mirror of
https://github.com/carlospolop/hacktricks
synced 2024-11-22 20:53:37 +00:00
Translated ['binary-exploitation/arbitrary-write-2-exec/aw2exec-__malloc
This commit is contained in:
parent
4f50788598
commit
366a1f81b7
2 changed files with 88 additions and 62 deletions
|
@ -2,13 +2,13 @@
|
|||
|
||||
<details>
|
||||
|
||||
<summary><strong>Jifunze kuhusu udukuzi wa AWS kutoka sifuri hadi shujaa na</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (Mtaalam wa Timu Nyekundu ya AWS ya HackTricks)</strong></a><strong>!</strong></summary>
|
||||
<summary><strong>Jifunze AWS hacking kutoka sifuri hadi shujaa na</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
|
||||
Njia nyingine za kusaidia HackTricks:
|
||||
|
||||
* Ikiwa unataka kuona **kampuni yako ikionekana kwenye HackTricks** au **kupakua HackTricks kwa PDF** Angalia [**MIPANGO YA USAJILI**](https://github.com/sponsors/carlospolop)!
|
||||
* Pata [**bidhaa rasmi za PEASS & HackTricks**](https://peass.creator-spring.com)
|
||||
* Gundua [**Familia ya PEASS**](https://opensea.io/collection/the-peass-family), mkusanyiko wetu wa kipekee wa [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
* Ikiwa unataka kuona **kampuni yako ikitangazwa kwenye HackTricks** au **kupakua HackTricks kwa PDF** Angalia [**MIPANGO YA USAJILI**](https://github.com/sponsors/carlospolop)!
|
||||
* Pata [**swag rasmi ya PEASS & HackTricks**](https://peass.creator-spring.com)
|
||||
* Gundua [**Familia ya PEASS**](https://opensea.io/collection/the-peass-family), mkusanyiko wetu wa [**NFTs**](https://opensea.io/collection/the-peass-family) ya kipekee
|
||||
* **Jiunge na** 💬 [**Kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au kikundi cha [**telegram**](https://t.me/peass) au **tufuate** kwenye **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
|
||||
* **Shiriki mbinu zako za udukuzi kwa kuwasilisha PRs kwa** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repos za github.
|
||||
|
||||
|
@ -16,9 +16,9 @@ Njia nyingine za kusaidia HackTricks:
|
|||
|
||||
## **Malloc Hook**
|
||||
|
||||
Kama unavyoweza [Tovuti Rasmi ya GNU](https://www.gnu.org/software/libc/manual/html\_node/Hooks-for-Malloc.html), kipengele cha **`__malloc_hook`** ni kidude kinachoelekeza kwenye **anwani ya kazi itakayoitwa** wakati wowote `malloc()` inaitwa **iliyohifadhiwa kwenye sehemu ya data ya maktaba ya libc**. Kwa hivyo, ikiwa anwani hii itaandikwa upya na **One Gadget** kwa mfano na `malloc` inaitwa, **One Gadget itaitwa**.
|
||||
Kama unavyoweza [Tovuti Rasmi ya GNU](https://www.gnu.org/software/libc/manual/html\_node/Hooks-for-Malloc.html), kipengele cha **`__malloc_hook`** ni kipande kinachoelekeza kwenye **anwani ya kazi itakayoitwa** wakati wowote `malloc()` inaitwa **imehifadhiwa kwenye sehemu ya data ya maktaba ya libc**. Kwa hivyo, ikiwa anwani hii itabadilishwa na **One Gadget** kwa mfano na `malloc` inaitwa, **One Gadget itaitwa**.
|
||||
|
||||
Kupiga simu kwa malloc inawezekana kusubiri programu ipige simu au kwa **kupiga simu `printf("%10000$c")`** ambayo inaendelea kubadilisha `libc` kuita malloc kuwahifadhi kwenye rundo.
|
||||
Kuita malloc inawezekana kusubiri programu iite au kwa **kuita `printf("%10000$c")`** ambayo inaendelea kuchukua nafasi nyingi kufanya `libc` iite malloc kuwapa kwenye rundo.
