Download ubuntu package using link: https://launchpad.net/ubuntu/jammy/amd64/libc6-dbg/2.35-0ubuntu3.6 reuse this link and replace package name to get direct download links.. archive only shows latest patch version for reasons(tm). House of muney exploit: - allocate mmap'd heap chunk by making size larger than mmap_threshold allocated chunk has size 0x3d000, so we flip two bits to 0x5d000 (pew, pew) that gives us 0x40000 to libc base and 0x1d000 into the libc address space which is perfect for House of Muney exploit (after dynsym end, before plt etc) there is a heap chunk mapped by libc for thread-local variables between our chunk and the start of libc.. this prevents us from unmapping our modified heap chunk, since it would unmap thread-local variables such as errno (e.g. which is accessed right after munmap!) but.. maybe there is something interesting in thread local chunk.. maybe the exit handler is stored there? nope there is no info leak.. even puts() on the line_buf is called directly after read_line, meaning it has to be null-terminated (except if we close stdin.. but then we cant use the info-leak anymore) source analysis: - add_note assigns to sizes[i] the size of the buffer without its terminator, since the return value assignment happens after the internal one to the &sizes[i] pointer. - edit_note has a 1 byte (fixed-value) overwrite, since *size == sizes[index] + 2 is allowed. the trailing newline is removed in memcpy, meaning sizes[index]+1 bytes can be written to the field. but there is an implicit null terminator part of the string.. so it does not allow OOB write, just a 'clean' overwrite of the data without terminators. - remove_note is missing a sizes[index] == 0 and as such does not prevent a double free - flip_bit only checks wether the notes pointer != NULL, not wether it was freed.. this means we can flip a bit in a freed chunk use how2heap repo to find examples exploits for vulnerable libc version 2.35 - fastbin_dup: fastbin free(a) + free(b) + free(a) - fastbin_dup_consolidate: consolidate + double-free => chunk overlap - fastbin_dup + write => arbitrary malloc (fastbin_dup_into_stack / anywhere) - house of botcake: consolidate + double-free => chunk overlap with one in tcache - house of muney: mmap chunk in front of libc, modify size field, munmap + remap to write into libc - house of spirit: free artificial fake chunk into fastbin - mmap_overlapping_chunks: (could give more precise munmap control) - tcache_house_of_spirit: easier fake chunk into tcache - why do you see calloc() in some heap exploitation writeups / how2heap? => calloc has an optimization, where if the region above the top chunk has not been used yet, splitting the top chunk is preferred to getting a potentially dirty chunk from tcache that would need to be cleared.. - once we have rip control, we can use a one gadget from the libc - merge mmap chunk near heap, then free to tcache - maybe we flip a bit in the exit handler 0x1400 to jump back into main (e.g 0x1200) - the exit handler stays registered and we keep our pointers allowing us # Nomal House of Muney does not work here, because it would unmap errno. Perhaps we can use the fact that stdin buf is on the stack.. we could flip the pointer from libc RW section to overwrite stack variables and ROP?