House of Einherjar

Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE) Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)

Support HackTricks

Check the subscription plans!
Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.

Basic Information

Code

Check the example from https://github.com/shellphish/how2heap/blob/master/glibc_2.35/house_of_einherjar.c
Or the one from https://guyinatuxedo.github.io/42-house_of_einherjar/house_einherjar_exp/index.html#house-of-einherjar-explanation (you might need to fill the tcache)

Goal

The goal is to allocate memory in almost any specific address.

Requirements

Create a fake chunk when we want to allocate a chunk:
- Set pointers to point to itself to bypass sanity checks
One-byte overflow with a null byte from one chunk to the next one to modify the PREV_INUSE flag.
Indicate in the prev_size of the off-by-null abused chunk the difference between itself and the fake chunk
- The fake chunk size must also have been set the same size to bypass sanity checks
For constructing these chunks, you will need a heap leak.

Attack

A fake chunk is created inside a chunk controlled by the attacker pointing with fd and bk to the original chunk to bypass protections
2 other chunks (B and C) are allocated
Abusing the off by one in the B one the prev in use bit is cleaned and the prev_size data is overwritten with the difference between the place where the C chunk is allocated, to the fake A chunk generated before
- This prev_size and the size in the fake chunk A must be the same to bypass checks.
Then, the tcache is filled
Then, C is freed so it consolidates with the fake chunk A
Then, a new chunk D is created which will be starting in the fake A chunk and covering B chunk
- The house of Einherjar finishes here
This can be continued with a fast bin attack or Tcache poisoning:
- Free B to add it to the fast bin / Tcache
- B's fd is overwritten making it point to the target address abusing the D chunk (as it contains B inside)
- Then, 2 mallocs are done and the second one is going to be allocating the target address

References and other examples

https://github.com/shellphish/how2heap/blob/master/glibc_2.35/house_of_einherjar.c
CTF https://ctf-wiki.mahaloz.re/pwn/linux/glibc-heap/house_of_einherjar/#2016-seccon-tinypad
- After freeing pointers their aren't nullified, so it's still possible to access their data. Therefore a chunk is placed in the unsorted bin and leaked the pointers it contains (libc leak) and then a new heap is places on the unsorted bin and leaked a heap address from the pointer it gets.
baby-talk. DiceCTF 2024
- Null-byte overflow bug in strtok.
- Use House of Einherjar to get an overlapping chunks situation and finish with Tcache poisoning ti get an arbitrary write primitive.

Support HackTricks

Check the subscription plans!
Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.

PreviousHouse of Lore | Small bin Attack NextHouse of Force

Last updated 4 months ago

Basic Information

Code

Goal

The goal is to allocate memory in almost any specific address.

Requirements

Create a fake chunk when we want to allocate a chunk:

Set pointers to point to itself to bypass sanity checks

One-byte overflow with a null byte from one chunk to the next one to modify the PREV_INUSE flag.

Indicate in the prev_size of the off-by-null abused chunk the difference between itself and the fake chunk

The fake chunk size must also have been set the same size to bypass sanity checks

For constructing these chunks, you will need a heap leak.

Attack

A fake chunk is created inside a chunk controlled by the attacker pointing with fd and bk to the original chunk to bypass protections

2 other chunks (B and C) are allocated

Abusing the off by one in the B one the prev in use bit is cleaned and the prev_size data is overwritten with the difference between the place where the C chunk is allocated, to the fake A chunk generated before

This prev_size and the size in the fake chunk A must be the same to bypass checks.

Then, the tcache is filled

Then, C is freed so it consolidates with the fake chunk A

Then, a new chunk D is created which will be starting in the fake A chunk and covering B chunk

The house of Einherjar finishes here

This can be continued with a fast bin attack or Tcache poisoning:

Free B to add it to the fast bin / Tcache
B's fd is overwritten making it point to the target address abusing the D chunk (as it contains B inside)
Then, 2 mallocs are done and the second one is going to be allocating the target address

References and other examples

https://github.com/shellphish/how2heap/blob/master/glibc_2.35/house_of_einherjar.c

CTF https://ctf-wiki.mahaloz.re/pwn/linux/glibc-heap/house_of_einherjar/#2016-seccon-tinypad

After freeing pointers their aren't nullified, so it's still possible to access their data. Therefore a chunk is placed in the unsorted bin and leaked the pointers it contains (libc leak) and then a new heap is places on the unsorted bin and leaked a heap address from the pointer it gets.

baby-talk. DiceCTF 2024

Null-byte overflow bug in strtok.
Use House of Einherjar to get an overlapping chunks situation and finish with Tcache poisoning ti get an arbitrary write primitive.