mirror of
https://github.com/carlospolop/hacktricks
synced 2024-11-21 20:23:18 +00:00
4.6 KiB
4.6 KiB
House of Lore | Small bin Attack
{% hint style="success" %}
Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Support HackTricks
- Check the subscription plans!
- Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
- Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.
Basic Information
Code
- Check the one from https://ctf-wiki.mahaloz.re/pwn/linux/glibc-heap/house_of_lore/
- This isn't working
- Or: https://github.com/shellphish/how2heap/blob/master/glibc_2.39/house_of_lore.c
- This isn't working even if it tries to bypass some checks getting the error:
malloc(): unaligned tcache chunk detected
- This isn't working even if it tries to bypass some checks getting the error:
- This example is still working: https://guyinatuxedo.github.io/40-house_of_lore/house_lore_exp/index.html
Goal
- Insert a fake small chunk in the small bin so then it's possible to allocate it.
Note that the small chunk added is the fake one the attacker creates and not a fake one in an arbitrary position.
Requirements
- Create 2 fake chunks and link them together and with the legit chunk in the small bin:
fake0.bk
->fake1
fake1.fd
->fake0
fake0.fd
->legit
(you need to modify a pointer in the freed small bin chunk via some other vuln)legit.bk
->fake0
Then you will be able to allocate fake0
.
Attack
- A small chunk (
legit
) is allocated, then another one is allocated to prevent consolidating with top chunk. Then,legit
is freed (moving it to the unsorted bin list) and the a larger chunk is allocated, movinglegit
it to the small bin. - An attacker generates a couple of fake small chunks, and makes the needed linking to bypass sanity checks:
fake0.bk
->fake1
fake1.fd
->fake0
fake0.fd
->legit
(you need to modify a pointer in the freed small bin chunk via some other vuln)legit.bk
->fake0
- A small chunk is allocated to get legit, making
fake0
into the top list of small bins - Another small chunk is allocated, getting
fake0
as a chunk, allowing potentially to read/write pointers inside of it.
References
- https://ctf-wiki.mahaloz.re/pwn/linux/glibc-heap/house_of_lore/
- https://heap-exploitation.dhavalkapil.com/attacks/house_of_lore
- https://guyinatuxedo.github.io/40-house_of_lore/house_lore_exp/index.html
{% hint style="success" %}
Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Support HackTricks
- Check the subscription plans!
- Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
- Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.