README.md

What's House-Of-Force?

I was so amazed by this kind of attack when I first heard of it; it is a kind of attack in which we deceive glibc!
What? Deceive the allocator?! I will explain it in the following.

Malloc More Memory

We should know that when malloc(nb) finds there is no chunk in the bins that can be used, it calls on the TOP chunk for help!
First, it checks the size header of TOP.
If top_size - nb - 0x10 (size of header) > 0, then we can get nb from the top chunk.

How do we Exploit

When we get our requested memory, we also get the new address of the top chunk:

new_top = old_top + nb + size_of_chunk_header
// In other words:
nb = new_top - old_top - size_of_chunk_header

So in fact, we can control the address of our top chunk through this rule!

Steps of Force

The key point of this attack is to decide where you want to move your top chunk and how much your nb should be.

  1. Override the TOP size with a big value
    When the program has a heap overflow vulnerability, we can override the header of the next chunk.
    In this case, we need to make sure that we can malloc() from the TOP chunk again, so I would override the size of the chunk with 0xffffffffffffffff.
    (Why do we need to make sure of the fact above? Because only through malloc can we change the address of the top chunk again 😜)
  2. malloc(new_top - old_top - size_of_chunk_header)
    We always want to hijack a function, so I can try to move our top close to the function ptr, then I can override the RIP.
    So, we may decide the new_top by ourselves.
    However, you must be confused that the value of nb is negative! 😱
    In fact, nb can be a negative number because size_t in malloc() is also a signed number.
    Then, we move our top chunk to our target site ><
  3. malloc() again
    In the end, when you malloc again, you can gain control over the target!

Make sure where you are now, and then we can start overriding our function ptr.

Dive into the picture above and you will understand more~
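As an added illustration (not code from the original README), the C model below carries the rule above through with constructed addresses: it computes nb for a target that lies below the current top, shows that the forged 0xffffffffffffffff size passes the size check the README describes while an honest top size does not, and puts beside it the "malloc(): corrupted top size" check that glibc 2.29 added, which refuses a top size larger than the arena's system_mem. The addresses, the 0x21000 system_mem value, and the function names are assumptions; nothing here touches real memory.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define CHUNK_HDR 0x10UL   /* chunk header size on 64-bit glibc, as used in the README */

/* Minimal model of the allocator state the README talks about (hypothetical, not glibc's struct). */
struct top_chunk {
    uintptr_t addr;       /* start of the top chunk header */
    size_t    size;       /* its size field: attacker-controlled after an overflow */
    size_t    system_mem; /* bytes the arena really obtained from the OS */
};

/* The README's rule: nb = new_top - old_top - header. When new_top lies below
 * old_top the subtraction wraps, which is the "negative nb" the README describes. */
static size_t request_for_target(uintptr_t old_top, uintptr_t new_top) {
    return new_top - old_top - CHUNK_HDR;
}

/* Carve nb out of top with only the size check the README describes
 * (top_size must cover nb plus a header). Returns the user pointer, or 0 on failure. */
static uintptr_t carve_from_top(struct top_chunk *t, size_t nb) {
    if (t->size < nb + CHUNK_HDR)   /* unsigned compare: a forged 0xfff...f size always passes */
        return 0;
    uintptr_t user = t->addr + CHUNK_HDR;
    t->addr += nb + CHUNK_HDR;      /* new_top = old_top + nb + header (wraps for a huge nb) */
    t->size -= nb + CHUNK_HDR;
    return user;
}

/* Same operation behind the sanity check glibc 2.29 added ("malloc(): corrupted top size"):
 * a top size larger than what the arena owns cannot be legitimate, so it is refused. */
static uintptr_t carve_from_top_hardened(struct top_chunk *t, size_t nb) {
    if (t->size > t->system_mem)
        return 0;
    return carve_from_top(t, nb);
}

int main(void) {
    /* Constructed layout: top at 0x603000 with a forged size; target data at 0x602020 in an earlier chunk,
     * so we want new_top = 0x602010 and the following malloc to hand back 0x602020. */
    struct top_chunk t = { 0x603000, 0xffffffffffffffffUL, 0x21000 };
    size_t nb = request_for_target(t.addr, 0x602010);
    printf("nb = %#zx\n", nb);
    printf("legacy check: user=%#lx new_top=%#lx\n", (unsigned long)carve_from_top(&t, nb), (unsigned long)t.addr);
    struct top_chunk h = { 0x603000, 0xffffffffffffffffUL, 0x21000 };
    printf("hardened check: %s\n", carve_from_top_hardened(&h, nb) ? "allowed" : "refused");
    return 0;
}
```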

Requirements

So, what are our requirements?

  1. We can overflow the size header of the TOP chunk.
  2. We can control the size passed to our malloc().
  3. When you want to compute nb, be sure that the target area is also placed in the heap, just like the top chunk. Otherwise, you would need to leak the heap base to get the top chunk address first!

Recommended articles

Pediy articles

Practice helps me a lot

CTF Links
NTU-CTF-2017 bamboofox1
NTU-CTF-2017 baby-heap-revenge