hacktricks/binary-exploitation/libc-heap/house-of-force.md
2024-12-12 11:39:29 +01:00

7.8 KiB

House of Force

{% hint style="success" %} Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)

Support HackTricks
{% endhint %}

Basic Information

Code

  • This technique was patched (here) and produces this error: malloc(): corrupted top size

Goal

  • The goal of this attack is to be able to allocate a chunk in a specific address.

Requirements

  • An overflow that allows to overwrite the size of the top chunk header (e.g. -1).
  • Be able to control the size of the heap allocation

Attack

If an attacker wants to allocate a chunk in the address P to overwrite a value here. He starts by overwriting the top chunk size with -1 (maybe with an overflow). This ensures that malloc won't be using mmap for any allocation as the Top chunk will always have enough space.

Then, calculate the distance between the address of the top chunk and the target space to allocate. This is because a malloc with that size will be performed in order to move the top chunk to that position. This is how the difference/size can be easily calculated:

// From https://github.com/shellphish/how2heap/blob/master/glibc_2.27/house_of_force.c#L59C2-L67C5
/*
 * The evil_size is calulcated as (nb is the number of bytes requested + space for metadata):
 * new_top = old_top + nb
 * nb = new_top - old_top
 * req + 2sizeof(long) = new_top - old_top
 * req = new_top - old_top - 2sizeof(long)
 * req = target - 2sizeof(long) - old_top - 2sizeof(long)
 * req = target - old_top - 4*sizeof(long)
 */

Therefore, allocating a size of target - old_top - 4*sizeof(long) (the 4 longs are because of the metadata of the top chunk and of the new chunk when allocated) will move the top chunk to the address we want to overwrite.
Then, do another malloc to get a chunk at the target address.

References & Other Examples

{% hint style="success" %} Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)

Support HackTricks
{% endhint %}