Play with FILE Structure - Yet Another Binary Exploit Technique

A
Angel Boy
Play with FILE Structure Yet Another Binary Exploit Technique angelboy@chroot.org 1
About me • Angelboy • CTF player • WCTF / Boston Key Party 1st • DEFCON / HITB 2nd • Chroot / HITCON / 217 • Blog • blog.angelboy.tw 2
Agenda • Introduction • File stream • Overview the FILE structure • Exploitation of FILE structure • FSOP • Vtable verification in FILE structure • Make FILE structure great again • Conclusion 3
Agenda • Introduction • File stream • Overview the FILE structure • Exploitation of FILE structure • FSOP • Vtable verification in FILE structure • Make FILE structure great again • Conclusion 4
Introduction • What happen when we use a raw io function read/write Kernel Buffer User space Kernel space Disk 5
Introduction • What happen when we use a raw io function read/write Kernel Buffer User space Kernel space Disk Reduce the number of HD I/O 6
Introduction • What is File stream • A higher-level interface on the primitive file descriptor facilities • Stream buffering • Portable and High performance • What is FILE structure • A File stream descriptor • Created by fopen 7
Introduction • What happen when we use stdio function read/write Kernel Buffer User space Kernel space Disk stdio Buffer fread/fwrite 8
Introduction • What happen when we use stdio function read/write Kernel Buffer User space Kernel space Disk stdio Buffer fread/fwrite Reduce the number of syscall 9
Agenda • Introduction • File stream • Overview the FILE structure • Exploitation of FILE structure • FSOP • Vtable verification in FILE structure • Make FILE structure great again • Conclusion 10
Introduction • FILE structure • A complex structure • Flags • Stream buffer • File descriptor • FILE_plus • Virtual function table 11
Introduction • FILE structure • Flags • Record the attribute of the File stream • Read only • Append • … 12
Introduction • FILE structure • Stream buffer • Read buffer • Write buffer • Reserve buffer 13
Introduction • FILE structure • _fileno • File descriptor • Return by sys_open 14
Introduction • FILE structure • FILE plus • stdin/stdout/stderr • fopen also use it • Extra Virtual function table • Any operation on file is via vtable 15
Introduction • FILE structure • FILE plus • stdin/stdout/stderr • fopen also use it • Extra Virtual function table • Any operation on file is via vtable 16
Introduction • FILE structure • Every FILE associate with a _chain (linked list) 17 _IO_list_all _flag …… chain _flag …… chain _flag …… 0 stderr stdout stdin
Introduction • fopen workflow • Allocate FILE structure • Initial the FILE structure • Link the FILE structure • open file 18 fopen malloc _IO_link_in sys_open _IO_new_file_init_internal _IO_new_file_open
Introduction • fopen workflow • Allocate FILE structure _IO_list_all _flag …… chain …… vtable _flag …… chain …… vtable _flag …… 0 …… vtable stderr stdout stdin 19 malloc
Introduction • fopen workflow • Initialize the FILE structure • Link the FILE structure _IO_list_all _flag …… chain …… vtable _flag …… chain …… vtable _flag …… 0 …… vtable stderr stdout stdin 0 …… 0 …… 0 fp 20 _IO_new_file_init_internal _IO_link_in
Introduction • fopen workflow • Initial the FILE structure • Link the FILE structure _IO_list_all _flag …… chain …… vtable _flag …… chain …… vtable _flag …… 0 …… vtable stderr stdout stdin _flag …… chain …… vtable fp 21 _IO_link_in _IO_new_file_init_internal
Introduction • fopen workflow • open file _IO_list_all _flag …… chain …… vtable _flag …… chain …… vtable _flag …… 0 …… vtable stderr stdout stdin _flag …… chain …… vtable fp 22 sys_open
Introduction • fread workflow • If stream buffer is NULL • Allocate buffer • Read data to the stream buffer • Copy data from stream buffer to destination 23 fread vtable->_IO_file_xsgetn vtable->doallocate vtable->_IO_file_underflow sys_read
Introduction • fread workflow • If stream buffer is NULL • Allocate buffer _flag read_ptr (0) read_end (0) …… buf_base (0) buf_end (0) …… vtable fp _IO_file_finish _IO_file_overflow … _IO_file_doallocate … … … _IO_default_imbue vtable 24 fread vtable->_IO_file_xsgetn vtable->doallocate
Introduction • fread workflow • Read data to the stream buffer _flag read_ptr (0) read_end (0) …… 0x603010 0x604010 …… vtable fp stdio buffer 25 vtable->_IO_file_underflow sys_read
Introduction • fread workflow • Copy data from stream buffer 
 to destination _flag 0x603010 0x604010 …… 0x603010 0x604010 …… vtable fp AAAA AAAA BBBB BBBB CCCC CCCC … … … ZZZZ stdio buffer Destination 26 vtable->_IO_file_xsgetn
AAAA AAAA BBBB BBBB CCCC CCCC … … … ZZZZ Introduction • fread workflow • Copy data from stream buffer 
 to destination _flag 0x603040 0x604010 …… 0x603010 0x604010 …… vtable fp stdio buffer AAAAAAAA Copy to destination 27 vtable->_IO_file_xsgetn
Introduction • fwrite workflow • If stream buffer is NULL • Allocate buffer • Copy user data to the stream buffer • If the stream buffer is filled or flush the stream • write data from stream buffer to the file 28 fwrite vtable->_IO_file_xsputn vtable->_IO_file_overflow vtable->doallocate sys_write
