mirror of
https://github.com/carlospolop/hacktricks
synced 2024-11-26 06:30:37 +00:00
House of Lore
Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!
Other ways to support HackTricks:
- If you want to see your company advertised in HackTricks or download HackTricks in PDF Check the SUBSCRIPTION PLANS!
- Get the official PEASS & HackTricks swag
- Discover The PEASS Family, our collection of exclusive NFTs
- Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
- Share your hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.
Basic Information
Code
- Check the one from https://ctf-wiki.mahaloz.re/pwn/linux/glibc-heap/house_of_lore/
- This isn't working
- Or: https://github.com/shellphish/how2heap/blob/master/glibc_2.39/house_of_lore.c
- This isn't working even though it tries to bypass the checks; it aborts with the error:
malloc(): unaligned tcache chunk detected
which means the fake chunks that end up in the tcache must be 16-byte aligned: since glibc 2.32, `tcache_get()` aborts with that message when the chunk it is about to return is not aligned to MALLOC_ALIGNMENT (16 bytes on 64-bit). In the how2heap PoC the fake chunks live in local arrays on the stack, which the compiler only has to align to 8 bytes, so whether the PoC runs depends on where those arrays land. This could be bypassed by aligning the fake list properly, or by making the `bk` of the second fake chunk point back to the arena's bin so the tcache stash loop stops there (which needs a libc leak). However, this attack seems to have too many requirements and few benefits.
Goal
- Insert fake small chunks into the small bin so that it is then possible to allocate them.
Requirements
- Create fake chunks
- Know the address of the victim chunk and the fake chunks
- Be able to modify the `bk` and `fd` pointers
Attack
- A victim small chunk is allocated.
- The attacker generates a couple of fake small chunks. The `fd` of the first fake chunk points to the real (victim) chunk and its `bk` points to the second fake chunk; the `fd` of the second fake chunk points back to the first one. This is what satisfies the `bck->fd == victim` check that malloc performs when it unlinks a chunk from the small bin.
- The `bk` of the second fake chunk should also point to further fake chunks (the "fake freelist" in the how2heap PoC): on glibc with tcache, after malloc takes the victim out of the small bin it moves the remaining chunks it reaches through `bk` into the tcache, reading and writing each of them, so a `bk` that points to unmapped memory crashes.
- Then a new large chunk is allocated, to prevent the victim from being consolidated into the top chunk when it is freed.
- Then the victim is freed and a chunk of a bigger size is allocated, so the freed victim is sorted out of the unsorted bin into the small bin. (On glibc with tcache, the tcache bin for the victim's size has to be full before the free, otherwise the victim lands in the tcache instead of the unsorted bin; and it has to be emptied again before the final allocations, so those are served from the small bin.)
- Vulnerability: the freed victim chunk is modified so that its `bk` pointer points to the first fake chunk.
- Then, when 2 chunks of this size are allocated, the first returns the valid chunk and the second returns one of the fake chunks controlled by the attacker (on glibc with tcache the fake chunks were moved into the tcache during the first allocation and the second allocation is served from there).
- In the how2heap example the fake chunks are on the stack, so the attacker obtains a chunk on the stack, where it might be possible to write a ROP chain or similar.
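The following C program is an added example, not code from the page's references or from glibc. It is a model of the `_int_malloc` code path that the steps above drive on a tcache-enabled glibc (tcache_get and its alignment check, the small bin unlink guarded by `bck->fd == victim`, and the stash loop that moves the rest of the small bin into the tcache), with the fake-chunk layout from the steps above run through it. Everything else is this example's own assumption: the names (`chunk_t`, `arena_t`, `model_malloc`, the `scenario_*` functions), the 0x70 size class, and a second fake chunk whose `bk` points to itself in place of how2heap's fake freelist. It never touches the real allocator, so it behaves the same on any libc, and it shows why the unaligned-tcache abort above appears and why the `fd` of the first fake chunk has to be the victim.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* 64-bit glibc malloc_chunk header, as far as House of Lore cares about it. */
typedef struct chunk { size_t prev_size, size; struct chunk *fd, *bk; } chunk_t;

#define TCACHE_MAX 7        /* default mp_.tcache_count */
#define MALLOC_ALIGNMENT 16 /* 64-bit glibc */

enum result { RES_OK = 0, RES_EMPTY,
              RES_SMALLBIN_CORRUPTED,  /* "malloc(): smallbin double linked list corrupted" */
              RES_UNALIGNED_TCACHE };  /* "malloc(): unaligned tcache chunk detected" (glibc >= 2.32) */

/* One smallbin header (bin.fd/bin.bk close the circular list) plus the tcache bin for
 * the same size; the tcache is LIFO, its head is tcache[count-1]. */
typedef struct { chunk_t bin; chunk_t *tcache[TCACHE_MAX]; int count; } arena_t;

static void *chunk2mem(chunk_t *c) { return (char *)c + 2 * sizeof(size_t); }

/* Sorting out of the unsorted bin links a chunk in at the head (fd side) of the smallbin. */
static void smallbin_insert(arena_t *a, chunk_t *c) {
    c->fd = a->bin.fd; c->bk = &a->bin;
    a->bin.fd->bk = c; a->bin.fd = c;
}

/* One malloc() of the smallbin size, in glibc's order: tcache_get (with its alignment check),
 * the smallbin unlink guarded by bck->fd == victim, then the stash loop that moves every
 * remaining chunk reachable through ->bk into the tcache. */
static enum result model_malloc(arena_t *a, void **out) {
    chunk_t *bin = &a->bin, *victim, *bck, *tc;
    if (a->count > 0) {                                  /* tcache_get */
        chunk_t *e = a->tcache[--a->count];
        *out = chunk2mem(e);
        return (uintptr_t)e % MALLOC_ALIGNMENT ? RES_UNALIGNED_TCACHE : RES_OK;
    }
    victim = bin->bk;                                    /* last(bin) */
    if (victim == bin) return RES_EMPTY;
    bck = victim->bk;
    if (bck->fd != victim) return RES_SMALLBIN_CORRUPTED; /* the only check on this path */
    bin->bk = bck; bck->fd = bin;                        /* unlink victim */
    /* No integrity check in the stash loop, but each step reads tc->bk and writes bck->fd,
     * so every chunk reachable through bk must be mapped and writable. */
    while (a->count < TCACHE_MAX && (tc = bin->bk) != bin) {
        bck = tc->bk;
        bin->bk = bck; bck->fd = bin;
        a->tcache[a->count++] = tc;
    }
    *out = chunk2mem(victim);
    return RES_OK;
}

/* Constructed memory, 16-byte aligned like real chunks: victim at +0 ("heap"), fake chunks
 * at +32 and +64 (attacker memory, the stack in how2heap), a misaligned fake at +104. */
static __attribute__((aligned(16))) unsigned char mem[160];

/* The steps from the text: victim sorted into the smallbin, fake list built, victim->bk
 * overwritten. fake2->bk = fake2 stands in for how2heap's fake freelist (this example's choice). */
static void setup(arena_t *a, chunk_t *victim, chunk_t *fake1, chunk_t *fake2) {
    memset(a, 0, sizeof *a); a->bin.fd = a->bin.bk = &a->bin;
    memset(mem, 0, sizeof mem);
    victim->size = 0x70 | 1;          /* size class is this example's choice */
    smallbin_insert(a, victim);
    fake1->fd = victim;               /* satisfies bck->fd == victim when victim is unlinked */
    fake1->bk = fake2;
    fake2->fd = fake1;                /* the same check for fake1 on a glibc without the stash loop */
    fake2->bk = fake2;                /* keeps the stash loop inside memory we control */
    victim->bk = fake1;               /* the vulnerability: overwrite of the freed chunk's bk */
}

/* 1 when the first allocation is the victim and the second lands in attacker memory. */
int scenario_ok(void) {
    arena_t a; void *p0, *p1;
    chunk_t *v = (chunk_t *)mem, *f1 = (chunk_t *)(mem + 32), *f2 = (chunk_t *)(mem + 64);
    setup(&a, v, f1, f2);
    if (model_malloc(&a, &p0) != RES_OK || model_malloc(&a, &p1) != RES_OK) return 0;
    return p0 == chunk2mem(v) && p1 == chunk2mem(f2); /* tcache is LIFO: last stashed comes first */
}

/* fake2 only 8-byte aligned: the smallbin path accepts it, tcache_get on the second allocation
 * does not. This is the abort the text reports from the how2heap PoC. */
enum result scenario_misaligned(void) {
    arena_t a; void *p;
    setup(&a, (chunk_t *)mem, (chunk_t *)(mem + 32), (chunk_t *)(mem + 104));
    if (model_malloc(&a, &p) != RES_OK) return RES_EMPTY;
    return model_malloc(&a, &p);
}

/* fake1->fd pointing anywhere but the victim trips the smallbin integrity check. */
enum result scenario_bad_fd(void) {
    arena_t a; void *p;
    chunk_t *f1 = (chunk_t *)(mem + 32), *f2 = (chunk_t *)(mem + 64);
    setup(&a, (chunk_t *)mem, f1, f2);
    f1->fd = f2;
    return model_malloc(&a, &p);
}

int main(void) {
    printf("aligned=%d misaligned=%d bad_fd=%d (expect 1, 3, 2)\n",
           scenario_ok(), scenario_misaligned(), scenario_bad_fd());
    return 0;
}
```

Compile with gcc and run it. In the aligned scenario the first allocation is the victim, the stash loop pushes the first fake chunk and then the self-linked second fake chunk into the tcache until it is full, and because the tcache is LIFO the second allocation returns the second fake chunk, i.e. attacker memory. Placing the second fake chunk at an 8-byte offset reproduces the failure mode the page reports: the small bin path does not check alignment, the tcache path does. The model leaves out everything else (the size checks while the unsorted bin is sorted, safe-linking of the tcache `next` pointer, the tcache `key` field), so a real PoC still has to get those right.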
References
- https://ctf-wiki.mahaloz.re/pwn/linux/glibc-heap/house_of_lore/
- https://heap-exploitation.dhavalkapil.com/attacks/house_of_lore