|
||||
|
||||
Maelezo zaidi kuhusu One Gadget katika:
|
||||
|
||||
|
@ -27,49 +27,58 @@ Maelezo zaidi kuhusu One Gadget katika:
|
|||
{% endcontent-ref %}
|
||||
|
||||
{% hint style="warning" %}
|
||||
Tafadhali elewa kuwa vitanzi vimelemazwa kwa **GLIBC >= 2.34**. Kuna njia nyingine za kutumia kwenye toleo za kisasa za GLIBC. Angalia: [https://github.com/nobodyisnobody/docs/blob/main/code.execution.on.last.libc/README.md](https://github.com/nobodyisnobody/docs/blob/main/code.execution.on.last.libc/README.md).
|
||||
Tafadhali elewa kwamba hooks zimelemazwa kwa **GLIBC >= 2.34**. Kuna njia nyingine za kutumia kwenye toleo za kisasa za GLIBC. Angalia: [https://github.com/nobodyisnobody/docs/blob/main/code.execution.on.last.libc/README.md](https://github.com/nobodyisnobody/docs/blob/main/code.execution.on.last.libc/README.md).
|
||||
{% endhint %}
|
||||
|
||||
## Free Hook
|
||||
|
||||
Hii ilidhulumiwa katika moja ya mifano kutoka kwenye ukurasa ikidhulumu shambulio la rundo la haraka baada ya kudhulumiwa shambulio la rundo lisilo na mpangilio:
|
||||
Hii ilidhulumiwa katika moja ya mfano kutoka kwenye ukurasa ukidhulumu shambulio la rundo la haraka baada ya kudhulumu shambulio la rundo lisilo na mpangilio:
|
||||
|
||||
{% content-ref url="../heap/unsorted-bin-attack.md" %}
|
||||
[unsorted-bin-attack.md](../heap/unsorted-bin-attack.md)
|
||||
{% endcontent-ref %}
|
||||
|
||||
Sasa shambulio la **rundo la haraka** linafanywa:
|
||||
Mbinu nzuri (kutoka [**hapa**](https://guyinatuxedo.github.io/41-house\_of\_force/bkp16\_cookbook/index.html)) ya kupata mahali pa kitanzi cha bure ikiwa binary ina alama ni **kufanya kitu kama**:
|
||||
```
|
||||
gef➤ set __free_hook = 0xfacade
|
||||
gef➤ search-pattern 0xfacade
|
||||
```
|
||||
Katika chapisho hilo hilo unaweza kupata mwongozo wa hatua kwa hatua juu ya jinsi ya kutambua anwani ya kitanzi cha bure bila alama. Kwa muhtasari, katika kazi ya bure:
|
||||
|
||||
* Kwanza kabisa inagundulika kuwa ni sawa kufanya kazi na **vipande vya haraka vya saizi 200** kwenye eneo la **`__free_hook`**:
|
||||
* <pre class="language-c"><code class="lang-c">gef➤ p &__free_hook
|
||||
$1 = (void (**)(void *, const void *)) 0x7ff1e9e607a8 <__free_hook>
|
||||
```armasm
|
||||
gef➤ x/20i free
|
||||
0xf75dedc0 <free>: push ebx
|
||||
0xf75dedc1 <free+1>: call 0xf768f625
|
||||
0xf75dedc6 <free+6>: add ebx,0x14323a
|
||||
0xf75dedcc <free+12>: sub esp,0x8
|
||||
0xf75dedcf <free+15>: mov eax,DWORD PTR [ebx-0x98]
|
||||
0xf75dedd5 <free+21>: mov ecx,DWORD PTR [esp+0x10]
|
||||
0xf75dedd9 <free+25>: mov eax,DWORD PTR [eax]
|
||||
0xf75deddb <free+27>: test eax,eax ;<--- BREAK HERE
|
||||
0xf75deddd <free+29>: jne 0xf75dee50 <free+144>
|
||||
```
|
||||
|
||||
Katika sehemu ya kuvunja iliyotajwa katika msimbo uliopita katika `$eax` kutakuwa na anwani ya kitanzi cha bure.
