<\/span><\/h3>\n\n\n\n\u7531\u4e8e\u57282.24\u4e4b\u540e\uff0c\u65b0\u589e\u4e86\u5bf9vtable\u7684\u68c0\u67e5\u673a\u5236\uff08\u5373\u8c03\u7528vtable\u7684\u51fd\u6570\u4e4b\u524d\uff0c\u8981\u5148\u68c0\u67e5vtable\u6307\u9488\u662f\u5426\u5728__start___libc_IO_vtables\u548c__stop___libc_IO_vtables\u4e4b\u95f4\uff0c\u4e5f\u5c31\u662f\u53ea\u80fd\u8c03\u7528\u8005\u4e8c\u8005\u4e4b\u95f4\u6240\u5b58\u653e\u7684\u51fd\u6570\uff09\u6240\u4ee5\u57282.23\u7248\u672c\u4e2d\u7684FSOP\uff08\u5728\u5806\u4e2d\u4f2a\u9020_IO_file_jumps\uff0c\u5e76\u8ba9vtable\u6307\u5411\u6b64\u5904\uff09\u5229\u7528\u5c31\u5931\u6548\u4e86\uff0c\u6240\u4ee5emma\u662f\u4e00\u79cd\u4f2a\u9020vtable\u6307\u5411\u4e00\u4e2a\u5408\u6cd5\u5730\u5740\uff0c\u518d\u5229\u7528\u8fd9\u4e2a\u5408\u6cd5\u5730\u5740\u7684\u4e00\u4e9b\u5371\u9669\u51fd\u6570\u5b9e\u73b0\u653b\u51fb\u7684\u4e00\u79cd\u65b9\u6cd5<\/p>\n\n\n\n
\u9996\u5148\u7f57\u5217\u4e00\u4e0bemma\u4f1a\u7528\u5230\u7684\u7ed3\u6784\u4f53\u548c\u51fd\u6570<\/p>\n\n\n\n
static const struct _IO_jump_t _IO_cookie_jumps libio_vtable = {\n JUMP_INIT_DUMMY,\n JUMP_INIT(finish, _IO_file_finish),\n JUMP_INIT(overflow, _IO_file_overflow),\n JUMP_INIT(underflow, _IO_file_underflow),\n JUMP_INIT(uflow, _IO_default_uflow),\n JUMP_INIT(pbackfail, _IO_default_pbackfail),\n JUMP_INIT(xsputn, _IO_file_xsputn),\n JUMP_INIT(xsgetn, _IO_default_xsgetn),\n JUMP_INIT(seekoff, _IO_cookie_seekoff),\n JUMP_INIT(seekpos, _IO_default_seekpos),\n JUMP_INIT(setbuf, _IO_file_setbuf),\n JUMP_INIT(sync, _IO_file_sync),\n JUMP_INIT(doallocate, _IO_file_doallocate),\n JUMP_INIT(read, _IO_cookie_read),\n JUMP_INIT(write, _IO_cookie_write),\n JUMP_INIT(seek, _IO_cookie_seek),\n JUMP_INIT(close, _IO_cookie_close),\n JUMP_INIT(stat, _IO_default_stat),\n JUMP_INIT(showmanyc, _IO_default_showmanyc),\n JUMP_INIT(imbue, _IO_default_imbue),\n};<\/code><\/pre>\n\n\n\n\/* Special file type for fopencookie function. *\/\nstruct _IO_cookie_file\n{\n struct _IO_FILE_plus __fp;\n void *__cookie;\n cookie_io_functions_t __io_functions;\n};\n \ntypedef struct _IO_cookie_io_functions_t\n{\n cookie_read_function_t *read; \/* Read bytes. *\/\n cookie_write_function_t *write; \/* Write bytes. *\/\n cookie_seek_function_t *seek; \/* Seek\/tell file position. *\/\n cookie_close_function_t *close; \/* Close file. *\/\n} cookie_io_functions_t;<\/code><\/pre>\n\n\n\n\u5371\u9669\u7684\u51fd\u6570<\/p>\n\n\n\n
