House of apple2手法及部分源码解析
在2.34移除了hook函数之后,堆利用就少了一个大的攻击方向了。而House of apple这个手法就给我们提供了新的攻击方向:IOFILE结构体。虽然在house of orange就有所利用,之后也有一些利用了相关结构体的手法,但都没有House of apple条件简单。
House of apple由roderick01师傅提出,至今仍可使用,原文链接如下House of apple 一种新的glibc中IO攻击方法 (2)
House of apple仅需要泄露libc和堆地址及一次largebin attack即可完成攻击,House of apple有三种利用方式,我目前就讲讲House of apple2。而House of apple2主要利用就是通过largebin attack攻击_IO_list_all把一个堆块伪造成IOFILE结构体,通过在堆块进行IOFILE结构体进行布局,因为 _wide_vtable没有检测虚表的地址范围。伪造虚表 _wide_vtable,当系统调用其中的虚表函数时,我们就可以劫持程序控制流。
利用原理及源码
House of apple2主要利用链原作者给出了三条,我就以第一条为例了,剩下的各位感兴趣可以看看原文。我们知道当我们程序从main函数返回或者exit的时候程序会刷新IO流,主要是通过_IO_flush_all这个函数实现的,相关源码如下:
int |
_IO_flush_all (void) |
{ |
int result = 0; |
FILE *fp; |
#ifdef _IO_MTSAFE_IO |
_IO_cleanup_region_start_noarg (flush_cleanup); |
_IO_lock_lock (list_all_lock); |
#endif |
for (fp = (FILE *) _IO_list_all; fp != NULL; fp = fp->_chain) |
{ |
run_fp = fp; |
_IO_flockfile (fp); |
if (((fp->_mode <= 0 && fp->_IO_write_ptr > fp->_IO_write_base) |
|| (_IO_vtable_offset (fp) == 0 |
&& fp->_mode > 0 && (fp->_wide_data->_IO_write_ptr |
> fp->_wide_data->_IO_write_base)) |
) |
&& _IO_OVERFLOW (fp, EOF) == EOF)#主要利用在_IO_OVERFLOW这个函数后面 |
result = EOF; |
_IO_funlockfile (fp); |
run_fp = NULL; |
} |
#ifdef _IO_MTSAFE_IO |
_IO_lock_unlock (list_all_lock); |
_IO_cleanup_region_end (0); |
#endif |
return result; |
} |
可以看见他需要满足一些条件
((fp->_mode <= 0 && fp->_IO_write_ptr > fp->_IO_write_base) |
|| (_IO_vtable_offset (fp) == 0 |
&& fp->_mode > 0 && (fp->_wide_data->_IO_write_ptr |
> fp->_wide_data->_IO_write_base) |
满足| |左右两边其中一边即可然后他就会调用_IO_OVERFLOW,其本质是一个宏
#define _IO_OVERFLOW(FP, CH) JUMP1 (__overflow, FP, CH) |
就是这样fp-> __vtable-> __overflow(fp, ch) |
因为__overflow距vtable的偏移是0x18,也就是会调用vtable+0x18的函数 |
也就是此时会进行虚表函数调用,所以如果我们虚表改成_IO_wfile_jumps就会调用 _IO_wfile_jumps这个虚表内的函数,我要讲的第一条链就是利用他调用 _IO_wfile_overflow这个函数,不过首先得先讲讲
_wide_data的结构如下
struct _IO_wide_data |
{ |
wchar_t *_IO_read_ptr; /* Current read pointer */ |
wchar_t *_IO_read_end; /* End of get area. */ |
wchar_t *_IO_read_base; /* Start of putback+get area. */ |
wchar_t *_IO_write_base; /* Start of put area. */ |
wchar_t *_IO_write_ptr; /* Current put pointer. */ |
wchar_t *_IO_write_end; /* End of put area. */ |
wchar_t *_IO_buf_base; /* Start of reserve area. */ |
wchar_t *_IO_buf_end; /* End of reserve area. */ |
/* The following fields are used to support backing up and undo. */ |
wchar_t *_IO_save_base; /* Pointer to start of non-current get area. */ |
wchar_t *_IO_backup_base; /* Pointer to first valid character of |
backup area */ |
wchar_t *_IO_save_end; /* Pointer to end of non-current get area. */ |
__mbstate_t _IO_state; |
__mbstate_t _IO_last_state; |
struct _IO_codecvt _codecvt; |
wchar_t _shortbuf[1]; |
const struct _IO_jump_t *_wide_vtable; |
}; |
可以看见跟IOFILE结构体是非常像的,要注意的就是其虚表偏移是0xe0
_IO_wfile_overflow的函数内容如下
wint_t |
_IO_wfile_overflow (FILE *f, wint_t wch) |
{ |
if (f->_flags & _IO_NO_WRITES) /* SET ERROR */ |
{ |
f->_flags |= _IO_ERR_SEEN; |
__set_errno (EBADF); |
return WEOF; |
} |
/* If currently reading or no buffer allocated. */ |