|
||||
|
||||
Sasa shambulio la **fast bin** linafanywa:
|
||||
|
||||
- Kwanza kabisa inagundulika kuwa ni rahisi kufanya kazi na **vipande vya kasi vya saizi 200** katika eneo la **`__free_hook`**:
|
||||
- ```c
|
||||
gef➤ p &__free_hook
|
||||
$1 = (void (**)(void *, const void *)) 0x7ff1e9e607a8 <__free_hook>
|
||||
gef➤ x/60gx 0x7ff1e9e607a8 - 0x59
|
||||
<strong>0x7ff1e9e6074f: 0x0000000000000000 0x0000000000000200
|
||||
</strong>0x7ff1e9e6075f: 0x0000000000000000 0x0000000000000000
|
||||
0x7ff1e9e6076f <list_all_lock+15>: 0x0000000000000000 0x0000000000000000
|
||||
0x7ff1e9e6077f <_IO_stdfile_2_lock+15>: 0x0000000000000000 0x0000000000000000
|
||||
</code></pre>
|
||||
* Ikiwa tunaweza kupata kipande cha haraka cha saizi 0x200 kwenye eneo hili, itawezekana kuandika upya kidude cha kazi ambacho kitatekelezwa
|
||||
* Kwa hili, kipande kipya cha saizi `0xfc` kinajengwa na kazi iliyohaririwa inaitwa na kidude hicho mara mbili, kwa njia hii tunapata kidude cha kuhifadhiwa cha saizi `0xfc*2 = 0x1f8` kwenye rundo la haraka.
|
||||
* Kisha, kazi ya hariri inaitwa kwenye kidude hiki kuhariri anwani ya **`fd`** ya kidude hiki cha haraka ili ielekee kwenye kazi ya awali ya **`__free_hook`**.
|
||||
* Kisha, kipande cha saizi `0x1f8` kinajengwa ili kurejesha kutoka kwenye rundo la haraka kidude cha awali kisichofaa ili kipande kingine cha saizi `0x1f8` kijengwe kupata kidude cha rundo la haraka kwenye **`__free_hook`** ambayo inaandikwa upya na anwani ya kazi ya **`system`**.
|
||||
* Na mwishowe kipande kinachojumuisha herufi `/bin/sh\x00` kinahaririwa kwa kuita kazi ya kufuta, kuzindua kazi ya **`__free_hook`** inayoelekeza kwa mfumo na `/bin/sh\x00` kama parameta.
|
||||
0x7ff1e9e6074f: 0x0000000000000000 0x0000000000000200
|
||||
0x7ff1e9e6075f: 0x0000000000000000 0x0000000000000000
|
||||
0x7ff1e9e6076f <list_all_lock+15>: 0x0000000000000000 0x0000000000000000
|
||||
0x7ff1e9e6077f <_IO_stdfile_2_lock+15>: 0x0000000000000000 0x0000000000000000
|
||||
```
|
||||
- Ikiwa tutaweza kupata kipande cha haraka cha saizi 0x200 katika eneo hili, itakuwa inawezekana kubadilisha kidole cha kazi ambacho kitatekelezwa
|
||||
- Kwa hili, kipande kipya cha saizi `0xfc` kinajengwa na kuitwa kwa mara mbili na kidole kilichounganishwa na hiyo, kwa njia hii tunapata kidole kwa kipande kilichofutwa cha saizi `0xfc*2 = 0x1f8` katika kikasha cha haraka.
|
||||
- Kisha, kazi ya hariri inaitwa katika kipande hiki kurekebisha anwani ya **`fd`** ya kikasha hiki cha haraka ili ielekee kwenye kazi ya awali ya **`__free_hook`**.
