libio_vtable은 뭔가요??

강의에 있는 str_overflow를 확인하기 위해서

vtable을 메모리에서 보면

gdb-peda$ x/40gx 0x00007ffff7dcc2a0
0x7ffff7dcc2a0 <_IO_file_jumps>:	0x0000000000000000	0x0000000000000000
0x7ffff7dcc2b0 <_IO_file_jumps+16>:	0x00007ffff7a70330	0x00007ffff7a71300
0x7ffff7dcc2c0 <_IO_file_jumps+32>:	0x00007ffff7a71020	0x00007ffff7a723c0
0x7ffff7dcc2d0 <_IO_file_jumps+48>:	0x00007ffff7a73c50	0x00007ffff7a6f930
0x7ffff7dcc2e0 <_IO_file_jumps+64>:	0x00007ffff7a6f590	0x00007ffff7a6eb90
0x7ffff7dcc2f0 <_IO_file_jumps+80>:	0x00007ffff7a72990	0x00007ffff7a6e850
0x7ffff7dcc300 <_IO_file_jumps+96>:	0x00007ffff7a6e6d0	0x00007ffff7a62100
0x7ffff7dcc310 <_IO_file_jumps+112>:	0x00007ffff7a6f910	0x00007ffff7a6f190
0x7ffff7dcc320 <_IO_file_jumps+128>:	0x00007ffff7a6e910	0x00007ffff7a6e840
0x7ffff7dcc330 <_IO_file_jumps+144>:	0x00007ffff7a6f180	0x00007ffff7a73dd0
0x7ffff7dcc340 <_IO_file_jumps+160>:	0x00007ffff7a73de0	0x0000000000000000
0x7ffff7dcc350:	0x0000000000000000	0x0000000000000000
0x7ffff7dcc360:	0x0000000000000000	0x0000000000000000
0x7ffff7dcc370:	0x00007ffff7a74300	0x00007ffff7a73f60 <--- _IO_str_overflow
0x7ffff7dcc380:	0x00007ffff7a73f00	0x00007ffff7a723c0
0x7ffff7dcc390:	0x00007ffff7a742e0	0x00007ffff7a72420
0x7ffff7dcc3a0:	0x00007ffff7a725d0	0x00007ffff7a74430
0x7ffff7dcc3b0:	0x00007ffff7a72990	0x00007ffff7a72860
0x7ffff7dcc3c0:	0x00007ffff7a72c50	0x00007ffff7a72a00
0x7ffff7dcc3d0:	0x00007ffff7a73db0	0x00007ffff7a73dc0

vtable symbols로 표시된 곳 뒤쪽에 str_overflow가 있더라구요.

그리고 glibc 소스에서 vtable 선언을 보면

/* Function jump table ("vtable") type shared by every libio stream kind.
   Each JUMP_FIELD line declares one slot; the two leading __dummy words
   are padding that sits in front of the first real entry, __finish.
   Assuming every slot is pointer-sized (LP64), the slot offsets are
   0 __dummy, 8 __dummy2, 16 __finish, 24 __overflow, 32 __underflow, ...
   which agrees with the dump above: _IO_file_jumps begins with two zero
   words and its first populated word is at _IO_file_jumps+16.
   This is only the type; the per-stream-kind tables (_IO_file_jumps,
   _IO_str_jumps, ...) are objects of this type.
   NOTE(review): JUMP_FIELD is a glibc macro from libioP.h that is not
   shown on this page; for reading the layout treat it as "TYPE NAME;".  */
struct _IO_jump_t
{
    JUMP_FIELD(size_t, __dummy);
    JUMP_FIELD(size_t, __dummy2);
    JUMP_FIELD(_IO_finish_t, __finish);
    JUMP_FIELD(_IO_overflow_t, __overflow);      /* slot 3, offset 24 on LP64 */
    JUMP_FIELD(_IO_underflow_t, __underflow);
    JUMP_FIELD(_IO_underflow_t, __uflow);
    JUMP_FIELD(_IO_pbackfail_t, __pbackfail);
    /* showmany */
    JUMP_FIELD(_IO_xsputn_t, __xsputn);
    JUMP_FIELD(_IO_xsgetn_t, __xsgetn);
    JUMP_FIELD(_IO_seekoff_t, __seekoff);
    JUMP_FIELD(_IO_seekpos_t, __seekpos);
    JUMP_FIELD(_IO_setbuf_t, __setbuf);
    JUMP_FIELD(_IO_sync_t, __sync);
    JUMP_FIELD(_IO_doallocate_t, __doallocate);
    JUMP_FIELD(_IO_read_t, __read);
    JUMP_FIELD(_IO_write_t, __write);
    JUMP_FIELD(_IO_seek_t, __seek);
    JUMP_FIELD(_IO_close_t, __close);
    JUMP_FIELD(_IO_stat_t, __stat);
    JUMP_FIELD(_IO_showmanyc_t, __showmanyc);
    JUMP_FIELD(_IO_imbue_t, __imbue);
#if 0
    get_column;    /* never compiled: kept in the source only for reference */
    set_column;
#endif
};

