# House of Lore | Small bin Attack

{{#include ../../banners/hacktricks-training.md}}

## Basic Information

### Code

- Check the one from [https://ctf-wiki.mahaloz.re/pwn/linux/glibc-heap/house_of_lore/](https://ctf-wiki.mahaloz.re/pwn/linux/glibc-heap/house_of_lore/)
  - This isn't working
- Or: [https://github.com/shellphish/how2heap/blob/master/glibc_2.39/house_of_lore.c](https://github.com/shellphish/how2heap/blob/master/glibc_2.39/house_of_lore.c)
  - This isn't working even if it tries to bypass some checks, getting the error: `malloc(): unaligned tcache chunk detected`
- This example is still working: [**https://guyinatuxedo.github.io/40-house_of_lore/house_lore_exp/index.html**](https://guyinatuxedo.github.io/40-house_of_lore/house_lore_exp/index.html)

### Goal

- Insert a **fake small chunk in the small bin so that it's then possible to allocate it**.\
  Note that the small chunk added is the fake one the attacker creates, not a fake chunk at an arbitrary position.

### Requirements

- Create 2 fake chunks and link them together and with the legit chunk in the small bin:
  - `fake0.bk` -> `fake1`
  - `fake1.fd` -> `fake0`
  - `fake0.fd` -> `legit` (you need to modify a pointer in the freed small bin chunk via some other vuln)
  - `legit.bk` -> `fake0`

Then you will be able to allocate `fake0`.

### Attack

- A small chunk (`legit`) is allocated, then another one is allocated to prevent consolidating with the top chunk. Then, `legit` is freed (moving it to the unsorted bin list) and a larger chunk is allocated, **moving `legit` to the small bin.**
- An attacker generates a couple of fake small chunks and makes the needed linking to bypass the sanity checks:
  - `fake0.bk` -> `fake1`
  - `fake1.fd` -> `fake0`
  - `fake0.fd` -> `legit` (you need to modify a pointer in the freed small bin chunk via some other vuln)
  - `legit.bk` -> `fake0`
- A small chunk is allocated to get `legit`, making **`fake0`** the next chunk to be served from that small bin.
- Another small chunk is allocated, getting `fake0` as a chunk, which potentially allows reading/writing pointers inside of it.

## References

- [https://ctf-wiki.mahaloz.re/pwn/linux/glibc-heap/house_of_lore/](https://ctf-wiki.mahaloz.re/pwn/linux/glibc-heap/house_of_lore/)
- [https://heap-exploitation.dhavalkapil.com/attacks/house_of_lore](https://heap-exploitation.dhavalkapil.com/attacks/house_of_lore)
- [https://guyinatuxedo.github.io/40-house_of_lore/house_lore_exp/index.html](https://guyinatuxedo.github.io/40-house_of_lore/house_lore_exp/index.html)