Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.
Play with FILE Structure
Yet Another Binary Exploit Technique
angelboy@chroot.org
1
About me
• Angelboy

• CTF player 

• WCTF / Boston Key Party 1st

• DEFCON / HITB 2nd

• Chroot / HITCON / 217

• Blog

•...
Agenda
• Introduction

• File stream

• Overview the FILE structure

• Exploitation of FILE structure

• FSOP

• Vtable ve...
Agenda
• Introduction

• File stream

• Overview the FILE structure

• Exploitation of FILE structure

• FSOP

• Vtable ve...
Introduction
• What happen when we use a raw io function
read/write
Kernel Buffer
User space
Kernel space
Disk
5
Introduction
• What happen when we use a raw io function
read/write
Kernel Buffer
User space
Kernel space
Disk
Reduce the ...
Introduction
• What is File stream

• A higher-level interface on the primitive file descriptor facilities

• Stream bufferi...
Introduction
• What happen when we use stdio function
read/write
Kernel Buffer
User space
Kernel space
Disk
stdio Buffer
f...
Introduction
• What happen when we use stdio function
read/write
Kernel Buffer
User space
Kernel space
Disk
stdio Buffer
f...
Agenda
• Introduction

• File stream

• Overview the FILE structure

• Exploitation of FILE structure

• FSOP

• Vtable ve...
Introduction
• FILE structure

• A complex structure

• Flags

• Stream buffer

• File descriptor

• FILE_plus

• Virtual f...
Introduction
• FILE structure

• Flags

• Record the attribute of the File stream

• Read only

• Append

• …
12
Introduction
• FILE structure

• Stream buffer

• Read buffer

• Write buffer

• Reserve buffer
13
Introduction
• FILE structure

• _fileno

• File descriptor

• Return by sys_open
14
Introduction
• FILE structure

• FILE plus

• stdin/stdout/stderr

• fopen also use it

• Extra Virtual function table

• ...
Introduction
• FILE structure

• FILE plus 

• stdin/stdout/stderr

• fopen also use it

• Extra Virtual function table

•...
Introduction
• FILE structure

• Every FILE associate with a _chain (linked list)
17
_IO_list_all
_flag
……
chain
_flag
……
ch...
Introduction
• fopen workflow

• Allocate FILE structure

• Initial the FILE structure

• Link the FILE structure

• open fi...
Introduction
• fopen workflow

• Allocate FILE structure
_IO_list_all
_flag
……
chain
……
vtable
_flag
……
chain
……
vtable
_flag
...
Introduction
• fopen workflow

• Initialize the FILE structure

• Link the FILE structure
_IO_list_all
_flag
……
chain
……
vta...
Introduction
• fopen workflow

• Initial the FILE structure

• Link the FILE structure
_IO_list_all
_flag
……
chain
……
vtable...
Introduction
• fopen workflow

• open file
_IO_list_all
_flag
……
chain
……
vtable
_flag
……
chain
……
vtable
_flag
……
0
……
vtable
...
Introduction
• fread workflow

• If stream buffer is NULL

• Allocate buffer

• Read data to the stream buffer

• Copy data fr...
Introduction
• fread workflow

• If stream buffer is NULL

• Allocate buffer
_flag
read_ptr (0)
read_end (0)
……
buf_base (0)
b...
Introduction
• fread workflow

• Read data to the stream buffer
_flag
read_ptr (0)
read_end (0)
……
0x603010
0x604010
……
vtabl...
Introduction
• fread workflow

• Copy data from stream buffer 

to destination
_flag
0x603010
0x604010
……
0x603010
0x604010
…...
AAAA
AAAA
BBBB
BBBB
CCCC
CCCC
…
…
…
ZZZZ
Introduction
• fread workflow

