Overflow using FILE structure-vulnerability warning-the black bar safety net

ID MYHACK58:62201681513
Type myhack58
Reporter 佚名
Modified 2016-11-26T00:00:00


Recently, the Shanghai University student network security game it only shows a title pwn450, for not a lot of me, and instantly rip off forced, but the gangster or gangster, and finally was quite what the Yankees do come up, but anyway I didn't make out, and finally see explanations, with two points, one is a heap overflow, another is to use the FILE structure to make a fuss; a dish of chicken am I the only one a school, stack overflow, this point back then to learn, first learning how to use the FILE structure of the body, and also wrote this article. The learning process is mainly to see the big cattle blog articles written out, in the end also will attach the corresponding article. A, structure of the body description First introduced under the FILE structure, the following figure is the FILE structure of the body: ! Usually we normal use of the FILE structure of the scenario is: ! In this case, the system will give the application a period of space of the corresponding data assignment after then the address is returned to the fp. In fact, the system is not directly assigned to the FILE(_IO_FILE)structure of the body, but the name of _IO_FILE_plus structure, this structure contains the _IO_FILE structure of the body, also contains a virtual function table pointer, which is defined as: ! This structure inside the body of the _IO_jump_t pointer similar to C++virtual function table, and its structure, the specific virtual function name is defined as follows: ! Between the two the entire relationship structure diagram is as follows: ! Photo source: https://outflux.net/blog/archives/2011/12/22/abusing-the-file-structure/ Second, the use of the principles of Our usual in the application to call fclose, and fputs to take these functions when the system will eventually by _IO_jump_t this function table pointer for the function call, such as fclose will call the close function. In knowing this, just imagine if we think of a way to use other kinds of overflow way the application's file pointer to point to our controlled area, in the region and forged the corresponding _IO_FILE_plus head, mostly _IO_jump_t table or table function pointer, eventually the program calls fclose function or other function, you can control the program to execute, we want it to perform the address control of the eip, control the world. More common is the use of strcpy and strcat, etc. to cover up the file pointer and then further use, the following will give two examples to further understand how to achieve, one is to use the UAF to cover modify the pointer, one is the use of strcpy stack overflow. Third, the examples 1. The UAF use Directly attached to the source code source: https://outflux.net/blog/archives/2011/12/22/abusing-the-file-structure/: the ! You can see, the program first application _IO_FILE_plus (sizeof(_IO_FILE+sizeof(void)) body structure size of the memory block, then the free fall, followed by open a file, then the system will just release the memory space allocated to the file pointer, don't know can go look at UAF related to the information that is in this case str and fp point to the same memory space, then use str fp structure _IO_jump_t pointer to our fake funcs array, and then the system finally call fclose when that call _IO_jump_t inside the close function of the time eventually turned into a call to our definition of the pwn function, end program execution screenshot is as follows: ! 2 is stack overflow using First posted the source code to see someone else's article after the adaptation. ! The program is meant to be”abc.....” This string is written into the aa. txt, compiled. The first is the vulnerability discovery, you can enter up to 1 0 4 6 characters, the last strcpy copied into the stage buffer, cause the buffer to overflow, into IDA, as in the following figure ! You can see the stage for the bp-0x41A and the fp pointer for the bp-0x8, which means that the input length is greater than 0x41a-0x8=0x412 of 1 0 of 4 2 of when you can cover the fp pointer, The maximum allowable input for 0x416, more than four bytes, just can cover the fp pointer, in order to reduce the difficulty only reflect the use of the FILE structure of ideas, the program does not ask that our own leakage 栈地址 or something, but directly gives a buff address, so you can directly cover the fp pointer to buff in the address. Finally in the call to fputs(source is fprintf, the compiler when optimization became fputs time, we put it calls _IO_jump_t structure corresponding to the function address is rewritten into the get_flag function of the address. In the write exp time also encountered a lot of difficulties, said the following I what is a step-by-step solution. Large cattle of the article is the stderr pointer to the data copied to the We input of the memory, 详细情况可以参考http://www.evil0x.com/posts/13764.html, but I want the file pointer inside the data you have is an address you don't use, if we advance the use of gdb stderr inside data Copy out, due to the address randomization effect, the data is very large might have become inaccessible, and thus prone to error, looking at it again _IO_FILE structure of the body after I decided to directly to the fp data inside are all covered into a stage of the address. Previously I also known a system of the _IO_FILE structure body size is 0x94 1 of 4 8, so at 0x94 back the data I put _IO_jump_t function table pointer value set to stage+1 8 0 of the address, in stage+1 8 0 place forged _IO_jump_t the function table, and the function of the exterior surface of the address are pointing to the get_flag function. This was originally written out of the exp code is as follows:

[1] [2] [3] next