Introduction • fclose workflow • Unlink the FILE structure • Flush & Release the stream buffer • Close the file • Release the FILE structure 29 fclose _IO_unlink_it _IO_new_file_close_it _IO_do_flush sys_close vtable—>_IO_file_finish free
Agenda • Introduction • File stream • Overview the FILE structure • Exploitation of FILE structure • FSOP • Vtable verification in FILE structure • Make FILE structure great again • Conclusion 30
Exploitation of FILE • There are a good target in FILE structure • Virtual Function Table 31
• Let’s overwrite with buffer address Exploitation of FILE Buffer overflow Sample code payload Buffer address 32 //variable buf at 0x6009a0
• Let’s overwrite with buffer address Exploitation of FILE 33 Buffer fp fp _flag read_ptr (0) read_end (0) …… vtable
• Let’s overwrite with buffer address Exploitation of FILE 34 AAAAAAAA AAAAAAAA AAAAAAAA AAAAAAAA …… …… AAAAAAAA …… Buffer 0x6009a0 fp _flag read_ptr (0) read_end (0) …… vtable Buffer overflow
Exploitation of FILE • Not call vtable directly… • RDX is our input
 but not call instruction 35
Exploitation of FILE • Let’s see what happened in fclose • We can get information of segfault in gdb and located it in source code Segfault 36
Exploitation of FILE • FILE structure • _lock • Prevent race condition in multithread • Very common in stdio related function • Usually need to construct it for Exploitation 37
• Let’s fix the lock Exploitation of FILE Find a global buffer as our lock Fix our payload offset of _lock 38 0x100 bytes
• We control PC ! Exploitation of FILE 39
Exploitation of FILE • Another interesting • stdin/stdout/stderr is also a FILE structure in glibc • We can overwrite the global variable in glibc to control the flow 40 GLIBC SYMBOL TABLE Global offset
Agenda • Introduction • File stream • Overview the FILE structure • Exploitation of FILE structure • FSOP • Vtable verification in FILE structure • Make FILE structure great again • Conclusion 41
FSOP • File-Stream Oriented Programing • Control the linked list of File stream • _chain • _IO_list_all • Powerful function • _IO_flush_all_lockp 42
FSOP • _IO_flush_all_lockp • fflush all file stream • When will call it • Glib abort routine • exit function • Main return 43 malloc_printerr _libc_message(error msg) abort _IO_flush_all_lockp JUMP_FIELD(_IO_overflow_t, __overflow) If the condition is satisfied Glibc abort routine
FSOP • _IO_flush_all_lockp • It will process all FILE
 in FILE linked list • We can construct the
 linked list to do oriented
 programing 44 fp = _IO_list_all condition Trigger virtual funcition Point to next
FSOP • File-Stream Oriented Programing _IO_list_all _flags _IO_read_ptr … … … _IO_FILE *chain … … vtable 45
FSOP • File-Stream Oriented Programing _IO_list_all _flags _IO_read_ptr … … … _IO_FILE *chain … … vtable _flags(“bar”) _IO_read_ptr … … … _IO_FILE *chain … … vtable _flags(“sh”) _IO_read_ptr … … … _IO_FILE *chain … … vtablefake_vtable fake_vtable2 system system system … … foo foo foo … … Trigger abort() 46
FSOP • File-Stream Oriented Programing _IO_list_all _flags _IO_read_ptr … … … _IO_FILE *chain … … vtable _flags(“bar”) _IO_read_ptr … … … _IO_FILE *chain … … vtable _flags(“sh”) _IO_read_ptr … … … _IO_FILE *chain … … vtablefake_vtable fake_vtable2 system system system … … foo foo foo … … call foo(_flags) 47
FSOP • File-Stream Oriented Programing _IO_list_all _flags _IO_read_ptr … … … _IO_FILE *chain … … vtable _flags(“bar”) _IO_read_ptr … … … _IO_FILE *chain … … vtable _flags(“sh”) _IO_read_ptr … … … _IO_FILE *chain … … vtablefake_vtable fake_vtable2 system system system … … foo foo foo … … call foo(“bar”) 48
FSOP • File-Stream Oriented Programing _IO_list_all _flags _IO_read_ptr … … … _IO_FILE *chain … … vtable _flags(“bar”) _IO_read_ptr … … … _IO_FILE *chain … … vtable _flags(“sh”) _IO_read_ptr … … … _IO_FILE *chain … … vtablefake_vtable fake_vtable2 system system system … … foo foo foo … … fp = fp->chain 49
FSOP • File-Stream Oriented Programing _IO_list_all _flags _IO_read_ptr … … … _IO_FILE *chain … … vtable _flags(“bar”) _IO_read_ptr … … … _IO_FILE *chain … … vtable _flags(“sh”) _IO_read_ptr … … … _IO_FILE *chain … … vtablefake_vtable fake_vtable2 system system system … … foo foo foo … … call system(_flags) 50
FSOP • File-Stream Oriented Programing _IO_list_all _flags _IO_read_ptr … … … _IO_FILE *chain … … vtable _flags(“bar”) _IO_read_ptr … … … _IO_FILE *chain … … vtable _flags(“sh”) _IO_read_ptr … … … _IO_FILE *chain … … vtablefake_vtable fake_vtable2 system system system … … foo foo foo … … call system(_flags) GET SHELL !! 51
Agenda • Introduction • File stream • Overview the FILE structure • Exploitation of FILE structure • FSOP • Vtable verification in FILE structure • Make FILE structure great again • Conclusion 52
Vtable verification • Unfortunately, there are a virtual function table in latest libc • Check the address of vtable before all virtual function call • If vtable is invalid, it would abort 53
Vtable verification • Vtable verification in File • The vtable must be in libc _IO_vtable section • If it’s not in _IO_vtable section, it will check if the vtable are permitted 54
• _IO_vtable_check • Check the foreign vtables Vtable verification 55 For overriding For share library