if ((f->_flags & _IO_CURRENTLY_PUTTING) == 0 |
|| f->_wide_data->_IO_write_base == NULL) |
{ |
/* Allocate a buffer if needed. */ |
if (f->_wide_data->_IO_write_base == 0) |
{ |
_IO_wdoallocbuf (f); |
_IO_free_wbackup_area (f); |
_IO_wsetg (f, f->_wide_data->_IO_buf_base, |
f->_wide_data->_IO_buf_base, f->_wide_data->_IO_buf_base); |
if (f->_IO_write_base == NULL) |
{ |
_IO_doallocbuf (f); |
_IO_setg (f, f->_IO_buf_base, f->_IO_buf_base, f->_IO_buf_base); |
} |
} |
else |
{ |
/* Otherwise must be currently reading. If _IO_read_ptr |
(and hence also _IO_read_end) is at the buffer end, |
logically slide the buffer forwards one block (by setting |
the read pointers to all point at the beginning of the |
block). This makes room for subsequent output. |
Otherwise, set the read pointers to _IO_read_end (leaving |
that alone, so it can continue to correspond to the |
external position). */ |
if (f->_wide_data->_IO_read_ptr == f->_wide_data->_IO_buf_end) |
{ |
f->_IO_read_end = f->_IO_read_ptr = f->_IO_buf_base; |
f->_wide_data->_IO_read_end = f->_wide_data->_IO_read_ptr = |
f->_wide_data->_IO_buf_base; |
} |
} |
f->_wide_data->_IO_write_ptr = f->_wide_data->_IO_read_ptr; |
f->_wide_data->_IO_write_base = f->_wide_data->_IO_write_ptr; |
f->_wide_data->_IO_write_end = f->_wide_data->_IO_buf_end; |
f->_wide_data->_IO_read_base = f->_wide_data->_IO_read_ptr = |
f->_wide_data->_IO_read_end; |
f->_IO_write_ptr = f->_IO_read_ptr; |
f->_IO_write_base = f->_IO_write_ptr; |
f->_IO_write_end = f->_IO_buf_end; |
f->_IO_read_base = f->_IO_read_ptr = f->_IO_read_end; |
f->_flags |= _IO_CURRENTLY_PUTTING; |
if (f->_flags & (_IO_LINE_BUF | _IO_UNBUFFERED)) |
f->_wide_data->_IO_write_end = f->_wide_data->_IO_write_ptr; |
} |
if (wch == WEOF) |
return _IO_do_flush (f); |
if (f->_wide_data->_IO_write_ptr == f->_wide_data->_IO_buf_end) |
/* Buffer is really full */ |
if (_IO_do_flush (f) == EOF) |
return WEOF; |
*f->_wide_data->_IO_write_ptr++ = wch; |
if ((f->_flags & _IO_UNBUFFERED) |
|| ((f->_flags & _IO_LINE_BUF) && wch == L'\n')) |
if (_IO_do_flush (f) == EOF) |
return WEOF; |
return wch; |
} |
在House of apple2中我们主要关注else上面的部分
wint_t |
_IO_wfile_overflow (FILE *f, wint_t wch) |
{ |
if (f->_flags & _IO_NO_WRITES) /* SET ERROR */ |
{ |
f->_flags |= _IO_ERR_SEEN; |
__set_errno (EBADF); |
return WEOF; |
} |
/* If currently reading or no buffer allocated. */ |
if ((f->_flags & _IO_CURRENTLY_PUTTING) == 0 |
|| f->_wide_data->_IO_write_base == NULL) |
{ |
/* Allocate a buffer if needed. */ |
if (f->_wide_data->_IO_write_base == 0) |
{ |
_IO_wdoallocbuf (f); |
_IO_free_wbackup_area (f); |
_IO_wsetg (f, f->_wide_data->_IO_buf_base, |
f->_wide_data->_IO_buf_base, f->_wide_data->_IO_buf_base); |
if (f->_IO_write_base == NULL) |
{ |
_IO_doallocbuf (f); |
_IO_setg (f, f->_IO_buf_base, f->_IO_buf_base, f->_IO_buf_base); |
} |
} |
我们的目标是调用_IO_wdoallocbuf
首先肯定是不能满足f->_flags & _IO_NO_WRITES即flag&0x8==0其次要满足(f-> _flags & _IO_CURRENTLY_PUTTING) == 0
|| f-> _wide_data-> _IO_write_base == NULL即 _wide_data+0x20要等于0,flags &0x800
void |
_IO_wdoallocbuf (FILE *fp) |
{ |
if (fp->_wide_data->_IO_buf_base) |
