
[Pwn] A Primer on House Of Muney

· 4 min read
MuelNova
Pwner who wants to write codes.

A few days ago, ZBR shared this repo with me (https://github.com/mdulin2/house-of-muney). I had not heard of it before, but its exploitation power looked impressive, so here is a brief analysis.

In short, House Of Muney bypasses ASLR and achieves code execution without any information leak: no libc, heap or stack address has to be read out first.

Its prerequisites are:

  • Partial RELRO or No RELRO on the binary, so that imported functions are still resolved lazily at call time (the technique overwrites libc's .dynsym so that the lazy resolver, _dl_runtime_resolve, returns an attacker-chosen address)
  • Ability to request chunks large enough (above mmap_threshold) that malloc serves them with a dedicated mmap()
  • Ability to overwrite a chunk's prev_size and size fields, in particular to set the IS_MMAPPED bit, so that free() takes the munmap path and unmaps an attacker-chosen range
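To make the third prerequisite concrete, here is an added example (not code from the house-of-muney repository or from the original post). It shows the IS_MMAPPED bit on a real large allocation, and it mirrors the arithmetic and sanity checks of glibc 2.31's munmap_chunk(), the routine free() calls when that bit is set, so you can see which forged prev_size/size values survive the checks and what range free() would then hand to munmap(). The function names and the header values are constructed for the illustration; the layout assumes glibc's malloc_chunk header on a 64-bit little-endian Linux build.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define IS_MMAPPED  0x2   /* bit 1 of the size field */
#define SIZE_BITS   0x7   /* PREV_INUSE | IS_MMAPPED | NON_MAIN_ARENA */

/* Read the size field of the malloc_chunk header just before a malloc()ed
 * pointer (glibc layout: prev_size, size, then user data). */
static size_t chunk_size_field(const void *mem) {
    size_t sz;
    memcpy(&sz, (const char *)mem - sizeof(size_t), sizeof sz);
    return sz;
}

/* Does glibc treat this chunk as one it obtained directly from mmap()? */
int chunk_is_mmapped(const void *mem) {
    return (chunk_size_field(mem) & IS_MMAPPED) != 0;
}

/* Hypothetical mirror of glibc 2.31 munmap_chunk(): given the chunk address
 * and attacker-controlled prev_size/size header values, compute the range
 * [block, block + total) that free() would pass to munmap(). Returns 0 on
 * success, -1 where free() would not reach munmap() at all (bit clear) or
 * would abort with "munmap_chunk(): invalid pointer". */
int forged_munmap_range(uintptr_t chunk, size_t prev_size, size_t size_field,
                        uintptr_t *block_out, size_t *total_out) {
    size_t pagesize = (size_t)sysconf(_SC_PAGESIZE);
    size_t size = size_field & ~(size_t)SIZE_BITS;   /* chunksize(p)        */
    uintptr_t mem = chunk + 2 * sizeof(size_t);        /* chunk2mem(p)        */
    uintptr_t block = chunk - prev_size;               /* p - prev_size(p)    */
    size_t total = prev_size + size;                   /* prev_size(p) + size */
    size_t mem_off = mem & (pagesize - 1);

    if (!(size_field & IS_MMAPPED))
        return -1;
    /* block and total must both be page aligned ... */
    if (((block | total) & (pagesize - 1)) != 0)
        return -1;
    /* ... and the user pointer's offset inside its page must be a power of
     * two (0x10 for a genuine mmapped chunk): glibc's !powerof2() check. */
    if (((mem_off - 1) & mem_off) != 0)
        return -1;

    *block_out = block;
    *total_out = total;
    return 0;
}

int main(void) {
    /* A 1 MiB request is above the default mmap_threshold (128 KiB), so
     * glibc serves it with its own mmap() and sets IS_MMAPPED. */
    void *big = malloc(0x100000);
    void *small = malloc(0x20);
    printf("1 MiB chunk: size field 0x%zx, IS_MMAPPED=%d\n",
           chunk_size_field(big), chunk_is_mmapped(big));
    printf("0x20 chunk:  size field 0x%zx, IS_MMAPPED=%d\n",
           chunk_size_field(small), chunk_is_mmapped(small));

    /* Constructed header values: a chunk at a page-aligned address whose
     * forged prev_size makes free() unmap 0x20000 bytes *before* the chunk
     * as well as the 0x10000 bytes the chunk itself claims to cover. */
    uintptr_t block;
    size_t total;
    if (forged_munmap_range(0x700000, 0x20000, 0x10000 | IS_MMAPPED,
                            &block, &total) == 0)
        printf("free() would munmap(0x%lx, 0x%zx)\n",
               (unsigned long)block, total);
    free(big);
    free(small);
    return 0;
}
```

The point of the forged-range calculation is that prev_size lets the attacker move the start of the unmapped region backwards from the chunk: with a chunk placed right after a library mapping, a suitable prev_size makes free() unmap the tail of that library, which is the hole House Of Muney later refills with a controlled mmap chunk.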

We will use glibc 2.31 in Docker (Ubuntu 20.04 ships that version). Here is a sample Dockerfile:

# Ubuntu 20.04 ships glibc 2.31, the version this post targets
FROM ubuntu:20.04
ENV DEBIAN_FRONTEND noninteractive
# socat to expose the target over a socket, gdb/tmux for debugging
RUN apt-get update -y && apt-get install -y socat gdb vim tmux python3 python3-pip
# build dependencies for pwntools, plus patchelf to run binaries against a chosen libc
RUN apt-get install -y git build-essential libssl-dev libffi-dev libxml2-dev libxslt1-dev zlib1g-dev patchelf python3-dev
RUN pip3 install pwntools
# pwndbg gives gdb heap-aware commands (heap, bins, vis_heap_chunks)
RUN git clone https://github.com/pwndbg/pwndbg && cd pwndbg && ./setup.sh
RUN echo "set auto-load safe-path /" >> /root/.gdbinit
# the House Of Muney proof-of-concept repository and its build script
RUN git clone https://github.com/mdulin2/house-of-muney
RUN cd house-of-muney && ./compile.sh

Exploiting Off-by-null

· 6 min read
MuelNova

For some reason I never documented these techniques before, so every time I run into one of these challenges I end up working it out from scratch again.

This post focuses on exploitation under glibc 2.23 and 2.31. Version 2.27 is handled like 2.23 (just fill the tcache first so that freed chunks reach the other bins), and 2.29 is handled like 2.31 (the tcache key check is the one extra thing to account for).

This assumes you already have a solid foundation in glibc heap allocation; the article emphasises methods over theory.

The challenges covered here share these features:

  • An off-by-null vulnerability (a single NUL byte written one past the end of a buffer)
  • An almost unlimited number of allocations
  • Allocation sizes that are effectively unlimited, or that at least reach the largebin range
  • No edit function, or only a single edit allowed
  • Only one show (view) operation. Technically you can do without it, but setting up the heap then becomes so tedious that you would rather go to sleep
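As an added illustration of the first feature (not code from the original post), here is the bug pattern an off-by-null challenge is built around: a read routine that writes its terminating NUL one byte past the buffer, next to a hardened version, both run against a constructed model of two neighbouring chunks. It assumes the glibc chunk layout (the user data of one chunk is directly followed by the size field of the next) and a little-endian build; the function names are hypothetical.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define PREV_INUSE 0x1

/* Vulnerable reader in the style of a CTF "add/edit" handler: it copies up
 * to n bytes and then unconditionally terminates at dst[i]. When the input
 * fills the buffer, i == n and the terminator lands one byte past the end.
 * Returns the number of payload bytes copied. */
size_t read_line_vuln(char *dst, size_t n, const char *src) {
    size_t i = 0;
    while (i < n && src[i] != '\0' && src[i] != '\n') {
        dst[i] = src[i];
        i++;
    }
    dst[i] = '\0';      /* BUG: off-by-null when i == n */
    return i;
}

/* Hardened reader: keeps the last byte of the buffer for the terminator. */
size_t read_line_safe(char *dst, size_t n, const char *src) {
    size_t i = 0;
    if (n == 0)
        return 0;
    while (i < n - 1 && src[i] != '\0' && src[i] != '\n') {
        dst[i] = src[i];
        i++;
    }
    dst[i] = '\0';      /* i <= n - 1: always inside the buffer */
    return i;
}

/* Constructed model of two neighbouring glibc chunks: 0x18 usable bytes of
 * the first chunk, immediately followed by the size field of the second
 * (size 0x100 with PREV_INUSE set, i.e. 0x101). Fill the first chunk with a
 * buffer-sized payload through the given reader and return the neighbour's
 * size field afterwards. On a little-endian target the stray NUL clears the
 * low byte, which is where the flag bits live. */
size_t next_size_after(size_t (*reader)(char *, size_t, const char *)) {
    char region[0x18 + sizeof(size_t)];
    size_t next_size = 0x100 | PREV_INUSE;
    char payload[0x19];

    memset(payload, 'A', 0x18);
    payload[0x18] = '\0';
    memcpy(region + 0x18, &next_size, sizeof next_size);
    reader(region, 0x18, payload);
    memcpy(&next_size, region + 0x18, sizeof next_size);
    return next_size;
}

int main(void) {
    printf("vulnerable reader: next chunk size 0x%zx (PREV_INUSE cleared)\n",
           next_size_after(read_line_vuln));
    printf("hardened reader:   next chunk size 0x%zx (untouched)\n",
           next_size_after(read_line_safe));
    return 0;
}
```

Clearing PREV_INUSE on the following chunk is what makes the bug exploitable: the allocator now believes the chunk before it is free, so a later free() of that neighbour will try to consolidate backwards using the prev_size field, which the same overflowing buffer also controls. That backward consolidation is the starting point for the techniques the rest of the post walks through.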