Vtable verification • Bypass ? • Overwrite IO_accept_foreign_vtables ? • It’s very difficult because of the pointer guard 56 Demangle with pointer guard
Vtable verification • Bypass ? • Overwrite _dl_open_hook ? • Sounds good, but if you can control the value, you can also control other good target 57
Vtable verification • Summary of the vtable verification • It very hard to bypass it. • Exploitation of FILE structure is died ? 58
Agenda • Introduction • File stream • Overview the FILE structure • Exploitation of FILE structure • FSOP • Vtable verification in FILE structure • Make FILE structure great again • Conclusion 59
Make FILE structure great again • How about change the target from vtable to other element ? • Stream Buffer & File Descriptor 60
Make FILE structure great again • If we can overwrite the FILE structure and use fread and fwrite with the FILE structure • We can • Arbitrary memory reading • Arbitrary memory writing 61
Make FILE structure great again • Arbitrary memory reading • fwrite • Set the _fileno to the file descriptor of stdout • Set _flag & ~_IO_NO_WRITES • Set _flag |= _IO_CURRENTLY_PUTTING • Set the write_base & write_ptr to memory address which you want to read • _IO_read_end equal to _IO_write_base 62
Make FILE structure great again • Arbitrary memory reading • Set _flag &~ _IO_NO_WRITES • Set _flag |= _IO_CURRENTLY_PUTTING 63 Our goal It will adjust the stream buffer A piece of code in fwrite
Make FILE structure great again • Arbitrary memory reading • Let _IO_read_end equal to _IO_write_base • If it’s not, it would adjust to the current offset. 64 It will adjust the stream buffer Our goal
Make FILE structure great again • Arbitrary memory reading • Sample code 65
Make FILE structure great again • Arbitrary memory writing • fread • Set the _fileno to file descriptor of stdin • Set _flag &~ _IO_NO_READS • Set read_base & read_ptr to NULL • Set the buf_base & buf_end to memory address which you want to wirte • buf_end - buf_base < size of fread 66
Make FILE structure great again • Arbitrary memory writing • Set read_base & read_ptr to NULL 67 It will copy data from buffer to destination Buffer size must be smaller than read size
Make FILE structure great again • Arbitrary memory writing • Set _flag &~ _IO_NO_READS 68 Our goal
Make FILE structure great again • Arbitrary memory writing • Sample code 69
Make FILE structure great again • If you have arbitrary memory address read and write, you can control the flow very easy • GOT hijack • __malloc_hook_/__free_hook_/__realloc_hook_ • … • By the way, you can not only use fread and fwrite but also use any stdio related function 70
Make FILE structure great again • If we don’t have any file operation in the program • We can use stdin/stdout/stderr • put/printf/scanf • … 71
Make FILE structure great again • Scenario • Use any stdin related function • scanf/fgets/gets … • Stdin is unbuffer • Very common in normal stdio program 72 … _IO_buf_base _IO_buf_end … _short_buf … stdin buffer stdin
Make FILE structure great again • Overwrite buf_end with a pointer behind the stdin • Unsorted bin attack • Very common in heap exploitation 73 … _IO_buf_base _IO_buf_end … _short_buf … stdin buffer stdin
Make FILE structure great again • Overwrite buf_end with a pointer behind the stdin • Unsorted bin attack • Very common in heap exploitation 74 … _IO_buf_base Unsorted bin … _short_buf … vtable … stdin stdin buffer … main_arena malloc_hook
Make FILE structure great again • Stdin related function • scanf(“%d”,&var) • It will call • read(0,buf_base,sizeof(stdin buffer)) 75 … _IO_buf_base Unsorted bin … _short_buf … vtable … stdin stdin buffer … main_arena malloc_hook
Make FILE structure great again • Stdin related function • scanf(“%d”,&var) • It will call • read(0,buf_base,sizeof(stdin buffer)) • It can overwrite many global variable in glibc • Input: aaaa……. 76 … _IO_buf_base Unsorted bin … aaaaaaaa … aaaaaaaa … stdin stdin buffer … main_arena aaaaaaaa
Make FILE structure great again • Stdin related function • scanf(“%d”,&var) • It will call • read(0,buf_base,sizeof(stdin buffer)) • It can overwrite many global variable in glibc • Input: aaaa……. 77 … _IO_buf_base aaaaaaaa … aaaaaaaa … aaaaaaaa … stdin stdin buffer … main_arena aaaaaaaa Control PC again !
Make FILE structure great again • How about Windows ? • No vtable in FILE • It also has stream buffer pointer • You can corrupt it to achieve arbitrary memory read and write 78
Agenda • Introduction • File stream • Overview the FILE structure • Exploitation of FILE structure • FSOP • Vtable verification in FILE structure • Make FILE structure great again • Conclusion 79
Conclusion • FILE structure is a good target for binary exploit • It can be used to • Arbitrary memory read and write • Control the PC and do oriented programing • Other exploit technology • Arbitrary free/unmmap • … 80
Conclusion • FILE structure is a good target for binary Exploit • It’s very powerful in some unexploitable case • Let’s try to find more and more exploit technology in FILE structure 81 Mail : angelboy@chroot.org Blog : blog.angelboy.tw Twitter : scwuaptx
1 of 81