return; |
if (!(fp->_flags & _IO_UNBUFFERED)) |
if ((wint_t)_IO_WDOALLOCATE (fp) != WEOF)// _IO_WXXXX调用 |
return; |
_IO_wsetb (fp, fp->_wide_data->_shortbuf, |
fp->_wide_data->_shortbuf + 1, 0); |
} |
libc_hidden_def (_IO_wdoallocbuf) |
这里我们要走到 _IO_WDOALLOCATE这里,所以fp-> _wide_data-> _IO_buf_base==0即 _wide_data+0x30要为0
fp->_flags & _IO_UNBUFFERED要不成立,所以flag&2要为0,然后就会调用 _IO_WDOALLOCATE
_IO_WDOALLOCATE是虚表函数,虚表没有变化都是 |
const struct _IO_jump_t _IO_wstrn_jumps attribute_hidden = |
{ |
JUMP_INIT_DUMMY, |
JUMP_INIT(finish, _IO_wstr_finish), |
JUMP_INIT(overflow, (_IO_overflow_t) _IO_wstrn_overflow), |
JUMP_INIT(underflow, (_IO_underflow_t) _IO_wstr_underflow), |
JUMP_INIT(uflow, (_IO_underflow_t) _IO_wdefault_uflow), |
JUMP_INIT(pbackfail, (_IO_pbackfail_t) _IO_wstr_pbackfail), |
JUMP_INIT(xsputn, _IO_wdefault_xsputn), |
JUMP_INIT(xsgetn, _IO_wdefault_xsgetn), |
JUMP_INIT(seekoff, _IO_wstr_seekoff), |
JUMP_INIT(seekpos, _IO_default_seekpos), |
JUMP_INIT(setbuf, _IO_default_setbuf), |
JUMP_INIT(sync, _IO_default_sync), |
JUMP_INIT(doallocate, _IO_wdefault_doallocate), |
JUMP_INIT(read, _IO_default_read), |
JUMP_INIT(write, _IO_default_write), |
JUMP_INIT(seek, _IO_default_seek), |
JUMP_INIT(close, _IO_default_close), |
JUMP_INIT(stat, _IO_default_stat), |
JUMP_INIT(showmanyc, _IO_default_showmanyc), |
JUMP_INIT(imbue, _IO_default_imbue) |
};#每个指针的间隔在64位下是0x8 |
_IO_WDOALLOCATE距虚表偏移是0x68所以我们在伪造的虚表地址+0x68的地方填上我们想让他调用的函数即可,其第一个参数IOFILE结构体的是flags字段的地址 |
总结
综上house of apple2的第一条链就完成了,这里借用一下原文的总结,调用链如下
exit |
fcloseall |
_IO_cleanup |
_IO_flush_all_lockp |
_IO_OVERFLOW |
_IO_wfile_overflow |
_IO_wdoallocbuf |
_IO_WDOALLOCATE |
*(fp->_wide_data->_wide_vtable + 0x68)(fp) |
对fp的设置如下:
_flags设置为~(2 | 0x8 | 0x800),如果不需要控制rdi,设置为0即可;如果需要获得shell,可设置为 sh;,注意前面有两个空格vtable设置为_IO_wfile_jumps/_IO_wfile_jumps_mmap/_IO_wfile_jumps_maybe_mmap地址(加减偏移),使其能成功调用_IO_wfile_overflow即可_wide_data设置为可控堆地址A,即满足*(fp + 0xa0) = A_wide_data->_IO_write_base设置为0,即满足*(A + 0x18) = 0_wide_data->_IO_buf_base设置为0,即满足*(A + 0x30) = 0_wide_data->_wide_vtable设置为可控堆地址B,即满足*(A + 0xe0) = B_wide_data->_wide_vtable->doallocate设置为地址C用于劫持RIP,即满足*(B + 0x68) = C
并且为了调用_IO_OVERFLOW需要设置同时还要满足以下条件||左边/右边的一种。
((fp->_mode <= 0 && fp->_IO_write_ptr > fp->_IO_write_base) |
|| (_IO_vtable_offset (fp) == 0 |
&& fp->_mode > 0 && (fp->_wide_data->_IO_write_ptr |
> fp->_wide_data->_IO_write_base) |
星途杯——便签
详细题目解析可以看第二届“星途杯”网络安全竞赛pwn全解及第一道ai的wp - firefly_star - 博客园,简单来说就是有UAF,free仅清空use标志不能edit。攻击思路就是先泄露libc和堆地址,然后利用tcache往stdout上分配堆块,这题其实我们打到stdout就可以getshell了,因为stdout他本身就是IO流,所以最后刷新IO流的时候就会刷新到他,只要我们伪造好相关的IOFILE结构即可。这里其实wide_data可以指向他本身,这样可以少布局一个结构。exp如下:
#!/usr/bin/env python3 |
from pwn import * |
import sys |
from ctypes import * |
from pwncli import * |
import socks |
# cli_script() |
#from ae64 import AE64 |
#from pymao import * |
context.log_level='debug' |
context.arch='amd64' |
libc = ELF('./libc.so.6') |
# libc1=cdll.LoadLibrary('./libc.so.6') |
li='./libc.so.6' |
''' |
socks.set_default_proxy( |
socks.SOCKS5, |
"81.dart.ccsssc.com", |
25790, |
username="1nkvap1o", |
password="cl330rd", |
rdns=True |