# House of Roman {{#include ../../banners/hacktricks-training.md}} ## Basic Information Hii ilikuwa mbinu ya kuvutia sana ambayo iliruhusu RCE bila leaks kupitia fake fastbins, shambulio la unsorted_bin na overwrites za relative. Hata hivyo imekuwa [**patched**](https://sourceware.org/git/?p=glibc.git;a=commitdiff;h=b90ddd08f6dd688e651df9ee89ca3a69ff88cd0c). ### Code - Unaweza kupata mfano katika [https://github.com/shellphish/how2heap/blob/master/glibc_2.23/house_of_roman.c](https://github.com/shellphish/how2heap/blob/master/glibc_2.23/house_of_roman.c) ### Goal - RCE kwa kutumia pointers za relative ### Requirements - Hariri fastbin na pointers za unsorted bin - Bits 12 za randomness lazima zishindwe (0.02% nafasi) kufanya kazi ## Attack Steps ### Part 1: Fastbin Chunk points to \_\_malloc_hook Unda chunks kadhaa: - `fastbin_victim` (0x60, offset 0): UAF chunk baadaye kuhariri pointer ya heap ili kuelekeza kwenye thamani ya LibC. - `chunk2` (0x80, offset 0x70): Kwa usawa mzuri - `main_arena_use` (0x80, offset 0x100) - `relative_offset_heap` (0x60, offset 0x190): relative offset kwenye chunk ya 'main_arena_use' Kisha `free(main_arena_use)` ambayo itaweka chunk hii kwenye orodha isiyo na mpangilio na itapata pointer kwa `main_arena + 0x68` katika pointers za `fd` na `bk`. Sasa inatolewa chunk mpya `fake_libc_chunk(0x60)` kwa sababu itakuwa na pointers kwa `main_arena + 0x68` katika `fd` na `bk`. Kisha `relative_offset_heap` na `fastbin_victim` zinatolewa. ```c /* Current heap layout: 0x0: fastbin_victim - size 0x70 0x70: alignment_filler - size 0x90 0x100: fake_libc_chunk - size 0x70 (contains a fd ptr to main_arena + 0x68) 0x170: leftover_main - size 0x20 0x190: relative_offset_heap - size 0x70 bin layout: fastbin: fastbin_victim -> relative_offset_heap unsorted: leftover_main */ ``` - `fastbin_victim` ina `fd` inayoelekeza kwenye `relative_offset_heap` - `relative_offset_heap` ni offset ya umbali kutoka `fake_libc_chunk`, ambayo ina pointer kwa `main_arena + 0x68` - Kubadilisha byte ya mwisho ya `fastbin_victim.fd` inawezekana kufanya `fastbin_victim points` kwa `main_arena + 0x68` Kwa hatua za awali, mshambuliaji anahitaji kuwa na uwezo wa kubadilisha pointer ya fd ya `fastbin_victim`. Kisha, `main_arena + 0x68` si ya kuvutia sana, hivyo hebu ibadilishe ili pointer ielekeze kwenye **`__malloc_hook`**. Kumbuka kwamba `__memalign_hook` kwa kawaida huanza na `0x7f` na sifuri kabla yake, kisha inawezekana kuificha kama thamani katika fast bin ya `0x70`. Kwa sababu bits 4 za mwisho za anwani ni **za nasibu** kuna `2^4=16` uwezekano wa thamani kuishia mahali tunapovutiwa. Hivyo shambulio la BF linafanywa hapa ili chunk iishie kama: **`0x70: fastbin_victim -> fake_libc_chunk -> (__malloc_hook - 0x23)`.** (Kwa maelezo zaidi kuhusu byte zingine angalia maelezo katika [how2heap](https://github.com/shellphish/how2heap/blob/master/glibc_2.23/house_of_roman.c)[ mfano](https://github.com/shellphish/how2heap/blob/master/glibc_2.23/house_of_roman.c)). Ikiwa BF haifanyi kazi programu inanguka tu (hivyo anza tena hadi ifanye kazi). Kisha, malloc 2 zinafanywa kuondoa chunks 2 za awali za fast bin na ya tatu inapatikana ili kupata chunk katika **`__malloc_hook:`** ```c malloc(0x60); malloc(0x60); uint8_t* malloc_hook_chunk = malloc(0x60); ``` ### Sehemu ya 2: Unsorted_bin shambulio Kwa maelezo zaidi unaweza kuangalia: {{#ref}} unsorted-bin-attack.md {{#endref}} Lakini kimsingi inaruhusu kuandika `main_arena + 0x68` kwenye eneo lolote lililoainishwa katika `chunk->bk`. Na kwa shambulio tunachagua `__malloc_hook`. Kisha, baada ya kuandika tena, tutatumia kuandika tena kwa uwiano ili kuelekeza kwenye `one_gadget`. Kwa hili tunaanza kupata chunk na kuuweka kwenye **unsorted bin**: ```c uint8_t* unsorted_bin_ptr = malloc(0x80); malloc(0x30); // Don't want to consolidate puts("Put chunk into unsorted_bin\n"); // Free the chunk to create the UAF free(unsorted_bin_ptr); ``` Tumia UAF katika kipande hiki kuonyesha `unsorted_bin_ptr->bk` kwa anwani ya `__malloc_hook` (tulifanya brute force hii hapo awali). > [!CAUTION] > Kumbuka kwamba shambulio hili linaharibu bin isiyo na mpangilio (hivyo ndogo na kubwa pia). Hivyo tunaweza tu **kutumia allocations kutoka kwa fast bin sasa** (programu ngumu zaidi inaweza kufanya allocations nyingine na kuanguka), na ili kuamsha hii lazima **tufanye alloc saizi sawa au programu itanguka.** Hivyo, ili kuamsha kuandika `main_arena + 0x68` katika `__malloc_hook` tunafanya baada ya kuweka `__malloc_hook` katika `unsorted_bin_ptr->bk` tunahitaji tu kufanya: **`malloc(0x80)`** ### Hatua ya 3: Weka \_\_malloc_hook kwa system Katika hatua ya kwanza tulimaliza kwa kudhibiti kipande kinachoshikilia `__malloc_hook` (katika variable `malloc_hook_chunk`) na katika hatua ya pili tulifanikiwa kuandika `main_arena + 0x68` hapa. Sasa, tunatumia kuandika sehemu katika `malloc_hook_chunk` kutumia anwani ya libc tuliyoandika hapo (`main_arena + 0x68`) ili **kuonyesha anwani ya `one_gadget`**. Hapa ndipo inahitajika **bruteforce bits 12 za nasibu** (maelezo zaidi katika [how2heap](https://github.com/shellphish/how2heap/blob/master/glibc_2.23/house_of_roman.c)[ mfano](https://github.com/shellphish/how2heap/blob/master/glibc_2.23/house_of_roman.c)). Hatimaye, mara anwani sahihi imeandikwa, **ita `malloc` na kuamsha `one_gadget`**. ## Marejeo - [https://github.com/shellphish/how2heap](https://github.com/shellphish/how2heap) - [https://github.com/shellphish/how2heap/blob/master/glibc_2.23/house_of_roman.c](https://github.com/shellphish/how2heap/blob/master/glibc_2.23/house_of_roman.c) - [https://ctf-wiki.mahaloz.re/pwn/linux/glibc-heap/house_of_roman/](https://ctf-wiki.mahaloz.re/pwn/linux/glibc-heap/house_of_roman/) {{#include ../../banners/hacktricks-training.md}}