Unresolved [Help][Heap exploitation] Glibc 2.39 House of cat: how to control `mode`? 10 雪币

Posted on: 2025-5-4 08:26 798

While doing the glibc 2.39 House of cat, I modify the vtable so that it jumps into `_IO_wfile_seekoff`,
and from there calls into `_IO_switch_to_wget_mode` to reach `system("sh")`.
```c
off64_t
_IO_wfile_seekoff (FILE *fp, off64_t offset, int dir, int mode)
{
  off64_t result;
  off64_t delta, new_offset;
  long int count;

  /* Short-circuit into a separate function.  We don't want to mix any
     functionality and we don't want to touch anything inside the FILE
     object. */
  if (mode == 0)
    return do_ftell_wide (fp);

  /* POSIX.1 8.2.3.7 says that after a call the fflush() the file
     offset of the underlying file must be exact.  */
  int must_be_exact = ((fp->_wide_data->_IO_read_base
                        == fp->_wide_data->_IO_read_end)
                       && (fp->_wide_data->_IO_write_base
                           == fp->_wide_data->_IO_write_ptr));

  bool was_writing = ((fp->_wide_data->_IO_write_ptr
                       > fp->_wide_data->_IO_write_base)
                      || _IO_in_put_mode (fp));

  /* Flush unwritten characters.
     (This may do an unneeded write if we seek within the buffer.
     But to be able to switch to reading, we would need to set
     egptr to pptr.  That can't be done in the current design,
     which assumes file_ptr() is eGptr.  Anyway, since we probably
     end up flushing when we close(), it doesn't make much difference.)
     FIXME: simulate mem-mapped files. */
  if (was_writing && _IO_switch_to_wget_mode (fp))
    return WEOF;
```
However, in the exploit I found that `mode == 0` sends it into the wrong branch and it crashes.
Is there any way to control `mode`?