hacktricks/binary-exploitation/heap/house-of-einherjar.md

# House of Einherjar

<details>

<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>

Other ways to support HackTricks:

* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.

</details>

## Basic Information

### Code

* Check the example from [https://github.com/shellphish/how2heap/blob/master/glibc\_2.35/house\_of\_einherjar.c](https://github.com/shellphish/how2heap/blob/master/glibc\_2.35/house\_of\_einherjar.c)

### Goal

* The goal is to allocate memory in almost any specific address.

### Requirements

* Off by one over the header of the next chunk to modify the prev in use
* Be able to modify the `prev_size` data, which is part of the current chunk (at the end)
* Heap leak

### Attack

* `A` fake chunk is created inside a chunk controlled by the attacker pointing with `fd` and `bk` to the original chunk to bypass protections
* 2 other chunks (`B` and `C`) are created
* Abusing the off by one in the `B` one the `prev in use` bit is cleaned and the `prev_size` data is overwritten with the difference between the place where the `C` chunk is allocated, to the fake `A` chunk generated before
  * This `prev_size` and the size of the fake chunk `A` must be the same to bypass checks.
* Then, the tcache is filled
* Then, `C` is freed so it consolidates with the fake chunk `A`
* Then, a new chunk `D` is created which will be starting in the fake `A` chunk and covering `B` chunk
* Then, `B`'s `fd` is overwritten making it point to the target address abusing the `D` chunk (as it contains `B` inside) and `B` is freed to add the target to the fast bin
  * This is the common fast bin attack
* Then, 2 mallocs are done and the second one id going to be allocating the target address

## References and other examples

* [https://github.com/shellphish/how2heap/blob/master/glibc\_2.35/house\_of\_einherjar.c](https://github.com/shellphish/how2heap/blob/master/glibc\_2.35/house\_of\_einherjar.c)
* [https://ctf-wiki.mahaloz.re/pwn/linux/glibc-heap/house\_of\_einherjar/#2016-seccon-tinypad](https://ctf-wiki.mahaloz.re/pwn/linux/glibc-heap/house\_of\_einherjar/#2016-seccon-tinypad)
  * After freeing pointers their aren't nullified, so it's still possible to access their data. Therefore a chunk is placed in the unsorted bin and leaked the pointers it contains (libc leak) and then a new heap is places on the unsorted bin and leaked a heap address from the pointer it gets.
  *

<details>

<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>

Other ways to support HackTricks:

* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.

</details>
GITBOOK-4337: No subject 2024-05-14 11:10:13 +00:00			`# House of Einherjar`

			`<details>`

			`<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>`

			`Other ways to support HackTricks:`

			`* If you want to see your company advertised in HackTricks or download HackTricks in PDF Check the [SUBSCRIPTION PLANS](https://github.com/sponsors/carlospolop)!`
			`* Get the [official PEASS & HackTricks swag](https://peass.creator-spring.com)`
			`* Discover [The PEASS Family](https://opensea.io/collection/the-peass-family), our collection of exclusive [NFTs](https://opensea.io/collection/the-peass-family)`
			`* Join the 💬 [Discord group](https://discord.gg/hRep4RUj7f) or the [telegram group](https://t.me/peass) or follow us on Twitter 🐦 [@hacktricks\_live](https://twitter.com/hacktricks\_live).`
			`* Share your hacking tricks by submitting PRs to the [HackTricks](https://github.com/carlospolop/hacktricks) and [HackTricks Cloud](https://github.com/carlospolop/hacktricks-cloud) github repos.`

			`</details>`

			`## Basic Information`

			`### Code`

			`* Check the example from [https://github.com/shellphish/how2heap/blob/master/glibc\_2.35/house\_of\_einherjar.c](https://github.com/shellphish/how2heap/blob/master/glibc\_2.35/house\_of\_einherjar.c)`

			`### Goal`

			`* The goal is to allocate memory in almost any specific address.`

			`### Requirements`

			`* Off by one over the header of the next chunk to modify the prev in use`
			* Be able to modify the `prev_size` data, which is part of the current chunk (at the end)
			`* Heap leak`

			`### Attack`

			* `A` fake chunk is created inside a chunk controlled by the attacker pointing with `fd` and `bk` to the original chunk to bypass protections
GITBOOK-4340: No subject 2024-05-17 15:37:03 +00:00			* 2 other chunks (`B` and `C`) are created
			* Abusing the off by one in the `B` one the `prev in use` bit is cleaned and the `prev_size` data is overwritten with the difference between the place where the `C` chunk is allocated, to the fake `A` chunk generated before
GITBOOK-4337: No subject 2024-05-14 11:10:13 +00:00			* This `prev_size` and the size of the fake chunk `A` must be the same to bypass checks.
GITBOOK-4340: No subject 2024-05-17 15:37:03 +00:00			`* Then, the tcache is filled`
GITBOOK-4337: No subject 2024-05-14 11:10:13 +00:00			* Then, `C` is freed so it consolidates with the fake chunk `A`
			* Then, a new chunk `D` is created which will be starting in the fake `A` chunk and covering `B` chunk
GITBOOK-4340: No subject 2024-05-17 15:37:03 +00:00			* Then, `B`'s `fd` is overwritten making it point to the target address abusing the `D` chunk (as it contains `B` inside) and `B` is freed to add the target to the fast bin
			`* This is the common fast bin attack`
			`* Then, 2 mallocs are done and the second one id going to be allocating the target address`
GITBOOK-4337: No subject 2024-05-14 11:10:13 +00:00
GITBOOK-4340: No subject 2024-05-17 15:37:03 +00:00			`## References and other examples`
GITBOOK-4337: No subject 2024-05-14 11:10:13 +00:00
			`* [https://github.com/shellphish/how2heap/blob/master/glibc\_2.35/house\_of\_einherjar.c](https://github.com/shellphish/how2heap/blob/master/glibc\_2.35/house\_of\_einherjar.c)`
GITBOOK-4340: No subject 2024-05-17 15:37:03 +00:00			`* [https://ctf-wiki.mahaloz.re/pwn/linux/glibc-heap/house\_of\_einherjar/#2016-seccon-tinypad](https://ctf-wiki.mahaloz.re/pwn/linux/glibc-heap/house\_of\_einherjar/#2016-seccon-tinypad)`
			`* After freeing pointers their aren't nullified, so it's still possible to access their data. Therefore a chunk is placed in the unsorted bin and leaked the pointers it contains (libc leak) and then a new heap is places on the unsorted bin and leaked a heap address from the pointer it gets.`
			`*`
GITBOOK-4337: No subject 2024-05-14 11:10:13 +00:00
			`<details>`

			`<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>`

			`Other ways to support HackTricks:`

			`* If you want to see your company advertised in HackTricks or download HackTricks in PDF Check the [SUBSCRIPTION PLANS](https://github.com/sponsors/carlospolop)!`
			`* Get the [official PEASS & HackTricks swag](https://peass.creator-spring.com)`
			`* Discover [The PEASS Family](https://opensea.io/collection/the-peass-family), our collection of exclusive [NFTs](https://opensea.io/collection/the-peass-family)`
			`* Join the 💬 [Discord group](https://discord.gg/hRep4RUj7f) or the [telegram group](https://t.me/peass) or follow us on Twitter 🐦 [@hacktricks\_live](https://twitter.com/hacktricks\_live).`
			`* Share your hacking tricks by submitting PRs to the [HackTricks](https://github.com/carlospolop/hacktricks) and [HackTricks Cloud](https://github.com/carlospolop/hacktricks-cloud) github repos.`

			`</details>`