static ssize_t\n_IO_cookie_read (FILE *fp, void *buf, ssize_t size)\n{\n struct _IO_cookie_file *cfile = (struct _IO_cookie_file *) fp;\n cookie_read_function_t *read_cb = cfile->__io_functions.read;\n#ifdef PTR_DEMANGLE\n PTR_DEMANGLE (read_cb);\n#endif\n \n if (read_cb == NULL)\n return -1;\n \n return read_cb (cfile->__cookie, buf, size);\n}\n \nstatic ssize_t\n_IO_cookie_write (FILE *fp, const void *buf, ssize_t size)\n{\n struct _IO_cookie_file *cfile = (struct _IO_cookie_file *) fp;\n cookie_write_function_t *write_cb = cfile->__io_functions.write;\n#ifdef PTR_DEMANGLE\n PTR_DEMANGLE (write_cb);\n#endif\n \n if (write_cb == NULL)\n {\n fp->_flags |= _IO_ERR_SEEN;\n return 0;\n }\n \n ssize_t n = write_cb (cfile->__cookie, buf, size);\n if (n < size)\n fp->_flags |= _IO_ERR_SEEN;\n \n return n;\n}\n \nstatic off64_t\n_IO_cookie_seek (FILE *fp, off64_t offset, int dir)\n{\n struct _IO_cookie_file *cfile = (struct _IO_cookie_file *) fp;\n cookie_seek_function_t *seek_cb = cfile->__io_functions.seek;\n#ifdef PTR_DEMANGLE\n PTR_DEMANGLE (seek_cb);\n#endif\n \n return ((seek_cb == NULL\n || (seek_cb (cfile->__cookie, &offset, dir)\n == -1)\n || offset == (off64_t) -1)\n ? _IO_pos_BAD : offset);\n}\n \nstatic int\n_IO_cookie_close (FILE *fp)\n{\n struct _IO_cookie_file *cfile = (struct _IO_cookie_file *) fp;\n cookie_close_function_t *close_cb = cfile->__io_functions.close;\n#ifdef PTR_DEMANGLE\n PTR_DEMANGLE (close_cb);\n#endif\n \n if (close_cb == NULL)\n return 0;\n \n return close_cb (cfile->__cookie);\n}<\/code><\/pre>\n\n\n\n\u90a3\u4e48emma\u7684\u5229\u7528\u6d41\u7a0b\u662f\u8fd9\u6837\u7684\uff1a<\/p>\n\n\n\n
\u5728\u7a0b\u5e8freturn 0\/exit\/\u8c03\u7528malloc assert\u65f6\uff0c\u7a0b\u5e8f\u4f1a\u8c03\u7528fflush(stderr)\uff0c\u8fd9\u4e2a\u51fd\u6570\u662f\u5728\u7a0b\u5e8f\u7ed3\u675f\u65f6\u5c06\u6240\u6709\u6587\u4ef6\u7ed3\u6784\u4f53\u5237\u65b0\u7684\u51fd\u6570\uff0c\u5b83\u4f1a\u6839\u636evtable\u627e\u5230overflow\u51fd\u6570\u53bb\u8c03\u7528overflow\uff08fp\uff09\u8fdb\u884c\u5237\u65b0\uff0c\u5728vtable\u6b63\u5e38\u6307\u5411_IO_file_jumps\u65f6\u7a0b\u5e8f\u4f1a\u6b63\u5e38\u8c03\u7528overflow\uff08fp\uff09\uff0c\u5982\u679c\u628avtable\u4f2a\u9020\u6210_IO_cookie_jumps\uff0c\u90a3\u4e48\u7a0b\u5e8f\u5c31\u4f1a\u8c03\u7528_IO_cookie_jumps\u91cc\u7684overflow\uff08fp\uff09\uff0c\u90a3\u4e48\u5982\u679c\u628avtable\u4f2a\u9020\u6210_IO_cookie_jumps+0x58\u5462<\/mark>\uff1f\u8fd9\u65f6\u5019\u6211\u4eec\u8981\u53bb\u770b\u4e00\u773c_IO_cookie_jumps\u7ed3\u6784\u4f53\u4e86<\/p>\n\n\n\n<\/div><\/figure>\n\n\n\n
