House of Einherjar

Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!

Other ways to support HackTricks:

Basic Information

Code

Goal

  • The goal is to allocate memory in almost any specific address.

Requirements

  • Create a fake chunk when we want to allocate a chunk:

    • Set pointers to point to itself to bypass sanity checks

  • Off by one over from one chunk to another to modify the prev in use

  • Indicate in the prev_size of the off-by-one abused chunk the difference between itself and the fake chunk

    • The fake chunk size must also have been set the same size to bypass sanity checks

  • For constructing these chunks, you will need a heap leak.

Attack

  • A fake chunk is created inside a chunk controlled by the attacker pointing with fd and bk to the original chunk to bypass protections

  • 2 other chunks (B and C) are allocated

  • Abusing the off by one in the B one the prev in use bit is cleaned and the prev_size data is overwritten with the difference between the place where the C chunk is allocated, to the fake A chunk generated before

    • This prev_size and the size in the fake chunk A must be the same to bypass checks.

  • Then, the tcache is filled

  • Then, C is freed so it consolidates with the fake chunk A

  • Then, a new chunk D is created which will be starting in the fake A chunk and covering B chunk

    • The house of Einherjar finishes here

  • This can be continued with a fast bin attack:

    • Free B to add it to the fast bin

    • B's fd is overwritten making it point to the target address abusing the D chunk (as it contains B inside)

    • Then, 2 mallocs are done and the second one is going to be allocating the target address

References and other examples

Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!

Other ways to support HackTricks:

Last updated