/* We always allocate an extra word following an _IO_FILE.
   This contains a pointer to the function jump table used.
   This is for compatibility with C++ streambuf; the word can
   be used to smash to a pointer to a virtual function table. */

/* A FILE as libio actually allocates it: the public _IO_FILE followed by
   one extra word, the pointer to the struct _IO_jump_t that libio calls
   through for every stream operation.  Whatever controls this word
   controls the next dispatched call, which is why recent glibc versions
   validate the pointer against the section holding the genuine tables
   before using it.  */
struct _IO_FILE_plus
{
  _IO_FILE file;                       /* the ordinary FILE object */
  const struct _IO_jump_t *vtable;     /* dispatch table for this stream kind */
};

_IO_jump_t 구조체가 vtable인데, 이 안에는 str_overflow가 안보이네요.

그래서 찾아보니까 str_overflow가 있는 소스 아래에


/* The jump table object for string-backed streams (the strfile machinery
   behind the sprintf/sscanf family); _IO_file_jumps, seen at the top of
   the dump, is the sibling table for file-backed streams.
   There is no separate "libio_vtable" struct: libio_vtable is a glibc
   attribute macro (libioP.h) that places this object in the dedicated
   __libc_IO_vtables section.  In glibc 2.24 and later every vtable
   pointer is checked against that section (IO_validate_vtable) before
   libio calls through it, so a FILE whose vtable pointer lies outside
   the section aborts instead of dispatching.  Because all tables live in
   that one section they end up back to back in memory, which is why
   _IO_str_jumps shows up just behind _IO_file_jumps in the dump.
   Each JUMP_INIT(slot, fn) fills the slot of the same name in struct
   _IO_jump_t: the _IO_str_* entries are the string-specific
   implementations, the _IO_default_* entries the shared fallbacks.
   NOTE(review): the dump is consistent with this table starting at
   0x7ffff7dcc360 (two zero dummy words, then the word tagged
   _IO_str_overflow at +24, exactly the __overflow slot), but confirm
   with `info symbol` in gdb rather than relying on the layout guess.  */
const struct _IO_jump_t _IO_str_jumps libio_vtable =
{
  JUMP_INIT_DUMMY,                                /* __dummy, __dummy2 */
  JUMP_INIT(finish, _IO_str_finish),
  JUMP_INIT(overflow, _IO_str_overflow),          /* slot at +24: the one marked in the dump */
  JUMP_INIT(underflow, _IO_str_underflow),
  JUMP_INIT(uflow, _IO_default_uflow),
  JUMP_INIT(pbackfail, _IO_str_pbackfail),
  JUMP_INIT(xsputn, _IO_default_xsputn),
  JUMP_INIT(xsgetn, _IO_default_xsgetn),
  JUMP_INIT(seekoff, _IO_str_seekoff),
  JUMP_INIT(seekpos, _IO_default_seekpos),
  JUMP_INIT(setbuf, _IO_default_setbuf),
  JUMP_INIT(sync, _IO_default_sync),
  JUMP_INIT(doallocate, _IO_default_doallocate),
  JUMP_INIT(read, _IO_default_read),
  JUMP_INIT(write, _IO_default_write),
  JUMP_INIT(seek, _IO_default_seek),
  JUMP_INIT(close, _IO_default_close),
  JUMP_INIT(stat, _IO_default_stat),
  JUMP_INIT(showmanyc, _IO_default_showmanyc),
  JUMP_INIT(imbue, _IO_default_imbue)
};

vtable과 약간만 다른 libio_vtable이란게 있고 이 안에 str_overflow가 있더라구요.
맨 처음에 메모리에서 봤던 vtable 뒤에 있는 영역이 libio_vtable 같은데

무슨 차이일까요??

뭔가 파일에다가 처리하는 vtable, 문자열 대상으로 처리하는 vtable
이런 식으로 나눠진 것 같은데.

#pwnable