libio_vtable은 뭔가요??
강의에 있는 str_overflow를 확인하기 위해서
vtable을 메모리에서 보면
gdb-peda$ x/40gx 0x00007ffff7dcc2a0
0x7ffff7dcc2a0 <_IO_file_jumps>: 0x0000000000000000 0x0000000000000000
0x7ffff7dcc2b0 <_IO_file_jumps+16>: 0x00007ffff7a70330 0x00007ffff7a71300
0x7ffff7dcc2c0 <_IO_file_jumps+32>: 0x00007ffff7a71020 0x00007ffff7a723c0
0x7ffff7dcc2d0 <_IO_file_jumps+48>: 0x00007ffff7a73c50 0x00007ffff7a6f930
0x7ffff7dcc2e0 <_IO_file_jumps+64>: 0x00007ffff7a6f590 0x00007ffff7a6eb90
0x7ffff7dcc2f0 <_IO_file_jumps+80>: 0x00007ffff7a72990 0x00007ffff7a6e850
0x7ffff7dcc300 <_IO_file_jumps+96>: 0x00007ffff7a6e6d0 0x00007ffff7a62100
0x7ffff7dcc310 <_IO_file_jumps+112>: 0x00007ffff7a6f910 0x00007ffff7a6f190
0x7ffff7dcc320 <_IO_file_jumps+128>: 0x00007ffff7a6e910 0x00007ffff7a6e840
0x7ffff7dcc330 <_IO_file_jumps+144>: 0x00007ffff7a6f180 0x00007ffff7a73dd0
0x7ffff7dcc340 <_IO_file_jumps+160>: 0x00007ffff7a73de0 0x0000000000000000
0x7ffff7dcc350: 0x0000000000000000 0x0000000000000000
0x7ffff7dcc360: 0x0000000000000000 0x0000000000000000
0x7ffff7dcc370: 0x00007ffff7a74300 0x00007ffff7a73f60 <--- _IO_str_overflow
0x7ffff7dcc380: 0x00007ffff7a73f00 0x00007ffff7a723c0
0x7ffff7dcc390: 0x00007ffff7a742e0 0x00007ffff7a72420
0x7ffff7dcc3a0: 0x00007ffff7a725d0 0x00007ffff7a74430
0x7ffff7dcc3b0: 0x00007ffff7a72990 0x00007ffff7a72860
0x7ffff7dcc3c0: 0x00007ffff7a72c50 0x00007ffff7a72a00
0x7ffff7dcc3d0: 0x00007ffff7a73db0 0x00007ffff7a73dc0
vtable symbols로 표시된 곳 뒤쪽에 str_overflow가 있더라구요.
그리고 glibc 소스에서 vtable 선언을 보면
/* The libio "jump table": one function-pointer slot per stdio operation.
   Every FILE carries a pointer to one of these tables (see _IO_FILE_plus
   below), and libio reaches the stream-specific implementation of an
   operation through the corresponding slot.  The slot names line up 1:1
   with the JUMP_INIT(...) entries of the _IO_str_jumps initializer quoted
   further down.  JUMP_FIELD(type, name) expands to a field declaration of
   the given function-pointer type; its definition is not shown here.  */
struct _IO_jump_t
{
/* Two leading padding words.  The initializers set them to zero
   (JUMP_INIT_DUMMY), which is why the gdb dump above shows 0x0 0x0 as the
   first two words of _IO_file_jumps.  */
JUMP_FIELD(size_t, __dummy);
JUMP_FIELD(size_t, __dummy2);
JUMP_FIELD(_IO_finish_t, __finish);
/* Fourth slot, i.e. byte offset 24 with the 8-byte pointers seen in the
   dump.  In _IO_str_jumps this slot holds _IO_str_overflow, the entry
   the dump marks with "<--- _IO_str_overflow".  */
JUMP_FIELD(_IO_overflow_t, __overflow);
JUMP_FIELD(_IO_underflow_t, __underflow);
JUMP_FIELD(_IO_underflow_t, __uflow);
JUMP_FIELD(_IO_pbackfail_t, __pbackfail);
/* showmany */
JUMP_FIELD(_IO_xsputn_t, __xsputn);
JUMP_FIELD(_IO_xsgetn_t, __xsgetn);
JUMP_FIELD(_IO_seekoff_t, __seekoff);
JUMP_FIELD(_IO_seekpos_t, __seekpos);
JUMP_FIELD(_IO_setbuf_t, __setbuf);
JUMP_FIELD(_IO_sync_t, __sync);
JUMP_FIELD(_IO_doallocate_t, __doallocate);
JUMP_FIELD(_IO_read_t, __read);
JUMP_FIELD(_IO_write_t, __write);
JUMP_FIELD(_IO_seek_t, __seek);
JUMP_FIELD(_IO_close_t, __close);
JUMP_FIELD(_IO_stat_t, __stat);
JUMP_FIELD(_IO_showmanyc_t, __showmanyc);
/* Last slot: 21 slots of 8 bytes = 168 bytes per table, which matches the
   dump (the __imbue pointer sits at _IO_file_jumps+160 and the word after
   it is zero).  */
JUMP_FIELD(_IO_imbue_t, __imbue);
/* Never compiled in; left as a record of two slots that do not exist in
   the table.  */
#if 0
get_column;
set_column;
#endif
};
/* We always allocate an extra word following an _IO_FILE.