• Copy data from stream buffer 

to destination
_flag...
Introduction
• fwrite workflow

• If stream buffer is NULL

• Allocate buffer

• Copy user data to the stream buffer

• If the...
Introduction
• fclose workflow

• Unlink the FILE structure

• Flush & Release the stream buffer

• Close the file

• Release...
Agenda
• Introduction

• File stream

• Overview the FILE structure

• Exploitation of FILE structure

• FSOP

• Vtable ve...
Exploitation of FILE
• There are a good target in FILE structure

• Virtual Function Table
31
• Let’s overwrite with buffer address
Exploitation of FILE
Buffer overflow
Sample code
payload
Buffer address
32
//variable bu...
• Let’s overwrite with buffer address
Exploitation of FILE
33
Buffer
fp
fp
_flag
read_ptr (0)
read_end (0)
……
vtable
• Let’s overwrite with buffer address
Exploitation of FILE
34
AAAAAAAA
AAAAAAAA
AAAAAAAA
AAAAAAAA
……
……
AAAAAAAA
……
Buffer
0...
Exploitation of FILE
• Not call vtable directly…

• RDX is our input

but not call instruction
35
Exploitation of FILE
• Let’s see what happened in fclose

• We can get information of segfault in gdb and located it in so...
Exploitation of FILE
• FILE structure

• _lock

• Prevent race condition in multithread

• Very common in stdio related fu...
• Let’s fix the lock
Exploitation of FILE
Find a global buffer as our lock
Fix our payload
offset of _lock
38
0x100 bytes
• We control PC !
Exploitation of FILE
39
Exploitation of FILE
• Another interesting

• stdin/stdout/stderr is also a FILE structure in glibc

• We can overwrite th...
Agenda
• Introduction

• File stream

• Overview the FILE structure

• Exploitation of FILE structure

• FSOP

• Vtable ve...
FSOP
• File-Stream Oriented Programing

• Control the linked list of File stream

• _chain

• _IO_list_all

• Powerful fun...
FSOP
• _IO_flush_all_lockp

• fflush all file stream

• When will call it

• Glib abort routine

• exit function

• Main retur...
FSOP
• _IO_flush_all_lockp

• It will process all FILE

in FILE linked list

• We can construct the

linked list to do orie...
FSOP
• File-Stream Oriented Programing
_IO_list_all
_flags
_IO_read_ptr
…
…
…
_IO_FILE *chain
…
…
vtable
45
FSOP
• File-Stream Oriented Programing
_IO_list_all
_flags
_IO_read_ptr
…
…
…
_IO_FILE *chain
…
…
vtable
_flags(“bar”)
_IO_r...
FSOP
• File-Stream Oriented Programing
_IO_list_all
_flags
_IO_read_ptr
…
…
…
_IO_FILE *chain
…
…
vtable
_flags(“bar”)
_IO_r...
FSOP
• File-Stream Oriented Programing
_IO_list_all
_flags
_IO_read_ptr
…
…
…
_IO_FILE *chain
…
…
vtable
_flags(“bar”)
_IO_r...
FSOP
• File-Stream Oriented Programing
_IO_list_all
_flags
_IO_read_ptr
…
…
…
_IO_FILE *chain
…
…
vtable
_flags(“bar”)
_IO_r...
FSOP
• File-Stream Oriented Programing
_IO_list_all
_flags
_IO_read_ptr
…
…
…
_IO_FILE *chain
…
…
vtable
_flags(“bar”)
_IO_r...
FSOP
• File-Stream Oriented Programing
_IO_list_all
_flags
_IO_read_ptr
…
…
…
_IO_FILE *chain
…
…
vtable
_flags(“bar”)
_IO_r...
Agenda
• Introduction

• File stream

• Overview the FILE structure

• Exploitation of FILE structure

• FSOP

• Vtable ve...
Vtable verification
• Unfortunately, there are a virtual function table in latest libc

• Check the address of vtable befor...
Vtable verification
• Vtable verification in File

• The vtable must be in libc _IO_vtable section

• If it’s not in _IO_vta...
• _IO_vtable_check

• Check the foreign vtables
Vtable verification
55
For overriding
For share library
Vtable verification
• Bypass ?

• Overwrite IO_accept_foreign_vtables ?

• It’s very difficult because of the pointer guard
5...
Vtable verification
• Bypass ?

• Overwrite _dl_open_hook ?

• Sounds good, but if you can control the value, you can also ...
Vtable verification
• Summary of the vtable verification

• It very hard to bypass it.

• Exploitation of FILE structure is ...
Agenda
• Introduction

• File stream

• Overview the FILE structure

• Exploitation of FILE structure

• FSOP

• Vtable ve...
Make FILE structure great again
• How about change the target from vtable to other element ?

