在2.34移除了hook函数之后堆利用就少了一个大的攻击方向了。而House of apple这个手法就给我们提供了新的攻击方向IOFILE结构体。虽然在house of orange就有所利用之后也有一些利用了相关结构体的手法但都没有House of apple条件简单。House of apple由roderick01师傅提出至今仍可使用原文链接如下House of apple 一种新的glibc中IO攻击方法 (2)House of apple仅需要泄露libc和堆地址及一次largebin attack即可完成攻击House of apple有三种利用方式我目前就讲讲House of apple2。而House of apple2主要利用就是通过largebin attack攻击_IO_list_all把一个堆块伪造成IOFILE结构体通过在堆块进行IOFILE结构体进行布局因为 _wide_vtable没有检测虚表的地址范围。伪造虚表 _wide_vtable当系统调用其中的虚表函数时我们就可以劫持程序控制流。利用原理及源码House of apple2主要利用链原作者给出了三条我就以第一条为例了剩下的各位感兴趣可以看看原文。我们知道当我们程序从main函数返回或者exit的时候程序会刷新IO流主要是通过_IO_flush_all这个函数实现的相关源码如下int_IO_flush_all (void){int result 0;FILE *fp;#ifdef _IO_MTSAFE_IO_IO_cleanup_region_start_noarg (flush_cleanup);_IO_lock_lock (list_all_lock);#endiffor (fp (FILE *) _IO_list_all; fp ! NULL; fp fp-_chain){run_fp fp;_IO_flockfile (fp);if (((fp-_mode 0 fp-_IO_write_ptr fp-_IO_write_base)|| (_IO_vtable_offset (fp) 0 fp-_mode 0 (fp-_wide_data-_IO_write_ptr fp-_wide_data-_IO_write_base))) _IO_OVERFLOW (fp, EOF) EOF)#主要利用在_IO_OVERFLOW这个函数后面result EOF;_IO_funlockfile (fp);run_fp NULL;}#ifdef _IO_MTSAFE_IO_IO_lock_unlock (list_all_lock);_IO_cleanup_region_end (0);#endifreturn result;}可以看见他需要满足一些条件((fp-_mode 0 fp-_IO_write_ptr fp-_IO_write_base)|| (_IO_vtable_offset (fp) 0 fp-_mode 0 (fp-_wide_data-_IO_write_ptr fp-_wide_data-_IO_write_base)满足| |左右两边其中一边即可然后他就会调用_IO_OVERFLOW其本质是一个宏#define _IO_OVERFLOW(FP, CH) JUMP1 (__overflow, FP, CH)就是这样fp- __vtable- __overflow(fp, ch)因为__overflow距vtable的偏移是0x18也就是会调用vtable0x18的函数也就是此时会进行虚表函数调用所以如果我们虚表改成_IO_wfile_jumps就会调用 _IO_wfile_jumps这个虚表内的函数我要讲的第一条链就是利用他调用 _IO_wfile_overflow这个函数不过首先得先讲讲_wide_data的结构如下struct _IO_wide_data{wchar_t *_IO_read_ptr; /* Current read pointer */wchar_t *_IO_read_end; /* End of get area. */wchar_t *_IO_read_base; /* Start of putbackget area. */wchar_t *_IO_write_base; /* Start of put area. */wchar_t *_IO_write_ptr; /* Current put pointer. */wchar_t *_IO_write_end; /* End of put area. */wchar_t *_IO_buf_base; /* Start of reserve area. */wchar_t *_IO_buf_end; /* End of reserve area. *//* The following fields are used to support backing up and undo. */wchar_t *_IO_save_base; /* Pointer to start of non-current get area. */wchar_t *_IO_backup_base; /* Pointer to first valid character ofbackup area */wchar_t *_IO_save_end; /* Pointer to end of non-current get area. */__mbstate_t _IO_state;__mbstate_t _IO_last_state;struct _IO_codecvt _codecvt;wchar_t _shortbuf[1];const struct _IO_jump_t *_wide_vtable;};可以看见跟IOFILE结构体是非常像的要注意的就是其虚表偏移是0xe0_IO_wfile_overflow的函数内容如下wint_t_IO_wfile_overflow (FILE *f, wint_t wch){if (f-_flags _IO_NO_WRITES) /* SET ERROR */{f-_flags | _IO_ERR_SEEN;__set_errno (EBADF);return WEOF;}/* If currently reading