|
||||
- Kisha, kipande cha saizi `0x1f8` kinajengwa ili kurejesha kutoka kwenye kikasha cha haraka kipande kisichofaa cha awali hivyo kipande kingine cha saizi `0x1f8` kinajengwa ili kupata kipande cha haraka katika **`__free_hook`** ambacho kinaandikwa na anwani ya kazi ya **`system`**.
|
||||
- Na mwishowe kipande kinachojumuisha mfuatano wa herufi `/bin/sh\x00` kinawekwa huru kwa kuita kazi ya kufuta, kuzindua kazi ya **`__free_hook`** ambayo inaelekeza kwa mfumo na `/bin/sh\x00` kama parameta.
|
||||
|
||||
## Marejeo
|
||||
|
||||
* [https://ir0nstone.gitbook.io/notes/types/stack/one-gadgets-and-malloc-hook](https://ir0nstone.gitbook.io/notes/types/stack/one-gadgets-and-malloc-hook)
|
||||
* [https://github.com/nobodyisnobody/docs/blob/main/code.execution.on.last.libc/README.md](https://github.com/nobodyisnobody/docs/blob/main/code.execution.on.last.libc/README.md).
|
||||
|
||||
<details>
|
||||
|
||||
<summary><strong>Jifunze kuhusu udukuzi wa AWS kutoka sifuri hadi shujaa na</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (Mtaalam wa Timu Nyekundu ya AWS ya HackTricks)</strong></a><strong>!</strong></summary>
|
||||
|
||||
Njia nyingine za kusaidia HackTricks:
|
||||
|
||||
* Ikiwa unataka kuona **kampuni yako ikionekana kwenye HackTricks** au **kupakua HackTricks kwa PDF** Angalia [**MIPANGO YA USAJILI**](https://github.com/sponsors/carlospolop)!
|
||||
* Pata [**bidhaa rasmi za PEASS & HackTricks**](https://peass.creator-spring.com)
|
||||
* Gundua [**Familia ya PEASS**](https://opensea.io/collection/the-peass-family), mkusanyiko wetu wa kipekee wa [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
* **Jiunge na** 💬 [**Kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au kikundi cha [**telegram**](https://t.me/peass) au **tufuate** kwenye **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
|
||||
* **Shiriki mbinu zako za udukuzi kwa kuwasilisha PRs kwa** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
|
||||
|
||||
</details>
|
||||
- [https://ir0nstone.gitbook.io/notes/types/stack/one-gadgets-and-malloc-hook](https://ir0nstone.gitbook.io/notes/types/stack/one-gadgets-and-malloc-hook)
|
||||
- [https://github.com/nobodyisnobody/docs/blob/main/code.execution.on.last.libc/README.md](https://github.com/nobodyisnobody/docs/blob/main/code.execution.on.last.libc/README.md).
|
||||
|
|
|
@ -4,15 +4,15 @@
|
|||
|
||||
<details>
|
||||
|
||||
<summary><strong>Jifunze kuhusu kudukua AWS kutoka sifuri hadi shujaa na</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (Mtaalam wa Timu Nyekundu ya AWS ya HackTricks)</strong></a><strong>!</strong></summary>
|
||||
<summary><strong>Jifunze AWS hacking kutoka sifuri hadi shujaa na</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (Mtaalam wa Timu Nyekundu ya AWS ya HackTricks)</strong></a><strong>!</strong></summary>
|
||||
|
||||
Njia nyingine za kusaidia HackTricks:
|
||||
|
||||
* Ikiwa unataka kuona **kampuni yako ikitangazwa kwenye HackTricks** au **kupakua HackTricks kwa PDF** Angalia [**MIPANGO YA KUJIUNGA**](https://github.com/sponsors/carlospolop)!
|
||||
* Pata [**bidhaa rasmi za PEASS & HackTricks**](https://peass.creator-spring.com)
|
||||
* Gundua [**Familia ya PEASS**](https://opensea.io/collection/the-peass-family), mkusanyiko wetu wa kipekee wa [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
* **Jiunge na** 💬 [**Kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au kikundi cha [**telegram**](https://t.me/peass) au **tufuate** kwenye **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
|
||||
* **Shiriki mbinu zako za kudukua kwa kuwasilisha PRs kwa** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repos za github.
