# House of Lore | Small bin Attack

{% hint style="success" %}
Learn & practice AWS Hacking:<img src="/files/Xcgr3q6BP5MpWT3hTn6d" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/files/Xcgr3q6BP5MpWT3hTn6d" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="/files/aQnEyHWQGyok3qCc92qt" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/files/aQnEyHWQGyok3qCc92qt" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)

<details>

<summary>Support HackTricks</summary>

* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.

</details>
{% endhint %}

## Basic Information

### Code

* Check the one from <https://ctf-wiki.mahaloz.re/pwn/linux/glibc-heap/house_of_lore/>
  * This isn't working
* Or: <https://github.com/shellphish/how2heap/blob/master/glibc_2.39/house_of_lore.c>
  * This isn't working even if it tries to bypass some checks getting the error: `malloc(): unaligned tcache chunk detected`
* This example is still working: [**https://guyinatuxedo.github.io/40-house\_of\_lore/house\_lore\_exp/index.html**](https://guyinatuxedo.github.io/40-house_of_lore/house_lore_exp/index.html)

### Goal

* Insert a **fake small chunk in the small bin so then it's possible to allocate it**.\
  Note that the small chunk added is the fake one the attacker creates and not a fake one in an arbitrary position.

### Requirements

* Create 2 fake chunks and link them together and with the legit chunk in the small bin:
  * `fake0.bk` -> `fake1`
  * `fake1.fd` -> `fake0`
  * `fake0.fd` -> `legit` (you need to modify a pointer in the freed small bin chunk via some other vuln)
  * `legit.bk` -> `fake0`

Then you will be able to allocate `fake0`.

### Attack

* A small chunk (`legit`) is allocated, then another one is allocated to prevent consolidating with top chunk. Then, `legit` is freed (moving it to the unsorted bin list) and the a larger chunk is allocated, **moving `legit` it to the small bin.**
* An attacker generates a couple of fake small chunks, and makes the needed linking to bypass sanity checks:
  * `fake0.bk` -> `fake1`
  * `fake1.fd` -> `fake0`
  * `fake0.fd` -> `legit` (you need to modify a pointer in the freed small bin chunk via some other vuln)
  * `legit.bk` -> `fake0`
* A small chunk is allocated to get legit, making **`fake0`** into the top list of small bins
* Another small chunk is allocated, getting `fake0` as a chunk, allowing potentially to read/write pointers inside of it.

## References

* <https://ctf-wiki.mahaloz.re/pwn/linux/glibc-heap/house_of_lore/>
* <https://heap-exploitation.dhavalkapil.com/attacks/house_of_lore>
* <https://guyinatuxedo.github.io/40-house_of_lore/house_lore_exp/index.html>

{% hint style="success" %}
Learn & practice AWS Hacking:<img src="/files/Xcgr3q6BP5MpWT3hTn6d" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/files/Xcgr3q6BP5MpWT3hTn6d" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="/files/aQnEyHWQGyok3qCc92qt" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/files/aQnEyHWQGyok3qCc92qt" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)

<details>

<summary>Support HackTricks</summary>

* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.

</details>
{% endhint %}


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://angelica.gitbook.io/hacktricks/binary-exploitation/libc-heap/house-of-lore.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.