or no buffer allocated. */if ((f-_flags _IO_CURRENTLY_PUTTING) 0|| f-_wide_data-_IO_write_base NULL){/* Allocate a buffer if needed. */if (f-_wide_data-_IO_write_base 0){_IO_wdoallocbuf (f);_IO_free_wbackup_area (f);_IO_wsetg (f, f-_wide_data-_IO_buf_base,f-_wide_data-_IO_buf_base, f-_wide_data-_IO_buf_base);if (f-_IO_write_base NULL){_IO_doallocbuf (f);_IO_setg (f, f-_IO_buf_base, f-_IO_buf_base, f-_IO_buf_base);}}else{/* Otherwise must be currently reading. If _IO_read_ptr(and hence also _IO_read_end) is at the buffer end,logically slide the buffer forwards one block (by settingthe read pointers to all point at the beginning of theblock). This makes room for subsequent output.Otherwise, set the read pointers to _IO_read_end (leavingthat alone, so it can continue to correspond to theexternal position). */if (f-_wide_data-_IO_read_ptr f-_wide_data-_IO_buf_end){f-_IO_read_end f-_IO_read_ptr f-_IO_buf_base;f-_wide_data-_IO_read_end f-_wide_data-_IO_read_ptr f-_wide_data-_IO_buf_base;}}f-_wide_data-_IO_write_ptr f-_wide_data-_IO_read_ptr;f-_wide_data-_IO_write_base f-_wide_data-_IO_write_ptr;f-_wide_data-_IO_write_end f-_wide_data-_IO_buf_end;f-_wide_data-_IO_read_base f-_wide_data-_IO_read_ptr f-_wide_data-_IO_read_end;f-_IO_write_ptr f-_IO_read_ptr;f-_IO_write_base f-_IO_write_ptr;f-_IO_write_end f-_IO_buf_end;f-_IO_read_base f-_IO_read_ptr f-_IO_read_end;f-_flags | _IO_CURRENTLY_PUTTING;if (f-_flags (_IO_LINE_BUF | _IO_UNBUFFERED))f-_wide_data-_IO_write_end f-_wide_data-_IO_write_ptr;}if (wch WEOF)return _IO_do_flush (f);if (f-_wide_data-_IO_write_ptr f-_wide_data-_IO_buf_end)/* Buffer is really full */if (_IO_do_flush (f) EOF)return WEOF;*f-_wide_data-_IO_write_ptr wch;if ((f-_flags _IO_UNBUFFERED)|| ((f-_flags _IO_LINE_BUF) wch L\n))if (_IO_do_flush (f) EOF)return WEOF;return wch;}在House of apple2中我们主要关注else上面的部分wint_t_IO_wfile_overflow (FILE *f, wint_t wch){if (f-_flags _IO_NO_WRITES) /* SET ERROR */{f-_flags | _IO_ERR_SEEN;__set_errno (EBADF);return WEOF;}/* If currently reading or no buffer allocated. */if ((f-_flags _IO_CURRENTLY_PUTTING) 0|| f-_wide_data-_IO_write_base NULL){/* Allocate a buffer if needed. */if (f-_wide_data-_IO_write_base 0){_IO_wdoallocbuf (f);_IO_free_wbackup_area (f);_IO_wsetg (f, f-_wide_data-_IO_buf_base,f-_wide_data-_IO_buf_base, f-_wide_data-_IO_buf_base);if (f-_IO_write_base NULL){_IO_doallocbuf (f);_IO_setg (f, f-_IO_buf_base, f-_IO_buf_base, f-_IO_buf_base);}}我们的目标是调用_IO_wdoallocbuf首先肯定是不能满足f-_flags _IO_NO_WRITES即flag0x80其次要满足(f- _flags _IO_CURRENTLY_PUTTING) 0|| f- _wide_data- _IO_write_base NULL即 _wide_data0x20要等于0flags 0x800void_IO_wdoallocbuf (FILE *fp){if (fp-_wide_data-_IO_buf_base)return;if (!