House of Einherjar

Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!

Other ways to support HackTricks:

Basic Information

Code

Goal

  • The goal is to allocate memory in almost any specific address.

Requirements

  • Off by one over the header of the next chunk to modify the prev in use

  • Be able to modify the prev_size data, which is part of the current chunk (at the end)

  • Heap leak

Attack

  • A fake chunk is created inside a chunk controlled by the attacker pointing with fd and bk to the original chunk to bypass protections

  • 2 other chunks (B and C) are created

  • Abusing the off by one in the B one the prev in use bit is cleaned and the prev_size data is overwritten with the difference between the place where the C chunk is allocated, to the fake A chunk generated before

    • This prev_size and the size of the fake chunk A must be the same to bypass checks.

  • Then, the tcache is filled

  • Then, C is freed so it consolidates with the fake chunk A

  • Then, a new chunk D is created which will be starting in the fake A chunk and covering B chunk

  • Then, B's fd is overwritten making it point to the target address abusing the D chunk (as it contains B inside) and B is freed to add the target to the fast bin

    • This is the common fast bin attack

  • Then, 2 mallocs are done and the second one id going to be allocating the target address

References and other examples

Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!

Other ways to support HackTricks:

Last updated