GNU obstack function-pointer hijack

Tip

Učite i vežbajte AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Učite i vežbajte GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE) Učite i vežbajte Azure Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Podržite HackTricks

Pregled

GNU obstacks ugrađuju stanje alokatora zajedno sa dva indirektna cilja poziva:

  • chunkfun (offset +0x38) sa potpisom void *(*chunkfun)(void *, size_t)
  • freefun (offset +0x40) sa potpisom void (*freefun)(void *, void *)
  • extra_arg i zastavica use_extra_arg biraju da li _obstack_newchunk poziva chunkfun(new_size) ili chunkfun(extra_arg, new_size)

Ako napadač može da korumpira aplikaciji-pripadajući struct obstack * ili njegova polja, sledeći rast obstack-a (kad je next_free == chunk_limit) pokreće indirektni poziv kroz chunkfun, omogućavajući primitiv za izvršavanje koda.

Primitiv: size_t desync → 0-byte allocation → pointer OOB write

Uobičajen obrazac buga je korišćenje 32-bit registra za računanje sizeof(ptr) * count dok se logička dužina čuva u 64-bitnom size_t.

  • Primer: elements = obstack_alloc(obs, sizeof(void *) * size); se kompajlira kao SHL EAX,0x3 za size << 3.
  • Sa size = 0x20000000 i sizeof(void *) = 8, množenje se preljeva u 32-bit i rezultuje 0x0, pa je niz pokazivača 0 bajtova, ali upisani size ostaje 0x20000000.
  • Naredna elements[curr++] = ptr; pisanja vrše 8-bajtne OOB upise pokazivača u susedne heap objekte, dajući kontrolisan cross-object overwrite primitiv.

Leaking libc via obstack.chunkfun

  1. Place two heap objects adjacent (e.g., two stacks built with separate obstacks).
  2. Use the pointer-array OOB write from object A to overwrite object B’s elements pointer so that a pop/read from B dereferences an address inside object A’s obstack.
  3. Read chunkfun (malloc by default) at offset 0x38 to disclose a libc function pointer, then compute libc_base = leak - malloc_offset and derive other symbols (e.g., system, "/bin/sh").

Hijacking chunkfun with a fake obstack

Overwrite a victim’s stored struct obstack * to point at attacker-controlled data that mimics the obstack header. Minimal fields needed:

  • next_free == chunk_limit to force _obstack_newchunk on next push
  • chunkfun = system_addr
  • extra_arg = binsh_addr, use_extra_arg = 1 to select the two-argument call form

Then trigger an allocation on the victim obstack to execute system("/bin/sh") through the indirect call.

Example fake obstack layout (glibc 2.42 offsets):

fake  = b""
fake += p64(0x1000)          # chunk_size
fake += p64(heap_leak)       # chunk
fake += p64(heap_leak)       # object_base
fake += p64(heap_leak)       # next_free == chunk_limit
fake += p64(heap_leak)       # chunk_limit
fake += p64(0xF)             # alignment_mask
fake += p64(0)               # temp
fake += p64(system_addr)     # chunkfun
fake += p64(0)               # freefun
fake += p64(binsh_addr)      # extra_arg
fake += p64(1)               # use_extra_arg flag set

Recept napada

  1. Trigger size wrap da bi se kreirao 0-byte pointer array sa ogromnom logičkom dužinom.
  2. Groom adjacency tako da OOB pointer store dopre do susednog objekta koji sadrži obstack pointer.
  3. Leak libc preusmeravanjem victim pointer-a na susedni obstack-ov chunkfun i čitanjem function pointer-a.
  4. Forge obstack podatke sa kontrolisanim chunkfun/extra_arg i prisiliti _obstack_newchunk da se smesti u lažni header, što dovodi do poziva function-pointer po izboru napadača.

Reference

Tip

Učite i vežbajte AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Učite i vežbajte GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE) Učite i vežbajte Azure Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Podržite HackTricks