• Stream Buffer & File Descri...
Make FILE structure great again
• If we can overwrite the FILE structure and use fread and fwrite with the
FILE structure
...
Make FILE structure great again
• Arbitrary memory reading

• fwrite

• Set the _fileno to the file descriptor of stdout 

•...
Make FILE structure great again
• Arbitrary memory reading

• Set _flag &~ _IO_NO_WRITES

• Set _flag |= _IO_CURRENTLY_PUTTI...
Make FILE structure great again
• Arbitrary memory reading

• Let _IO_read_end equal to _IO_write_base

• If it’s not, it ...
Make FILE structure great again
• Arbitrary memory reading

• Sample code
65
Make FILE structure great again
• Arbitrary memory writing

• fread

• Set the _fileno to file descriptor of stdin

• Set _fl...
Make FILE structure great again
• Arbitrary memory writing

• Set read_base & read_ptr to NULL
67
It will copy data from b...
Make FILE structure great again
• Arbitrary memory writing

• Set _flag &~ _IO_NO_READS
68
Our goal
Make FILE structure great again
• Arbitrary memory writing

• Sample code
69
Make FILE structure great again
• If you have arbitrary memory address read and write, you can control the
flow very easy

...
Make FILE structure great again
• If we don’t have any file operation in the program

• We can use stdin/stdout/stderr 

• ...
Make FILE structure great again
• Scenario

• Use any stdin related function

• scanf/fgets/gets …

• Stdin is unbuffer

• ...
Make FILE structure great again
• Overwrite buf_end with a pointer behind the stdin

• Unsorted bin attack

• Very common ...
Make FILE structure great again
• Overwrite buf_end with a pointer behind the stdin

• Unsorted bin attack

• Very common ...
Make FILE structure great again
• Stdin related function

• scanf(“%d”,&var)

• It will call

• read(0,buf_base,sizeof(std...
Make FILE structure great again
• Stdin related function

• scanf(“%d”,&var)

• It will call

• read(0,buf_base,sizeof(std...
Make FILE structure great again
• Stdin related function

• scanf(“%d”,&var)

• It will call

• read(0,buf_base,sizeof(std...
Make FILE structure great again
• How about Windows ?

• No vtable in FILE

• It also has stream buffer pointer

• You can ...
Agenda
• Introduction

• File stream

• Overview the FILE structure

• Exploitation of FILE structure

• FSOP

• Vtable ve...
Conclusion
• FILE structure is a good target for binary exploit

• It can be used to

• Arbitrary memory read and write

•...
Conclusion
• FILE structure is a good target for binary Exploit

• It’s very powerful in some unexploitable case

• Let’s ...
Upcoming SlideShare
Loading in …5
×

Play with FILE Structure - Yet Another Binary Exploit Technique

11,269 views

Published on

Play with FILE Structure - Yet Another Binary Exploit Technique

Published in: Technology
  • Hello! Get Your Professional Job-Winning Resume Here - Check our website! https://vk.cc/818RFv
       Reply 
    Are you sure you want to  Yes  No
    Your message goes here

