House of Roman—a "leakless" heap fengshui to achieve RCE on PIE Binaries

Conference: Defcon 26



The presentation discusses a technique, House of Roman, that uses partial overwrites of heap pointers to achieve a complete RCE on PIE binaries. The technique is versatile and applicable to many different scenarios.
  • The technique chains a series of partial overwrites, rather than an information leak, to achieve a complete RCE on PIE binaries
  • The server never needs to send any data back to the attacker, so the exploit works even if stdout has been closed
  • A single bug such as a UAF, a dangling pointer, or an off-by-one is enough to make the program exploitable
  • The attack plan is to partially overwrite heap metadata to gain control of three chunks, write a libc address into __malloc_hook, and trigger a double free so that the hook is invoked and calls the magic gadget
  • The presenter posted a detailed analysis on their GitHub page
The presenter demonstrated the technique on a simple UAF bug, which nonetheless turns out to be a severe one. They built a basic binary with three functions: malloc, write, and free. The program takes a size, mallocs a chunk of that size, then reads user data and stores it on the heap. The presenter explained how the ptmalloc2 algorithm works and how to exploit the binary using the partial overwrite technique.
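The summary above leans on one mechanism: overwriting only the low bytes of an existing libc pointer so that it points somewhere else in libc without ever having leaked its value. The following C program is an added example, not code from the talk or its repository, and it does not touch the real allocator. It models a single 8-byte pointer (for instance a fastbin fd that already holds a libc address) and shows, for 1-, 2- and 3-byte overwrites, how many bits an attacker has to guess. The assumptions are stated in the comments: 4 KiB pages, so ASLR leaves the low 12 bits of every libc address fixed, and the libc offsets used are made up for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Added example, not code from the talk or its repository: a user-space
 * model of the partial pointer overwrite that House of Roman relies on.
 * Nothing here touches the real allocator.  One 8-byte little-endian
 * pointer (think: a fastbin fd that already holds a libc address) is
 * retargeted by overwriting only its n lowest bytes.
 * Assumptions: 4 KiB pages, so ASLR never changes the low 12 bits of a
 * libc address; the offsets below are made up for illustration. */

#define PAGE_BITS 12u

/* Replace the n least-significant bytes of ptr with the n low bytes of
 * payload.  On x86-64 these are the first n bytes of the pointer in
 * memory, i.e. exactly what a short write into a chunk's fd field hits. */
static uint64_t partial_overwrite(uint64_t ptr, uint64_t payload, size_t n)
{
    uint64_t mask = (n >= 8) ? ~0ULL : ((1ULL << (8 * n)) - 1);
    return (ptr & ~mask) | (payload & mask);
}

/* Bits the attacker must guess when overwriting n low bytes: everything
 * written above the page offset is randomised by ASLR. */
static unsigned bits_to_guess(size_t n)
{
    unsigned written = 8u * (unsigned)n;
    return written > PAGE_BITS ? written - PAGE_BITS : 0;
}

/* One attempt.  The pointer sits at libc base + have and the attacker
 * wants it to point at libc base + want.  Both offsets are known from
 * the libc build; the base is not.  The payload carries the known page
 * offset of the target plus `guess` for the randomised bits. */
static int attempt(uint64_t base, uint64_t have, uint64_t want, size_t n, unsigned guess)
{
    uint64_t ptr = base + have;
    uint64_t target = base + want;
    uint64_t payload = (target & ((1ULL << PAGE_BITS) - 1)) | ((uint64_t)guess << PAGE_BITS);
    return partial_overwrite(ptr, payload, n) == target;
}

/* Try every possible guess for one ASLR base and count the hits.
 * 1 hit means a 2^-bits_to_guess(n) brute force; 0 means n bytes cannot
 * reach the target from this pointer at all. */
static unsigned count_hits(uint64_t base, uint64_t have, uint64_t want, size_t n)
{
    unsigned hits = 0;
    for (unsigned g = 0; g < (1u << bits_to_guess(n)); g++)
        hits += attempt(base, have, want, n, g);
    return hits;
}

int main(void)
{
    /* Two page-aligned bases standing in for different ASLR outcomes. */
    uint64_t bases[] = { 0x7ffff7a0d000ULL, 0x7f2c3e412000ULL };
    uint64_t have = 0x3c4b20;  /* where the existing libc pointer points (made up) */
    uint64_t near = 0x3c4b78;  /* target differing only in the low byte */
    uint64_t far  = 0x3c4aed;  /* target differing in the low two bytes */

    for (size_t i = 0; i < 2; i++) {
        printf("base %#llx\n", (unsigned long long)bases[i]);
        printf("  1-byte overwrite to %#llx: %u hit(s), %u bit(s) guessed\n",
               (unsigned long long)near, count_hits(bases[i], have, near, 1), bits_to_guess(1));
        printf("  1-byte overwrite to %#llx: %u hit(s)\n",
               (unsigned long long)far, count_hits(bases[i], have, far, 1));
        printf("  2-byte overwrite to %#llx: %u hit(s) out of %u guesses\n",
               (unsigned long long)far, count_hits(bases[i], have, far, 2), 1u << bits_to_guess(2));
    }
    return 0;
}
```

The one-byte case is deterministic whenever source and target differ only in their lowest byte; the two-byte case costs 4 bits of brute force because bits 12 to 15 of the address are randomised, and each additional byte adds another 8 bits. This is why the talk stresses aligning the heap so that the pointers it needs sit close to their targets.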


Regarding ptmalloc2, many heap exploitation techniques have been invented in recent years, well documented on the famous how2heap repository or as writeups of famous CTF challenges (like House of Orange). However, most of them require at least a libc/heap leak, or fail in non-PIE binaries. My new technique titled House of Roman leverages a single bug to gain shell leaklessly on a PIE-enabled binary. I shall showcase the ease of aligning the heap to perform this attack, thus demonstrating its versatility. Since this is a 20-minute talk, attendees should be aware of basic heap exploitation techniques, like fastbin attacks and unsorted bin attacks, and have a general idea of how the ptmalloc2 algorithm works. As a bonus, I also discuss how to land a fastbin chunk in memory regions with no size alignment (like __free_hook).