(fp-_flags _IO_UNBUFFERED))if ((wint_t)_IO_WDOALLOCATE (fp) ! WEOF)// _IO_WXXXX调用return;_IO_wsetb (fp, fp-_wide_data-_shortbuf,fp-_wide_data-_shortbuf 1, 0);}libc_hidden_def (_IO_wdoallocbuf)这里我们要走到 _IO_WDOALLOCATE这里所以fp- _wide_data- _IO_buf_base0即 _wide_data0x30要为0fp-_flags _IO_UNBUFFERED要不成立所以flag2要为0然后就会调用 _IO_WDOALLOCATE_IO_WDOALLOCATE是虚表函数虚表没有变化都是const struct _IO_jump_t _IO_wstrn_jumps attribute_hidden {JUMP_INIT_DUMMY,JUMP_INIT(finish, _IO_wstr_finish),JUMP_INIT(overflow, (_IO_overflow_t) _IO_wstrn_overflow),JUMP_INIT(underflow, (_IO_underflow_t) _IO_wstr_underflow),JUMP_INIT(uflow, (_IO_underflow_t) _IO_wdefault_uflow),JUMP_INIT(pbackfail, (_IO_pbackfail_t) _IO_wstr_pbackfail),JUMP_INIT(xsputn, _IO_wdefault_xsputn),JUMP_INIT(xsgetn, _IO_wdefault_xsgetn),JUMP_INIT(seekoff, _IO_wstr_seekoff),JUMP_INIT(seekpos, _IO_default_seekpos),JUMP_INIT(setbuf, _IO_default_setbuf),JUMP_INIT(sync, _IO_default_sync),JUMP_INIT(doallocate, _IO_wdefault_doallocate),JUMP_INIT(read, _IO_default_read),JUMP_INIT(write, _IO_default_write),JUMP_INIT(seek, _IO_default_seek),JUMP_INIT(close, _IO_default_close),JUMP_INIT(stat, _IO_default_stat),JUMP_INIT(showmanyc, _IO_default_showmanyc),JUMP_INIT(imbue, _IO_default_imbue)};#每个指针的间隔在64位下是0x8_IO_WDOALLOCATE距虚表偏移是0x68所以我们在伪造的虚表地址0x68的地方填上我们想让他调用的函数即可其第一个参数IOFILE结构体的是flags字段的地址总结综上house of apple2的第一条链就完成了这里借用一下原文的总结调用链如下exitfcloseall_IO_cleanup_IO_flush_all_lockp_IO_OVERFLOW_IO_wfile_overflow_IO_wdoallocbuf_IO_WDOALLOCATE*(fp-_wide_data-_wide_vtable 0x68)(fp)对fp的设置如下_flags设置为~(2 | 0x8 | 0x800)如果不需要控制rdi设置为0即可如果需要获得shell可设置为 sh;注意前面有两个空格vtable设置为_IO_wfile_jumps/_IO_wfile_jumps_mmap/_IO_wfile_jumps_maybe_mmap地址加减偏移使其能成功调用_IO_wfile_overflow即可_wide_data设置为可控堆地址A即满足*(fp 0xa0) A_wide_data-_IO_write_base设置为0即满足*(A 0x18) 0_wide_data-_IO_buf_base设置为0即满足*(A 0x30) 0_wide_data-_wide_vtable设置为可控堆地址B即满足*(A 0xe0) B_wide_data-_wide_vtable-doallocate设置为地址C用于劫持RIP即满足*(B 0x68) C并且为了调用_IO_OVERFLOW需要设置同时还要满足以下条件||左边/右边的一种。((fp-_mode 0 fp-_IO_write_ptr fp-_IO_write_base)|| (_IO_vtable_offset (fp) 0 fp-_mode 0 (fp-_wide_data-_IO_write_ptr fp-_wide_data-_IO_write_base)星途杯——便签详细题目解析可以看第二届“星途杯”网络安全竞赛pwn全解及第一道ai的wp - firefly_star - 博客园简单来说就是有UAFfree仅清空use标志不能edit。攻击思路就是先泄露libc和堆地址然后利用tcache往stdout上分配堆块这题其实我们打到stdout就可以getshell了因为stdout他本身就是IO流所以最后刷新IO流的时候就会刷新到他只要我们伪造好相关的IOFILE结构即可。这里其实wide_data可以指向他本身这样可以少布局一个结构。exp如下#!/usr/bin/env python3from pwn import *import sysfrom ctypes import *from pwncli import *import socks# cli_script()#from ae64 import AE64#from pymao import *context.log_leveldebugcontext.archamd64libc ELF(./libc.so.6)# libc1cdll.LoadLibrary(./libc.so.6)li./libc.so.6socks.set_default_proxy(socks.SOCKS5,81.dart.ccsssc.com,25790,username1nkvap1o,passwordcl330rd,rdnsTrue