This contains a pointer to the function jump table used.
This is for compatibility with C++ streambuf; the word can
be used to smash to a pointer to a virtual function table. */
/* A FILE as libio actually lays it out: the public _IO_FILE followed by the
   vtable pointer.  `vtable' points at one of the `struct _IO_jump_t' tables
   (_IO_file_jumps, _IO_str_jumps, ...), so which table a stream uses is a
   per-stream choice rather than a property of the struct type.  Because
   every operation is dispatched through this pointer, it is the field whose
   integrity the vtable checks in newer glibc versions are meant to protect.  */
struct _IO_FILE_plus
{
_IO_FILE file;
/* Read-only table of function pointers; see struct _IO_jump_t above.  */
const struct _IO_jump_t *vtable;
};
_IO_jump_t 구조체가 vtable인데, 이 안에는 str_overflow가 안 보이네요.
그래서 찾아보니까 str_overflow가 있는 소스 아래에
/* The jump table for the string-backed stream implementation (the _IO_str_*
   routines), as opposed to _IO_file_jumps, which judging by its name and the
   question above is the table for ordinary file streams.  Both are instances
   of the same `struct _IO_jump_t'; they differ only in which function each
   slot points to.  Slots with no string-specific implementation reuse the
   shared _IO_default_* routines, so those entries carry the same address in
   both tables -- e.g. the uflow slot is 0x00007ffff7a723c0 both at
   _IO_file_jumps+40 and at 0x7ffff7dcc388 in the dump.

   `libio_vtable' is NOT part of the variable name.  In glibc's libioP.h it
   is an attribute macro that places the object in the dedicated
   `__libc_IO_vtables' section, which is why _IO_str_jumps appears in memory
   right after the _IO_file_jumps symbol (the dump is consistent with it
   starting at 0x7ffff7dcc360: two zero words, then 0x00007ffff7a74300 and
   0x00007ffff7a73f60 for finish/overflow).  Grouping all tables in one
   section is what lets libio validate a FILE's vtable pointer
   (IO_validate_vtable / _IO_vtable_check) before dispatching through it,
   i.e. reject a vtable pointer that no longer points into that section.
   NOTE(review): confirm the macro and the check against the libioP.h of the
   glibc version being studied; the macro names above are from glibc 2.24+.  */
const struct _IO_jump_t _IO_str_jumps libio_vtable =
{
/* __dummy and __dummy2, both zero.  */
JUMP_INIT_DUMMY,
JUMP_INIT(finish, _IO_str_finish),
/* Slot 3 (byte offset 24): the _IO_str_overflow entry the question is
   about.  */
JUMP_INIT(overflow, _IO_str_overflow),
JUMP_INIT(underflow, _IO_str_underflow),
/* From here on, every _IO_default_* entry is shared with other tables.  */
JUMP_INIT(uflow, _IO_default_uflow),
JUMP_INIT(pbackfail, _IO_str_pbackfail),
JUMP_INIT(xsputn, _IO_default_xsputn),
JUMP_INIT(xsgetn, _IO_default_xsgetn),
JUMP_INIT(seekoff, _IO_str_seekoff),
JUMP_INIT(seekpos, _IO_default_seekpos),
JUMP_INIT(setbuf, _IO_default_setbuf),
JUMP_INIT(sync, _IO_default_sync),
JUMP_INIT(doallocate, _IO_default_doallocate),
JUMP_INIT(read, _IO_default_read),
JUMP_INIT(write, _IO_default_write),
JUMP_INIT(seek, _IO_default_seek),
JUMP_INIT(close, _IO_default_close),
JUMP_INIT(stat, _IO_default_stat),
JUMP_INIT(showmanyc, _IO_default_showmanyc),
JUMP_INIT(imbue, _IO_default_imbue)
};
vtable과 약간만 다른 libio_vtable이란게 있고 이 안에 str_overflow가 있더라구요.
맨 처음에 메모리에서 봤던 vtable 뒤에 있는 영역이 libio_vtable 같은데
무슨 차이일까요??
뭔가 파일에다가 처리하는 vtable, 문자열 대상으로 처리하는 vtable
이런 식으로 나눠진 것 같은데.
bob8gook