Giters

mdulin2 / house_of_io_many_more

Exploits for the house of IO class of vulnerabilities

Geek Repo:Geek Repo

Github PK Tool:Github PK Tool

House of IO - Heap Reuse

What Is This?

  • A heap exploitation technique that allows for returns an arbitrary memory address from Malloc.
  • An exploit primitive improvement for the House of IO - Underflow.
  • A bypass for pointer mangling.

How Does this Work?

  • Overwritting the TCache Bin struct pointers, since it is on the heap itself. This allows an arbitrary chunk to be returned from Malloc.

What Is the Primitive Improvement?

  • The original technique uses an out of bounds write going backwards in order to corrupt the TCache Bins data structure to add an arbitrary memory location to the data struture. The underflow is required because the TCache Bin struct is normally the first allocation of the heap.
  • By using careful manipulating of the heap memory via threading, it is possible to put the TCache Bin struct in the middle of the heap. This is because the TCache Bin struct is unique for threads and the heap memory can be reused between threads. By combining both of these properties, it is possible to corrupt the TCache Bin struct with a more common primitive, such as a use after free, buffer overflow or double free.

Damn, this sounds real complex

  • Yeah, this is!
  • I broke this down in an article on my blog called House of IO - Heap Reuse. This has an overview of everything about the allocator that is needed to understand the technique and a full explanation of how the technique works with pretty diagrams.

What's In this Repo Then?

  • A proof of concept of the House of IO - Heap Reuse on GLibC Malloc 2.31. Theoretically, this should work on all versions of Malloc 2.30+.
  • The reason for this difference in versions is that from GLibC Malloc 2.26-2.29 the counts array of the TCache Bin has slightly different storage size (char vs. uint16_t).

Pros and Cons

Pros

  • Bypasses pointer mangling for the classic fd poison attack.
  • Relative overwrites on the heap pointers in the TCache Bin data structures can be used to bypass heap ASLR.
  • Multiple fake pointers can be written to the TCache Bin, if NULLbytes can be used. This allows for multiple write primitives.
  • Added improvement and flexibility on the required exploit primitive when compared to the original House of IO - Underflow.

Cons

  • Practically, the settings for the arenas do not make it trivial to reuse heaps. This means that a way to exhaust threads for a process in the application is required. This is the highest bar of this technique.
  • A leak for another address, such as LibC, .bss or other sections of memory may be required.
  • If a continuous write is done from the bottom of the chunk, this destroys the TCache counts array. From this point on, all bins will have chunks in them, according to the allocator.

About

Exploits for the house of IO class of vulnerabilities

Languages

Language:C 100.0%