Play with FILE Structure - Yet Another Binary Exploit Technique

  1. 1. Play with FILE Structure Yet Another Binary Exploit Technique angelboy@chroot.org 1
  2. 2. About me • Angelboy • CTF player • WCTF / Boston Key Party 1st • DEFCON / HITB 2nd • Chroot / HITCON / 217 • Blog • blog.angelboy.tw 2
  3. 3. Agenda • Introduction • File stream • Overview the FILE structure • Exploitation of FILE structure • FSOP • Vtable verification in FILE structure • Make FILE structure great again • Conclusion 3
  4. 4. Agenda • Introduction • File stream • Overview the FILE structure • Exploitation of FILE structure • FSOP • Vtable verification in FILE structure • Make FILE structure great again • Conclusion 4
  5. 5. Introduction • What happen when we use a raw io function read/write Kernel Buffer User space Kernel space Disk 5
  6. 6. Introduction • What happen when we use a raw io function read/write Kernel Buffer User space Kernel space Disk Reduce the number of HD I/O 6
  7. 7. Introduction • What is File stream • A higher-level interface on the primitive file descriptor facilities • Stream buffering • Portable and High performance • What is FILE structure • A File stream descriptor • Created by fopen 7
  8. 8. Introduction • What happen when we use stdio function read/write Kernel Buffer User space Kernel space Disk stdio Buffer fread/fwrite 8
  9. 9. Introduction • What happen when we use stdio function read/write Kernel Buffer User space Kernel space Disk stdio Buffer fread/fwrite Reduce the number of syscall 9
  10. 10. Agenda • Introduction • File stream • Overview the FILE structure • Exploitation of FILE structure • FSOP • Vtable verification in FILE structure • Make FILE structure great again • Conclusion 10
  11. 11. Introduction • FILE structure • A complex structure • Flags • Stream buffer • File descriptor • FILE_plus • Virtual function table 11
  12. 12. Introduction • FILE structure • Flags • Record the attribute of the File stream • Read only • Append • … 12
  13. 13. Introduction • FILE structure • Stream buffer • Read buffer • Write buffer • Reserve buffer 13
  14. 14. Introduction • FILE structure • _fileno • File descriptor • Return by sys_open 14
  15. 15. Introduction • FILE structure • FILE plus • stdin/stdout/stderr • fopen also use it • Extra Virtual function table • Any operation on file is via vtable 15
  16. 16. Introduction • FILE structure • FILE plus • stdin/stdout/stderr • fopen also use it • Extra Virtual function table • Any operation on file is via vtable 16
  17. 17. Introduction • FILE structure • Every FILE associate with a _chain (linked list) 17 _IO_list_all _flag …… chain _flag …… chain _flag …… 0 stderr stdout stdin
  18. 18. Introduction • fopen workflow • Allocate FILE structure • Initial the FILE structure • Link the FILE structure • open file 18 fopen malloc _IO_link_in sys_open _IO_new_file_init_internal _IO_new_file_open
  19. 19. Introduction • fopen workflow • Allocate FILE structure _IO_list_all _flag …… chain …… vtable _flag …… chain …… vtable _flag …… 0 …… vtable stderr stdout stdin 19 malloc
  20. 20. Introduction • fopen workflow • Initialize the FILE structure • Link the FILE structure _IO_list_all _flag …… chain …… vtable _flag …… chain …… vtable _flag …… 0 …… vtable stderr stdout stdin 0 …… 0 …… 0 fp 20 _IO_new_file_init_internal _IO_link_in
  21. 21. Introduction • fopen workflow • Initial the FILE structure • Link the FILE structure _IO_list_all _flag …… chain …… vtable _flag …… chain …… vtable _flag …… 0 …… vtable stderr stdout stdin _flag …… chain …… vtable fp 21 _IO_link_in _IO_new_file_init_internal
  22. 22. Introduction • fopen workflow • open file _IO_list_all _flag …… chain …… vtable _flag …… chain …… vtable _flag …… 0 …… vtable stderr stdout stdin _flag …… chain …… vtable fp 22 sys_open
  23. 23. Introduction • fread workflow • If stream buffer is NULL • Allocate buffer • Read data to the stream buffer • Copy data from stream buffer to destination 23 fread vtable->_IO_file_xsgetn vtable->doallocate vtable->_IO_file_underflow sys_read
