src/binary-exploitation/libc-heap/house-of-roman.md
5 additions & 3 deletions
@@ -8,7 +8,7 @@ This was a very interesting technique that allowed for RCE without leaks via fak
### Applicability in 2026
-
-**glibc window:** Works reliably on **2.23–2.28**. On**2.29** the additional `unsorted_chunks`integrity checks make the unsorted‑bin write unreliable, so success drops sharply. From **2.34** onward `__malloc_hook/__free_hook` were removed, making the original target unavailable. Use it only on old libc’s (or custom builds that keep the hooks) or for CTF challenges that ship an old libc.
+
-**glibc window:** Works reliably on **2.23–2.27** (the how2heap PoC tested 2.23–2.25). Starting**2.28**, the "additional checks for unsorted bin integrity" patch makes the unsorted‑bin write unreliable, so success drops sharply. From **2.34** onward `__malloc_hook/__free_hook` were removed, making the original target unavailable. Use it only on old libc's (or custom builds that keep the hooks) or for CTF challenges that ship an old libc.
-**Tcache era (≥2.26):** Tcache will eat your 0x70 allocations and stop the fastbin/unsorted primitives. Disable it (`setenv("GLIBC_TUNABLES","glibc.malloc.tcache_count=0",1);`) **before** any allocation or fill each 0x70 tcache bin with 7 frees to drain it.
-**Safe-linking:** It applies to tcache/fastbin in ≥2.32, but House of Roman only needs **partial pointer overwrite of a libc address already present in fd/bk**, so safe-linking does not help the defender here (the attacker never forges a fresh pointer). The real stopper is the hook removal and the unsorted-bin checks.
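Review bot: the glibc version for the unsorted-bin integrity checks moves from 2.29 (removed line) to 2.28 (added line), but nothing in the hunk backs the change; please cite the glibc commit or release notes for the "additional checks for unsorted bin integrity" patch in References so the window can be verified, and likewise link the how2heap PoC that the new text says was tested on 2.23–2.25. Style: `Starting**2.28**` is missing the space before the bold (`Starting **2.28**`), the same defect the removed line had with `On**2.29**`. Since the unchanged `Tcache era (≥2.26)` bullet says tcache breaks the primitives, the stated 2.23–2.27 window should say it assumes tcache is disabled or drained as that bullet describes.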
@@ -117,9 +117,9 @@ Finally, once the correct address is overwritten, **call `malloc` and trigger th
## Modern tips & variants
-
-**Unsorted-bin check in 2.29+:**If you must run on 2.29–2.33, corrupt both `fd`**and**`bk` to satisfy the integrity check before triggering the write; otherwise `_int_malloc` aborts. Success rate is very low and usually only viable in brute-force CTF settings.
+
-**Unsorted-bin hardening (2.28+):**The extra integrity checks on unsorted chunks (size sanity + list linkage) make the classic unsorted‑bin write fragile. To survive `_int_malloc`, you must keep `fd/bk` links consistent and sizes plausible, which usually requires stronger primitives than a simple partial overwrite.
-**Hook removal (2.34+):** With `__malloc_hook` gone, adapt the primitive to land on any writable GOT/global you can later reuse (e.g., overwrite `exit@GOT` in non-PIE binaries) or pivot to a **House of Pie** style top‑chunk hijack to control `top` instead of a hook.
-
-**Any‑address fastbin alloc (2024 gist):**A recent writeup shows reusing the same grooming to fastbin‑allocate over `__free_hook` or other globals by first landing a libc pointer in fastbin and then re‑pointing it before the fixup. This works on 2.24–2.28 but still dies on 2.29 integrity checks.
+
-**Any‑address fastbin alloc (romanking98 writeup):**The second part shows repairing the 0x71 freelist and using the unsorted‑bin write to land a fastbin allocation over `__free_hook`, then placing `system("/bin/sh")` and triggering it via `free()`on libc‑2.24 (pre-hook removal).
## References
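Review bot: both added bullets, `**Unsorted-bin hardening (2.28+):**The` and `**Any‑address fastbin alloc (romanking98 writeup):**The`, are missing the space after the closing `**`, unlike the unchanged `**Hook removal (2.34+):** With` bullet; fix to `:** The`. The `2.28+` in the new heading must stay in sync with whatever version the first hunk settles on for the unsorted-bin checks, since both hunks move 2.29 to 2.28 together. The romanking98 writeup is named in prose but not linked here; confirm the References hunk adds its URL and removes the entry for the "2024 gist" that the removed bullet cited, otherwise the reference list will point at a source the body no longer mentions.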
@@ -128,5 +128,7 @@ Finally, once the correct address is overwritten, **call `malloc` and trigger th