House of apple2 IO利用方法详解<\/h1>

1. 简介<\/h2>
House of apple是roderick01在2022年7月提出的一种新型IO利用思路，分为三种调用方式：House of apple1、House of apple2和House of apple3。这些调用方式基于新发现的调用链：`IO_FILE -> _wide_data<\/code>。<\/p>`

2. 前置知识<\/h2>
2.1 高版本libc的变化<\/h3>
在libc2.34及以上版本中，glibc移除了许多hook全局变量，包括：<\/p>

_malloc_hook<\/code><\/li>
_free_hook<\/code><\/li>
_realloc_hook<\/code><\/li>
<\/ul>
这使得传统的hook函数利用方式失效，高版本堆利用必须依赖于：<\/p>

伪造_IO_FILE<\/code>结构体<\/li>
劫持IO流<\/li>
<\/ol>
2.2 相关IO利用技术<\/h3>

House of pig：需要结合tcache stashing unlink attack和largebin attack<\/li>
House of kiwi & House of emma：需要绕过或劫持TLS结构体<\/li>
House of cat：需要多次largebin attack或任意写操作<\/li>
<\/ul>
3. House of apple2的优势<\/h2>
House of apple2是目前用途最广、攻击效果最好的高版本堆利用方式之一，主要优势在于：<\/p>

只需要一次largebin attack<\/strong><\/li>
利用条件相对宽松<\/li>
全版本通用<\/li>
<\/ul>
4. 利用条件<\/h2>

程序从main函数返回或能调用exit函数<\/li>
能泄露heap地址和libc地址<\/li>
能使用一次largebin attack<\/li>
<\/ol>
5. 核心利用思路<\/h2>
House of apple2利用_IO_FILE<\/code>结构体中的_wide_data<\/code>成员，该成员的特殊性在于：<\/p>

包含_wide_vtable<\/code>虚表<\/li>
调用_wide_vtable<\/code>中的函数时没有vtable合法性检查<\/li>
<\/ul>
具体利用步骤：<\/p>

劫持IO_FILE<\/code>的vtable为_IO_wfile_jumps<\/code><\/li>
控制_wide_data<\/code>为可控的堆地址空间<\/li>
控制_wide_data->_wide_vtable<\/code>为可控的堆地址空间<\/li>
控制程序执行IO流函数调用，最终调用到_IO_Wxxxxx<\/code>函数控制执行流<\/li>
<\/ol>
6. 关键调用链分析<\/h2>
6.1 _IO_wfile_overflow<\/code>调用链<\/h3>
_IO_wfile_overflow 
<\/span><\/span>  →<\/span> _IO_wdoallocbuf 
<\/span><\/span>    →<\/span> _IO_WDOALLOCATE
<\/span><\/span><\/code><\/pre>6.2 _IO_wfile_underflow_mmap<\/code>调用链<\/h3>
_IO_wfile_underflow_mmap 
<\/span><\/span>  →<\/span> _IO_wdoallocbuf 
<\/span><\/span>    →<\/span> _IO_WDOALLOCATE
<\/span><\/span><\/code><\/pre>6.3 _IO_wdefault_xsgetn<\/code>调用链<\/h3>
_IO_wdefault_xsgetn 
<\/span><\/span>  →<\/span> __wunderflow 
<\/span><\/span>    →<\/span> _IO_switch_to_wget_mode 
<\/span><\/span>      →<\/span> _IO_WOVERFLOW
<\/span><\/span><\/code><\/pre>7. 例题分析：heaporw<\/h2>
7.1 程序分析<\/h3>
程序提供基本功能：<\/p>

添加largebin chunk (0x420-0x550)<\/li>
删除chunk（存在UAF）<\/li>
显示chunk内容<\/li>
编辑chunk内容<\/li>
<\/ul>
7.2 利用步骤<\/h3>


泄露libc地址<\/strong>：<\/p>

分配两个largebin chunk<\/li>
释放其中一个并显示，泄露libc地址<\/li>
<\/ul>
<\/li>

泄露heap地址<\/strong>：<\/p>

通过编辑释放的chunk修改size，使其进入tcache<\/li>
显示tcache chunk获取heap地址<\/li>
<\/ul>
<\/li>

构造largebin attack<\/strong>：<\/p>

准备两个largebin chunk和两个smallbin chunk<\/li>
通过修改bk_nextsize实现largebin attack<\/li>
<\/ul>
<\/li>

构造fake IO结构<\/strong>：<\/p>

伪造_IO_FILE<\/code>结构体<\/li>
设置_wide_data<\/code>指向可控区域<\/li>
设置_wide_vtable<\/code>指向伪造的虚表<\/li>
<\/ul>
<\/li>

