mirror of
https://github.com/carlospolop/hacktricks
synced 2024-12-20 01:55:46 +00:00
5.3 KiB
5.3 KiB
House of Einherjar
{% hint style="success" %}
Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Support HackTricks
- Check the subscription plans!
- Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
- Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.
Basic Information
Code
- Check the example from https://github.com/shellphish/how2heap/blob/master/glibc_2.35/house_of_einherjar.c
- Or the one from https://guyinatuxedo.github.io/42-house_of_einherjar/house_einherjar_exp/index.html#house-of-einherjar-explanation (you might need to fill the tcache)
Goal
- The goal is to allocate memory in almost any specific address.
Requirements
- Create a fake chunk when we want to allocate a chunk:
- Set pointers to point to itself to bypass sanity checks
- One-byte overflow with a null byte from one chunk to the next one to modify the
PREV_INUSE
flag. - Indicate in the
prev_size
of the off-by-null abused chunk the difference between itself and the fake chunk- The fake chunk size must also have been set the same size to bypass sanity checks
- For constructing these chunks, you will need a heap leak.
Attack
A
fake chunk is created inside a chunk controlled by the attacker pointing withfd
andbk
to the original chunk to bypass protections- 2 other chunks (
B
andC
) are allocated - Abusing the off by one in the
B
one theprev in use
bit is cleaned and theprev_size
data is overwritten with the difference between the place where theC
chunk is allocated, to the fakeA
chunk generated before- This
prev_size
and the size in the fake chunkA
must be the same to bypass checks.
- This
- Then, the tcache is filled
- Then,
C
is freed so it consolidates with the fake chunkA
- Then, a new chunk
D
is created which will be starting in the fakeA
chunk and coveringB
chunk- The house of Einherjar finishes here
- This can be continued with a fast bin attack or Tcache poisoning:
- Free
B
to add it to the fast bin / Tcache B
'sfd
is overwritten making it point to the target address abusing theD
chunk (as it containsB
inside)- Then, 2 mallocs are done and the second one is going to be allocating the target address
- Free
References and other examples
- https://github.com/shellphish/how2heap/blob/master/glibc_2.35/house_of_einherjar.c
- CTF https://ctf-wiki.mahaloz.re/pwn/linux/glibc-heap/house_of_einherjar/#2016-seccon-tinypad
- After freeing pointers their aren't nullified, so it's still possible to access their data. Therefore a chunk is placed in the unsorted bin and leaked the pointers it contains (libc leak) and then a new heap is places on the unsorted bin and leaked a heap address from the pointer it gets.
- baby-talk. DiceCTF 2024
- Null-byte overflow bug in
strtok
. - Use House of Einherjar to get an overlapping chunks situation and finish with Tcache poisoning ti get an arbitrary write primitive.
- Null-byte overflow bug in
{% hint style="success" %}
Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Support HackTricks
- Check the subscription plans!
- Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
- Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.