Merge pull request #1803 from HackTricks-wiki/research_update_src_binary-exploitation_libc-heap_house-of-spirit_20260124_125257

carlospolop · web-flow · commit 878a505bf5b9 · 2026-01-24T14:16:22.000+01:00
Research Update Enhanced src/binary-exploitation/libc-heap/h...
diff --git a/src/binary-exploitation/libc-heap/house-of-spirit.md b/src/binary-exploitation/libc-heap/house-of-spirit.md
@@ -64,6 +64,7 @@ int main() {
 ### Requirements
 
 - This attack requires an attacker to be able to create a couple of fake fast chunks indicating correctly the size value of it and then to be able to free the first fake chunk so it gets into the bin.
+- With **tcache (glibc ≥2.26)** the attack is even simpler: only one fake chunk is needed (no next-chunk size check is performed on the tcache path) as long as the fake chunk is 0x10-aligned and its size field falls in a valid tcache bin (0x20-0x410 on x64).
 
 ### Attack
 
@@ -72,6 +73,9 @@ int main() {
 
 **The code from** [**guyinatuxedo**](https://guyinatuxedo.github.io/39-house_of_spirit/house_spirit_exp/index.html) **is great to understand the attack.** Although this schema from the code summarises it pretty good:
 
+<details>
+<summary>Fake chunk layout</summary>
+
 ```c
 /*
     this will be the structure of our two fake chunks:
@@ -96,9 +100,30 @@ int main() {
 */
 ```
 
+</details>
+
 > [!TIP]
 > Note that it's necessary to create the second chunk in order to bypass some sanity checks.
 
+### Tcache house of spirit (glibc ≥2.26)
+
+- On modern glibc the **tcache fast-path** calls `tcache_put` before validating the next chunk size/`prev_inuse`, so only the current fake chunk has to look sane.
+- Requirements:
+  - Fake chunk must be **16-byte aligned** and not marked `IS_MMAPPED`/`NON_MAIN_ARENA`.
+  - `size` must belong to a tcache bin and include the **prev_inuse bit set** (`size | 1`).
+  - Tcache for that bin must not be full (default max 7 entries).
+- Minimal PoC (stack chunk):
+```c
+unsigned long long fake[6] __attribute__((aligned(0x10)));
+// chunk header at fake[0]; usable data starts at fake+2
+fake[1] = 0x41;              // fake size (0x40 bin, prev_inuse=1)
+void *p = &fake[2];          // points inside fake chunk
+free(p);                     // goes straight into tcache
+void *q = malloc(0x30);      // returns stack address fake+2
+```
+- **Safe-linking** is not a barrier here: the forward pointer stored in tcache is automatically encoded as `fd = ptr ^ (heap_base >> 12)` during `free`, so the attacker does not need to know the key when using a single fake chunk.
+- This variant is handy when glibc hooks were removed (≥2.34) and you want a fast arbitrary write or to overlap a target buffer (e.g., stack/BSS) with a tcache chunk without creating additional corruptions.
+
 ## Examples
 
 - **CTF** [**https://guyinatuxedo.github.io/39-house_of_spirit/hacklu14_oreo/index.html**](https://guyinatuxedo.github.io/39-house_of_spirit/hacklu14_oreo/index.html)
@@ -114,8 +139,6 @@ int main() {
 ## References
 
 - [https://heap-exploitation.dhavalkapil.com/attacks/house_of_spirit](https://heap-exploitation.dhavalkapil.com/attacks/house_of_spirit)
+- [https://github.com/shellphish/how2heap/blob/master/glibc_2.34/tcache_house_of_spirit.c](https://github.com/shellphish/how2heap/blob/master/glibc_2.34/tcache_house_of_spirit.c)
 
 {{#include ../../banners/hacktricks-training.md}}
-
-
-
