house-of-lore.md

House of Lore | Small bin Attack

{% hint style="success" %} Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)

Support HackTricks

• Check the subscription plans!
• Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
• Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.

{% endhint %}

Basic Information

Code

• Check the one from https://ctf-wiki.mahaloz.re/pwn/linux/glibc-heap/house_of_lore/
  • This isn't working
• Or: https://github.com/shellphish/how2heap/blob/master/glibc_2.39/house_of_lore.c
  • This isn't working even if it tries to bypass some checks getting the error: malloc(): unaligned tcache chunk detected
• This example is still working: https://guyinatuxedo.github.io/40-house_of_lore/house_lore_exp/index.html

Goal

• Insert a fake small chunk in the small bin so then it's possible to allocate it.
  Note that the small chunk added is the fake one the attacker creates and not a fake one in an arbitrary position.

Requirements

• Create 2 fake chunks and link them together and with the legit chunk in the small bin:
  • fake0.bk -> fake1
  • fake1.fd -> fake0
  • fake0.fd -> legit (you need to modify a pointer in the freed small bin chunk via some other vuln)
  • legit.bk -> fake0

Then you will be able to allocate fake0.

Attack

• A small chunk (legit) is allocated, then another one is allocated to prevent consolidating with top chunk. Then, legit is freed (moving it to the unsorted bin list) and the a larger chunk is allocated, moving legit it to the small bin.
• An attacker generates a couple of fake small chunks, and makes the needed linking to bypass sanity checks:
  • fake0.bk -> fake1
  • fake1.fd -> fake0
  • fake0.fd -> legit (you need to modify a pointer in the freed small bin chunk via some other vuln)
  • legit.bk -> fake0
• A small chunk is allocated to get legit, making fake0 into the top list of small bins
• Another small chunk is allocated, getting fake0 as a chunk, allowing potentially to read/write pointers inside of it.

References

• https://ctf-wiki.mahaloz.re/pwn/linux/glibc-heap/house_of_lore/
• https://heap-exploitation.dhavalkapil.com/attacks/house_of_lore
• https://guyinatuxedo.github.io/40-house_of_lore/house_lore_exp/index.html

{% hint style="success" %} Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)

Support HackTricks

• Check the subscription plans!
• Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
• Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.

{% endhint %}