House of Lore | Small bin Attack


Basic Information

Code

Goal

  • Insert a fake small chunk into the small bin so that it can later be allocated. Note that the chunk inserted is the fake one the attacker creates, not some existing chunk at an arbitrary position.

Requirements

  • Create 2 fake chunks and link them to each other and to the legit chunk in the small bin:

    • fake0.bk -> fake1

    • fake1.fd -> fake0

    • fake0.fd -> legit (you need to modify a pointer in the freed small bin chunk via some other vuln)

    • legit.bk -> fake0

Then you will be able to allocate fake0.

Attack

  • A small chunk (legit) is allocated, then another one is allocated to prevent consolidation with the top chunk. Then legit is freed (moving it to the unsorted bin) and a larger chunk is allocated, which moves legit to the small bin.

  • The attacker generates a couple of fake small chunks and sets up the linking needed to bypass the sanity checks:

    • fake0.bk -> fake1

    • fake1.fd -> fake0

    • fake0.fd -> legit (you need to modify a pointer in the freed small bin chunk via some other vuln)

    • legit.bk -> fake0

  • A small chunk is allocated to get legit, which leaves fake0 as the next chunk to be returned from the small bin.

  • Another small chunk is allocated, returning fake0 as a chunk, which potentially allows reading or writing pointers inside it.
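The sanity check the fake chunks must satisfy is the one glibc runs when it takes a chunk from a small bin: the chunk after the victim (victim->bk) must point back to the victim with its fd. The following toy model of that list and check is an added illustration written for this page, not glibc's code and not HackTricks' own; it shows that a single overwritten bk pointer (the naive version of the corruption described above) is caught by the check, which is why the attack needs a consistently linked pair of fake chunks.

```c
#include <stddef.h>

/* Toy model of a malloc chunk header and of a small bin's doubly linked
 * list. Field layout mirrors glibc's malloc_chunk but this is a model. */
typedef struct chunk {
    size_t prev_size;
    size_t size;
    struct chunk *fd;
    struct chunk *bk;
} chunk_t;

typedef struct { chunk_t head; } smallbin_t;   /* head.fd/bk are the list ends */

enum { TAKE_OK = 0, TAKE_EMPTY = 1, TAKE_CORRUPTED = 2 };

static void smallbin_init(smallbin_t *bin) {
    bin->head.fd = bin->head.bk = &bin->head;
}

/* Free: insert at the front of the bin, as glibc does. */
static void smallbin_free(smallbin_t *bin, chunk_t *c) {
    c->fd = bin->head.fd;
    c->bk = &bin->head;
    bin->head.fd->bk = c;
    bin->head.fd = c;
}

/* Malloc: take from the tail (victim = head.bk), reproducing glibc's check
 * "bck->fd != victim" that reports a corrupted small bin before unlinking. */
static int smallbin_take(smallbin_t *bin, chunk_t **out) {
    chunk_t *victim = bin->head.bk;
    if (victim == &bin->head) return TAKE_EMPTY;
    chunk_t *bck = victim->bk;
    if (bck->fd != victim) return TAKE_CORRUPTED;   /* integrity check fires */
    bin->head.bk = bck;
    bck->fd = &bin->head;
    *out = victim;
    return TAKE_OK;
}

/* Untouched bin: legit is freed and then handed back. */
static int scenario_clean(void) {
    smallbin_t bin; smallbin_init(&bin);
    chunk_t legit = {0}, *got = NULL;
    smallbin_free(&bin, &legit);
    int rc = smallbin_take(&bin, &got);
    return (rc == TAKE_OK && got == &legit) ? TAKE_OK : -1;
}

/* Constructed corruption: only legit.bk is overwritten to point at a chunk
 * whose fd does not point back, so the check rejects the allocation. */
static int scenario_single_overwrite(void) {
    smallbin_t bin; smallbin_init(&bin);
    chunk_t legit = {0}, forged = {0}, *got = NULL;
    smallbin_free(&bin, &legit);
    legit.bk = &forged;                 /* forged.fd is NULL, not &legit */
    return smallbin_take(&bin, &got);   /* TAKE_CORRUPTED */
}
```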

References