  24. 24. Introduction • fread workflow • If stream buffer is NULL • Allocate buffer _flag read_ptr (0) read_end (0) …… buf_base (0) buf_end (0) …… vtable fp _IO_file_finish _IO_file_overflow … _IO_file_doallocate … … … _IO_default_imbue vtable 24 fread vtable->_IO_file_xsgetn vtable->doallocate
  25. 25. Introduction • fread workflow • Read data to the stream buffer _flag read_ptr (0) read_end (0) …… 0x603010 0x604010 …… vtable fp stdio buffer 25 vtable->_IO_file_underflow sys_read
  26. 26. Introduction • fread workflow • Copy data from stream buffer 
 to destination _flag 0x603010 0x604010 …… 0x603010 0x604010 …… vtable fp AAAA AAAA BBBB BBBB CCCC CCCC … … … ZZZZ stdio buffer Destination 26 vtable->_IO_file_xsgetn
  27. 27. AAAA AAAA BBBB BBBB CCCC CCCC … … … ZZZZ Introduction • fread workflow • Copy data from stream buffer 
 to destination _flag 0x603040 0x604010 …… 0x603010 0x604010 …… vtable fp stdio buffer AAAAAAAA Copy to destination 27 vtable->_IO_file_xsgetn
  28. 28. Introduction • fwrite workflow • If stream buffer is NULL • Allocate buffer • Copy user data to the stream buffer • If the stream buffer is filled or flush the stream • write data from stream buffer to the file 28 fwrite vtable->_IO_file_xsputn vtable->_IO_file_overflow vtable->doallocate sys_write
  29. 29. Introduction • fclose workflow • Unlink the FILE structure • Flush & Release the stream buffer • Close the file • Release the FILE structure 29 fclose _IO_unlink_it _IO_new_file_close_it _IO_do_flush sys_close vtable—>_IO_file_finish free
  30. 30. Agenda • Introduction • File stream • Overview the FILE structure • Exploitation of FILE structure • FSOP • Vtable verification in FILE structure • Make FILE structure great again • Conclusion 30
  31. 31. Exploitation of FILE • There are a good target in FILE structure • Virtual Function Table 31
  32. 32. • Let’s overwrite with buffer address Exploitation of FILE Buffer overflow Sample code payload Buffer address 32 //variable buf at 0x6009a0
  33. 33. • Let’s overwrite with buffer address Exploitation of FILE 33 Buffer fp fp _flag read_ptr (0) read_end (0) …… vtable
  34. 34. • Let’s overwrite with buffer address Exploitation of FILE 34 AAAAAAAA AAAAAAAA AAAAAAAA AAAAAAAA …… …… AAAAAAAA …… Buffer 0x6009a0 fp _flag read_ptr (0) read_end (0) …… vtable Buffer overflow
  35. 35. Exploitation of FILE • Not call vtable directly… • RDX is our input
 but not call instruction 35
  36. 36. Exploitation of FILE • Let’s see what happened in fclose • We can get information of segfault in gdb and located it in source code Segfault 36
  37. 37. Exploitation of FILE • FILE structure • _lock • Prevent race condition in multithread • Very common in stdio related function • Usually need to construct it for Exploitation 37
  38. 38. • Let’s fix the lock Exploitation of FILE Find a global buffer as our lock Fix our payload offset of _lock 38 0x100 bytes
  39. 39. • We control PC ! Exploitation of FILE 39
  40. 40. Exploitation of FILE • Another interesting • stdin/stdout/stderr is also a FILE structure in glibc • We can overwrite the global variable in glibc to control the flow 40 GLIBC SYMBOL TABLE Global offset
  41. 41. Agenda • Introduction • File stream • Overview the FILE structure • Exploitation of FILE structure • FSOP • Vtable verification in FILE structure • Make FILE structure great again • Conclusion 41
  42. 42. FSOP • File-Stream Oriented Programing • Control the linked list of File stream • _chain • _IO_list_all • Powerful function • _IO_flush_all_lockp 42
  43. 43. FSOP • _IO_flush_all_lockp • fflush all file stream • When will call it • Glib abort routine • exit function • Main return 43 malloc_printerr _libc_message(error msg) abort _IO_flush_all_lockp JUMP_FIELD(_IO_overflow_t, __overflow) If the condition is satisfied Glibc abort routine
  44. 44. FSOP • _IO_flush_all_lockp • It will process all FILE
 in FILE linked list • We can construct the
 linked list to do oriented
 programing 44 fp = _IO_list_all condition Trigger virtual funcition Point to next