|
||||
* Ikiwa unataka kuona **kampuni yako ikitangazwa kwenye HackTricks** au **kupakua HackTricks kwa PDF** Angalia [**MIPANGO YA USAJILI**](https://github.com/sponsors/carlospolop)!
|
||||
* Pata [**swag rasmi ya PEASS & HackTricks**](https://peass.creator-spring.com)
|
||||
* Gundua [**Familia ya PEASS**](https://opensea.io/collection/the-peass-family), mkusanyiko wetu wa [**NFTs**](https://opensea.io/collection/the-peass-family) ya kipekee
|
||||
* **Jiunge na** 💬 [**Kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au [**kikundi cha telegram**](https://t.me/peass) au **tufuate** kwenye **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
|
||||
* **Shiriki mbinu zako za udukuzi kwa kuwasilisha PRs kwa** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repos za github.
|
||||
|
||||
</details>
|
||||
|
||||
|
@ -20,7 +20,8 @@ Njia nyingine za kusaidia HackTricks:
|
|||
|
||||
### Kanuni
|
||||
|
||||
* Mbinu hii ilifungiwa ([**hapa**](https://sourceware.org/git/?p=glibc.git;a=commitdiff;h=30a17d8c95fbfb15c52d1115803b63aaa73a285c)) na husababisha kosa hili: `malloc(): corrupted top size`
|
||||
* Mbinu hii ilisahihishwa ([**hapa**](https://sourceware.org/git/?p=glibc.git;a=commitdiff;h=30a17d8c95fbfb15c52d1115803b63aaa73a285c)) na kutoa kosa hili: `malloc(): corrupted top size`
|
||||
* Unaweza jaribu [**kanuni kutoka hapa**](https://guyinatuxedo.github.io/41-house\_of\_force/house\_force\_exp/index.html) kuitumia kwa majaribio.
|
||||
|
||||
### Lengo
|
||||
|
||||
|
@ -28,29 +29,45 @@ Njia nyingine za kusaidia HackTricks:
|
|||
|
||||
### Mahitaji
|
||||
|
||||
* Kujaza ambayo inaruhusu kubadilisha ukubwa wa kichwa cha kipande cha juu (k.m. -1).
|
||||
* Kuzidi ambayo inaruhusu kubadilisha ukubwa wa kichwa cha kipande cha juu (k.m. -1).
|
||||
* Kuweza kudhibiti ukubwa wa kutengwa kwa rundo
|
||||
|
||||
### Shambulio
|
||||
|
||||
Ikiwa muhusika anataka kuwa na kipande katika anwani P, baada ya kujaza ukubwa wa kichwa cha kipande cha juu na -1, kwanza kabisa inahitajika kutengwa kwa (\&top\_chunk - P). Kumbuka kuwa kidole hiki kinaweza kuwa kabla au baada ya top\_chunk kwani ukubwa wowote utakuwa chini ya -1 (0xFFFFFFFFFFFFFFFF). Kisha, baada ya kutenga kipande hiki cha awali, kipande cha juu kitahamishwa kwenye anwani ya P iliyotaka na kipande kinachofuata kitakuwa kutoka kwenye anwani hiyo.
|
||||
Ikiwa muhusika anataka kutenga kipande katika anwani P ili kubadilisha thamani hapa. Anza kwa kubadilisha ukubwa wa kichwa cha kipande cha juu na `-1` (labda kwa kuzidi). Hii inahakikisha kwamba malloc haitatumia mmap kwa kutengwa yoyote kwani Kipande cha Juu kitakuwa na nafasi ya kutosha.