\u539f\u672c\u8c03\u7528overflow\u65f6\uff0c\u5e94\u8be5\u662f\u627e\u8fd9\u4e2a\u8868\u504f\u79fb\u4e3a3\u7684\u4f4d\u7f6e\uff0c\u73b0\u5728\u628avtable\u4f2a\u9020\u6210_IO_cookie_jumps+0x58\uff0c\u90a3\u5e94\u8be5\u5728\u6b64\u57fa\u7840\u4e4b\u4e0a\u518d\u5f80\u4e0b\u627e3\u4e2a\u504f\u79fb\uff0c\u4e5f\u5c31\u662f\u5728\u539f\u6765\u7684\u57fa\u7840\u4e4b\u4e0a\u627e11\uff080x58\u5bf9\u5e94\u7684\u504f\u79fb\uff09+3\u7684\u504f\u79fb\uff0c\u6570\u4e00\u6570\u53d1\u73b0\u521a\u597d\u5c31\u662f_IO_cookie_read\uff0c\u8fd9\u4e0d\u6b63\u597d\u5c31\u662f\u6211\u4eec\u63d0\u5230\u7684\u5371\u9669\u51fd\u6570\u5417\uff1f\u6240\u4ee5\u73b0\u5728\u4f60\u5e94\u8be5\u6e05\u695a\u5230\u5e95\u8be5\u5982\u4f55\u8c03\u7528\u8fd9\u4e2a\u5371\u9669\u51fd\u6570\u4e86\u3002<\/p>\n\n\n\n
\u90a3\u4e48\u8fd9\u4e9b\u51fd\u6570\u4e3a\u4ec0\u4e48\u662f\u5371\u9669\u51fd\u6570\u5462\uff1f\u8fd9\u91cc\u4ee5read\u4e3a\u4f8b\u3002\u8bf4\u5230\u8fd9\u91cc\uff0c\u6211\u4eec\u4e0d\u5f97\u4e0d\u53bb\u5206\u6790\u4e00\u4e0b\u4ed6\u7684\u6e90\u7801\u4e86<\/p>\n\n\n\n<\/div><\/figure>\n\n\n\n
\u5728\u8fd9\u91cc\u6211\u4eec\u91cd\u70b9\u5173\u6ce8\u8fd9\u4e09\u4e2a\u7bad\u5934\u6307\u5411\u7684\u4f4d\u7f6e\uff0c\u65b9\u4fbf\u8d77\u89c1\uff0c\u4e09\u4e2a\u7bad\u5934\u4ece\u4e0a\u5230\u4e0b\u6211\u4eec\u4f9d\u6b21\u8bb0\u4e3a1,2,3.\u9996\u5148\u770b\u7bad\u59341\uff0c\u4ed6\u4f1a\u628afp\u5f3a\u5236\u7c7b\u578b\u8f6c\u6362\u6210_IO_cookie_file\u7c7b\u578b\uff0c\u5e76\u8d4b\u503c\u7ed9cfile\u53d8\u91cf\uff0c_IO_cookie_file\u957f\u5565\u6837\uff1f\u56de\u5230\u4e0a\u9762\u7684\u7ed3\u6784\u4f53\u6211\u4eec\u770b\u4e00\u4e0b<\/p>\n\n\n\n<\/div><\/figure>\n\n\n\n
\u5b83\u662f\u7531\u4e00\u4e2a_IO_file_plus\u6307\u9488\u52a0\u4e00\u4e2acookie\u6307\u9488\u52a0\u4e00\u4e2a\u51fd\u6570\u8868\u7ec4\u6210\uff0c\u7b80\u5355\u753b\u4e00\u4e0b\u5927\u6982\u957f\u8fd9\u6837<\/p>\n\n\n\n<\/div><\/figure>\n\n\n\n
