house-of-force.md

House of Force

{% hint style="success" %} Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)

Support HackTricks

• Check the subscription plans!
• Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
• Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.

{% endhint %}

Basic Information

Code

• This technique was patched (here) and produces this error: malloc(): corrupted top size
  • You can try the code from here to test it if you want.

Goal

• The goal of this attack is to be able to allocate a chunk in a specific address.

Requirements

• An overflow that allows to overwrite the size of the top chunk header (e.g. -1).
• Be able to control the size of the heap allocation

Attack

If an attacker wants to allocate a chunk in the address P to overwrite a value here. He starts by overwriting the top chunk size with -1 (maybe with an overflow). This ensures that malloc won't be using mmap for any allocation as the Top chunk will always have enough space.

Then, calculate the distance between the address of the top chunk and the target space to allocate. This is because a malloc with that size will be performed in order to move the top chunk to that position. This is how the difference/size can be easily calculated:

// From https://github.com/shellphish/how2heap/blob/master/glibc_2.27/house_of_force.c#L59C2-L67C5
/*
 * The evil_size is calulcated as (nb is the number of bytes requested + space for metadata):
 * new_top = old_top + nb
 * nb = new_top - old_top
 * req + 2sizeof(long) = new_top - old_top
 * req = new_top - old_top - 2sizeof(long)
 * req = target - 2sizeof(long) - old_top - 2sizeof(long)
 * req = target - old_top - 4*sizeof(long)
 */

Therefore, allocating a size of target - old_top - 4*sizeof(long) (the 4 longs are because of the metadata of the top chunk and of the new chunk when allocated) will move the top chunk to the address we want to overwrite.
Then, do another malloc to get a chunk at the target address.

References & Other Examples

• https://github.com/shellphish/how2heap/tree/master
• https://ctf-wiki.mahaloz.re/pwn/linux/glibc-heap/house_of_force/
• https://heap-exploitation.dhavalkapil.com/attacks/house_of_force
• https://github.com/shellphish/how2heap/blob/master/glibc_2.27/house_of_force.c
• https://guyinatuxedo.github.io/41-house_of_force/house_force_exp/index.html
• https://ctf-wiki.mahaloz.re/pwn/linux/glibc-heap/house_of_force/#hitcon-training-lab-11
  • The goal of this scenario is a ret2win where we need to modify the address of a function that is going to be called by the address of the ret2win function
  • The binary has an overflow that can be abused to modify the top chunk size, which is modified to -1 or p64(0xffffffffffffffff)
  • Then, it's calculated the address to the place where the pointer to overwrite exists, and the difference from the current position of the top chunk to there is alloced with malloc
  • Finally a new chunk is alloced which will contain this desired target inside which is overwritten by the ret2win function
• https://shift--crops-hatenablog-com.translate.goog/entry/2016/03/21/171249?_x_tr_sl=es&_x_tr_tl=en&_x_tr_hl=en&_x_tr_pto=wapp
  • In the Input your name: there is an initial vulnerability that allows to leak an address from the heap
  • Then in the Org: and Host: functionality its possible to fill the 64B of the s pointer when asked for the org name, which in the stack is followed by the address of v2, which is then followed by the indicated host name. As then, strcpy is going to be copying the contents of s to a chunk of size 64B, it's possible to overwrite the size of the top chunk with the data put inside the host name.
  • Now that arbitrary write it possible, the atoi's GOT was overwritten to the address of printf. the it as possible to leak the address of IO_2_1_stderr with %24$p. And with this libc leak it was possible to overwrite atoi's GOT again with the address to system and call it passing as param /bin/sh
    • An alternative method proposed in this other writeup, is to overwrite free with puts, and then add the address of atoi@got, in the pointer that will be later freed so it's leaked and with this leak overwrite again atoi@got with system and call it with /bin/sh.
• https://guyinatuxedo.github.io/41-house_of_force/bkp16_cookbook/index.html
  • There is a UAF allowing to reuse a chunk that was freed without clearing the pointer. Because there are some read methods, it's possible to leak a libc address writing a pointer to the free function in the GOT here and then calling the read function.
  • Then, House of force was used (abusing the UAF) to overwrite the size of the left space with a -1, allocate a chunk big enough to get tot he free hook, and then allocate another chunk which will contain the free hook. Then, write in the hook the address of system, write in a chunk "/bin/sh" and finally free the chunk with that string content.

{% hint style="success" %} Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)

Support HackTricks

• Check the subscription plans!
• Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
• Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.

{% endhint %}