  45. 45. FSOP • File-Stream Oriented Programing _IO_list_all _flags _IO_read_ptr … … … _IO_FILE *chain … … vtable 45
  46. 46. FSOP • File-Stream Oriented Programing _IO_list_all _flags _IO_read_ptr … … … _IO_FILE *chain … … vtable _flags(“bar”) _IO_read_ptr … … … _IO_FILE *chain … … vtable _flags(“sh”) _IO_read_ptr … … … _IO_FILE *chain … … vtablefake_vtable fake_vtable2 system system system … … foo foo foo … … Trigger abort() 46
  47. 47. FSOP • File-Stream Oriented Programing _IO_list_all _flags _IO_read_ptr … … … _IO_FILE *chain … … vtable _flags(“bar”) _IO_read_ptr … … … _IO_FILE *chain … … vtable _flags(“sh”) _IO_read_ptr … … … _IO_FILE *chain … … vtablefake_vtable fake_vtable2 system system system … … foo foo foo … … call foo(_flags) 47
  48. 48. FSOP • File-Stream Oriented Programing _IO_list_all _flags _IO_read_ptr … … … _IO_FILE *chain … … vtable _flags(“bar”) _IO_read_ptr … … … _IO_FILE *chain … … vtable _flags(“sh”) _IO_read_ptr … … … _IO_FILE *chain … … vtablefake_vtable fake_vtable2 system system system … … foo foo foo … … call foo(“bar”) 48
  49. 49. FSOP • File-Stream Oriented Programing _IO_list_all _flags _IO_read_ptr … … … _IO_FILE *chain … … vtable _flags(“bar”) _IO_read_ptr … … … _IO_FILE *chain … … vtable _flags(“sh”) _IO_read_ptr … … … _IO_FILE *chain … … vtablefake_vtable fake_vtable2 system system system … … foo foo foo … … fp = fp->chain 49
  50. 50. FSOP • File-Stream Oriented Programing _IO_list_all _flags _IO_read_ptr … … … _IO_FILE *chain … … vtable _flags(“bar”) _IO_read_ptr … … … _IO_FILE *chain … … vtable _flags(“sh”) _IO_read_ptr … … … _IO_FILE *chain … … vtablefake_vtable fake_vtable2 system system system … … foo foo foo … … call system(_flags) 50
  51. 51. FSOP • File-Stream Oriented Programing _IO_list_all _flags _IO_read_ptr … … … _IO_FILE *chain … … vtable _flags(“bar”) _IO_read_ptr … … … _IO_FILE *chain … … vtable _flags(“sh”) _IO_read_ptr … … … _IO_FILE *chain … … vtablefake_vtable fake_vtable2 system system system … … foo foo foo … … call system(_flags) GET SHELL !! 51
  52. 52. Agenda • Introduction • File stream • Overview the FILE structure • Exploitation of FILE structure • FSOP • Vtable verification in FILE structure • Make FILE structure great again • Conclusion 52
  53. 53. Vtable verification • Unfortunately, there are a virtual function table in latest libc • Check the address of vtable before all virtual function call • If vtable is invalid, it would abort 53
  54. 54. Vtable verification • Vtable verification in File • The vtable must be in libc _IO_vtable section • If it’s not in _IO_vtable section, it will check if the vtable are permitted 54
  55. 55. • _IO_vtable_check • Check the foreign vtables Vtable verification 55 For overriding For share library
  56. 56. Vtable verification • Bypass ? • Overwrite IO_accept_foreign_vtables ? • It’s very difficult because of the pointer guard 56 Demangle with pointer guard
  57. 57. Vtable verification • Bypass ? • Overwrite _dl_open_hook ? • Sounds good, but if you can control the value, you can also control other good target 57
  58. 58. Vtable verification • Summary of the vtable verification • It very hard to bypass it. • Exploitation of FILE structure is died ? 58
  59. 59. Agenda • Introduction • File stream • Overview the FILE structure • Exploitation of FILE structure • FSOP • Vtable verification in FILE structure • Make FILE structure great again • Conclusion 59
  60. 60. Make FILE structure great again • How about change the target from vtable to other element ? • Stream Buffer & File Descriptor 60
  61. 61. Make FILE structure great again • If we can overwrite the FILE structure and use fread and fwrite with the FILE structure • We can • Arbitrary memory reading • Arbitrary memory writing 61
  62. 62. Make FILE structure great again • Arbitrary memory reading • fwrite • Set the _fileno to the file descriptor of stdout • Set _flag & ~_IO_NO_WRITES • Set _flag |= _IO_CURRENTLY_PUTTING • Set the write_base & write_ptr to memory address which you want to read • _IO_read_end equal to _IO_write_base 62