\u63a5\u7740\u770b\u5230\u7bad\u59342\u6307\u5411\u7684\u4ee3\u7801\uff0c\u627e\u5230cfile->__io_functions.read\u5e76\u8d4b\u503c\u7ed9read_cb\uff0c\u800ccfile->__io_functions.read\u4e0d\u5c31\u662f\u7bad\u5934\u6307\u5411\u7684\u4f4d\u7f6e\u5417\uff1f\u4e5f\u5c31\u662f\u8bf4\uff0c\u5982\u679c\u6211\u80fd\u591f\u4f2a\u9020\u4e00\u4e2a_IO_cookie_file\uff0c\u5728__io_functions.read\u91cc\u653e\u4e0a\u6211\u81ea\u5df1\u60f3\u8981\u8df3\u8f6c\u7684\u51fd\u6570\u6216\u8005gadget\uff0c\u4e0d\u5c31\u53ef\u4ee5\u5b9e\u73b0\u8c03\u7528\u4e86\u5417\uff1f<\/p>\n\n\n\n
\u90a3\u4e48\u7bad\u5934\u4e09\u53c8\u662f\u4ec0\u4e48\u610f\u601d\u5462\uff1f\u6211\u4eec\u5df2\u7ecf\u77e5\u9053\uff0c\u6b64\u65f6\u7684read_cb\u5df2\u7ecf\u662f\u6211\u4eec\u81ea\u5df1\u7684\u51fd\u6570\u4e86\uff0c\u90a3\u4e48\u8fd9\u53e5\u8bdd\u7684\u4f5c\u7528\u8bf4\u767d\u4e86\u5c31\u662f\u8bbe\u7f6erdi\uff0crsi\u548crdx\uff0c\u5176\u4e2d\uff0ccookie\u7684\u503c\u5c31\u662frdi\u7684\u503c\uff0c\u6240\u4ee5\u7ecf\u8fc7\u9002\u5f53\u7684\u4f2a\u9020\uff0c\u6211\u4eec\u4e5f\u53ef\u4ee5\u63a7\u5236rdi\u4e3a\u6211\u4eec\u60f3\u8981\u7684\u503c\uff0c\u5982\u679c\u9898\u76ee\u6ca1\u5f00\u6c99\u7bb1\uff0c\u90a3\u4e48\u8fd9\u91cc\u628a__io_functions.read\u672a\u9020\u6210systemaddr\uff0c\u628acookie\u4f2a\u9020\u6210binshaddr\uff0c\u6b64\u65f6\u5c31\u53ef\u4ee5getshell\uff0c\u5982\u679c\u662forw\uff0c\u90a3\u4e48\u53ef\u4ee5\u53c2\u8003\u6211house of apple\u91cc\u7684apple1\u6253\u6cd5<\/p>\n\n\n\n
\u7136\u800c\uff0c\u8fd9\u90fd\u662f\u7406\u60f3\u4e16\u754c\uff0c\u73b0\u5b9e\u7ec8\u5f52\u662f\u6b8b\u9177\u7684\u3002<\/p>\n\n\n\n
\u5728_IO_cookie_read\u5904\uff0c\u6709\u8fd9\u6837\u4e00\u6bb5\u4ee3\u7801<\/p>\n\n\n\n
#ifdef PTR_DEMANGLE
\u8fd9\u6bb5\u4ee3\u7801\u5176\u5b9e\u662f\u4e00\u4e2a\u5c0f\u52a0\u5bc6\uff0c\u5728tls<\/a>\u6bb5\u6709\u4e00\u4e2apoint_chk_guard\uff0c\u5b83\u76f8\u5f53\u4e8e\u4e00\u4e2a\u52a0\u5bc6\u7684\u5bc6\u94a5\uff0c\u6240\u6709__io_functions\u91cc\u7684\u51fd\u6570\u6307\u9488\uff0c\u8981\u7ecf\u8fc7\u4e00\u5b9a\u7684\u52a0\u5bc6\uff0c\u8fd9\u4e2a\u52a0\u5bc6\u5c31\u662fpoint_chk_guard\u5f02\u6216\u76ee\u6807\u51fd\u6570\u6307\u9488\u5728\u53f3\u79fb0x11\uff08\u5373target^guard>>0x11\uff09\uff0c\u6240\u4ee5\u6211\u5728\u586b\u5199\u6211\u7684\u51fd\u6570\u5730\u5740\u65f6\uff0c\u4e5f\u8981\u8fdb\u884c\u52a0\u5bc6\u7684\u4f2a\u9020\uff0c\u7136\u800c\u6211\u5e76\u4e0d\u77e5\u9053point_chk_guard\u662f\u591a\u5c11\uff0c\u8fd9\u91cc\u5c31\u6709\u4e24\u79cd\u7ed5\u8fc7\u65b9\u5f0f<\/p>\n\n\n\n1.\u6cc4\u9732\u51fapoint_chk_guard<\/p>\n\n\n\n
