GITBOOK-4358: No subject

binary-exploitation/arbitrary-write-2-exec/aw2exec-__malloc_hook.md

@@ -38,6 +38,29 @@ This was abused in one of the example from the page abusing a fast bin attack af
 [unsorted-bin-attack.md](../heap/unsorted-bin-attack.md)
 {% endcontent-ref %}
 
+A nice trick (from [**here**](https://guyinatuxedo.github.io/41-house\_of\_force/bkp16\_cookbook/index.html)) to find the location of the free hook if the binary has symbols is to **do something like**:
+
+```
+gef➤  set __free_hook = 0xfacade
+gef➤  search-pattern 0xfacade
+```
+
+In the same post you can find a step by step guide on how to locate the address of the free hook without symbols. As summary, in the free function:
+
+<pre class="language-armasm"><code class="lang-armasm">gef➤  x/20i free
+0xf75dedc0 &#x3C;free>: push   ebx
+0xf75dedc1 &#x3C;free+1>: call   0xf768f625
+0xf75dedc6 &#x3C;free+6>: add    ebx,0x14323a
+0xf75dedcc &#x3C;free+12>:  sub    esp,0x8
+0xf75dedcf &#x3C;free+15>:  mov    eax,DWORD PTR [ebx-0x98]
+0xf75dedd5 &#x3C;free+21>:  mov    ecx,DWORD PTR [esp+0x10]
+0xf75dedd9 &#x3C;free+25>:  mov    eax,DWORD PTR [eax]
+<strong>0xf75deddb &#x3C;free+27>:  test   eax,eax ;&#x3C;--- BREAK HERE
+</strong>0xf75deddd &#x3C;free+29>:  jne    0xf75dee50 &#x3C;free+144>
+</code></pre>
+
+In the mentioned break in the previous code in `$eax` will be located the address of the free hook.
+
 Now a **fast bin attack** is performed:
 
 * First of all it's discovered that it's possible to work with fast **chunks of size 200** in the **`__free_hook`** location:

binary-exploitation/heap/house-of-force.md

@@ -21,6 +21,7 @@ Other ways to support HackTricks:
 ### Code
 
 * This technique was patched ([**here**](https://sourceware.org/git/?p=glibc.git;a=commitdiff;h=30a17d8c95fbfb15c52d1115803b63aaa73a285c)) and produces this error: `malloc(): corrupted top size`
+  * You can try the [**code from here**](https://guyinatuxedo.github.io/41-house\_of\_force/house\_force\_exp/index.html) to test it if you want.
 
 ### Goal
 
@@ -33,7 +34,7 @@ Other ways to support HackTricks:
 
 ### Attack
 
-If an attacker wants to allocate a chunk in the address P to overwrite a value here, he can start by overwriting the top chunk size with `-1`. This ensures that malloc won't be using mmap for any allocation as the Top chunk will always have enough space.
+If an attacker wants to allocate a chunk in the address P to overwrite a value here. He starts by overwriting the top chunk size with `-1` (maybe with an overflow). This ensures that malloc won't be using mmap for any allocation as the Top chunk will always have enough space.
 
 Then, calculate the distance between the address of the top chunk and the target space to allocate. This is because a malloc with that size will be performed in order to move the top chunk to that position. This is how the difference/size can be easily calculated:
 
@@ -59,6 +60,7 @@ Then, do another malloc to get a chunk containing the at the beginning of the da
 * [https://ctf-wiki.mahaloz.re/pwn/linux/glibc-heap/house\_of\_force/](https://ctf-wiki.mahaloz.re/pwn/linux/glibc-heap/house\_of\_force/)
 * [https://heap-exploitation.dhavalkapil.com/attacks/house\_of\_force](https://heap-exploitation.dhavalkapil.com/attacks/house\_of\_force)
 * [https://github.com/shellphish/how2heap/blob/master/glibc\_2.27/house\_of\_force.c](https://github.com/shellphish/how2heap/blob/master/glibc\_2.27/house\_of\_force.c)
+* [https://guyinatuxedo.github.io/41-house\_of\_force/house\_force\_exp/index.html](https://guyinatuxedo.github.io/41-house\_of\_force/house\_force\_exp/index.html)
 * [https://ctf-wiki.mahaloz.re/pwn/linux/glibc-heap/house\_of\_force/#hitcon-training-lab-11](https://ctf-wiki.mahaloz.re/pwn/linux/glibc-heap/house\_of\_force/#hitcon-training-lab-11)
   * The goal of this scenario is a ret2win where we need to modify the address of a function that is going to be called by the address of the ret2win function
   * The binary has an overflow that can be abused to modify the top chunk size, which is modified to -1 or p64(0xffffffffffffffff)
@@ -69,6 +71,9 @@ Then, do another malloc to get a chunk containing the at the beginning of the da
   * Then in the `Org:` and `Host:` functionality its possible to fill the 64B of the `s` pointer when asked for the **org name**, which in the stack is followed by the address of v2, which is then followed by the indicated **host name**. As then, strcpy is going to be copying the contents of s to a chunk of size 64B, it's possible to **overwrite the size of the top chunk** with the data put inside the **host name**.
   * Now that arbitrary write it possible, the `atoi`'s GOT was overwritten to the address of printf. the it as possible to leak the address of `IO_2_1_stderr` _with_ `%24$p`. And with this libc leak it was possible to overwrite `atoi`'s GOT again with the address to `system` and call it passing as param `/bin/sh`
     * An alternative method [proposed in this other writeup](https://ctf-wiki.mahaloz.re/pwn/linux/glibc-heap/house\_of\_force/#2016-bctf-bcloud), is to overwrite `free` with `puts`, and then add the address of `atoi@got`,  in the pointer that will be later freed so it's leaked and with this leak overwrite again `atoi@got` with `system` and call it with `/bin/sh`.
+* [https://guyinatuxedo.github.io/41-house\_of\_force/bkp16\_cookbook/index.html](https://guyinatuxedo.github.io/41-house\_of\_force/bkp16\_cookbook/index.html)
+  * There is a UAF allowing to reuse a chunk that was freed without clearing the pointer. Because there are some read methods, it's possible to leak a libc address writing a pointer to the free function in the GOT here and then calling the read function.
+  * Then, House of force was used (abusing the UAF) to overwrite the size of the left space with a -1, allocate a chunk big enough to get tot he free hook, and then allocate another chunk which will contain the free hook. Then, write in the hook the address of `system`, write in a chunk `"/bin/sh"` and finally free the chunk with that string content.
 
 <details>