  63. 63. Make FILE structure great again • Arbitrary memory reading • Set _flag &~ _IO_NO_WRITES • Set _flag |= _IO_CURRENTLY_PUTTING 63 Our goal It will adjust the stream buffer A piece of code in fwrite
  64. 64. Make FILE structure great again • Arbitrary memory reading • Let _IO_read_end equal to _IO_write_base • If it’s not, it would adjust to the current offset. 64 It will adjust the stream buffer Our goal
  65. 65. Make FILE structure great again • Arbitrary memory reading • Sample code 65
  66. 66. Make FILE structure great again • Arbitrary memory writing • fread • Set the _fileno to file descriptor of stdin • Set _flag &~ _IO_NO_READS • Set read_base & read_ptr to NULL • Set the buf_base & buf_end to memory address which you want to wirte • buf_end - buf_base < size of fread 66
  67. 67. Make FILE structure great again • Arbitrary memory writing • Set read_base & read_ptr to NULL 67 It will copy data from buffer to destination Buffer size must be smaller than read size
  68. 68. Make FILE structure great again • Arbitrary memory writing • Set _flag &~ _IO_NO_READS 68 Our goal
  69. 69. Make FILE structure great again • Arbitrary memory writing • Sample code 69
  70. 70. Make FILE structure great again • If you have arbitrary memory address read and write, you can control the flow very easy • GOT hijack • __malloc_hook_/__free_hook_/__realloc_hook_ • … • By the way, you can not only use fread and fwrite but also use any stdio related function 70
  71. 71. Make FILE structure great again • If we don’t have any file operation in the program • We can use stdin/stdout/stderr • put/printf/scanf • … 71
  72. 72. Make FILE structure great again • Scenario • Use any stdin related function • scanf/fgets/gets … • Stdin is unbuffer • Very common in normal stdio program 72 … _IO_buf_base _IO_buf_end … _short_buf … stdin buffer stdin
  73. 73. Make FILE structure great again • Overwrite buf_end with a pointer behind the stdin • Unsorted bin attack • Very common in heap exploitation 73 … _IO_buf_base _IO_buf_end … _short_buf … stdin buffer stdin
  74. 74. Make FILE structure great again • Overwrite buf_end with a pointer behind the stdin • Unsorted bin attack • Very common in heap exploitation 74 … _IO_buf_base Unsorted bin … _short_buf … vtable … stdin stdin buffer … main_arena malloc_hook
  75. 75. Make FILE structure great again • Stdin related function • scanf(“%d”,&var) • It will call • read(0,buf_base,sizeof(stdin buffer)) 75 … _IO_buf_base Unsorted bin … _short_buf … vtable … stdin stdin buffer … main_arena malloc_hook
  76. 76. Make FILE structure great again • Stdin related function • scanf(“%d”,&var) • It will call • read(0,buf_base,sizeof(stdin buffer)) • It can overwrite many global variable in glibc • Input: aaaa……. 76 … _IO_buf_base Unsorted bin … aaaaaaaa … aaaaaaaa … stdin stdin buffer … main_arena aaaaaaaa
  77. 77. Make FILE structure great again • Stdin related function • scanf(“%d”,&var) • It will call • read(0,buf_base,sizeof(stdin buffer)) • It can overwrite many global variable in glibc • Input: aaaa……. 77 … _IO_buf_base aaaaaaaa … aaaaaaaa … aaaaaaaa … stdin stdin buffer … main_arena aaaaaaaa Control PC again !
  78. 78. Make FILE structure great again • How about Windows ? • No vtable in FILE • It also has stream buffer pointer • You can corrupt it to achieve arbitrary memory read and write 78
  79. 79. Agenda • Introduction • File stream • Overview the FILE structure • Exploitation of FILE structure • FSOP • Vtable verification in FILE structure • Make FILE structure great again • Conclusion 79
  80. 80. Conclusion • FILE structure is a good target for binary exploit • It can be used to • Arbitrary memory read and write • Control the PC and do oriented programing • Other exploit technology • Arbitrary free/unmmap • … 80
  81. 81. Conclusion • FILE structure is a good target for binary Exploit • It’s very powerful in some unexploitable case • Let’s try to find more and more exploit technology in FILE structure 81 Mail : angelboy@chroot.org Blog : blog.angelboy.tw Twitter : scwuaptx

×