2024-06-13 21:22:44 +00:00
# 强制之屋
2024-05-14 11:14:37 +00:00
< details >
2024-06-13 21:22:44 +00:00
< summary > < strong > 从零开始学习AWS黑客技术, < / strong > < a href = "https://training.hacktricks.xyz/courses/arte" > < strong > htARTE( ) < / strong > < / a > < strong > ! < / strong > < / summary >
2024-05-14 11:14:37 +00:00
支持HackTricks的其他方式:
* 如果您想看到您的**公司在HackTricks中做广告**或**下载PDF格式的HackTricks**,请查看[**订阅计划**](https://github.com/sponsors/carlospolop)!
* 获取[**官方PEASS & HackTricks周边产品**](https://peass.creator-spring.com)
2024-06-13 21:22:44 +00:00
* 探索[**PEASS家族**](https://opensea.io/collection/the-peass-family),我们的独家[NFT收藏品](https://opensea.io/collection/the-peass-family)
2024-05-14 11:14:37 +00:00
* **加入** 💬 [**Discord群组** ](https://discord.gg/hRep4RUj7f ) 或 [**电报群组** ](https://t.me/peass ) 或在**Twitter**上关注我们 🐦 [**@hacktricks\_live** ](https://twitter.com/hacktricks\_live )**。**
* 通过向[**HackTricks**](https://github.com/carlospolop/hacktricks)和[**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github仓库提交PR来分享您的黑客技巧。
< / details >
## 基本信息
### 代码
2024-06-13 21:22:44 +00:00
* 这种技术已被修补([**在此处**](https://sourceware.org/git/?p=glibc.git;a=commitdiff;h=30a17d8c95fbfb15c52d1115803b63aaa73a285c)),并产生此错误:`malloc(): corrupted top size`
* 您可以尝试[**这里的代码**](https://guyinatuxedo.github.io/41-house\_of\_force/house\_force\_exp/index.html)进行测试。
2024-05-14 11:14:37 +00:00
### 目标
* 此攻击的目标是能够在特定地址分配一个块。
### 要求
2024-06-13 21:22:44 +00:00
* 允许覆盖顶部块头部大小(例如-1)
* 能够控制堆分配的大小
2024-05-14 11:14:37 +00:00
### 攻击
2024-06-13 21:22:44 +00:00
如果攻击者想要在地址P中分配一个块以覆盖这里的值。他首先通过覆盖顶部块大小为`-1`( ) ,
然后,
```c
// From https://github.com/shellphish/how2heap/blob/master/glibc_2.27/house_of_force.c#L59C2-L67C5
/*
* The evil_size is calulcated as (nb is the number of bytes requested + space for metadata):
* new_top = old_top + nb
* nb = new_top - old_top
* req + 2sizeof(long) = new_top - old_top
* req = new_top - old_top - 2sizeof(long)
* req = target - 2sizeof(long) - old_top - 2sizeof(long)
* req = target - old_top - 4*sizeof(long)
*/
```
因此,分配大小为`target - old_top - 4*sizeof(long)`( )
然后,
### 参考资料和其他示例
2024-05-14 11:14:37 +00:00
* [https://github.com/shellphish/how2heap/tree/master ](https://github.com/shellphish/how2heap/tree/master?tab=readme-ov-file )
* [https://ctf-wiki.mahaloz.re/pwn/linux/glibc-heap/house\_of\_force/ ](https://ctf-wiki.mahaloz.re/pwn/linux/glibc-heap/house\_of\_force/ )
* [https://heap-exploitation.dhavalkapil.com/attacks/house\_of\_force ](https://heap-exploitation.dhavalkapil.com/attacks/house\_of\_force )
2024-06-13 21:22:44 +00:00
* [https://github.com/shellphish/how2heap/blob/master/glibc\_2.27/house\_of\_force.c ](https://github.com/shellphish/how2heap/blob/master/glibc\_2.27/house\_of\_force.c )
* [https://guyinatuxedo.github.io/41-house\_of\_force/house\_force\_exp/index.html ](https://guyinatuxedo.github.io/41-house\_of\_force/house\_force\_exp/index.html )
* [https://ctf-wiki.mahaloz.re/pwn/linux/glibc-heap/house\_of\_force/#hitcon-training-lab-11 ](https://ctf-wiki.mahaloz.re/pwn/linux/glibc-heap/house\_of\_force/#hitcon-training-lab-11 )
* 该场景的目标是进行ret2win攻击,
* 二进制文件存在一个溢出漏洞,可以被滥用以修改顶部块的大小,将其修改为-1或p64(0xffffffffffffffff)
* 然后,计算要覆盖的指针存在的位置的地址,并从当前顶部块的位置到那里的差异被`malloc`分配
* 最后, , ,
* [https://shift--crops-hatenablog-com.translate.goog/entry/2016/03/21/171249?\_x\_tr\_sl=es&\_x\_tr\_tl=en&\_x\_tr\_hl=en&\_x\_tr\_pto=wapp ](https://shift--crops-hatenablog-com.translate.goog/entry/2016/03/21/171249?\_x\_tr\_sl=es&\_x\_tr\_tl=en&\_x\_tr\_hl=en&\_x\_tr\_pto=wapp )
* 在`Input your name:`中存在一个初始漏洞,允许从堆中泄漏一个地址
* 然后在`Org:`和`Host:`功能中,当要求输入**org name**时,可以填充`s`指针的64B, , , ,
* 现在可以进行任意写入,`atoi`的GOT表已被覆盖为printf的地址。可以使用`%24$p`泄漏`IO_2_1_stderr`的地址。有了这个libc泄漏, ,
* 另一种方法[在这篇其他文章中提出](https://ctf-wiki.mahaloz.re/pwn/linux/glibc-heap/house\_of\_force/#2016-bctf-bcloud),是将`free`覆盖为`puts`,然后在稍后将被释放的指针中添加`atoi@got`的地址,以便泄漏,然后使用此泄漏再次覆盖`atoi@got`为`system`并调用它并传递`/bin/sh`。
* [https://guyinatuxedo.github.io/41-house\_of\_force/bkp16\_cookbook/index.html ](https://guyinatuxedo.github.io/41-house\_of\_force/bkp16\_cookbook/index.html )
* 存在一种UAF漏洞, , ,
* 然后, ( ) , , ,
