libc高版本劫持程序流思路学习

学习4daK9s2c8@1M7s2y4Q4x3@1q4Q4x3V1k6Q4x3V1k6C8K9i4u0A6L8W2)9J5k6s2y4S2P5g2)9J5k6i4c8G2M7q4)9J5c8U0t1H3x3U0m8Q4x3V1j5H3y4W2)9J5c8U0t1&6i4K6u0r3x3p5y4f1c8W2)9J5k6q4c8o6g2p5k6Q4x3X3b7J5x3o6t1H3i4K6u0V1f1i4g2S2L8s2y4Q4x3X3c8b7g2@1&6Q4x3V1j5`. 、 553K9s2c8@1M7s2y4Q4x3@1q4Q4x3V1k6Q4x3V1k6X3L8i4W2&6i4K6u0W2M7s2u0G2i4K6u0r3x3U0l9J5x3q4)9J5c8U0p5H3i4K6u0r3x3U0k6Q4x3V1k6o6L8$3#2H3k6i4c8A6N6r3W2G2L8W2)9J5c8V1u0&6N6r3g2o6g2p5k6Q4x3X3b7J5x3o6t1H3i4K6u0r3i4K6t1K6k6%4g2F1i4@1f1#2i4@1t1^5i4K6R3^5i4@1f1#2i4K6R3J5i4K6R3#2i4@1f1#2i4K6S2p5i4K6W2m8i4@1f1#2i4@1q4q4i4@1p5J5i4@1f1$3i4K6R3H3i4K6W2p5i4@1f1^5i4@1t1%4i4@1q4r3

针对2.29及以上版本libc

劫持_IO_2_1stderr 的 _chain字段，即劫持原本是_IO_2_1_stdout的值到可控区域，伪造一个_IO_2_1stdout结构

伪造的stdout结构中的要注意过check，结构如下

程序在退出时会调用exit函数(return退出时也会调用exit函数)，这样在_IO_cleanup的时候就会劫持程序流，原理如下：结合高版本的libc中setcontext控制参数为rdx，而之后过程中调用malloc前rdx=[rdi+0x28]，所以我们将malloc_hook劫持为setcontext+61就可以利用setcontext劫持程序流，效果如下：

    #伪造的_IO_2_1_stdout_结构
    IO = '\0'*0x28
    IO += p64(heap_base+0x360+0xe0)  ----->后面调用setcontext时的rdx值
    IO = IO.ljust(0xd8,'\0')
    IO += p64(IO_str_jumps)          ----->过check