GNU obstack function-pointer hijack

Tip

Learn and practice AWS Hacking: HackTricks Training AWS Red Team Expert (ARTE)
Learn and practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Learn and practice Azure Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Support HackTricks

Overview

GNU obstacks store allocator state together with two indirect-call targets:

  • chunkfun (offset +0x38) with signature void *(*chunkfun)(void *, size_t)
  • freefun (offset +0x40) with signature void (*freefun)(void *, void *)
  • extra_arg and the use_extra_arg flag select whether _obstack_newchunk calls chunkfun(new_size) or chunkfun(extra_arg, new_size)

If an attacker can corrupt a program-owned struct obstack * or its fields, the next obstack growth (when next_free == chunk_limit) triggers an indirect call through chunkfun, yielding a code-execution primitive.

Primitive: size_t desync → 0-byte allocation → pointer OOB write

The recurring bug pattern is computing sizeof(ptr) * count in a 32-bit register while the logical length is kept in a 64-bit size_t.

  • Example: elements = obstack_alloc(obs, sizeof(void *) * size); is compiled as SHL EAX,0x3 for size << 3.
  • With size = 0x20000000 and sizeof(void *) = 8, the 32-bit multiplication wraps to 0x0, so the pointer array is 0 bytes long while the recorded size stays 0x20000000.
  • Subsequent elements[curr++] = ptr; stores perform 8-byte out-of-bounds pointer writes into adjacent heap objects, providing a controlled cross-object overwrite primitive.
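The size desync above comes down to a count-to-bytes conversion done in 32-bit arithmetic while the count itself lives in a 64-bit size_t. The following C is added here as an illustration; it is not code from the affected program or from glibc. It reproduces the truncation beside a hardened version that keeps the arithmetic in size_t, rejects overflow with __builtin_mul_overflow (GCC/Clang), and derives the push bound from the bytes actually allocated rather than from the requested count. The ptr_stack struct and its function names are assumptions made for this example, and malloc stands in for obstack_alloc.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdlib.h>
#include <stdio.h>

/* Vulnerable pattern (reproduced for illustration): the byte count is
 * multiplied as a 32-bit value and only then widened to size_t, which is
 * what the SHL EAX,0x3 codegen described above does. count = 0x20000000
 * yields 0 bytes while the caller still believes it has 0x20000000 slots. */
size_t ptr_array_bytes_truncated(size_t count)
{
    uint32_t bytes = (uint32_t)count * (uint32_t)sizeof(void *);
    return (size_t)bytes;
}

/* Hardened: size_t arithmetic with an explicit overflow check.
 * Returns 0 and writes the byte count, or -1 if count * sizeof(void *)
 * does not fit in size_t. */
int ptr_array_bytes_checked(size_t count, size_t *out)
{
    size_t bytes;
    if (__builtin_mul_overflow(count, sizeof(void *), &bytes))
        return -1;
    *out = bytes;
    return 0;
}

/* Hypothetical pointer stack standing in for the program's elements/curr
 * pair; capacity is derived from the allocation, not the requested count. */
struct ptr_stack {
    void **elements;
    size_t capacity;
    size_t curr;
};

/* Returns 0 on success, -1 on overflow or allocation failure. */
int ptr_stack_init(struct ptr_stack *s, size_t count)
{
    size_t bytes;
    if (ptr_array_bytes_checked(count, &bytes) != 0)
        return -1;
    s->elements = malloc(bytes);            /* stand-in for obstack_alloc */
    if (s->elements == NULL && bytes != 0)
        return -1;
    s->capacity = bytes / sizeof(void *);   /* slots that really exist */
    s->curr = 0;
    return 0;
}

/* Bounds-checked push: refuses instead of writing past the allocation. */
int ptr_stack_push(struct ptr_stack *s, void *p)
{
    if (s->curr >= s->capacity)
        return -1;
    s->elements[s->curr++] = p;
    return 0;
}

int main(void)
{
    size_t bytes;
    printf("truncated(0x20000000) = %zu bytes\n",
           ptr_array_bytes_truncated(0x20000000));
    if (ptr_array_bytes_checked(0x20000000, &bytes) == 0)
        printf("checked(0x20000000)   = %zu bytes\n", bytes);
    struct ptr_stack s;
    if (ptr_stack_init(&s, 2) == 0) {
        int a = ptr_stack_push(&s, &bytes);
        int b = ptr_stack_push(&s, &bytes);
        int c = ptr_stack_push(&s, &bytes);  /* third push is refused */
        printf("pushes: %d %d %d\n", a, b, c);
        free(s.elements);
    }
    return 0;
}
```

The truncated helper returns 0 for the page's count of 0x20000000, which is exactly the 0-byte array the write primitive relies on; the checked helper either returns the full 4 GiB request (which the allocator can then refuse) or fails outright, and the push never runs past the slots that were actually allocated.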

Leaking libc via obstack.chunkfun

  1. Place two heap objects adjacent to each other (for example, two stacks built on different obstacks).
  2. Use the pointer-array OOB write from object A to overwrite object B's elements pointer, so that a pop/read from B reaches an address inside object A's obstack.
  3. Read chunkfun (malloc by default) at offset 0x38 to obtain a libc function pointer, then compute libc_base = leak - malloc_offset and derive the other addresses (for example, system, "/bin/sh").

Hijacking chunkfun with a fake obstack

Overwrite the victim's stored struct obstack * so that it points to attacker-controlled data mimicking an obstack header. Minimal fields required:

  • next_free == chunk_limit so that the next push is forced into _obstack_newchunk
  • chunkfun = system_addr
  • extra_arg = binsh_addr, use_extra_arg = 1 to select the two-argument call form

Then trigger an allocation on the victim obstack to execute system("/bin/sh") through the indirect call.

Example fake obstack layout (glibc 2.42 offsets):

from pwn import p64          # 8-byte little-endian packing helper

# heap_leak, system_addr and binsh_addr come from the leak steps above
fake  = b""
fake += p64(0x1000)          # chunk_size
fake += p64(heap_leak)       # chunk
fake += p64(heap_leak)       # object_base
fake += p64(heap_leak)       # next_free == chunk_limit
fake += p64(heap_leak)       # chunk_limit
fake += p64(0xF)             # alignment_mask
fake += p64(0)               # temp
fake += p64(system_addr)     # chunkfun (+0x38)
fake += p64(0)               # freefun (+0x40)
fake += p64(binsh_addr)      # extra_arg
fake += p64(1)               # use_extra_arg flag set

Attack steps

  1. Trigger the size wrap to create a 0-byte pointer array with a large logical length.
  2. Groom adjacency so the OOB pointer store reaches a neighbouring object that holds an obstack pointer.
  3. Leak libc by redirecting the victim pointer to the neighbouring obstack's chunkfun and reading the function pointer.
  4. Forge obstack data with a controlled chunkfun/extra_arg and make _obstack_newchunk consume the forged header, resulting in a function-pointer call of the attacker's choosing.
