House of Einherjar

Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE) Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)

Support HackTricks

• Check the subscription plans!

• Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.

• Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.

Basic Information

Code

• Check the example from https://github.com/shellphish/how2heap/blob/master/glibc_2.35/house_of_einherjar.c

• Or the one from https://guyinatuxedo.github.io/42-house_of_einherjar/house_einherjar_exp/index.html#house-of-einherjar-explanation (you might need to fill the tcache)

Goal

• The goal is to allocate memory in almost any specific address.

Requirements

• Create a fake chunk when we want to allocate a chunk:

  • Set pointers to point to itself to bypass sanity checks

• One-byte overflow with a null byte from one chunk to the next one to modify the PREV_INUSE flag.

• Indicate in the prev_size of the off-by-null abused chunk the difference between itself and the fake chunk

  • The fake chunk size must also have been set the same size to bypass sanity checks

• For constructing these chunks, you will need a heap leak.

Attack

• A fake chunk is created inside a chunk controlled by the attacker pointing with fd and bk to the original chunk to bypass protections

• 2 other chunks (B and C) are allocated

• Abusing the off by one in the B one the prev in use bit is cleaned and the prev_size data is overwritten with the difference between the place where the C chunk is allocated, to the fake A chunk generated before

  • This prev_size and the size in the fake chunk A must be the same to bypass checks.

• Then, the tcache is filled

• Then, C is freed so it consolidates with the fake chunk A

• Then, a new chunk D is created which will be starting in the fake A chunk and covering B chunk

  • The house of Einherjar finishes here

• This can be continued with a fast bin attack or Tcache poisoning:

  • Free B to add it to the fast bin / Tcache

  • B's fd is overwritten making it point to the target address abusing the D chunk (as it contains B inside)

  • Then, 2 mallocs are done and the second one is going to be allocating the target address

References and other examples

• https://github.com/shellphish/how2heap/blob/master/glibc_2.35/house_of_einherjar.c

• CTF https://ctf-wiki.mahaloz.re/pwn/linux/glibc-heap/house_of_einherjar/#2016-seccon-tinypad

  • After freeing pointers their aren't nullified, so it's still possible to access their data. Therefore a chunk is placed in the unsorted bin and leaked the pointers it contains (libc leak) and then a new heap is places on the unsorted bin and leaked a heap address from the pointer it gets.

• baby-talk. DiceCTF 2024

  • Null-byte overflow bug in strtok.

  • Use House of Einherjar to get an overlapping chunks situation and finish with Tcache poisoning ti get an arbitrary write primitive.

Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE) Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)

Support HackTricks

• Check the subscription plans!

• Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.

• Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.