|
||||
|
||||
### Marejeo
|
||||
Kisha, kuhesabu umbali kati ya anwani ya kipande cha juu na nafasi ya lengo ya kutenga. Hii ni kwa sababu malloc na ukubwa huo utafanywa ili kuhamisha kipande cha juu hadi nafasi hiyo. Hivi ndivyo tofauti/ukubwa unavyoweza kuhesabiwa kwa urahisi:
|
||||
```c
|
||||
// From https://github.com/shellphish/how2heap/blob/master/glibc_2.27/house_of_force.c#L59C2-L67C5
|
||||
/*
|
||||
* The evil_size is calulcated as (nb is the number of bytes requested + space for metadata):
|
||||
* new_top = old_top + nb
|
||||
* nb = new_top - old_top
|
||||
* req + 2sizeof(long) = new_top - old_top
|
||||
* req = new_top - old_top - 2sizeof(long)
|
||||
* req = target - 2sizeof(long) - old_top - 2sizeof(long)
|
||||
* req = target - old_top - 4*sizeof(long)
|
||||
*/
|
||||
```
|
||||
Kwa hivyo, kwa kualloca ukubwa wa `lengo - old_top - 4*sizeof(long)` (hizi long 4 ni kwa sababu ya metadata ya kipande cha juu na ya kipande kipya wakati wa kualloca) kutahamisha kipande cha juu kwenye anwani tunayotaka kubadilisha. Kisha, fanya malloc nyingine kupata kipande kinachohusisha mwanzoni mwa data ya kuandika anwani ya lengo.
|
||||
|
||||
### Marejeo & Mifano Mingine
|
||||
|
||||
* [https://github.com/shellphish/how2heap/tree/master](https://github.com/shellphish/how2heap/tree/master?tab=readme-ov-file)
|
||||
* [https://ctf-wiki.mahaloz.re/pwn/linux/glibc-heap/house\_of\_force/](https://ctf-wiki.mahaloz.re/pwn/linux/glibc-heap/house\_of\_force/)
|
||||
* [https://heap-exploitation.dhavalkapil.com/attacks/house\_of\_force](https://heap-exploitation.dhavalkapil.com/attacks/house\_of\_force)
|
||||
|
||||
<details>
|
||||
|
||||
<summary><strong>Jifunze kuhusu kudukua AWS kutoka sifuri hadi shujaa na</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (Mtaalam wa Timu Nyekundu ya AWS ya HackTricks)</strong></a><strong>!</strong></summary>
|
||||
|
||||
Njia nyingine za kusaidia HackTricks:
|
||||
|
||||
* Ikiwa unataka kuona **kampuni yako ikitangazwa kwenye HackTricks** au **kupakua HackTricks kwa PDF** Angalia [**MIPANGO YA KUJIUNGA**](https://github.com/sponsors/carlospolop)!
|
||||
* Pata [**bidhaa rasmi za PEASS & HackTricks**](https://peass.creator-spring.com)
|
||||
* Gundua [**Familia ya PEASS**](https://opensea.io/collection/the-peass-family), mkusanyiko wetu wa kipekee wa [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
* **Jiunge na** 💬 [**Kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au kikundi cha [**telegram**](https://t.me/peass) au **tufuate** kwenye **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
|
||||
* **Shiriki mbinu zako za kudukua kwa kuwasilisha PRs kwa** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repos za github.
