House of Einherjar

Tip

Learn & practice AWS Hacking: HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE) Learn & practice Azure Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Support HackTricks

Basic Information

Code

Goal

  • The goal is to allocate memory at almost any specific address.

Requirements

  • Create a fake chunk when you want to allocate a chunk:
    • Set its pointers to point to itself to bypass the integrity checks.
  • Use a one-byte overflow to write a null byte from one chunk into the next one, modifying its PREV_INUSE flag.
  • Record in the prev_size of the null-byte-abused chunk the distance between itself and the fake chunk.
  • The size of the fake chunk must also be set to that same value to bypass the integrity checks.
  • A heap leak is needed to construct these chunks.

Attack

  • A fake chunk A is created inside a chunk the attacker controls, with its fd and bk pointing to the original chunk to bypass the protections.
  • Two other chunks (B and C) are allocated.
  • Abusing the one-byte overflow in B, the prev-in-use bit is cleared and the prev_size data is overwritten with the distance between the location where chunk C was allocated and the fake chunk A created earlier.
    • This prev_size and the size of fake chunk A must be the same to bypass the checks.
  • Then the tcache is filled.
  • Then C is freed, so it consolidates with fake chunk A.
  • Then a new chunk D is created, which starts at fake chunk A and covers chunk B.
    • The House of Einherjar ends here.
  • This can be continued with a fast bin attack or Tcache poisoning:
    • Free B to add it to the fast bin / Tcache.
    • Abusing chunk D (which contains B inside it), B's fd is overwritten to point to the target address.
    • Then two mallocs are performed, and the second one will allocate the target address.
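To make the requirements and attack steps above concrete from the allocator's side, the following C program is an added example (it is not from this page, from how2heap or from glibc itself). It models the 64-bit glibc chunk header in a plain static array, never touching the real allocator, and implements the two integrity checks the lists refer to: the "corrupted size vs. prev_size" check free() runs before consolidating backwards, and the neighbour-pointer check in unlink_chunk(). The chunk offsets, sizes and function names are constructed for the example; the check logic mirrors what glibc 2.26+ does. It shows why the fake chunk's size must equal the victim's prev_size and why the fake fd/bk must point to the chunk itself, and that any mismatch is what makes glibc abort.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define SIZE_BITS  0x7u   /* PREV_INUSE | IS_MMAPPED | NON_MAIN_ARENA */
#define PREV_INUSE 0x1u

/* 64-bit glibc malloc_chunk header. fd/bk are only meaningful while the
 * chunk is free; for an in-use chunk those 16 bytes are user data, which is
 * why a fake chunk can be written there. */
typedef struct chunk {
    size_t        prev_size;  /* size of the previous chunk, valid only when PREV_INUSE is clear */
    size_t        size;       /* own size; the low three bits are flags */
    struct chunk *fd;
    struct chunk *bk;
} chunk;

size_t chunksize(const chunk *p)  { return p->size & ~(size_t)SIZE_BITS; }
int    prev_inuse(const chunk *p) { return (int)(p->size & PREV_INUSE); }
chunk *prev_chunk(chunk *p)       { return (chunk *)((char *)p - p->prev_size); }
chunk *next_chunk(chunk *p)       { return (chunk *)((char *)p + chunksize(p)); }

/* One 0x00 written just past the previous chunk's user data lands on the
 * least significant byte of this chunk's size field (little-endian). That
 * clears PREV_INUSE and also zeroes the rest of that byte of the size.
 * Returns the resulting size field. */
size_t null_byte_overflow(chunk *victim)
{
    ((unsigned char *)&victim->size)[0] = 0;
    return victim->size;
}

/* Model of the check glibc's free() performs before consolidating backwards:
 * the previous chunk, located via prev_size, must record exactly that size,
 * otherwise malloc aborts with "corrupted size vs. prev_size".
 * Returns 1 when the check passes. */
int backward_consolidation_check(chunk *p)
{
    if (prev_inuse(p))
        return 0;                           /* no backward consolidation at all */
    return chunksize(prev_chunk(p)) == p->prev_size;
}

/* Model of the checks in glibc's unlink_chunk(): the next chunk's prev_size
 * must match, and both list neighbours must point back at the chunk
 * ("corrupted double-linked list"). Returns 1 when they pass. */
int unlink_check(chunk *p)
{
    if (chunksize(p) != next_chunk(p)->prev_size)
        return 0;
    return p->fd->bk == p && p->bk->fd == p;
}

/* Simulated heap: a plain static array, never the real allocator. */
#define HEAP_SIZE 0x400
static chunk heap_storage[HEAP_SIZE / sizeof(chunk)];
#define HEAP ((unsigned char *)heap_storage)
static chunk *at(size_t off) { return (chunk *)(HEAP + off); }

/* Builds the A / fake A / B / C layout from the "Attack" list (offsets are
 * constructed for this example), applies the one-byte overflow from B into
 * C and sets C->prev_size to the distance back to the fake chunk.
 * fake_size_ok chooses whether the fake chunk's size equals C->prev_size,
 * as the requirements demand, or is 0x10 smaller.
 * Returns 1 if the modelled glibc checks would let free(C) consolidate
 * backwards into the fake chunk, 0 if glibc would abort instead. */
int einherjar_layout_passes_checks(int fake_size_ok)
{
    memset(HEAP, 0, HEAP_SIZE);
    chunk *A = at(0x000), *fake = at(0x020), *B = at(0x100), *C = at(0x200);

    A->size = 0x100 | PREV_INUSE;   /* attacker-controlled chunk; fake lives in its data */
    B->size = 0x100 | PREV_INUSE;   /* chunk with the off-by-one write */
    C->size = 0x100 | PREV_INUSE;   /* victim; in use, and B before it in use */

    null_byte_overflow(C);          /* C's PREV_INUSE is now clear, size still 0x100 */
    C->prev_size = (size_t)((unsigned char *)C - (unsigned char *)fake);  /* 0x1e0 */

    fake->size = C->prev_size - (fake_size_ok ? 0 : 0x10);
    fake->fd = fake->bk = fake;     /* self-referencing so the unlink check holds */

    return backward_consolidation_check(C) && unlink_check(prev_chunk(C));
}

int main(void)
{
    printf("fake size == prev_size: free(C) checks %s\n",
           einherjar_layout_passes_checks(1) ? "pass" : "abort");
    printf("fake size != prev_size: free(C) checks %s\n",
           einherjar_layout_passes_checks(0) ? "pass" : "abort");
    return 0;
}
```

Running it prints "pass" for the matching layout and "abort" for the mismatched one. The same two checks are what `MALLOC_CHECK_`-free builds rely on, so when a crash log shows "corrupted size vs. prev_size" or "corrupted double-linked list" it is worth reading as a failed attempt to satisfy exactly these constraints.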

References and other examples

  • https://github.com/shellphish/how2heap/blob/master/glibc_2.35/house_of_einherjar.c
  • CTF https://ctf-wiki.mahaloz.re/pwn/linux/glibc-heap/house_of_einherjar/#2016-seccon-tinypad
    • Pointers are not nulled after being freed, so their data can still be accessed. Therefore a chunk is placed in the unsorted bin and the pointers it contains are leaked (libc leak), and then a new heap chunk is placed in the unsorted bin and a heap address is leaked from the pointer it holds.
  • baby-talk. DiceCTF 2024
    • Null byte overflow bug in strtok.
    • Uses House of Einherjar to create an overlapping-chunks situation and Tcache poisoning to obtain an arbitrary write primitive.
