House of Roman


Basic Information

This was a very interesting technique that allowed RCE without leaks via fake fastbins, the unsorted_bin attack and relative overwrites. However, it has been patched.

Usability in 2026

  • glibc window: Works reliably on 2.23–2.28. On 2.29 the extra unsorted_chunks check makes the unsorted-bin write conditional, so the success rate drops somewhat. From 2.34 onwards __malloc_hook/__free_hook were removed, making the original target unavailable. Use it only on old libcs (or custom builds that keep the hooks) or on CTF challenges that ship an old libc.
  • Tcache era (≥2.26): Tcache will eat your 0x70 allocations and stop the fastbin/unsorted primitives. Disable it (setenv("GLIBC_TUNABLES","glibc.malloc.tcache_count=0",1);) before any allocation, or fill each 0x70 tcache bin with 7 frees to exhaust it.
  • Safe-linking: Applies to tcache/fastbin in ≥2.32, but House of Roman only needs a partial pointer overwrite of a libc address already present in fd/bk, so safe-linking does not help the defender here (the attacker never forges a complete new pointer). What really stops it is the hook removal and the unsorted-bin check.

Code

Goal

  • RCE by abusing relative pointers

Requirements

  • Modify fastbin and unsorted bin pointers
  • 12 bits of randomness need to be brute forced (0.02% chance of success)

Attack Steps

Part 1: Fastbin Chunk pointing to __malloc_hook

Create several chunks:

  • fastbin_victim (0x60, offset 0): UAF chunk, used later to edit the heap pointer so it points to a LibC value.
  • chunk2 (0x80, offset 0x70): For good alignment
  • main_arena_use (0x80, offset 0x100)
  • relative_offset_heap (0x60, offset 0x190): relative offset to the 'main_arena_use' chunk

Then free(main_arena_use), which will put this chunk in the unsorted list and will get a pointer to main_arena + 0x68 in both the fd and bk pointers.

Now a new chunk fake_libc_chunk(0x60) is allocated, because it will contain the pointers to main_arena + 0x68 in fd and bk.

Then relative_offset_heap and fastbin_victim are freed.

/*
Current heap layout:
0x0:   fastbin_victim       - size 0x70
0x70:  alignment_filler     - size 0x90
0x100: fake_libc_chunk      - size 0x70 (contains a fd ptr to main_arena + 0x68)
0x170: leftover_main        - size 0x20
0x190: relative_offset_heap - size 0x70

bin layout:
fastbin:  fastbin_victim -> relative_offset_heap
unsorted: leftover_main
*/
  • fastbin_victim has an fd pointing to relative_offset_heap
  • relative_offset_heap is an offset away from fake_libc_chunk, which contains a pointer to main_arena + 0x68
  • Changing the last byte of fastbin_victim.fd makes fastbin_victim point to main_arena + 0x68.
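As an added illustration (not code from the page or from how2heap), the following C program reproduces the four allocations of Part 1 with the same request sizes and checks, using glibc's request-to-chunk rounding, why they land at offsets 0x70, 0x100 and 0x190 and why carving the 0x60 request out of the freed 0x90 chunk leaves the 0x20 leftover_main shown in the layout above. It assumes a 64-bit glibc and a fresh heap with no free chunks of these sizes.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* glibc request2size on 64-bit: add the 8-byte size field, round up to a
 * multiple of 16, never below the 0x20 minimum chunk size. */
static size_t chunk_size(size_t request) {
    size_t sz = (request + 8 + 15) & ~(size_t)15;
    return sz < 0x20 ? 0x20 : sz;
}

/* Bytes left over when a freed chunk of `from` bytes is split to serve a
 * request whose chunk is `want` bytes (0x90 - 0x70 = 0x20 = leftover_main). */
static size_t split_remainder(size_t from, size_t want) {
    return from - want;
}

/* Constructed: the four Part 1 allocations in order. Fills `out` with the
 * distance of each chunk from fastbin_victim and frees them again. */
static void page_layout_offsets(size_t out[4]) {
    uint8_t *fastbin_victim       = malloc(0x60);
    uint8_t *chunk2               = malloc(0x80);
    uint8_t *main_arena_use       = malloc(0x80);
    uint8_t *relative_offset_heap = malloc(0x60);
    uintptr_t base = (uintptr_t)fastbin_victim;
    out[0] = 0;
    out[1] = (uintptr_t)chunk2 - base;
    out[2] = (uintptr_t)main_arena_use - base;
    out[3] = (uintptr_t)relative_offset_heap - base;
    free(relative_offset_heap); free(main_arena_use);
    free(chunk2); free(fastbin_victim);
}

/* 1 if the live heap matches the offsets in the page's layout listing. */
static int layout_matches_page(void) {
    size_t off[4];
    page_layout_offsets(off);
    return off[1] == 0x70 && off[2] == 0x100 && off[3] == 0x190;
}

int main(void) {
    size_t off[4];
    page_layout_offsets(off);
    printf("malloc(0x60) -> chunk 0x%zx, malloc(0x80) -> chunk 0x%zx\n",
           chunk_size(0x60), chunk_size(0x80));
    printf("offsets: fastbin_victim 0x%zx chunk2 0x%zx main_arena_use 0x%zx "
           "relative_offset_heap 0x%zx\n", off[0], off[1], off[2], off[3]);
    printf("leftover after carving fake_libc_chunk: 0x%zx\n",
           split_remainder(chunk_size(0x80), chunk_size(0x60)));
    return 0;
}
```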

To perform the steps above, the attacker needs to be able to modify the fd pointer of fastbin_victim.

Then, main_arena + 0x68 is not very interesting, so let's modify it so the pointer points to __malloc_hook.

Note that __memalign_hook usually starts with 0x7f and zeros before it, so it can be faked as a value in the 0x70 fast bin. Because the last 4 bits of the address are random there are 2^4=16 possibilities for the value to end up pointing where we are interested. Therefore a BF attack is performed here so the chunk ends up like: 0x70: fastbin_victim -> fake_libc_chunk -> (__malloc_hook - 0x23).

(For more info about the rest of the bytes check the explanation in the how2heap example.) If the brute force fails the program just crashes (restart until it works).

Then, 2 mallocs are performed to remove the 2 initial fast bin chunks and a third one is allocated to get a chunk at __malloc_hook.

malloc(0x60);
malloc(0x60);
uint8_t* malloc_hook_chunk = malloc(0x60);

Part 2: Unsorted_bin attack

For more information you can check:

Unsorted Bin Attack

But basically it allows writing main_arena + 0x68 to any location specified in chunk->bk. For the attack we choose __malloc_hook. Then, after overwriting it, we will use a relative overwrite to point to a one_gadget.

For this we start by getting a chunk and putting it into the unsorted bin:

uint8_t* unsorted_bin_ptr = malloc(0x80);
malloc(0x30); // Don't want to consolidate

puts("Put chunk into unsorted_bin\n");
// Free the chunk to create the UAF
free(unsorted_bin_ptr);

Use a UAF in this chunk to point unsorted_bin_ptr->bk to the address of __malloc_hook (we brute forced this previously).

Caution

Note that this attack corrupts the unsorted bin (hence small and large too). So we can only use allocations from the fast bin now (a more complex program might perform other allocations and crash), and to trigger this we must alloc the same size or the program will crash.

So, to trigger the write of main_arena + 0x68 into __malloc_hook, after setting __malloc_hook in unsorted_bin_ptr->bk we just need to do: malloc(0x80)

Step 3: Set __malloc_hook to system

In the first step we ended up controlling a chunk containing __malloc_hook (in the variable malloc_hook_chunk) and in the second step we managed to write main_arena + 0x68 there.

Now, we abuse a partial overwrite in malloc_hook_chunk to use the libc address we wrote there (main_arena + 0x68) to point to a one_gadget address.

Here it's needed to bruteforce 12 bits of randomness (more info in the how2heap example).

Finally, once the correct address is overwritten, call malloc and trigger the one_gadget.

Modern notes & variants

  • Unsorted-bin check in 2.29+: If you must run on 2.29–2.33, corrupt both fd and bk to satisfy the integrity check before triggering the write; otherwise _int_malloc aborts. The success rate is much lower and it is usually only tolerable in brute-force CTF environments.
  • Hook removal (2.34+): When __malloc_hook is gone, adapt the primitive to land on any writable GOT/global that you can use later (e.g., overwrite exit@GOT in non-PIE binaries) or pivot to a House of Pie style top-chunk hijack to control top instead of the hook.
  • Any-address fastbin alloc (2024 gist): A recent write-up shows using the same grooming to fastbin-allocate on top of __free_hook or other globals by first placing a libc pointer in the fastbin and then re-pointing it before the fixup. This works on 2.24–2.28 but still fails the 2.29 integrity checks.
