House of Force
Similar to 'House of Lore', this attack focuses on returning an arbitrary pointer from 'malloc'. The forging chunks attack was discussed for fastbins and the 'House of Lore' attack was discussed for small bins. The 'House of Force' exploits the 'top chunk'. The topmost chunk is also known as the 'wilderness'. It borders the end of the heap (i.e. it is at the maximum address within the heap) and is not present in any bin. It follows the same chunk structure format as every other chunk.
This attack assumes an overflow into the top chunk's header. The size field is modified to a very large value (-1 in this example). This ensures that all initial requests will be serviced using the top chunk, instead of relying on mmap. On a 64-bit system, -1 evaluates to 0xFFFFFFFFFFFFFFFF. A chunk with this size can cover the entire memory space of the program. Let us assume that the attacker wishes 'malloc' to return address P. Now, any malloc call with a size of &top_chunk - P will be serviced using the top chunk. Note that P can be after or before the top_chunk. If it is before, the result will be a large positive value (because size is unsigned). It will still be less than -1. An integer overflow will occur and malloc will successfully service this request using the top chunk. Now, the top chunk will point to P and any future requests will return P!
Consider this sample code (download the complete version here):
'malloc' returned an address pointing to victim.
Note the following things that we need to take care of:
- While deducing the exact pointer to top_chunk, zero out the three lower bits of the previous chunk's size field to obtain the correct size.
- While calculating requestSize, an additional buffer of around 8 bytes was subtracted. This was just to counter the rounding up malloc does while servicing chunks. Incidentally, in this case, malloc returns a chunk with 8 more bytes than requested. Notice that this is machine dependent.
- victim can be any address (on the heap, stack, bss, etc.).
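The reason this technique no longer works against a current allocator is a single sanity check on the top chunk's size, and it is worth seeing why that check is sufficient. The program below is an added example, not code from the original page and not glibc's own source: it models only the decision an allocator makes when it is about to carve a request out of the top chunk, once without and once with a check modelled on the "malloc(): corrupted top size" test that glibc 2.29 and later perform (the top chunk can never be larger than the memory the arena actually obtained, its system_mem). The function names, MINSIZE, the arena size 0x21000 and the request values are all constructed for the demonstration and are not taken from a real process.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed constants for the model (not a real heap). */
#define MINSIZE   32UL      /* smallest chunk on 64-bit glibc (assumed here) */
#define SIZE_BITS 0x7UL     /* the three low bits of a size field are flags  */

/* Strip the flag bits from a raw size field, as the notes above describe. */
static size_t chunksize(size_t size_field) { return size_field & ~SIZE_BITS; }

/* Pre-hardening decision: the top chunk serves any request it is large
 * enough for.  A size field of (size_t)-1 passes this test for every
 * request, which is exactly what the House of Force relies on. */
static bool top_serves_request_naive(size_t top_size_field, size_t nb) {
    size_t size = chunksize(top_size_field);
    return size >= nb + MINSIZE;
}

/* Hardened decision, modelled on glibc's "corrupted top size" check: a top
 * chunk larger than the arena's system_mem cannot be legitimate, so the
 * allocator refuses (glibc aborts) before looking at the request size. */
static bool top_serves_request_checked(size_t top_size_field, size_t nb,
                                       size_t system_mem) {
    size_t size = chunksize(top_size_field);
    if (size > system_mem)
        return false;   /* overwritten size field: refuse instead of carving */
    return size >= nb + MINSIZE;
}

/* Returns 1 when the naive allocator would carve an oversized request out of
 * a top chunk whose size was overwritten with -1 while the checked allocator
 * refuses it, i.e. when the check is what stops the technique. */
int check_matters(size_t system_mem, size_t huge_request) {
    size_t corrupted = (size_t)-1;  /* 0xFFFFFFFFFFFFFFFF, the overwritten size */
    return top_serves_request_naive(corrupted, huge_request)
        && !top_serves_request_checked(corrupted, huge_request, system_mem);
}

int main(void) {
    size_t system_mem   = 0x21000;          /* constructed: a 132 KiB arena  */
    size_t huge_request = 0x7ffff0000000UL; /* constructed: far beyond it    */
    size_t intact_top   = 0x20ff1;          /* constructed: sane size + PREV_INUSE */

    printf("corrupted top size 0x%zx, request 0x%zx\n", (size_t)-1, huge_request);
    printf("  naive allocator carves from top:   %s\n",
           top_serves_request_naive((size_t)-1, huge_request) ? "yes" : "no");
    printf("  checked allocator carves from top: %s\n",
           top_serves_request_checked((size_t)-1, huge_request, system_mem)
               ? "yes" : "no, corrupted top size");
    printf("check decides the outcome: %s\n",
           check_matters(system_mem, huge_request) ? "yes" : "no");

    /* An intact top chunk is unaffected: ordinary requests are still served. */
    printf("intact top 0x%zx, request 0x100: %s\n", intact_top,
           top_serves_request_checked(intact_top, 0x100, system_mem)
               ? "served" : "refused");
    return 0;
}
```

The point of the model is that the overwritten size does not have to be detected by inspecting the request: bounding the top chunk by what the arena actually holds rejects 0xFFFFFFFFFFFFFFFF outright, while leaving a genuine top chunk (here 0x20ff0 after the flag bits are stripped) free to serve normal allocations. The same bound also defeats any "large but not -1" value an overflow might write, since no legitimate top chunk can exceed system_mem.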