House of Lore

Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!

Other ways to support HackTricks:

Basic Information

Code

Goal

  • Insert a fake small chunk into the small bin so that it can later be allocated.

Requirements

  • Create fake chunks

  • Know the address of the victim chunk and the fake chunks

  • Be able to modify the bk and fd pointers

Attack

  • A victim small chunk is allocated

  • An attacker generates a couple of fake small chunks, makes the first fake chunk's fd point to a real chunk and its bk point to the second fake chunk, and makes the second fake chunk's fd point back to the first one.

    • The bk of the second fake chunk should also point to a fake freelist, to avoid a crash when malloc tries to move the remaining small bin chunks into the tcache.

  • Then a new large chunk is allocated so that the first one is not consolidated into the top chunk when it is freed.

  • Then the initial pointer is freed and a second chunk of a bigger size is allocated, so that the freed small chunk gets placed into the small bin.

  • Vulnerability: the freed real small chunk is modified so that its bk pointer points to the first fake chunk.

  • Then, when two chunks of this size are allocated, the first allocation returns the valid chunk and the second returns the fake chunk controlled by the attacker.

    • In the how2heap example the fake chunks live on the stack, so the returned chunk points into the stack, where it might be possible to write a ROP chain or similar.
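To make the consistency requirement above concrete, here is an added C model (not code from this page or from how2heap) of the small-bin unlink in glibc's _int_malloc and the integrity check it performs on the bk pointer. struct chunk, smallbin_take and the check_* functions are names chosen for this model; it simulates the bin with plain structs instead of touching the real allocator.

```c
#include <stddef.h>
/* Minimal model of a glibc malloc chunk header; only the list links matter here. */
struct chunk { size_t prev_size, size; struct chunk *fd, *bk; };

enum take_result { TAKE_EMPTY, TAKE_OK, TAKE_CORRUPT };

/* Models the small-bin branch of _int_malloc: the victim is bin->bk, and glibc requires
 * victim->bk->fd == victim before unlinking ("malloc(): smallbin double linked list corrupted"). */
enum take_result smallbin_take(struct chunk *bin, struct chunk **out)
{
    struct chunk *victim = bin->bk;
    if (victim == bin)
        return TAKE_EMPTY;
    struct chunk *bck = victim->bk;
    if (bck->fd != victim)
        return TAKE_CORRUPT;   /* check fires; nothing is unlinked */
    bin->bk = bck;
    bck->fd = bin;             /* a write through whatever victim->bk points at */
    *out = victim;
    return TAKE_OK;
}

/* Bin holding one freed chunk (bin <-> real) whose bk has then been overwritten
 * to point at a fake chunk, as in the "Vulnerability" step above. */
static void bin_with_corrupted_chunk(struct chunk *bin, struct chunk *real, struct chunk *fake)
{
    bin->fd = bin->bk = real;
    real->fd = bin; real->bk = fake;
}

/* fake->fd was left untouched (NULL) and does not point back at real:
 * the check refuses the allocation before any unlink happens. */
int check_inconsistent_bk(void)
{
    struct chunk bin = {0}, real = {0}, fake = {0}, *c = NULL;
    bin_with_corrupted_chunk(&bin, &real, &fake);
    return smallbin_take(&bin, &c) == TAKE_CORRUPT && c == NULL;
}

/* Limit of the check: it validates one back-link only. With fake->fd == real and a second
 * fake whose fd points at the first, both takes pass and the second returns the fake chunk.
 * A third take would dereference fake2->bk (NULL here), which is why the last fake's bk must
 * point at a valid, writable list, as noted above. */
int check_consistent_bk(void)
{
    struct chunk bin = {0}, real = {0}, fake = {0}, fake2 = {0}, *c = NULL;
    bin_with_corrupted_chunk(&bin, &real, &fake);
    fake.fd = &real; fake.bk = &fake2; fake2.fd = &fake;
    return smallbin_take(&bin, &c) == TAKE_OK && c == &real
        && smallbin_take(&bin, &c) == TAKE_OK && c == &fake;
}
```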

References