2.\u6539\u5199point_chk_guard\u4e3a\u5df2\u77e5\u91cf<\/p>\n\n\n\n
\u65b9\u6cd51\u4e0d\u5fc5\u591a\u8bf4\uff0c\u65b9\u6cd52\u600e\u4e48\u53bb\u627e\u5230point_chk_guard\u5728\u54ea\u5462\uff1f\u5982\u679c\u7a0b\u5e8f\u5f00\u4e86canary\uff0c\u6211\u4eec\u53ef\u4ee5\u5148\u67e5\u770bcanary\u7684\u503c<\/p>\n\n\n\n<\/div><\/figure>\n\n\n\n
\u63a5\u4e0b\u6765\u5229\u7528search -p\u547d\u4ee4\u641c\u7d22canary\u5bf9\u5e94\u7684\u503c<\/p>\n\n\n\n<\/div><\/figure>\n\n\n\n
\u7bad\u5934\u6307\u5411\u7684\u4f4d\u7f6e+8\u5c31\u662fpoint_chk_guard\u7684\u5b58\u653e\u5730\u5740\u5566<\/p>\n\n\n\n<\/div><\/figure>\n\n\n\n
\u6240\u4ee5\u5229\u7528\u4efb\u610f\u4e00\u79cd\u4efb\u610f\u5199\u7684\u624b\u6bb5\u628a\u8fd9\u91cc\u4fee\u6539\u6210\u5df2\u77e5\u91cf\u5373\u53ef<\/p>\n","protected":false},"excerpt":{"rendered":"
\u7f51\u4e0a\u5404\u79cd\u6587\u7ae0\u90fd\u8bf4emma\u662fkwwi\u7684\u5ef6\u4f38\uff0c\u8bb2\u7684\u90fd\u6709\u70b9\u6a21\u7cca\uff0c\u4f46\u6211\u6ca1\u5b66\u8fc7kwwi\uff0c\u597d\u4e0d\u5bb9\u6613\u624d\u5b66\u4f1a\uff0c\u6240\u4ee5\u4eca\u5929\u6765\u8bb2\u4e00\u4e0b […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[12],"tags":[33],"class_list":["post-221","post","type-post","status-publish","format-standard","hentry","category-pwn","tag-house-of-emma"],"_links":{"self":[{"href":"http:\/\/39.104.51.85\/index.php\/wp-json\/wp\/v2\/posts\/221","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/39.104.51.85\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/39.104.51.85\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/39.104.51.85\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/39.104.51.85\/index.php\/wp-json\/wp\/v2\/comments?post=221"}],"version-history":[{"count":2,"href":"http:\/\/39.104.51.85\/index.php\/wp-json\/wp\/v2\/posts\/221\/revisions"}],"predecessor-version":[{"id":235,"href":"http:\/\/39.104.51.85\/index.php\/wp-json\/wp\/v2\/posts\/221\/revisions\/235"}],"wp:attachment":[{"href":"http:\/\/39.104.51.85\/index.php\/wp-json\/wp\/v2\/media?parent=221"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/39.104.51.85\/index.php\/wp-json\/wp\/v2\/categories?post=221"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/39.104.51.85\/index.php\/wp-json\/wp\/v2\/tags?post=221"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}