukaguzi.
* Kisha, tcache inajazwa
* Kisha, `C` inaachiliwa ili iungane na kikundi bandia `A`
* Kisha, kikundi kipya `D` kinatengenezwa ambacho kitakuwa kuanzia kwenye kikundi cha bandia cha `A` na kufunika kikundi cha `B`
* Nyumba ya Einherjar inamalizika hapa
* Hii inaweza kuendelea na shambulio la benki ya haraka:
* Fungua `B` kuiongeza kwenye benki ya haraka
* `fd` ya `B` inaandikwa upya ikifanya ielekee kwenye anwani ya lengo ikidukua kikundi cha `D` (kwani ina `B` ndani)&#x20;
* Kisha, malloc 2 zinafanywa na ya pili itakuwa **kutenga anwani ya lengo**

## Marejeo na mifano mingine

* [https://github.com/shellphish/how2heap/blob/master/glibc\_2.35/house\_of\_einherjar.c](https://github.com/shellphish/how2heap/blob/master/glibc\_2.35/house\_of\_einherjar.c)
* [https://ctf-wiki.mahaloz.re/pwn/linux/glibc-heap/house\_of\_einherjar/#2016-seccon-tinypad](https://ctf-wiki.mahaloz.re/pwn/linux/glibc-heap/house\_of\_einherjar/#2016-seccon-tinypad)
* Baada ya kuachilia pointi, hazifutwi, kwa hivyo bado inawezekana kufikia data zao. Kwa hivyo kitalu kimoja kimewekwa kwenye benki isiyosortiwa na kuvuja pointi inayojumuisha (uvujaji wa libc) na kisha kitalu kipya cha kumbukumbu kinawekwa kwenye benki isiyosortiwa na kuvuja anwani ya kitalu kutoka kwa pointi inayopata.
*

<details>

<summary><strong>Jifunze kuhusu kudukua AWS kutoka sifuri hadi shujaa na</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (Mtaalam wa Timu Nyekundu ya AWS ya HackTricks)</strong></a><strong>!</strong></summary>

Njia nyingine za kusaidia HackTricks:

* Ikiwa unataka kuona **kampuni yako ikitangazwa kwenye HackTricks** au **kupakua HackTricks kwa PDF** Angalia [**MIPANGO YA KUJIUNGA**](https://github.com/sponsors/carlospolop)!
* Pata [**bidhaa rasmi za PEASS & HackTricks**](https://peass.creator-spring.com)
* Gundua [**Familia ya PEASS**](https://opensea.io/collection/the-peass-family), mkusanyiko wetu wa kipekee wa [**NFTs**](https://opensea.io/collection/the-peass-family)
* **Jiunge na** 💬 [**Kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au kikundi cha [**telegram**](https://t.me/peass) au **tufuate** kwenye **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Shiriki mbinu zako za kudukua kwa kuwasilisha PRs kwa** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repos za github.

</details>
Translated ['binary-exploitation/heap/heap-functions-security-checks.md' 2024-05-14 11:15:08 +00:00			`# Nyumba ya Einherjar`

			`<details>`

			`<summary><strong>Jifunze kuhusu kudukua AWS kutoka sifuri hadi shujaa na</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (Mtaalam wa Timu Nyekundu ya AWS ya HackTricks)</strong></a><strong>!</strong></summary>`

			`Njia nyingine za kusaidia HackTricks:`

			`* Ikiwa unataka kuona kampuni yako ikitangazwa kwenye HackTricks au kupakua HackTricks kwa PDF Angalia [MIPANGO YA KUJIUNGA](https://github.com/sponsors/carlospolop)!`
			`* Pata [bidhaa rasmi za PEASS & HackTricks](https://peass.creator-spring.com)`
			`* Gundua [Familia ya PEASS](https://opensea.io/collection/the-peass-family), mkusanyiko wetu wa kipekee wa [NFTs](https://opensea.io/collection/the-peass-family)`
			`* Jiunge na 💬 [Kikundi cha Discord](https://discord.gg/hRep4RUj7f) au kikundi cha [telegram](https://t.me/peass) au tufuate kwenye Twitter 🐦 [@hacktricks\_live](https://twitter.com/hacktricks\_live).`
			`* Shiriki mbinu zako za kudukua kwa kuwasilisha PRs kwa [HackTricks](https://github.com/carlospolop/hacktricks) na [HackTricks Cloud](https://github.com/carlospolop/hacktricks-cloud) repos za github.`

			`</details>`

			`## Taarifa Msingi`

			`### Kanuni`

			`* Angalia mfano kutoka [https://github.com/shellphish/how2heap/blob/master/glibc\_2.35/house\_of\_einherjar.c](https://github.com/shellphish/how2heap/blob/master/glibc\_2.35/house\_of\_einherjar.c)`
Translated ['binary-exploitation/heap/house-of-einherjar.md', 'binary-ex 2024-06-13 15:11:52 +00:00			`* Au ule kutoka [https://guyinatuxedo.github.io/42-house\_of\_einherjar/house\_einherjar\_exp/index.html#house-of-einherjar-explanation](https://guyinatuxedo.github.io/42-house\_of\_einherjar/house\_einherjar\_exp/index.html#house-of-einherjar-explanation) (inaweza kuhitaji kujaza tcache)`
Translated ['binary-exploitation/heap/heap-functions-security-checks.md' 2024-05-14 11:15:08 +00:00
			`### Lengo`

Translated ['binary-exploitation/heap/house-of-einherjar.md', 'binary-ex 2024-06-13 15:11:52 +00:00			`* Lengo ni kutenga kumbukumbu katika anwani karibu yoyote maalum.`
Translated ['binary-exploitation/heap/heap-functions-security-checks.md' 2024-05-14 11:15:08 +00:00
			`### Mahitaji`