构造ROP链<\/strong>：<\/p>

使用svcudp_reply+26<\/code>的gadget实现栈迁移<\/li>
构造ORW链读取flag<\/li>
<\/ul>
<\/li>
<\/ol>
7.3 关键代码片段<\/h3>
# 伪造IO结构<\/span>
<\/span><\/span>pl =<\/span> p64(0<\/span>)+<\/span>p64(leave_ret)+<\/span>p64(0<\/span>)+<\/span>p64(io_all-<\/span>0x20<\/span>)
<\/span><\/span>pl +=<\/span> p64(0<\/span>)*<\/span>2<\/span>+<\/span>p64(0<\/span>)+<\/span>p64(orw_addr)  # chunk0+0x48<\/span>
<\/span><\/span>pl +=<\/span> p64(0<\/span>)*<\/span>4<\/span>
<\/span><\/span>pl +=<\/span> p64(0<\/span>)*<\/span>3<\/span>+<\/span>p64(lock)
<\/span><\/span>pl +=<\/span> p64(0<\/span>)*<\/span>2<\/span>+<\/span>p64(chunk0+<\/span>0xe0<\/span>)+<\/span>p64(0<\/span>)
<\/span><\/span>pl +=<\/span> p64(0<\/span>)*<\/span>4<\/span>
<\/span><\/span>pl +=<\/span> p64(0<\/span>)+<\/span>p64(wfile) 
<\/span><\/span>pl +=<\/span> p64(0<\/span>)*<\/span>0x1c<\/span>+<\/span>p64(chunk0+<\/span>0xe0<\/span>+<\/span>0xe8<\/span>)  # chunk0+0xe0<\/span>
<\/span><\/span>pl +=<\/span> p64(0<\/span>)*<\/span>0xd<\/span>+<\/span>p64(magic_gadget)
<\/span><\/span>
<\/span><\/span># ORW链<\/span>
<\/span><\/span>orw =<\/span> b<\/span>'.\/flag<\/span>\x00\x00<\/span>'<\/span>
<\/span><\/span>orw +=<\/span> p64(pop_rdx_r12)+<\/span>p64(0<\/span>)+<\/span>p64(chunk0-<\/span>0x10<\/span>)
<\/span><\/span>orw +=<\/span> p64(pop_rdi)+<\/span>p64(orw_addr)
<\/span><\/span>orw +=<\/span> p64(pop_rsi)+<\/span>p64(0<\/span>)
<\/span><\/span>orw +=<\/span> p64(open_addr)
<\/span><\/span>orw +=<\/span> p64(pop_rdi)+<\/span>p64(3<\/span>)
<\/span><\/span>orw +=<\/span> p64(pop_rsi)+<\/span>p64(orw_addr+<\/span>0x100<\/span>)
<\/span><\/span>orw +=<\/span> p64(pop_rdx_r12)+<\/span>p64(0x50<\/span>)+<\/span>p64(0<\/span>)
<\/span><\/span>orw +=<\/span> p64(read_addr)
<\/span><\/span>orw +=<\/span> p64(pop_rdi)+<\/span>p64(orw_addr+<\/span>0x100<\/span>)
<\/span><\/span>orw +=<\/span> p64(puts_addr)
<\/span><\/span><\/code><\/pre>8. 执行流程<\/h2>

程序退出时遍历_IO_list_all<\/code><\/li>
调用伪造的_IO_FILE<\/code>结构体中的_IO_wfile_overflow<\/code><\/li>
通过_IO_wdoallocbuf<\/code>调用_IO_WDOALLOCATE<\/code><\/li>
_IO_WDOALLOCATE<\/code>被伪造成svcudp_reply+26<\/code>的gadget<\/li>
执行ROP链实现ORW<\/li>
<\/ol>
9. 总结<\/h2>
House of apple2通过利用_wide_data<\/code>绕过了vtable检查，只需要一次largebin attack即可实现代码执行，是目前高版本IO利用中最有效的方法之一。关键在于：<\/p>

正确伪造_IO_FILE<\/code>结构体<\/li>
合理设置_wide_data<\/code>和_wide_vtable<\/code><\/li>
选择合适的调用链触发执行流劫持<\/li>
<\/ol>

House of apple2 IO利用方法详解<\/h1>

1. 简介<\/h2> House of apple是roderick01在2022年7月提出的一种新型IO利用思路，分为三种调用方式：House of apple1、House of apple2和House of apple3。这些调用方式基于新发现的调用链：IO_FILE -> _wide_data<\/code>。<\/p>

6. 关键调用链分析<\/h2>

7. 例题分析：heaporw<\/h2>

1. 简介<\/h2>
House of apple是roderick01在2022年7月提出的一种新型IO利用思路，分为三种调用方式：House of apple1、House of apple2和House of apple3。这些调用方式基于新发现的调用链：`IO_FILE -> _wide_data<\/code>。<\/p>`