House of Force

Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!

Other ways to support HackTricks:

Basic Information

Code

  • This technique was patched (here) and produces this error: malloc(): corrupted top size

Goal

  • The goal of this attack is to be able to allocate a chunk in a specific address.

Requirements

  • An overflow that allows to overwrite the size of the top chunk header (e.g. -1).

  • Be able to control the size of the heap allocation

Attack

If an attacker wants to allocate a chunk in the address P to overwrite a value here, he can start by overwriting the top chunk size with -1. This ensures that malloc won't be using mmap for any allocation as the Top chunk will always have enough space.

Then, calculate the distance between the address of the top chunk and the target space to allocate. This is because a malloc with that size will be performed in order to move the top chunk to that position. This is how the difference/size can be easily calculated:

// From https://github.com/shellphish/how2heap/blob/master/glibc_2.27/house_of_force.c#L59C2-L67C5
/*
 * The evil_size is calulcated as (nb is the number of bytes requested + space for metadata):
 * new_top = old_top + nb
 * nb = new_top - old_top
 * req + 2sizeof(long) = new_top - old_top
 * req = new_top - old_top - 2sizeof(long)
 * req = target - 2sizeof(long) - old_top - 2sizeof(long)
 * req = target - old_top - 4*sizeof(long)
 */

Therefore, allocing a size of target - old_top - 4*sizeof(long) (the 4 longs are because of the metadata of the top chunk and of the new chunk when alloced) will move the top chunk to the address we want to overwrite. Then, do another malloc to get a chunk containing the at the beginning of the data to write the target address.

References & Other Examples

Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!

Other ways to support HackTricks:

Last updated