House of Einherjar
Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE) Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Basic Information
Code
Check the example from https://github.com/shellphish/how2heap/blob/master/glibc_2.35/house_of_einherjar.c
Or the one from https://guyinatuxedo.github.io/42-house_of_einherjar/house_einherjar_exp/index.html#house-of-einherjar-explanation (you might need to fill the tcache)
Goal
The goal is to allocate memory in almost any specific address.
Requirements
Create a fake chunk when we want to allocate a chunk:
Set pointers to point to itself to bypass sanity checks
One-byte overflow with a null byte from one chunk to the next one to modify the
PREV_INUSE
flag.Indicate in the
prev_size
of the off-by-null abused chunk the difference between itself and the fake chunkThe fake chunk size must also have been set the same size to bypass sanity checks
For constructing these chunks, you will need a heap leak.
Attack
A
fake chunk is created inside a chunk controlled by the attacker pointing withfd
andbk
to the original chunk to bypass protections2 other chunks (
B
andC
) are allocatedAbusing the off by one in the
B
one theprev in use
bit is cleaned and theprev_size
data is overwritten with the difference between the place where theC
chunk is allocated, to the fakeA
chunk generated beforeThis
prev_size
and the size in the fake chunkA
must be the same to bypass checks.
Then, the tcache is filled
Then,
C
is freed so it consolidates with the fake chunkA
Then, a new chunk
D
is created which will be starting in the fakeA
chunk and coveringB
chunkThe house of Einherjar finishes here
This can be continued with a fast bin attack or Tcache poisoning:
Free
B
to add it to the fast bin / TcacheB
'sfd
is overwritten making it point to the target address abusing theD
chunk (as it containsB
inside)Then, 2 mallocs are done and the second one is going to be allocating the target address
References and other examples
CTF https://ctf-wiki.mahaloz.re/pwn/linux/glibc-heap/house_of_einherjar/#2016-seccon-tinypad
After freeing pointers their aren't nullified, so it's still possible to access their data. Therefore a chunk is placed in the unsorted bin and leaked the pointers it contains (libc leak) and then a new heap is places on the unsorted bin and leaked a heap address from the pointer it gets.
Null-byte overflow bug in
strtok
.Use House of Einherjar to get an overlapping chunks situation and finish with Tcache poisoning ti get an arbitrary write primitive.
Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE) Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Last updated