Translated ['binary-exploitation/heap/house-of-einherjar.md', 'binary-ex 2024-06-13 15:11:52 +00:00			`* Unda kikundi bandia tunapotaka kutenga kikundi:`
			`* Weka pointers kuelekeza kwa yenyewe ili kuepuka ukaguzi wa usalama`
			`* Kosa moja kwa moja kutoka kikundi kimoja hadi kingine kurekebisha prev inatumika`
			* Eleza katika `prev_size` ya kikundi kilichotumiwa kwa kosa moja kwa moja tofauti kati yake na kikundi bandia
			`* Ukubwa wa kikundi bandia lazima pia uwe umewekwa ukubwa sawa kuepuka ukaguzi wa usalama`
			`* Kwa kujenga vikundi hivi, utahitaji uvujaji wa kumbukumbu ya kitalu.`
Translated ['binary-exploitation/heap/heap-functions-security-checks.md' 2024-05-14 11:15:08 +00:00
			`### Shambulio`

Translated ['binary-exploitation/heap/house-of-einherjar.md', 'binary-ex 2024-06-13 15:11:52 +00:00			* Kikundi bandia `A` kinatengenezwa ndani ya kikundi kinachodhibitiwa na mshambuliaji kwa kuelekeza na `fd` na `bk` kwenye kikundi cha asili kuepuka ulinzi
			* Vikundi vingine 2 (`B` na `C`) vinatengwa
			* Kwa kutumia kosa moja kwa moja katika `B` moja, biti ya `prev inatumika` inasafishwa na data ya `prev_size` inaandikwa upya na tofauti kati ya mahali ambapo kikundi cha `C` kinatengwa, hadi kikundi bandia cha `A` kilichozalishwa awali
			* `prev_size` hii na ukubwa katika kikundi bandia `A` lazima ziwe sawa kuepuka ukaguzi.
			`* Kisha, tcache inajazwa`
			* Kisha, `C` inaachiliwa ili iungane na kikundi bandia `A`
			* Kisha, kikundi kipya `D` kinatengenezwa ambacho kitakuwa kuanzia kwenye kikundi cha bandia cha `A` na kufunika kikundi cha `B`
			`* Nyumba ya Einherjar inamalizika hapa`
			`* Hii inaweza kuendelea na shambulio la benki ya haraka:`
			* Fungua `B` kuiongeza kwenye benki ya haraka
			* `fd` ya `B` inaandikwa upya ikifanya ielekee kwenye anwani ya lengo ikidukua kikundi cha `D` (kwani ina `B` ndani)
			`* Kisha, malloc 2 zinafanywa na ya pili itakuwa kutenga anwani ya lengo`

			`## Marejeo na mifano mingine`
Translated ['binary-exploitation/heap/heap-functions-security-checks.md' 2024-05-14 11:15:08 +00:00
			`* [https://github.com/shellphish/how2heap/blob/master/glibc\_2.35/house\_of\_einherjar.c](https://github.com/shellphish/how2heap/blob/master/glibc\_2.35/house\_of\_einherjar.c)`
Translated ['binary-exploitation/heap/house-of-einherjar.md', 'binary-ex 2024-06-13 15:11:52 +00:00			`* [https://ctf-wiki.mahaloz.re/pwn/linux/glibc-heap/house\_of\_einherjar/#2016-seccon-tinypad](https://ctf-wiki.mahaloz.re/pwn/linux/glibc-heap/house\_of\_einherjar/#2016-seccon-tinypad)`
			`* Baada ya kuachilia pointi, hazifutwi, kwa hivyo bado inawezekana kufikia data zao. Kwa hivyo kitalu kimoja kimewekwa kwenye benki isiyosortiwa na kuvuja pointi inayojumuisha (uvujaji wa libc) na kisha kitalu kipya cha kumbukumbu kinawekwa kwenye benki isiyosortiwa na kuvuja anwani ya kitalu kutoka kwa pointi inayopata.`
			`*`
Translated ['binary-exploitation/heap/heap-functions-security-checks.md' 2024-05-14 11:15:08 +00:00
			`<details>`

			`<summary><strong>Jifunze kuhusu kudukua AWS kutoka sifuri hadi shujaa na</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (Mtaalam wa Timu Nyekundu ya AWS ya HackTricks)</strong></a><strong>!</strong></summary>`

			`Njia nyingine za kusaidia HackTricks:`

			`* Ikiwa unataka kuona kampuni yako ikitangazwa kwenye HackTricks au kupakua HackTricks kwa PDF Angalia [MIPANGO YA KUJIUNGA](https://github.com/sponsors/carlospolop)!`
			`* Pata [bidhaa rasmi za PEASS & HackTricks](https://peass.creator-spring.com)`
			`* Gundua [Familia ya PEASS](https://opensea.io/collection/the-peass-family), mkusanyiko wetu wa kipekee wa [NFTs](https://opensea.io/collection/the-peass-family)`
			`* Jiunge na 💬 [Kikundi cha Discord](https://discord.gg/hRep4RUj7f) au kikundi cha [telegram](https://t.me/peass) au tufuate kwenye Twitter 🐦 [@hacktricks\_live](https://twitter.com/hacktricks\_live).`
			`* Shiriki mbinu zako za kudukua kwa kuwasilisha PRs kwa [HackTricks](https://github.com/carlospolop/hacktricks) na [HackTricks Cloud](https://github.com/carlospolop/hacktricks-cloud) repos za github.`

			`</details>`