# Heap Overflow
# Technique history
- House of Force
- <del>Fastbin attack</del>
---
## Why this talk
1. Interested in Heap Overflow (HOF)
2. Want to understand the principles behind the vulnerability
---
## Impact of HOF
- sudo -s
- macOS < 10.14.4 subject to a use-after-free vulnerability
<table>
<tr>
<td>
<!-- https://www.google.com/url?sa=i&url=https%3A%2F%2Fwww.youtube.com%2Fwatch%3Fv%3DbI6DmkK4wbM&psig=AOvVaw054tuL-LbKZeUhoKSL4C1E&ust=1682054979971000&source=images&cd=vfe&ved=2ahUKEwjtjO6d3bf-AhVjno4IHdp0A7YQjRx6BAgAEAw -->
<img src="https://hackmd.io/_uploads/HkQZAHCfh.png" alt="Image 1 description" width="100%" />
</td>
<td>
<!-- https://nvd.nist.gov/vuln/detail/CVE-2019-8526 -->
<img src="https://hackmd.io/_uploads/Sk2QgLCG3.png" alt="Image 2 description" width="1300px" />
</td>
</tr>
</table>
<!-- https://www.youtube.com/watch?v=c2Qi7traPls -->
---
## Where HOF first appeared
![](https://hackmd.io/_uploads/H1_twWpz3.png)
<small style="position: absolute; bottom: 0px; right: 0;">Source: [MALLOC DES-MALEFICARUM](http://phrack.org/issues/66/10.html)</small>
----
## HOF attack types
The house of X
X includes:
- Prime
- Mind
- Force
- Lore
- Spirit
- Chaos
- Orange
----
## HOF attack types
The house of X
X includes:
- Prime
- Mind
- <span style="color:red">Force</span>
- Lore
- Spirit
- Chaos
- Orange
----
## HOF attack types
The house of X
X includes:
- Prime
- Mind
- Force
- Lore
- Spirit
- Chaos
- <span style="color:red">Orange</span>
---
## HOF = Heap + Overflow
----
## Where a program is stored
![](https://hackmd.io/_uploads/rk9gMU0G3.png)
<small style="position: absolute; bottom: 0px; right: 0;">Source: [Linux binary Exploitation - Basic knowledge](https://www.slideshare.net/AngelBoy1/linux-binary-exploitation-basic-knowledge)</small>
----
## Memory layout
Usually read from the bottom up: higher memory addresses are at the bottom
![](https://hackmd.io/_uploads/S1V3G-pfn.png =50%x)
<small style="position: absolute; bottom: 0px; right: 0;">Source: [memory-layout-of-c-program](https://blog.gtwang.org/programming/memory-layout-of-c-program/)</small>
----
## An example
![](https://hackmd.io/_uploads/HyaHNZpf2.png =80%x)
----
## Kinds of overflow
1. Buffer Overflow
    - Stack Overflow
    - Heap Overflow
2. Integer Overflow
3. Format String Vulnerability
...
<small style="position: absolute; bottom: 0px; right: 0;">Source: [Overflows](https://www.techtarget.com/searchsecurity/definition/buffer-overflow)</small>
----
## An example => Buffer Overflow
![](https://hackmd.io/_uploads/S1W6Lv0Mh.png)
<small style="position: absolute; bottom: 0px; right: 0;">Source: [Buffer Overflow Attack](https://www.prosec-networks.com/en/blog/buffer-overflow-angriff/)</small>
---
## A brief introduction to the heap
1. glibc
2. malloc()/free()
3. heap layout
----
## glibc
![](https://hackmd.io/_uploads/Sk8KdZTf2.png)
----
## malloc()/free()
![](https://hackmd.io/_uploads/By2SKWaGh.png)
----
## heap layout
![](https://hackmd.io/_uploads/ByI9F-6z2.png)
---
## House of Force
1. Attack principle
2. Demo
<small style="position: absolute; top: 250px; bottom: 0px; right: 0;">Source: [Max Kamper - Linux Heap Exploitation - Part 1](https://www.udemy.com/course/linux-heap-exploitation-part-1/)</small>
----
## Root cause
- glibc < 2.29: the top chunk size is not checked
----
## Attack principle
- Fill the top chunk size with the system maximum => `0xffffffffffffffff` bypasses the size check
![](https://hackmd.io/_uploads/HybaBNAfn.png =25%x)
<small style="position: absolute; bottom: 0px; right: 0;">Source: [Linux Heap Exploitation - Part 1](https://www.udemy.com/course/linux-heap-exploitation-part-1/)</small>
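As an added illustration (not code from the original slides or from glibc itself), this C model reproduces the `use_top` carve step of `_int_malloc()` on x86-64 both without the check (glibc < 2.29) and with the `size > system_mem` check that 2.29 introduced, so you can see why a corrupted top size of `0xffffffffffffffff` lets a huge request through on the old path and is rejected on the new one. The names `carve_from_top`, `top_result` and the outcome enum are my own; `request2size` is modelled on glibc's macro, and `system_mem` stands in for the arena's `av->system_mem`.

```c
#include <stdint.h>
#include <stdbool.h>

/* x86-64 glibc constants: SIZE_SZ = 8, MALLOC_ALIGNMENT = 16, MINSIZE = 0x20 */
#define SIZE_SZ      8ULL
#define ALIGN_MASK   15ULL
#define MINSIZE      32ULL
#define PREV_INUSE   1ULL

enum top_outcome { TOP_CARVED, TOP_NEEDS_SYSMALLOC, TOP_CORRUPTED };

typedef struct {
    enum top_outcome outcome;
    uint64_t new_top_off;   /* offset of the new top chunk from the old one */
    uint64_t new_top_size;  /* size field written into the new top chunk */
} top_result;

/* request2size(): round a user request up to a chunk size, as glibc does on x86-64 */
uint64_t request2size(uint64_t req)
{
    uint64_t nb = (req + SIZE_SZ + ALIGN_MASK) & ~ALIGN_MASK;
    return nb < MINSIZE ? MINSIZE : nb;
}

/* Model (hypothetical helper) of the use_top path in _int_malloc().
 * top_size_field is the raw size word of the top chunk, flag bits included;
 * system_mem is the arena's total mapped memory;
 * with_229_check selects the glibc 2.29 top-size integrity check. */
top_result carve_from_top(uint64_t top_size_field, uint64_t system_mem,
                          uint64_t req, bool with_229_check)
{
    top_result r = { TOP_NEEDS_SYSMALLOC, 0, 0 };
    uint64_t size = top_size_field & ~7ULL;   /* chunksize(): strip flag bits */
    uint64_t nb = request2size(req);

    /* glibc >= 2.29: aborts with "malloc(): corrupted top size" */
    if (with_229_check && size > system_mem) {
        r.outcome = TOP_CORRUPTED;
        return r;
    }
    /* Present before and after 2.29: carve only if the remainder stays a valid chunk.
     * A forged 0xffffffffffffffff top size satisfies this for any request. */
    if (size >= nb + MINSIZE) {
        r.outcome = TOP_CARVED;
        r.new_top_off = nb;
        r.new_top_size = (size - nb) | PREV_INUSE;
    }
    return r;
}
```

With the slides' values (fresh heap of 0x21000 bytes, top size 0x20fe1 after the first malloc(24)), a legitimate request carves normally under both variants, while the forged top size is only stopped by the 2.29 check.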
----
## Example 1 - arbitrary write
- Goal: modify the value of Target
![](https://hackmd.io/_uploads/ByUlzB0G2.png)
----
## 1. First, malloc(24, b"A"*24)
- The top chunk size is now `0x20fe1`
![](https://hackmd.io/_uploads/rJAkt4CG3.png)
----
## 2. Overwrite the top chunk size with 0xffffffffffffffff
- The top chunk size is now `0xffffffffffffffff`
![](https://hackmd.io/_uploads/rkqptE0z2.png)
----
## 3. Compute the distance to Target
- distance = delta(heap+0x20, elf.sym.target-0x20)
- malloc(distance, b"")
- The next malloc can then overwrite the data
![](https://hackmd.io/_uploads/BkHTgHAz3.png)
----
## 4. malloc
- malloc(8, b"Hello, gg!")
----
## 5. Result
- Successfully changed to Hello, gg!
![](https://hackmd.io/_uploads/Skf_WrRG3.png)
----
## ./Demo1.py
----
## Example 2 - getting a shell
- Goal: execute an arbitrary program
![](https://hackmd.io/_uploads/BJX7vHCfn.png)
----
## Background
1. `__malloc_hook`: user-defined malloc()
2. system(): run an external command from the current program
----
## 1. Exploit the top_chunk vulnerability
- Use 0xffffffffffffffff
----
## 2. Compute the address of `__malloc_hook`
- Place the command we want to run here: `/bin/sh`
- Use `0xdeadbeef`
![](https://hackmd.io/_uploads/HkP1d8CGh.png)
----
## 3. Overwrite `__malloc_hook` with system()
- Use `libc.sym.system` to get the address of system()
![](https://hackmd.io/_uploads/rJjk2UCzh.png)
----
## 4. Call malloc() to trigger system()
- Calls system()
- 0x30 is where /bin/sh is stored
![](https://hackmd.io/_uploads/rkSLO8RMn.png =80%x)
----
## 5. Result: get shell!
- Shut it down
![](https://hackmd.io/_uploads/HJea5LCMh.png)
----
## ./Demo2.py
---
## Discussion
1. Secure development lifecycle (SDLC):
    - How can security considerations be built into the software development process to better prevent vulnerabilities and reduce risk?
2. Vulnerability disclosure and remediation:
    - How should engineers disclose and fix a vulnerability once they have found it?
    - And how should they collaborate with other stakeholders (such as software developers, users and regulators)?
3. Open source and information security:
    - How is open-source software used in information security, and what are its advantages and disadvantages?