# House of Lore
<details>
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
Other ways to support HackTricks:
* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
</details>
## Basic Information
### Code
* Check the one from [https://ctf-wiki.mahaloz.re/pwn/linux/glibc-heap/house\_of\_lore/](https://ctf-wiki.mahaloz.re/pwn/linux/glibc-heap/house\_of\_lore/)
* This isn't working
* Or: [https://github.com/shellphish/how2heap/blob/master/glibc\_2.39/house\_of\_lore.c](https://github.com/shellphish/how2heap/blob/master/glibc\_2.39/house\_of\_lore.c)
* This isn't working either, even when trying to bypass the checks: it fails with the error `malloc(): unaligned tcache chunk detected`, which might mean that the fake free list needs to be aligned
* This could be bypassed by aligning that list properly or by fixing the second fake chunk to point to the arena (which needs a leak). However, this attack seems to have too many requirements and few benefits.
### Goal
* Insert a fake small chunk into the small bin so that it can later be allocated.
### Requirements
* Create fake chunks
* Know the address of the victim chunk and the fake chunks
* Be able to modify the `bk` and `fd` pointers
### Attack
* A victim small chunk is allocated
* An attacker generates a couple of fake small chunks, makes the first fake chunk's `fd` point to a real chunk and its `bk` point to the second fake chunk, and also makes the second fake chunk's `fd` point to the first one.
* The `bk` of the second fake chunk should also point to a fake freelist, to prevent a crash when glibc moves the remaining small bin chunks into the tcache.
* Then, a new large chunk is allocated to prevent the first one from being consolidated into the top chunk when it is freed.
* Then, the initial pointer is freed and a second chunk of a bigger size is allocated, so the freed initial small chunk is placed in the small bin.
* Vulnerability: the freed real small chunk is modified so that its `bk` pointer points to the first fake chunk.
* Then, when two chunks of this size are allocated, the first allocation returns the valid chunk and the second returns the fake chunk controlled by the attacker.
* In the how2heap example the fake chunks are on the stack, so malloc would return a chunk from the stack, where it might be possible to write a ROP chain or something similar.
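To make the list-consistency requirement above concrete, here is an added C model (written for this page; it is neither glibc's allocator code nor the how2heap PoC) that walks a small-bin-style doubly linked list the way malloc takes chunks from it. It applies the two checks that matter for this technique, the `bk->fd == victim` link check that forces the first fake chunk's `fd` to point back at the real chunk, and the 16-byte alignment check that produces the `unaligned tcache chunk` abort mentioned in the Code section, plus an extra heap-range check that glibc does not perform but that a hardened allocator or a heap-inspection tool could use to flag chunks living on the stack. `struct chunk`, `check_smallbin`, `scenario` and the static arrays standing in for the heap and the stack are all constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Minimal model of a glibc-style free chunk header: the four words a bin walk looks at.
 * Teaching model constructed for this example, not glibc's malloc_chunk. */
struct chunk {
    size_t prev_size;
    size_t size;
    struct chunk *fd;
    struct chunk *bk;
};

#define MALLOC_ALIGN 16   /* glibc's chunk alignment on x86-64 */

enum bin_status {
    BIN_OK = 0,
    BIN_BROKEN_LINK,   /* bk->fd != victim: glibc's "smallbin double linked list corrupted" */
    BIN_UNALIGNED,     /* chunk not 16-byte aligned: glibc's "unaligned tcache chunk detected" */
    BIN_OUTSIDE_HEAP   /* chunk outside the heap range: extra check, not performed by glibc */
};

static int aligned_ok(const struct chunk *c)
{
    return ((uintptr_t)c % MALLOC_ALIGN) == 0;
}

static int in_heap(const struct chunk *c, uintptr_t lo, uintptr_t hi)
{
    return (uintptr_t)c >= lo && (uintptr_t)c < hi;
}

/* Walk the bin backwards from its head (the direction malloc takes chunks from).
 * max_steps bounds the walk the way the tcache stash loop is bounded, so a cyclic fake
 * list cannot spin forever. Every pointer is alignment-checked before it is dereferenced. */
enum bin_status check_smallbin(struct chunk *head, uintptr_t heap_lo, uintptr_t heap_hi, int max_steps)
{
    struct chunk *victim = head->bk;
    for (int i = 0; i < max_steps && victim != head; i++) {
        if (!aligned_ok(victim))
            return BIN_UNALIGNED;
        if (!in_heap(victim, heap_lo, heap_hi))
            return BIN_OUTSIDE_HEAP;
        struct chunk *bck = victim->bk;
        if (!aligned_ok(bck))
            return BIN_UNALIGNED;
        if (bck->fd != victim)   /* the check that forces fake->fd to point back at the real chunk */
            return BIN_BROKEN_LINK;
        victim = bck;
    }
    return BIN_OK;
}

/* Constructed sample memory: a static array stands in for the heap (bin head + one free chunk);
 * separate static objects stand in for the attacker's "stack" fake chunks and fake freelist. */
static _Alignas(16) struct chunk heap[4];
static _Alignas(16) struct chunk fake_a, fake_b, fake_list;
static _Alignas(16) unsigned char scratch[64];

/* Builds one of four list states and reports what the walk finds. */
enum bin_status scenario(int which)
{
    struct chunk *head = &heap[0];
    struct chunk *real = &heap[1];
    uintptr_t lo = (uintptr_t)heap, hi = (uintptr_t)(heap + 4);

    /* 0: intact bin, head <-> real */
    real->size = 0x100 | 1;
    head->fd = head->bk = real;
    real->fd = real->bk = head;
    if (which == 0)
        return check_smallbin(head, lo, hi, 7);

    /* Layout described on this page: real->bk -> fake_a, fake_a.fd -> real,
     * fake_a.bk -> fake_b, fake_b.fd -> fake_a, fake_b.bk -> fake freelist. */
    fake_a.fd = real;       fake_a.bk = &fake_b;
    fake_b.fd = &fake_a;    fake_b.bk = &fake_list;
    fake_list.fd = &fake_b; fake_list.bk = &fake_list;
    real->bk = &fake_a;

    switch (which) {
    case 1:  /* links consistent: glibc's own check passes, only the range check notices */
        break;
    case 2:  /* fake_a.fd not pointing back: glibc aborts on the double-linked-list check */
        fake_a.fd = NULL;
        break;
    case 3:  /* fake chunk at an address that is not 16-byte aligned */
        real->bk = (struct chunk *)((uintptr_t)scratch + 8);
        break;
    }
    return check_smallbin(head, lo, hi, 7);
}

int main(void)
{
    static const char *names[] = { "ok", "broken link", "unaligned", "outside heap" };
    for (int i = 0; i < 4; i++)
        printf("scenario %d: %s\n", i, names[scenario(i)]);
    return 0;
}
```

Scenario 1 is the interesting one from a defender's point of view: a fake list whose `fd`/`bk` links are consistent passes the check glibc actually performs, and only a check on where the chunk lives (here, a heap address range; in a real allocator this could be an arena or mmap range lookup) tells the fake chunk apart from a genuine free chunk. The model says nothing about whether a particular glibc build aborts; it only shows which of the page's requirements each check enforces.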
## References
* [https://ctf-wiki.mahaloz.re/pwn/linux/glibc-heap/house\_of\_lore/](https://ctf-wiki.mahaloz.re/pwn/linux/glibc-heap/house\_of\_lore/)
* [https://heap-exploitation.dhavalkapil.com/attacks/house\_of\_lore](https://heap-exploitation.dhavalkapil.com/attacks/house\_of\_lore)