house_of_rabbit #61

Open
m1ghtym0 opened this issue Sep 19, 2017 · 4 comments
@m1ghtym0
Member

Saw this today: http://shift-crops.hatenablog.com/entry/2017/09/17/213235
Will try to create an example here when I find the time

@n30m1nd
Contributor

n30m1nd commented Sep 19, 2017

There is already a PoC in the webpage itself (just in case you haven't seen it): House of Rabbit.
It seems quite impractical without a scripting environment, as you would need to write three times to the variable you control, but really interesting nonetheless. Kudos for the creativity!

@n30m1nd
Contributor

n30m1nd commented Sep 22, 2017

I have been doing further analysis on this, and it is a very similar vector to the house of force in the sense that it will trick the allocator into letting us do a malloc of a huge size which will wrap around to our desired position.
However, it does not really defeat ASLR, as the variables are always at the same offset from one another, and they are sitting in non-randomised data sections (.BSS and .data).
In this asciinema you can see the program running for a few seconds, where target and gbuf are always at the same positions and offsets.
Other than overwriting variables in the global data sections (which already are not randomised), I don't see any ASLR bypass as all other addresses are randomised properly.

@Eterna1
Contributor

Eterna1 commented Nov 11, 2017

House of rabbit won't be included here because there is already a POC on the internet, or because the attack is impractical? Asking because I've found a POC of another (very interesting to me) attack.

@m1ghtym0
Member Author

No, I simply didn't have the time to deal with it yet. In general there is nothing that would speak against including it, if it is a novel way of exploiting the heap. However, I'm not super happy about attacks like house_of_orange, because even though they are super awesome techniques, they result from some specific exploit case and include multiple techniques to achieve certain states, and most of them are not really novel by themselves. Still, they are super fun and astonishing attacks, but maybe we should split them up more clearly to fit better into the idea of how2heap.
