House of Lore | Small bin Attack

Taarifa Msingi

Kanuni

• Angalia kutoka https://ctf-wiki.mahaloz.re/pwn/linux/glibc-heap/house_of_lore/

• Hii haifanyi kazi

• Au: https://github.com/shellphish/how2heap/blob/master/glibc_2.39/house_of_lore.c

• Hii haifanyi kazi hata kama inajaribu kukiuka baadhi ya ukaguzi ikipata kosa: malloc(): unaligned tcache chunk detected

• Mfano huu bado unafanya kazi: https://guyinatuxedo.github.io/40-house_of_lore/house_lore_exp/index.html

Lengo

• Ingiza kipande kidogo bandia kwenye bin ndogo ili kisha kiwezekane kukitenga. Tambua kuwa kipande kidogo kilichoongezwa ni kipande bandia ambacho muhusika anajenga na sio kipande bandia kwenye nafasi ya kupita.

Mahitaji

• Unda vipande 2 bandia na uwalinganishe pamoja na kipande halali kwenye bin ndogo:

• fake0.bk -> fake1

• fake1.fd -> fake0

• fake0.fd -> legit (unahitaji kurekebisha kiashiria kwenye kipande cha bin ndogo kilichofutwa kupitia kasoro nyingine)

• legit.bk -> fake0

Kisha utaweza kutenga fake0.

Shambulio

• Kipande kidogo (legit) kinatengwa, kisha kingine kinatengwa kuzuia kulinganisha na kipande cha juu. Kisha, legit inafutwa (ikihamisha kwenye orodha ya bin isiyosortiwa) na kipande kikubwa zaidi kinatengwa, ikihamisha legit kwenye bin ndogo.

• Mshambuliaji anazalisha vipande viwili vya bandia vidogo, na kufanya uunganishaji unaohitajika kupita ukaguzi wa akili:

• fake0.bk -> fake1

• fake1.fd -> fake0

• fake0.fd -> legit (unahitaji kurekebisha kiashiria kwenye kipande cha bin ndogo kilichofutwa kupitia kasoro nyingine)

• legit.bk -> fake0

• Kipande kidogo kinatengwa kupata legit, ikifanya fake0 kuwa kwenye orodha ya juu ya mabakuli madogo

• Kipande kingine kidogo kinatengwa, kupata fake0 kama kipande, kuruhusu uwezekano wa kusoma/kuandika viashiria ndani yake.

Marejeo

• https://ctf-wiki.mahaloz.re/pwn/linux/glibc-heap/house_of_lore/

• https://heap-exploitation.dhavalkapil.com/attacks/house_of_lore

• https://guyinatuxedo.github.io/40-house_of_lore/house_lore_exp/index.html