mirror of
https://github.com/HackTricks-wiki/hacktricks.git
synced 2025-10-10 18:36:50 +00:00
# House of Force

## Basic Information

### Code

- This technique was patched ([**here**](https://sourceware.org/git/?p=glibc.git;a=commitdiff;h=30a17d8c95fbfb15c52d1115803b63aaa73a285c)) and now produces this error: `malloc(): corrupted top size`
- You can try the [**code from here**](https://guyinatuxedo.github.io/41-house_of_force/house_force_exp/index.html) to test it if you want.

### Goal

- The goal of this attack is to be able to allocate a chunk at a specific address.

### Requirements

- An overflow that allows overwriting the size field of the top chunk header (e.g. with -1).
- Being able to control the size of a heap allocation.

### Attack

If an attacker wants to allocate a chunk at address P in order to overwrite a value there, they start by overwriting the top chunk size with `-1` (for example via the overflow). This ensures that malloc will not use mmap for any allocation, since the top chunk will always appear to have enough space.

Then, compute the distance between the address of the top chunk and the target location to allocate. A malloc of exactly that size is performed so that the top chunk is moved to that location. This is how the difference/size can be computed:

```c
// From https://github.com/shellphish/how2heap/blob/master/glibc_2.27/house_of_force.c#L59C2-L67C5
/*
 * The evil_size is calculated as (nb is the number of bytes requested + space for metadata):
 * new_top = old_top + nb
 * nb = new_top - old_top
 * req + 2sizeof(long) = new_top - old_top
 * req = new_top - old_top - 2sizeof(long)
 * req = target - 2sizeof(long) - old_top - 2sizeof(long)
 * req = target - old_top - 4*sizeof(long)
 */
```

So, allocating a size of `target - old_top - 4*sizeof(long)` (the 4 longs are the metadata of the top chunk and of the new chunk when it is allocated) will move the top chunk to the address we want to overwrite.\
Then, perform another malloc to get a chunk at the target address.
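To make concrete what the glibc patch cited under Code actually checks, and why the forged top size above used to work, here is a constructed C miniature (an added example, not glibc's or how2heap's code) of the carve-from-top path with and without the `malloc(): corrupted top size` check; `struct arena`, `MINSIZE`, `alloc_from_top` and the `scenario` helper are simplifications assumed for the simulation.

```c
#include <stddef.h>
#include <string.h>

/* Constructed miniature of glibc's "carve from the top chunk" path (not glibc code).
 * SIZE_BITS are the flag bits glibc masks out of a chunk's size field. */
#define SIZE_BITS ((size_t)7)
#define MINSIZE   ((size_t)32)          /* smallest chunk on 64-bit glibc */

enum top_result { TOP_SERVED = 0, TOP_TOO_SMALL = 1, TOP_CORRUPTED = 2 };

struct arena {                          /* stand-in for glibc's malloc_state */
    unsigned char *heap; size_t heap_len;
    size_t top_off;                     /* offset of the top chunk header in heap */
    size_t system_mem;                  /* bytes the arena really obtained from the kernel */
};

static size_t chunksize_at(const unsigned char *p) {
    size_t raw;                         /* the size field follows the prev_size field */
    memcpy(&raw, p + sizeof(size_t), sizeof raw);
    return raw & ~SIZE_BITS;
}

/* Carve nb bytes (already rounded up to a chunk size) off the top chunk.
 * With hardened != 0 the check added by the glibc commit cited above runs first:
 * a top size larger than system_mem is reported as "malloc(): corrupted top size". */
enum top_result alloc_from_top(struct arena *av, size_t nb, int hardened) {
    size_t size = chunksize_at(av->heap + av->top_off);
    if (hardened && size > av->system_mem)
        return TOP_CORRUPTED;           /* real glibc aborts here */
    if (size < nb + MINSIZE)
        return TOP_TOO_SMALL;           /* real glibc would grow the heap via sysmalloc */
    size_t hdr = (size - nb) | 1;       /* remainder becomes the new top, PREV_INUSE set */
    av->top_off += nb;                  /* a forged size lets top land far outside the heap */
    if (av->top_off + 2 * sizeof(size_t) <= av->heap_len)   /* keep the simulation in bounds */
        memcpy(av->heap + av->top_off + sizeof(size_t), &hdr, sizeof hdr);
    return TOP_SERVED;
}

/* Build a 4 KiB simulated heap whose top chunk header carries top_size
 * ((size_t)-1 models the overwritten size from the text), then request nb bytes. */
int scenario(size_t top_size, size_t nb, int hardened) {
    static unsigned char buf[4096];
    struct arena av = { buf, sizeof buf, 0, sizeof buf };
    memset(buf, 0, sizeof buf);
    size_t hdr = top_size | 1;
    memcpy(buf + sizeof(size_t), &hdr, sizeof hdr);
    return (int)alloc_from_top(&av, nb, hardened);
}
```

With a sane 4 KiB top the request is served normally; with the size forged to -1 the unpatched path still "serves" a 1 MiB request from a 4 KiB heap, while the patched path refuses because the size exceeds `system_mem`.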

### References and Other Examples

- [https://github.com/shellphish/how2heap/tree/master](https://github.com/shellphish/how2heap/tree/master?tab=readme-ov-file)
- [https://ctf-wiki.mahaloz.re/pwn/linux/glibc-heap/house_of_force/](https://ctf-wiki.mahaloz.re/pwn/linux/glibc-heap/house_of_force/)
- [https://heap-exploitation.dhavalkapil.com/attacks/house_of_force](https://heap-exploitation.dhavalkapil.com/attacks/house_of_force)
- [https://github.com/shellphish/how2heap/blob/master/glibc_2.27/house_of_force.c](https://github.com/shellphish/how2heap/blob/master/glibc_2.27/house_of_force.c)
- [https://guyinatuxedo.github.io/41-house_of_force/house_force_exp/index.html](https://guyinatuxedo.github.io/41-house_of_force/house_force_exp/index.html)
- [https://ctf-wiki.mahaloz.re/pwn/linux/glibc-heap/house_of_force/#hitcon-training-lab-11](https://ctf-wiki.mahaloz.re/pwn/linux/glibc-heap/house_of_force/#hitcon-training-lab-11)
  - The goal of this scenario is a ret2win where we need to replace the address of the function that is going to be called with the address of the ret2win function
  - The binary has an overflow that can be used to modify the size of the top chunk, which is changed to -1 or p64(0xffffffffffffffff)
  - Then, the address of the place where the pointer to overwrite lives is computed, and the difference from the current position of the top chunk to there is allocated with `malloc`
  - Finally, a new chunk is allocated that will contain the desired target inside it, which is overwritten with the ret2win function
- [https://shift--crops-hatenablog-com.translate.goog/entry/2016/03/21/171249?\_x_tr_sl=es&\_x_tr_tl=en&\_x_tr_hl=en&\_x_tr_pto=wapp](https://shift--crops-hatenablog-com.translate.goog/entry/2016/03/21/171249?_x_tr_sl=es&_x_tr_tl=en&_x_tr_hl=en&_x_tr_pto=wapp)
  - In `Input your name:` there is an initial vulnerability that allows leaking an address from the heap
  - Then in the `Org:` and `Host:` functionality it is possible to fill the 64B of the pointer `s` when the **org** name is requested, which on the stack is followed by the address of v2, which is in turn followed by the indicated **host** name. Then, as strcpy copies the contents of s into a chunk of size 64B, it is possible to **overwrite the size of the top chunk** with the data placed inside the **host name**.
  - Now that an arbitrary write is possible, the GOT entry of `atoi` was overwritten with the address of printf. It was then possible to leak the address of `IO_2_1_stderr` _with_ `%24$p`. And with this libc leak it was possible to overwrite the GOT entry of `atoi` again with the address of `system` and call it passing `/bin/sh` as the parameter
  - An alternative way [proposed in this other writeup](https://ctf-wiki.mahaloz.re/pwn/linux/glibc-heap/house_of_force/#2016-bctf-bcloud) is to overwrite `free` with `puts`, and then append the address of `atoi@got` in the pointer that will later be freed, so that it gets leaked, and with this leak overwrite `atoi@got` again with `system` and call it with `/bin/sh`.
- [https://guyinatuxedo.github.io/41-house_of_force/bkp16_cookbook/index.html](https://guyinatuxedo.github.io/41-house_of_force/bkp16_cookbook/index.html)
  - There is a UAF that allows using a chunk that was freed without clearing the pointer. Because there are some read functions, it is possible to leak a libc address by writing a pointer to the free function's GOT entry there and then calling the read function.
  - Then, House of Force was used (abusing the UAF) to overwrite the size of the remaining space with -1, allocate a chunk big enough to reach the free hook, and then allocate another chunk that will contain the free hook. Then, write the address of `system` into the hook, write `"/bin/sh"` into the chunk, and finally free the chunk with that content.