[Pwn] A Primer on House Of Muney
A few days ago, ZBR shared this repo. I hadn’t heard of it, but its exploitation power looked impressive, so here’s a brief analysis.
In short, House Of Muney bypasses ASLR and achieves code execution without any memory leak.
Its prerequisites are:
- Partial RELRO or No RELRO (we need to overwrite `.dynsym` to hijack `dl_resolve`)
- Ability to allocate large chunks via `mmap`
- Ability to forge a chunk's `prev_size` and `size` fields to flip the `IS_MMAPPED` bit
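A defender-side check for the first prerequisite, added here and not part of the original post or the house-of-muney repo: this Python parses an ELF64 image's program headers and `.dynamic` section and classifies its RELRO level the way checksec does, so you can tell whether a binary still has the writable lazy-binding tables the technique needs. The `build_elf` helper fabricates minimal ELF images purely as constructed test input; the little-endian x86-64 layout is an assumption.

```python
import struct

# ELF64 little-endian constants (assumption: x86-64 binaries, as in the Docker image)
PT_DYNAMIC, PT_GNU_RELRO = 2, 0x6474E552
DT_NULL, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 0, 24, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW = 0x8, 0x1


def relro_level(elf: bytes) -> str:
    """Return 'Full', 'Partial' or 'None' for an ELF64 LE image (checksec's rule:
    Full = PT_GNU_RELRO plus BIND_NOW, Partial = PT_GNU_RELRO alone). Partial or
    None leaves the lazy-binding tables writable, the first House of Muney prerequisite."""
    if elf[:4] != b"\x7fELF" or elf[4] != 2 or elf[5] != 1:
        raise ValueError("not a little-endian ELF64 image")
    (e_phoff,) = struct.unpack_from("<Q", elf, 0x20)
    e_phentsize, e_phnum = struct.unpack_from("<HH", elf, 0x36)
    has_relro, dyn = False, None
    for i in range(e_phnum):  # walk the program headers
        p_type, _, p_off, _, _, p_filesz = struct.unpack_from(
            "<IIQQQQ", elf, e_phoff + i * e_phentsize)
        if p_type == PT_GNU_RELRO:
            has_relro = True
        elif p_type == PT_DYNAMIC:
            dyn = (p_off, p_filesz)
    if not has_relro:
        return "None"
    bind_now = False
    for pos in (range(dyn[0], dyn[0] + dyn[1], 16) if dyn else ()):
        d_tag, d_val = struct.unpack_from("<qQ", elf, pos)  # one Elf64_Dyn entry
        if d_tag == DT_NULL:
            break
        if d_tag == DT_BIND_NOW or (d_tag == DT_FLAGS and d_val & DF_BIND_NOW) \
                or (d_tag == DT_FLAGS_1 and d_val & DF_1_NOW):
            bind_now = True
    return "Full" if bind_now else "Partial"


def build_elf(relro: bool, bind_now: bool) -> bytes:
    """Constructed minimal ELF64 image (header, phdrs, .dynamic); a stand-in, not a real binary."""
    dyn = struct.pack("<qQ", DT_FLAGS, DF_BIND_NOW if bind_now else 0)
    dyn += struct.pack("<qQ", DT_NULL, 0)
    phnum = 2 if relro else 1
    hdr = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)  # e_ident: ELFCLASS64, ELFDATA2LSB
    hdr += struct.pack("<HHIQQQIHHHHHH", 3, 62, 1, 0, 64, 0, 0, 64, 56, phnum, 0, 0, 0)
    ph = struct.pack("<IIQQQQQQ", PT_DYNAMIC, 6, 64 + 56 * phnum, 0, 0, len(dyn), len(dyn), 8)
    if relro:
        ph += struct.pack("<IIQQQQQQ", PT_GNU_RELRO, 4, 0, 0, 0, 0, 0, 1)
    return hdr + ph + dyn
```

To check a real file, read it with `open(path, "rb").read()` and pass the bytes to `relro_level`; `readelf -d` and `readelf -l` give the same picture by hand.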
We’ll use glibc 2.31 in Docker. Here’s a sample Dockerfile:
FROM ubuntu:20.04
ENV DEBIAN_FRONTEND noninteractive
RUN apt-get update -y && apt-get install -y socat gdb vim tmux python3 python3-pip
RUN apt-get install -y git build-essential libssl-dev libffi-dev libxml2-dev libxslt1-dev zlib1g-dev patchelf python3-dev
RUN pip3 install pwntools
RUN git clone https://github.com/pwndbg/pwndbg && cd pwndbg && ./setup.sh
RUN echo "set auto-load safe-path /" >> /root/.gdbinit
RUN git clone https://github.com/mdulin2/house-of-muney
RUN cd house-of-muney && ./compile.sh