mirror of
https://github.com/carlospolop/hacktricks
synced 2024-11-28 07:31:10 +00:00
GITBOOK-4358: No subject
This commit is contained in:
parent
75946c62a1
commit
c0343aa3d5
2 changed files with 29 additions and 1 deletions
@ -38,6 +38,29 @@ This was abused in one of the example from the page abusing a fast bin attack af
[unsorted-bin-attack.md](../heap/unsorted-bin-attack.md)
[unsorted-bin-attack.md](../heap/unsorted-bin-attack.md)
{% endcontent-ref %}
{% endcontent-ref %}
A nice trick (from [**here**](https://guyinatuxedo.github.io/41-house\_of\_force/bkp16\_cookbook/index.html)) to find the location of the free hook if the binary has symbols is to **do something like**:
```
gef➤ set __free_hook = 0xfacade
gef➤ search-pattern 0xfacade
```
In the same post you can find a step by step guide on how to locate the address of the free hook without symbols. As summary, in the free function:
<pre class="language-armasm"><code class="lang-armasm">gef➤ x/20i free
0xf75dedc0 <free>: push ebx
0xf75dedc1 <free+1>: call 0xf768f625
0xf75dedc6 <free+6>: add ebx,0x14323a
0xf75dedcc <free+12>: sub esp,0x8
0xf75dedcf <free+15>: mov eax,DWORD PTR [ebx-0x98]
0xf75dedd5 <free+21>: mov ecx,DWORD PTR [esp+0x10]
0xf75dedd9 <free+25>: mov eax,DWORD PTR [eax]
<strong>0xf75deddb <free+27>: test eax,eax ;<--- BREAK HERE
</strong>0xf75deddd <free+29>: jne 0xf75dee50 <free+144>
</code></pre>
In the mentioned break in the previous code in `$eax` will be located the address of the free hook.
Now a **fast bin attack** is performed:
Now a **fast bin attack** is performed:
* First of all it's discovered that it's possible to work with fast **chunks of size 200** in the **`__free_hook`** location:
* First of all it's discovered that it's possible to work with fast **chunks of size 200** in the **`__free_hook`** location:
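Review bot: the two snippets added in this hunk use inconsistent and partly wrong markup. The gdb block (`gef➤ set __free_hook = 0xfacade` / `gef➤ search-pattern 0xfacade`) is a bare ``` fence with no language, while the disassembly is a raw `<pre class="language-armasm"><code class="lang-armasm">` HTML block with a `<strong>` tag opened inside the listing and closed on the next line; the listing itself is 32-bit x86 (`push ebx`, `mov eax,DWORD PTR [ebx-0x98]`), not ARM, so `armasm` is the wrong label. Suggest a ```bash fence for the gdb commands and a ```asm fence for the listing, with the `;<--- BREAK HERE` marker kept as a comment instead of `<strong>`. The closing sentence "In the mentioned break in the previous code in `$eax` will be located the address of the free hook." reads awkwardly; suggest "At that breakpoint, `$eax` holds the address of `__free_hook`." It is also worth saying next to the tip that `set __free_hook = 0xfacade` writes into the debugged process, which is exactly why `search-pattern` then finds the hook: it is locating the sentinel the reader just wrote, so the value must be reset or the process restarted before continuing.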
@ -21,6 +21,7 @@ Other ways to support HackTricks:
### Code
### Code
* This technique was patched ([**here**](https://sourceware.org/git/?p=glibc.git;a=commitdiff;h=30a17d8c95fbfb15c52d1115803b63aaa73a285c)) and produces this error: `malloc(): corrupted top size`
* This technique was patched ([**here**](https://sourceware.org/git/?p=glibc.git;a=commitdiff;h=30a17d8c95fbfb15c52d1115803b63aaa73a285c)) and produces this error: `malloc(): corrupted top size`
* You can try the [**code from here**](https://guyinatuxedo.github.io/41-house\_of\_force/house\_force\_exp/index.html) to test it if you want.
### Goal
### Goal
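Review bot: the bullet added under `### Code`, "You can try the code from here to test it if you want", should say what the linked exploit is expected to run against, because the bullet directly above states the technique is patched and aborts with `malloc(): corrupted top size`; a reader who runs the linked code on a current glibc will just hit that abort. Suggest "The code linked here demonstrates the technique on a glibc that predates the fix linked above" (naming the version if the author knows it), and dropping the filler "if you want".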
@ -33,7 +34,7 @@ Other ways to support HackTricks:
### Attack
### Attack
If an attacker wants to allocate a chunk in the address P to overwrite a value here, he can start by overwriting the top chunk size with `-1`. This ensures that malloc won't be using mmap for any allocation as the Top chunk will always have enough space.
If an attacker wants to allocate a chunk in the address P to overwrite a value here. He starts by overwriting the top chunk size with `-1` (maybe with an overflow). This ensures that malloc won't be using mmap for any allocation as the Top chunk will always have enough space.
Then, calculate the distance between the address of the top chunk and the target space to allocate. This is because a malloc with that size will be performed in order to move the top chunk to that position. This is how the difference/size can be easily calculated:
Then, calculate the distance between the address of the top chunk and the target space to allocate. This is because a malloc with that size will be performed in order to move the top chunk to that position. This is how the difference/size can be easily calculated:
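Review bot: the rewritten sentence "If an attacker wants to allocate a chunk in the address P to overwrite a value here. He starts by overwriting the top chunk size with `-1` (maybe with an overflow)." turns the `If` clause into a fragment; the previous wording ("..., he can start by overwriting the top chunk size with `-1`.") was grammatical. Suggest keeping that structure and folding the new parenthetical in: "If an attacker wants to allocate a chunk at address P to overwrite a value there, they can start by overwriting the top chunk size with `-1` (for example through an overflow)." While here, "in the address P" should be "at address P", and the value written should be spelled the same way as in the references section below (`-1 or p64(0xffffffffffffffff)`), so the reader sees that `-1` means the all-ones size word.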
@ -59,6 +60,7 @@ Then, do another malloc to get a chunk containing the at the beginning of the da
* [https://ctf-wiki.mahaloz.re/pwn/linux/glibc-heap/house\_of\_force/](https://ctf-wiki.mahaloz.re/pwn/linux/glibc-heap/house\_of\_force/)
* [https://ctf-wiki.mahaloz.re/pwn/linux/glibc-heap/house\_of\_force/](https://ctf-wiki.mahaloz.re/pwn/linux/glibc-heap/house\_of\_force/)
* [https://heap-exploitation.dhavalkapil.com/attacks/house\_of\_force](https://heap-exploitation.dhavalkapil.com/attacks/house\_of\_force)
* [https://heap-exploitation.dhavalkapil.com/attacks/house\_of\_force](https://heap-exploitation.dhavalkapil.com/attacks/house\_of\_force)
* [https://github.com/shellphish/how2heap/blob/master/glibc\_2.27/house\_of\_force.c](https://github.com/shellphish/how2heap/blob/master/glibc\_2.27/house\_of\_force.c)
* [https://github.com/shellphish/how2heap/blob/master/glibc\_2.27/house\_of\_force.c](https://github.com/shellphish/how2heap/blob/master/glibc\_2.27/house\_of\_force.c)
* [https://guyinatuxedo.github.io/41-house\_of\_force/house\_force\_exp/index.html](https://guyinatuxedo.github.io/41-house\_of\_force/house\_force\_exp/index.html)
* [https://ctf-wiki.mahaloz.re/pwn/linux/glibc-heap/house\_of\_force/#hitcon-training-lab-11](https://ctf-wiki.mahaloz.re/pwn/linux/glibc-heap/house\_of\_force/#hitcon-training-lab-11)
* [https://ctf-wiki.mahaloz.re/pwn/linux/glibc-heap/house\_of\_force/#hitcon-training-lab-11](https://ctf-wiki.mahaloz.re/pwn/linux/glibc-heap/house\_of\_force/#hitcon-training-lab-11)
* The goal of this scenario is a ret2win where we need to modify the address of a function that is going to be called by the address of the ret2win function
* The goal of this scenario is a ret2win where we need to modify the address of a function that is going to be called by the address of the ret2win function
* The binary has an overflow that can be abused to modify the top chunk size, which is modified to -1 or p64(0xffffffffffffffff)
* The binary has an overflow that can be abused to modify the top chunk size, which is modified to -1 or p64(0xffffffffffffffff)
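Review bot: the reference added at "* https://guyinatuxedo.github.io/41-house_of_force/house_force_exp/index.html" is the same URL already linked as "code from here" under `### Code` in the other hunk of this commit, and it is inserted between the general references (ctf-wiki, dhavalkapil, how2heap) and the `#hitcon-training-lab-11` entry whose following bullets ("The goal of this scenario is a ret2win...", "The binary has an overflow...") describe that specific lab. Suggest either dropping one of the two copies or moving this one to the end of the general references, so the per-writeup entries stay grouped with their own bullets.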
@ -69,6 +71,9 @@ Then, do another malloc to get a chunk containing the at the beginning of the da
* Then in the `Org:` and `Host:` functionality its possible to fill the 64B of the `s` pointer when asked for the **org name**, which in the stack is followed by the address of v2, which is then followed by the indicated **host name**. As then, strcpy is going to be copying the contents of s to a chunk of size 64B, it's possible to **overwrite the size of the top chunk** with the data put inside the **host name**.
* Then in the `Org:` and `Host:` functionality its possible to fill the 64B of the `s` pointer when asked for the **org name**, which in the stack is followed by the address of v2, which is then followed by the indicated **host name**. As then, strcpy is going to be copying the contents of s to a chunk of size 64B, it's possible to **overwrite the size of the top chunk** with the data put inside the **host name**.
* Now that arbitrary write it possible, the `atoi`'s GOT was overwritten to the address of printf. the it as possible to leak the address of `IO_2_1_stderr` _with_ `%24$p`. And with this libc leak it was possible to overwrite `atoi`'s GOT again with the address to `system` and call it passing as param `/bin/sh`
* Now that arbitrary write it possible, the `atoi`'s GOT was overwritten to the address of printf. the it as possible to leak the address of `IO_2_1_stderr` _with_ `%24$p`. And with this libc leak it was possible to overwrite `atoi`'s GOT again with the address to `system` and call it passing as param `/bin/sh`
* An alternative method [proposed in this other writeup](https://ctf-wiki.mahaloz.re/pwn/linux/glibc-heap/house\_of\_force/#2016-bctf-bcloud), is to overwrite `free` with `puts`, and then add the address of `atoi@got`, in the pointer that will be later freed so it's leaked and with this leak overwrite again `atoi@got` with `system` and call it with `/bin/sh`.
* An alternative method [proposed in this other writeup](https://ctf-wiki.mahaloz.re/pwn/linux/glibc-heap/house\_of\_force/#2016-bctf-bcloud), is to overwrite `free` with `puts`, and then add the address of `atoi@got`, in the pointer that will be later freed so it's leaked and with this leak overwrite again `atoi@got` with `system` and call it with `/bin/sh`.
* [https://guyinatuxedo.github.io/41-house\_of\_force/bkp16\_cookbook/index.html](https://guyinatuxedo.github.io/41-house\_of\_force/bkp16\_cookbook/index.html)
* There is a UAF allowing to reuse a chunk that was freed without clearing the pointer. Because there are some read methods, it's possible to leak a libc address writing a pointer to the free function in the GOT here and then calling the read function.
* Then, House of force was used (abusing the UAF) to overwrite the size of the left space with a -1, allocate a chunk big enough to get tot he free hook, and then allocate another chunk which will contain the free hook. Then, write in the hook the address of `system`, write in a chunk `"/bin/sh"` and finally free the chunk with that string content.
<details>
<details>
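Review bot: typos and unclear wording in the two bullets added under the new bkp16_cookbook reference. "get tot he free hook" should be "get to the free hook"; "There is a UAF allowing to reuse a chunk" reads better as "There is a UAF that allows reusing a chunk"; and "overwrite the size of the left space with a -1" should name what is being overwritten, the top chunk size, as the rest of the page does. The sentence "it's possible to leak a libc address writing a pointer to the free function in the GOT here and then calling the read function" is ambiguous about what is written where; if the intended meaning is that the GOT entry of `free` is stored in the reused chunk and the read method then dereferences it, suggest saying exactly that ("store the address of `free@got` in the reused chunk and call the read method on it, which prints the libc address of `free`"). The closing steps ("write in the hook the address of `system`, write in a chunk `"/bin/sh"` and finally free the chunk") are clear as written. While here, the untouched context bullet starting "Now that arbitrary write it possible" has two more typos ("write is possible", "then it was possible") that could be fixed in the same commit.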