mirror of
https://github.com/HackTricks-wiki/hacktricks.git
synced 2025-10-10 18:36:50 +00:00
113 lines
5.7 KiB
Markdown
# House of Roman

{{#include ../../banners/hacktricks-training.md}}

## Basic Information

This was a very interesting technique that allowed RCE without leaks via fake fastbins, the unsorted_bin attack and relative overwrites. However, it has been [**patched**](https://sourceware.org/git/?p=glibc.git;a=commitdiff;h=b90ddd08f6dd688e651df9ee89ca3a69ff88cd0c).

### Code

- You can find an example in [https://github.com/shellphish/how2heap/blob/master/glibc_2.23/house_of_roman.c](https://github.com/shellphish/how2heap/blob/master/glibc_2.23/house_of_roman.c)

### Goal

- RCE by abusing relative pointers

### Requirements

- Edit fastbin and unsorted bin pointers
- 12 bits of randomness must be brute forced (0.02% chance) for the attack to work

## Attack Steps

### Part 1: Fastbin Chunk points to \_\_malloc_hook

Create several chunks:

- `fastbin_victim` (0x60, offset 0): UAF chunk used later to edit the heap pointer so it points to a LibC value.
- `chunk2` (0x80, offset 0x70): For good alignment
- `main_arena_use` (0x80, offset 0x100)
- `relative_offset_heap` (0x60, offset 0x190): relative offset to the 'main_arena_use' chunk

Then `free(main_arena_use)`, which places this chunk in the unsorted list and leaves a pointer to `main_arena + 0x68` in both its `fd` and `bk` pointers.

Now a new chunk `fake_libc_chunk(0x60)` is allocated, because it will contain the pointers to `main_arena + 0x68` in `fd` and `bk`.

Then `relative_offset_heap` and `fastbin_victim` are freed.

```c
/*
Current heap layout:
0x0: fastbin_victim - size 0x70
0x70: alignment_filler - size 0x90
0x100: fake_libc_chunk - size 0x70 (contains a fd ptr to main_arena + 0x68)
0x170: leftover_main - size 0x20
0x190: relative_offset_heap - size 0x70

bin layout:
fastbin: fastbin_victim -> relative_offset_heap
unsorted: leftover_main
*/
```

- `fastbin_victim` has an `fd` pointing to `relative_offset_heap`
- `relative_offset_heap` is at a known offset from `fake_libc_chunk`, which contains a pointer to `main_arena + 0x68`
- Just by changing the last byte of `fastbin_victim.fd` it's possible to make `fastbin_victim.fd` point to `fake_libc_chunk`, and therefore to `main_arena + 0x68`

For the previous actions, the attacker needs to be able to modify the `fd` pointer of `fastbin_victim`.

Then, `main_arena + 0x68` is not that interesting, so let's modify it so the pointer points to **`__malloc_hook`**.

Note that `__memalign_hook` usually starts with `0x7f` and has zeros before it, so it's possible to fake it as the size value of a chunk in the `0x70` fast bin. Because the last 4 bits of the address are **random**, there are `2^4=16` possibilities for the value to end up pointing where we want. So a brute-force (BF) attack is performed here so the chunk ends up as: **`0x70: fastbin_victim -> fake_libc_chunk -> (__malloc_hook - 0x23)`.**

(For more info about the rest of the bytes, check the explanation in the [how2heap example](https://github.com/shellphish/how2heap/blob/master/glibc_2.23/house_of_roman.c)). If the BF doesn't work the program just crashes (so start again until it works).

Then, 2 mallocs are done to remove the 2 initial fast bin chunks, and a third one is allocated to get a chunk at **`__malloc_hook`**:

```c
malloc(0x60);
malloc(0x60);
uint8_t* malloc_hook_chunk = malloc(0x60);
```
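
The one-byte `fd` overwrite above only works because glibc 2.23 stores fast-bin `fd` pointers in the clear. As an added example (not code from this page or from how2heap), the following stand-alone C model shows how the safe-linking mitigation introduced in glibc 2.32 changes that: the stored `fd` is XOR-mangled with the address of the `fd` slot shifted right by 12, so an attacker-chosen low byte no longer lands in the pointer malloc follows, and the demangled pointer then fails the misaligned-chunk check. Only the `PROTECT_PTR`/`REVEAL_PTR` formula matches glibc's `malloc.c`; the heap base, the chunk offsets, the `chunk_t` struct and the helper names are constructed for the simulation.

```c
#include <stdint.h>
#include <stdio.h>

/* glibc >= 2.32 (malloc.c):
 *   PROTECT_PTR(pos, ptr) = ((size_t)pos >> 12) ^ (size_t)ptr
 *   REVEAL_PTR(ptr)       = PROTECT_PTR(&ptr, ptr)
 * pos is the address of the fd slot itself. 64-bit values are used so the
 * simulation behaves the same on any host. */
static uint64_t protect_ptr(uint64_t pos, uint64_t ptr) { return (pos >> 12) ^ ptr; }
static uint64_t reveal_ptr(uint64_t pos, uint64_t stored) { return (pos >> 12) ^ stored; }

/* Minimal model of a fast-bin chunk: the address of its fd slot and the
 * value stored there. (Constructed for this example, not glibc's malloc_chunk.) */
typedef struct { uint64_t fd_slot; uint64_t fd; } chunk_t;

/* The UAF primitive from Part 1: overwrite only the lowest byte of fd. */
static void overwrite_low_byte(chunk_t *c, uint8_t b) {
    c->fd = (c->fd & ~(uint64_t)0xff) | b;
}

/* glibc 2.23 behaviour: fd is a raw chunk pointer, malloc follows it as stored. */
static uint64_t next_unprotected(const chunk_t *c) { return c->fd; }

/* glibc 2.32+ behaviour: demangle first, then the misaligned_chunk check
 * ("malloc(): unaligned fastbin chunk detected"); 0 models that abort. */
static uint64_t next_safe_linked(const chunk_t *c) {
    uint64_t p = reveal_ptr(c->fd_slot, c->fd);
    if (p & 0xf) return 0;
    return p;
}

/* Replays the Part 1 overwrite on a constructed layout (heap base 0x55555555a000,
 * fastbin_victim at +0x0, fake_libc_chunk at +0x100, relative_offset_heap at +0x190).
 * target_low is the byte the overwrite writes (0x00 aims at fake_libc_chunk).
 * Returns 1 if malloc would follow a pointer ending in target_low. */
static int overwrite_lands(int safe_linking, uint8_t target_low) {
    const uint64_t heap = 0x55555555a000ULL;
    chunk_t victim = { heap + 0x10, 0 };          /* fd slot = chunk + 0x10 */
    uint64_t real_next = heap + 0x190;            /* chunk address of relative_offset_heap */
    victim.fd = safe_linking ? protect_ptr(victim.fd_slot, real_next) : real_next;
    overwrite_low_byte(&victim, target_low);
    uint64_t seen = safe_linking ? next_safe_linked(&victim) : next_unprotected(&victim);
    return seen != 0 && (seen & 0xff) == target_low;
}

int main(void) {
    printf("glibc 2.23 model: overwrite lands = %d\n", overwrite_lands(0, 0x00));
    printf("safe-linking model: overwrite lands = %d\n", overwrite_lands(1, 0x00));
    return 0;
}
```

With the constructed heap base, the mangling key's low byte is `0x5a`, so the overwritten `0x00` demangles to a pointer ending in `0x5a` and the allocator aborts instead of handing out `fake_libc_chunk`. The general point is that under safe-linking a relative overwrite needs the heap address bits that the key is derived from, which is exactly the leak this technique was designed to do without.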

### Part 2: Unsorted_bin attack

For more info you can check:

{{#ref}}
unsorted-bin-attack.md
{{#endref}}

But basically it allows writing `main_arena + 0x68` to any location specified in `chunk->bk`. For the attack we choose `__malloc_hook`. Then, after overwriting it, we will use a relative overwrite to point it to a `one_gadget`.

For this we start by getting a chunk and putting it into the **unsorted bin**:

```c
uint8_t* unsorted_bin_ptr = malloc(0x80);
malloc(0x30); // Don't want to consolidate

puts("Put chunk into unsorted_bin\n");
// Free the chunk to create the UAF
free(unsorted_bin_ptr);
```

Use a UAF in this chunk to point `unsorted_bin_ptr->bk` to the address of `__malloc_hook` (we brute forced this previously).

> [!CAUTION]
> Note that this attack corrupts the unsorted bin (and hence the small and large bins too). So from now on we can only **use allocations from the fast bin** (a more complex program might do other allocations and crash), and to trigger the write we must **allocate the same size or the program will crash.**

So, after setting `__malloc_hook` in `unsorted_bin_ptr->bk`, to trigger the write of `main_arena + 0x68` into `__malloc_hook` we just need to do: **`malloc(0x80)`**
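
That `malloc(0x80)` produces the write on glibc 2.23 because the unsorted-bin removal step trusts `victim->bk`. The added C model below (not code from this page or from glibc) reproduces that removal step with and without the `bck->fd != victim` consistency check that the patch linked in Basic Information introduced (glibc 2.29), so the same forged `bk` produces the write on the unchecked path and is rejected before anything is written on the checked one. The `chunk` struct, `bin_head`, the target struct and all addresses are constructed for the simulation.

```c
#include <stdint.h>
#include <stdio.h>

/* Field order mirrors glibc's malloc_chunk; prev_size/size are kept only so
 * fd/bk sit at the usual +0x10/+0x18 offsets. Constructed model, not glibc. */
typedef struct chunk {
    uint64_t prev_size;
    uint64_t size;
    struct chunk *fd;
    struct chunk *bk;
} chunk;

/* Stands in for the arena's unsorted-bin head, i.e. the "main_arena + 0x68"
 * address the page talks about: its address is what gets written. */
static chunk bin_head;

static void unsorted_init(void) { bin_head.fd = bin_head.bk = &bin_head; }

/* free() puts a chunk at the head of the (circular) unsorted list. */
static void unsorted_insert(chunk *c) {
    c->fd = bin_head.fd;
    c->bk = &bin_head;
    bin_head.fd->bk = c;
    bin_head.fd = c;
}

/* glibc 2.23: remove the oldest chunk (bin_head.bk) with no validation.
 *   bck = victim->bk; bin_head.bk = bck; bck->fd = &bin_head;
 * If victim->bk was corrupted, "bck->fd = &bin_head" writes the bin-head
 * address wherever bk points. Returns the removed chunk. */
static chunk *unsorted_remove_unchecked(void) {
    chunk *victim = bin_head.bk;
    chunk *bck = victim->bk;
    bin_head.bk = bck;
    bck->fd = &bin_head;
    return victim;
}

/* glibc 2.29+: the patch adds several integrity checks before this step;
 * modelled here is the one that catches a forged bk:
 *   if (bck->fd != victim || victim->fd != unsorted_chunks(av))
 *       malloc_printerr("malloc(): unsorted double linked list corrupted");
 * Returns 0 on success, -1 where glibc would abort (nothing is written). */
static int unsorted_remove_checked(chunk **out) {
    chunk *victim = bin_head.bk;
    chunk *bck = victim->bk;
    if (bck->fd != victim || victim->fd != &bin_head)
        return -1;
    bin_head.bk = bck;
    bck->fd = &bin_head;
    *out = victim;
    return 0;
}

/* Scenario from Part 2: a freed chunk whose bk a UAF redirected to a target
 * struct standing in for the memory around __malloc_hook. Returns 1 if the
 * bin-head address ended up in target.fd. */
static int forged_bk_write_lands(int checked) {
    chunk victim = {0}, target = {0};
    unsorted_init();
    unsorted_insert(&victim);
    victim.bk = &target;                 /* the corrupting write */
    if (checked) {
        chunk *removed = NULL;
        if (unsorted_remove_checked(&removed) != 0)
            return 0;                    /* glibc aborts here */
    } else {
        unsorted_remove_unchecked();
    }
    return target.fd == &bin_head;
}

/* Sanity check: an intact list still passes the checked path. */
static int intact_list_removes_ok(void) {
    chunk c = {0}, *removed = NULL;
    unsorted_init();
    unsorted_insert(&c);
    return unsorted_remove_checked(&removed) == 0 && removed == &c
        && bin_head.fd == &bin_head && bin_head.bk == &bin_head;
}

int main(void) {
    printf("2.23 model: forged bk writes bin head = %d\n", forged_bk_write_lands(0));
    printf("2.29 model: forged bk writes bin head = %d\n", forged_bk_write_lands(1));
    printf("intact list removes ok = %d\n", intact_list_removes_ok());
    return 0;
}
```

The check works because a forged `bk` points at memory that does not hold a back-pointer to the victim: in the real attack `bck->fd` would be whatever sits at `__malloc_hook`, which is not the freed chunk's address, so the allocator aborts before the `bck->fd = &bin_head` store that the technique relies on.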

### Step 3: Set \_\_malloc_hook to system

In the first step we ended up controlling the chunk that contains `__malloc_hook` (in the variable `malloc_hook_chunk`), and in the second step we managed to write `main_arena + 0x68` there.

Now, we abuse a partial overwrite in `malloc_hook_chunk` to turn the libc address we wrote there (`main_arena + 0x68`) into **the address of a `one_gadget`**.

This is where it's necessary to **brute force 12 bits of randomness** (more info in the [how2heap example](https://github.com/shellphish/how2heap/blob/master/glibc_2.23/house_of_roman.c)).

Finally, once the correct address is overwritten, **call `malloc` and trigger the `one_gadget`**.

## References

- [https://github.com/shellphish/how2heap](https://github.com/shellphish/how2heap)
- [https://github.com/shellphish/how2heap/blob/master/glibc_2.23/house_of_roman.c](https://github.com/shellphish/how2heap/blob/master/glibc_2.23/house_of_roman.c)
- [https://ctf-wiki.mahaloz.re/pwn/linux/glibc-heap/house_of_roman/](https://ctf-wiki.mahaloz.re/pwn/linux/glibc-heap/house_of_roman/)

{{#include ../../banners/hacktricks-training.md}}