|
||||
|
||||
</details>
|
||||
* [https://github.com/shellphish/how2heap/blob/master/glibc\_2.27/house\_of\_force.c](https://github.com/shellphish/how2heap/blob/master/glibc\_2.27/house\_of\_force.c)
|
||||
* [https://guyinatuxedo.github.io/41-house\_of\_force/house\_force\_exp/index.html](https://guyinatuxedo.github.io/41-house\_of\_force/house\_force\_exp/index.html)
|
||||
* [https://ctf-wiki.mahaloz.re/pwn/linux/glibc-heap/house\_of\_force/#hitcon-training-lab-11](https://ctf-wiki.mahaloz.re/pwn/linux/glibc-heap/house\_of\_force/#hitcon-training-lab-11)
|
||||
* Lengo la hali hii ni ret2win ambapo tunahitaji kubadilisha anwani ya kazi ambayo itaitwa na anwani ya kazi ya ret2win
|
||||
* Binary ina overflow ambayo inaweza kutumika kubadilisha ukubwa wa kipande cha juu, ambacho kimebadilishwa kuwa -1 au p64(0xffffffffffffffff)
|
||||
* Kisha, inahesabiwa anwani mahali ambapo pointer ya kubadilisha ipo, na tofauti kutoka kwa nafasi ya sasa ya kipande cha juu hadi hapo ina alokwa na `malloc`
|
||||
* Hatimaye kipande kipya kina alokwa ambacho kitahusisha lengo lililohitajika ndani yake ambalo linabadilishwa na kazi ya ret2win
|
||||
* [https://shift--crops-hatenablog-com.translate.goog/entry/2016/03/21/171249?\_x\_tr\_sl=es&\_x\_tr\_tl=en&\_x\_tr\_hl=en&\_x\_tr\_pto=wapp](https://shift--crops-hatenablog-com.translate.goog/entry/2016/03/21/171249?\_x\_tr\_sl=es&\_x\_tr\_tl=en&\_x\_tr\_hl=en&\_x\_tr\_pto=wapp)
|
||||
* Katika `Ingiza jina lako:` kuna udhaifu wa awali ambao unaruhusu kuvuja kwa anwani kutoka kwa rundo
|
||||
* Kisha katika kazi za `Org:` na `Host:` ni rahisi kujaza 64B ya pointer ya `s` wakati unapoombwa **jina la org**, ambayo kwenye rundo inafuatwa na anwani ya v2, ambayo kisha inafuatwa na **jina la mwenyeji** lililotajwa. Kwa hivyo, strcpy itakuwa inakopi yaliyomo ya s kwa kipande cha ukubwa wa 64B, inawezekana **kubadilisha ukubwa wa kipande cha juu** na data iliyowekwa ndani ya **jina la mwenyeji**.
|
||||
* Sasa kwamba kuandika ya kiholela kunawezekana, GOT ya `atoi` ilibadilishwa na anwani ya printf. basi inawezekana kuvuja anwani ya `IO_2_1_stderr` _na_ `%24$p`. Na kuvuja huku kwa libc ilikuwa inawezekana kubadilisha tena GOT ya `atoi` na anwani ya `system` na kuipiga kwa paramu `/bin/sh`
|
||||
* Njia mbadala [iliyopendekezwa katika andiko hili lingine](https://ctf-wiki.mahaloz.re/pwn/linux/glibc-heap/house\_of\_force/#2016-bctf-bcloud), ni kubadilisha `free` na `puts`, na kisha kuongeza anwani ya `atoi@got`, kwenye pointer ambayo baadaye itaachiliwa ili ivujike na kwa kuvuja hii kubadilisha tena `atoi@got` na `system` na kuipiga na `/bin/sh`.
|
||||
* [https://guyinatuxedo.github.io/41-house\_of\_force/bkp16\_cookbook/index.html](https://guyinatuxedo.github.io/41-house\_of\_force/bkp16\_cookbook/index.html)
|
||||
* Kuna UAF inayoruhusu kutumia tena kipande kilichoachiliwa bila kufuta pointer. Kwa sababu kuna njia za kusoma, inawezekana kuvuja anwani ya libc kwa kuandika pointer kwa kazi ya bure katika GOT hapa na kisha kuita kazi ya kusoma.
|
||||
* Kisha, House of force ilitumiwa (kwa kudhuru UAF) kubadilisha ukubwa wa nafasi iliyobaki na -1, kualloca kipande kikubwa cha kutosha kufikia kitanzi cha bure, na kisha kualloca kipande kingine ambacho kitahusisha kitanzi cha bure. Kisha, andika kwenye kitanzi anwani ya `system`, andika kwenye kipande `"/bin/sh"` na mwishowe fungua kipande hicho na yaliyomo ya herufi hizo.
|
||||
|
|
Loading…
Reference in a new issue