Unsafe Relocation Fixups in Asset Loaders

Tip

Learn & practice AWS Hacking: HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Learn & practice Azure Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Support HackTricks

Why asset relocation matters

Many older game engines (Granny 3D, Gamebryo, etc.) load complex assets by:

  1. Parsing the file header and the section table.
  2. Allocating one heap buffer per section.
  3. Building a SectionArray that stores the base pointer of every section.
  4. Applying relocation tables so that pointers embedded inside the section data are fixed up to the appropriate target section + offset.

When the relocation handler blindly trusts attacker-controlled metadata, every relocation becomes a potential arbitrary read/write primitive. In Anno 1404: Venice, granny2.dll ships the following helper:

`GrannyGRNFixUp_0` (trimmed)

```c
int *__cdecl GrannyGRNFixUp_0(DWORD RelocationCount, Relocation *PointerFixupArray,
                              int *SectionArray, char *destination)
{
    while (RelocationCount--) {
        // Base pointer of the target section: SectionNumber is taken straight from the file
        int target_base = SectionArray[PointerFixupArray->SectionNumber];          // unchecked index
        // Slot inside the destination section that gets patched: SectionOffset is also unvalidated
        int *patch_site = (int *)(destination + PointerFixupArray->SectionOffset); // unchecked offset
        *patch_site = target_base;
        if (target_base)
            *patch_site = target_base + PointerFixupArray->Offset;
        ++PointerFixupArray;
    }
    return SectionArray;
}
```

SectionNumber is never bounds-checked and SectionOffset is never validated against the size of the current section. Crafting relocation entries with negative offsets or oversized indices lets you walk outside the section you control and stomp allocator metadata such as the section pointer array itself.
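A bounds-checked counterpart of that helper, written here as an added example (it is not granny2.dll's code; the struct layouts, the constructed 64-byte sections and the function names are assumptions), which rejects exactly the negative offsets and oversized indices described above before a single byte is written:

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
/* Hypothetical structures mirroring the fields the decompiled helper reads;
 * they are not granny2.dll's real definitions. */
typedef struct { uint32_t SectionNumber; int32_t SectionOffset; int32_t Offset; } Relocation;
typedef struct { uint8_t *base; size_t size; } Section;
enum { FIXUP_OK = 0, FIXUP_BAD_SECTION, FIXUP_BAD_PATCH_SITE, FIXUP_BAD_TARGET };
/* Validated counterpart of GrannyGRNFixUp_0: every attacker-controlled field is
 * range-checked first, so a relocation can only patch a pointer-sized slot inside
 * its own section with a pointer into an existing section. */
int CheckedFixUp(size_t RelocationCount, const Relocation *fixups,
                 const Section *sections, size_t SectionCount, size_t destIndex)
{
    if (destIndex >= SectionCount) return FIXUP_BAD_SECTION;
    const Section *dest = &sections[destIndex];
    for (size_t i = 0; i < RelocationCount; i++) {
        const Relocation *r = &fixups[i];
        if (r->SectionNumber >= SectionCount)            /* oversized index */
            return FIXUP_BAD_SECTION;
        const Section *target = &sections[r->SectionNumber];
        /* Patch site must lie wholly inside dest: rejects -0x3FF0 and overruns. */
        if (r->SectionOffset < 0 ||
            (size_t)r->SectionOffset + sizeof(uint8_t *) > dest->size)
            return FIXUP_BAD_PATCH_SITE;
        /* The fixed-up pointer must point inside the target section. */
        if (r->Offset < 0 || (size_t)r->Offset >= target->size)
            return FIXUP_BAD_TARGET;
        uint8_t *value = target->base + r->Offset;
        memcpy(dest->base + r->SectionOffset, &value, sizeof value);
    }
    return FIXUP_OK;
}
/* Constructed sample: two 64-byte sections, one valid fixup and the two malformed
 * entries the page describes. Returns 1 when all three behave as intended. */
int DemoFixups(void)
{
    static uint8_t sec0[64], sec1[64];
    Section sections[2] = { { sec0, sizeof sec0 }, { sec1, sizeof sec1 } };
    Relocation good = { 1, 16, 8 };        /* sec0+16 := &sec1[8] */
    Relocation neg  = { 0, -0x3FF0, 0 };   /* backward write into loader metadata */
    Relocation oob  = { 7, 0, 0 };         /* index past a 2-entry table */
    uint8_t *written = NULL;
    if (CheckedFixUp(1, &good, sections, 2, 0) != FIXUP_OK) return 0;
    memcpy(&written, sec0 + 16, sizeof written);
    if (written != sec1 + 8) return 0;
    if (CheckedFixUp(1, &neg, sections, 2, 0) != FIXUP_BAD_PATCH_SITE) return 0;
    if (CheckedFixUp(1, &oob, sections, 2, 0) != FIXUP_BAD_SECTION) return 0;
    return 1;
}
```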

Stage 1 – Writing backwards into loader metadata

The goal is to make section 0's relocation table overwrite entries of SectionContentArray (which mirrors SectionArray and is stored immediately before the first section buffer). Because Granny's custom allocator prepends 0x1F bytes and the NT heap adds its own 0x10-byte header plus alignment, an attacker can precompute the distance between the start of the first section (destination) and the section-pointer array.

On the tested build, forcing the loader to allocate a GrannyFile structure of exactly 0x4000 bytes makes the section-pointer arrays end up directly before the first section buffer. Solving

0x20 (header) + 0x20 (section descriptors)
+ n * 1 (section types) + n * 1 (flags)
+ n * 4 (pointer table) = 0x4000

yields n = 2720 sections. A relocation entry with SectionOffset = -0x3FF0 (0x4000 - 0x20 - 0x20 + 0x30) now points at SectionContentArray[1] even though the section being relocated believes it is fixing up its own internal pointers.

Stage 2 – Deterministic heap layout on Windows 10

The Windows 10 NT Heap routes allocations ≤ RtlpLargestLfhBlock (0x4000) to the randomized LFH and larger ones to the deterministic backend allocator. By keeping the GrannyFile metadata slightly above that limit (while using the 2720-section trick) and preloading several malicious .gr2 assets, you can make:

  • Allocation #1 (metadata + section pointer arrays) land in a backend chunk > 0x4000.
  • Allocation #2 (section 0 contents) sit immediately after allocation #1.
  • Allocation #3 (section 1 contents) sit right after allocation #2, giving you a predictable target for subsequent relocations.

Process Monitor confirmed that assets are streamed on demand, so repeatedly requesting deliberately crafted units/buildings is enough to "prime" the heap layout without touching the executable image.

Stage 3 – Converting the primitive into RCE

  1. Corrupt SectionContentArray[1]. Section 0's relocation table overwrites it using offset -0x3FF0. Point it at any writable region you control (for example, the data of a later section).
  2. Recycle the corrupted pointer. Section 1's relocation table now sees SectionNumber = 1 as the pointer you injected. The handler writes SectionArray[1] + Offset to destination + SectionOffset, giving you an arbitrary 4-byte write per relocation entry.
  3. Hit reliable dispatchers. In Anno 1404 the chosen target was the allocator callbacks in granny2.dll (no ASLR, DEP disabled). Overwriting a function pointer that granny2.dll uses for the next Malloc/Free call immediately redirects execution to attacker-controlled code loaded from the smuggled asset.

Because granny2.dll and the mapped .gr2 buffers also live at stable addresses when ASLR/DEP are disabled, the attack reduces to building a small ROP chain or raw shellcode and pointing the callback at it.

Practical checklist

  • Look for asset loaders that keep a SectionArray / relocation tables.
  • Audit relocation handlers for missing bounds checks on indices/offsets.
  • Measure the headers added by the game's allocator wrapper and by the underlying OS heap so that backward offsets can be computed exactly.
  • Force deterministic placement by:
      • inflating metadata (many empty sections) until the allocation size > RtlpLargestLfhBlock;
      • repeatedly loading the malicious asset to fill backend holes.
  • Use a two-stage relocation table (the first to retarget SectionArray, the second to spray writes) and overwrite function pointers that will be used during normal rendering (allocator callbacks, virtual tables, animation dispatchers, etc.).

Once you have an arbitrary file write (for example, via path traversal in multiplayer save transfer), repacking RDA archives with crafted .gr2 files gives you a clean delivery vector that remote clients open automatically.
