Skip to content

House of Eggs#227

Closed
4f3rg4n wants to merge 1 commit intoshellphish:masterfrom
4f3rg4n:patch-5
Closed

House of Eggs#227
4f3rg4n wants to merge 1 commit intoshellphish:masterfrom
4f3rg4n:patch-5

Conversation

@4f3rg4n
Copy link
Copy Markdown
Contributor

@4f3rg4n 4f3rg4n commented Jan 17, 2026

Implement House of Eggs, a newer heap technique that leverages a UAF write primitive for RCE.

@4f3rg4n
Add a House of Eggs implementation for glibc 2.39
f1799aa 
Implement House of Eggs leveraging UAF write primitive for RCE.
@Kyle-Kyle
Copy link
Copy Markdown
Contributor

Kyle-Kyle commented Jan 17, 2026

A few comments:

  • we discourage doing things like free(large_end-0x10);, because this is an implicit invalid free primitive. We made an exception for house-of-water because 1.it is achievable from a double-free primitive 2. the technique abuses the tcache_perthread_struct in a smart way that may inspire other techniques. So we document the simulation of the arbitrary-free/invalid-free primitive clearly in the technique
  • FSOP is out-of-scope for this repo: there are so many heap techniques and FSOP techniques, if we track the combination of them, this repo will not be maintainable. We usually stop at arbitrary allocation or chunk overlapping. For how to obtain shell after overwriting IO_FILE, I recommend removing the details from the technique and just mention that you can use FSOP to get shell (I think the wide_data vtable variant is quite well-known, there is no need to stress it again in this repo).

@4f3rg4n
Copy link
Copy Markdown
Contributor Author

4f3rg4n commented Jan 18, 2026

Thanks for the really fast response, I appreciate it.

I'll focus on the FSOP since I've seen you did something similar in the House of Orange code, so I'm just wondering which FSOP techniques you prefer to use and which ones you avoid...

@Kyle-Kyle
Copy link
Copy Markdown
Contributor

Kyle-Kyle commented Jan 18, 2026
edited
Loading

The house-of-orange technique is there because that was the only FSOP technique back then, so we kept it for historical reasons. After that, FSOP exploded and it became hard to track the combinations of heap techniques and FSOP techniques, so we want to avoid it in this repo.
I'd be nice to have a separate repo that tracks FSOP techniques though.

@4f3rg4n
Copy link
Copy Markdown
Contributor Author

4f3rg4n commented Jan 18, 2026

Thanks! really appreciate your work guys.
closing PR.

@4f3rg4n 4f3rg4n closed this Jan 18, 2026
@oliness
Copy link
Copy Markdown

oliness commented Jan 18, 2026

The house-of-orange technique is there because that was the only FSOP technique back then, so we kept it for historical reasons. After that, FSOP exploded and it became hard to track the combinations of heap techniques and FSOP techniques, so we want to avoid it in this repo. I'd be nice to have a separate repo that tracks FSOP techniques though.

I've made a new repo: https://github.com/oliness/fsop2shell

That can become a repository of FSOP techniques. @4f3rg4n do you want to put House of Eggs code there, we can fill out the repo for different libc's, architectures, etc.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@4f3rg4n @Kyle-Kyle @oliness