4.8 KiB
Kufungua Mara Mbili
Jifunze kuhusu kuvamia AWS kutoka sifuri hadi shujaa na htARTE (Mtaalam wa Timu Nyekundu ya AWS ya HackTricks)!
Njia nyingine za kusaidia HackTricks:
- Ikiwa unataka kuona kampuni yako ikitangazwa kwenye HackTricks au kupakua HackTricks kwa PDF Angalia MIPANGO YA USAJILI!
- Pata bidhaa rasmi za PEASS & HackTricks
- Gundua Familia ya PEASS, mkusanyiko wetu wa NFTs ya kipekee
- Jiunge na 💬 Kikundi cha Discord au kikundi cha telegram au tufuate kwenye Twitter 🐦 @hacktricks_live.
- Shiriki mbinu zako za kuvamia kwa kuwasilisha PRs kwa HackTricks na HackTricks Cloud repos za github.
Taarifa Msingi
Ikiwa unafungua kibeti cha kumbukumbu mara zaidi ya mara moja, inaweza kuharibu data ya mpangishaji na kufungua mlango kwa mashambulizi. Hapa ndio jinsi inavyotokea: unapofungua kibeti cha kumbukumbu, kinarudi kwenye orodha ya vipande vilivyofunguliwa (k.m. "fastbin"). Ikiwa unafungua kibeti kile kile mara mbili mfululizo, mpangishaji anagundua hili na kutupa kosa. Lakini ikiwa unafungua kibeti kingine kati yake, ukaguzi wa kufungua mara mbili unapuuzwa, kusababisha uharibifu.
Sasa, unapoomba kumbukumbu mpya (ukitumia malloc), mpangishaji anaweza kukupa kibeti ambacho kimefunguliwa mara mbili. Hii inaweza kusababisha viashiria viwili tofauti kuelekeza kwenye eneo moja la kumbukumbu. Ikiwa mvamizi anadhibiti kimoja cha viashiria hivyo, wanaweza kubadilisha maudhui ya kumbukumbu hiyo, ambayo inaweza kusababisha masuala ya usalama au hata kuwaruhusu kutekeleza nambari.
Mfano:
#include <stdio.h>
#include <stdlib.h>
int main() {
// Allocate memory for three chunks
char *a = (char *)malloc(10);
char *b = (char *)malloc(10);
char *c = (char *)malloc(10);
char *d = (char *)malloc(10);
char *e = (char *)malloc(10);
char *f = (char *)malloc(10);
char *g = (char *)malloc(10);
char *h = (char *)malloc(10);
char *i = (char *)malloc(10);
// Print initial memory addresses
printf("Initial allocations:\n");
printf("a: %p\n", (void *)a);
printf("b: %p\n", (void *)b);
printf("c: %p\n", (void *)c);
printf("d: %p\n", (void *)d);
printf("e: %p\n", (void *)e);
printf("f: %p\n", (void *)f);
printf("g: %p\n", (void *)g);
printf("h: %p\n", (void *)h);
printf("i: %p\n", (void *)i);
// Fill tcache
free(a);
free(b);
free(c);
free(d);
free(e);
free(f);
free(g);
// Introduce double-free vulnerability in fast bin
free(h);
free(i);
free(h);
// Reallocate memory and print the addresses
char *a1 = (char *)malloc(10);
char *b1 = (char *)malloc(10);
char *c1 = (char *)malloc(10);
char *d1 = (char *)malloc(10);
char *e1 = (char *)malloc(10);
char *f1 = (char *)malloc(10);
char *g1 = (char *)malloc(10);
char *h1 = (char *)malloc(10);
char *i1 = (char *)malloc(10);
char *i2 = (char *)malloc(10);
// Print initial memory addresses
printf("After reallocations:\n");
printf("a1: %p\n", (void *)a1);
printf("b1: %p\n", (void *)b1);
printf("c1: %p\n", (void *)c1);
printf("d1: %p\n", (void *)d1);
printf("e1: %p\n", (void *)e1);
printf("f1: %p\n", (void *)f1);
printf("g1: %p\n", (void *)g1);
printf("h1: %p\n", (void *)h1);
printf("i1: %p\n", (void *)i1);
printf("i2: %p\n", (void *)i1);
return 0;
}
Katika mfano huu, baada ya kujaza tcache na vipande kadhaa vilivyofutwa, msimbo huru chunk h, kisha chunk i, na kisha h tena, kusababisha kosa la double-free. Hii inafungua uwezekano wa kupokea anwani za kumbukumbu zinazopishana wakati wa kurekebisha upya, maana pointers mbili au zaidi zinaweza kuelekeza kwenye eneo moja la kumbukumbu. Kudhibiti data kupitia pointer moja kunaweza kuathiri nyingine, ikiumba hatari kubwa ya usalama na uwezekano wa kutumia.
Ukitenda hivyo, angalia jinsi i1 na i2 zilipata anwani ile ile:
Uwekaji wa awali:
a: 0xaaab0f0c22a0
b: 0xaaab0f0c22c0
c: 0xaaab0f0c22e0
d: 0xaaab0f0c2300
e: 0xaaab0f0c2320
f: 0xaaab0f0c2340
g: 0xaaab0f0c2360
h: 0xaaab0f0c2380
i: 0xaaab0f0c23a0
Baada ya urekebishaji upya:
a1: 0xaaab0f0c2360
b1: 0xaaab0f0c2340
c1: 0xaaab0f0c2320
d1: 0xaaab0f0c2300
e1: 0xaaab0f0c22e0
f1: 0xaaab0f0c22c0
g1: 0xaaab0f0c22a0
h1: 0xaaab0f0c2380
i1: 0xaaab0f0c23a0
i2: 0xaaab0f0c23a0