113 lines
5.7 KiB
Markdown

# House of Roman
{{#include ../../banners/hacktricks-training.md}}
## Basic Information
Hii ilikuwa mbinu ya kuvutia sana ambayo iliruhusu RCE bila leaks kupitia fake fastbins, shambulio la unsorted_bin na overwrites za relative. Hata hivyo imekuwa [**patched**](https://sourceware.org/git/?p=glibc.git;a=commitdiff;h=b90ddd08f6dd688e651df9ee89ca3a69ff88cd0c).
### Code
- Unaweza kupata mfano katika [https://github.com/shellphish/how2heap/blob/master/glibc_2.23/house_of_roman.c](https://github.com/shellphish/how2heap/blob/master/glibc_2.23/house_of_roman.c)
### Goal
- RCE kwa kutumia pointers za relative
### Requirements
- Hariri fastbin na pointers za unsorted bin
- Bits 12 za randomness lazima zishindwe (0.02% nafasi) kufanya kazi
## Attack Steps
### Part 1: Fastbin Chunk points to \_\_malloc_hook
Unda chunks kadhaa:
- `fastbin_victim` (0x60, offset 0): UAF chunk baadaye kuhariri pointer ya heap ili kuelekeza kwenye thamani ya LibC.
- `chunk2` (0x80, offset 0x70): Kwa usawa mzuri
- `main_arena_use` (0x80, offset 0x100)
- `relative_offset_heap` (0x60, offset 0x190): relative offset kwenye chunk ya 'main_arena_use'
Kisha `free(main_arena_use)` ambayo itaweka chunk hii kwenye orodha isiyo na mpangilio na itapata pointer kwa `main_arena + 0x68` katika pointers za `fd` na `bk`.
Sasa inatolewa chunk mpya `fake_libc_chunk(0x60)` kwa sababu itakuwa na pointers kwa `main_arena + 0x68` katika `fd` na `bk`.
Kisha `relative_offset_heap` na `fastbin_victim` zinatolewa.
```c
/*
Current heap layout:
0x0: fastbin_victim - size 0x70
0x70: alignment_filler - size 0x90
0x100: fake_libc_chunk - size 0x70 (contains a fd ptr to main_arena + 0x68)
0x170: leftover_main - size 0x20
0x190: relative_offset_heap - size 0x70
bin layout:
fastbin: fastbin_victim -> relative_offset_heap
unsorted: leftover_main
*/
```
- `fastbin_victim` ina `fd` inayoelekeza kwenye `relative_offset_heap`
- `relative_offset_heap` ni offset ya umbali kutoka `fake_libc_chunk`, ambayo ina pointer kwa `main_arena + 0x68`
- Kubadilisha byte ya mwisho ya `fastbin_victim.fd` inawezekana kufanya `fastbin_victim points` kwa `main_arena + 0x68`
Kwa hatua za awali, mshambuliaji anahitaji kuwa na uwezo wa kubadilisha pointer ya fd ya `fastbin_victim`.
Kisha, `main_arena + 0x68` si ya kuvutia sana, hivyo hebu ibadilishe ili pointer ielekeze kwenye **`__malloc_hook`**.
Kumbuka kwamba `__memalign_hook` kwa kawaida huanza na `0x7f` na sifuri kabla yake, kisha inawezekana kuificha kama thamani katika fast bin ya `0x70`. Kwa sababu bits 4 za mwisho za anwani ni **za nasibu** kuna `2^4=16` uwezekano wa thamani kuishia mahali tunapovutiwa. Hivyo shambulio la BF linafanywa hapa ili chunk iishie kama: **`0x70: fastbin_victim -> fake_libc_chunk -> (__malloc_hook - 0x23)`.**
(Kwa maelezo zaidi kuhusu byte zingine angalia maelezo katika [how2heap](https://github.com/shellphish/how2heap/blob/master/glibc_2.23/house_of_roman.c)[ mfano](https://github.com/shellphish/how2heap/blob/master/glibc_2.23/house_of_roman.c)). Ikiwa BF haifanyi kazi programu inanguka tu (hivyo anza tena hadi ifanye kazi).
Kisha, malloc 2 zinafanywa kuondoa chunks 2 za awali za fast bin na ya tatu inapatikana ili kupata chunk katika **`__malloc_hook:`**
```c
malloc(0x60);
malloc(0x60);
uint8_t* malloc_hook_chunk = malloc(0x60);
```
### Sehemu ya 2: Unsorted_bin shambulio
Kwa maelezo zaidi unaweza kuangalia:
{{#ref}}
unsorted-bin-attack.md
{{#endref}}
Lakini kimsingi inaruhusu kuandika `main_arena + 0x68` kwenye eneo lolote lililoainishwa katika `chunk->bk`. Na kwa shambulio tunachagua `__malloc_hook`. Kisha, baada ya kuandika tena, tutatumia kuandika tena kwa uwiano ili kuelekeza kwenye `one_gadget`.
Kwa hili tunaanza kupata chunk na kuuweka kwenye **unsorted bin**:
```c
uint8_t* unsorted_bin_ptr = malloc(0x80);
malloc(0x30); // Don't want to consolidate
puts("Put chunk into unsorted_bin\n");
// Free the chunk to create the UAF
free(unsorted_bin_ptr);
```
Tumia UAF katika kipande hiki kuonyesha `unsorted_bin_ptr->bk` kwa anwani ya `__malloc_hook` (tulifanya brute force hii hapo awali).
> [!CAUTION]
> Kumbuka kwamba shambulio hili linaharibu bin isiyo na mpangilio (hivyo ndogo na kubwa pia). Hivyo tunaweza tu **kutumia allocations kutoka kwa fast bin sasa** (programu ngumu zaidi inaweza kufanya allocations nyingine na kuanguka), na ili kuamsha hii lazima **tufanye alloc saizi sawa au programu itanguka.**
Hivyo, ili kuamsha kuandika `main_arena + 0x68` katika `__malloc_hook` tunafanya baada ya kuweka `__malloc_hook` katika `unsorted_bin_ptr->bk` tunahitaji tu kufanya: **`malloc(0x80)`**
### Hatua ya 3: Weka \_\_malloc_hook kwa system
Katika hatua ya kwanza tulimaliza kwa kudhibiti kipande kinachoshikilia `__malloc_hook` (katika variable `malloc_hook_chunk`) na katika hatua ya pili tulifanikiwa kuandika `main_arena + 0x68` hapa.
Sasa, tunatumia kuandika sehemu katika `malloc_hook_chunk` kutumia anwani ya libc tuliyoandika hapo (`main_arena + 0x68`) ili **kuonyesha anwani ya `one_gadget`**.
Hapa ndipo inahitajika **bruteforce bits 12 za nasibu** (maelezo zaidi katika [how2heap](https://github.com/shellphish/how2heap/blob/master/glibc_2.23/house_of_roman.c)[ mfano](https://github.com/shellphish/how2heap/blob/master/glibc_2.23/house_of_roman.c)).
Hatimaye, mara anwani sahihi imeandikwa, **ita `malloc` na kuamsha `one_gadget`**.
## Marejeo
- [https://github.com/shellphish/how2heap](https://github.com/shellphish/how2heap)
- [https://github.com/shellphish/how2heap/blob/master/glibc_2.23/house_of_roman.c](https://github.com/shellphish/how2heap/blob/master/glibc_2.23/house_of_roman.c)
- [https://ctf-wiki.mahaloz.re/pwn/linux/glibc-heap/house_of_roman/](https://ctf-wiki.mahaloz.re/pwn/linux/glibc-heap/house_of_roman/)
{{#include ../../banners/hacktricks-training.md}}