Play with FILE Structure - Yet Another Binary Exploit Technique

Download to read offline
Technology

Play with FILE Structure - Yet Another Binary Exploit Technique

A
Angel Boy

Recommended

Pwning in c++ (basic) by
Pwning in c++ (basic)Pwning in c++ (basic)
Pwning in c++ (basic)Angel Boy
30.6K views83 slides
Linux Binary Exploitation - Return-oritend Programing by
Linux Binary Exploitation - Return-oritend ProgramingLinux Binary Exploitation - Return-oritend Programing
Linux Binary Exploitation - Return-oritend ProgramingAngel Boy
2.6K views91 slides
Advanced heap exploitaion by
Advanced heap exploitaionAdvanced heap exploitaion
Advanced heap exploitaionAngel Boy
27.1K views55 slides
Binary exploitation - AIS3 by
Binary exploitation - AIS3Binary exploitation - AIS3
Binary exploitation - AIS3Angel Boy
7.3K views235 slides
Return to dlresolve by
Return to dlresolveReturn to dlresolve
Return to dlresolveAngel Boy
17.8K views41 slides
Sigreturn Oriented Programming by
Sigreturn Oriented ProgrammingSigreturn Oriented Programming
Sigreturn Oriented ProgrammingAngel Boy
26.4K views34 slides

More Related Content

What's hot

Windows 10 Nt Heap Exploitation (Chinese version) by
Windows 10 Nt Heap Exploitation (Chinese version)Windows 10 Nt Heap Exploitation (Chinese version)
Windows 10 Nt Heap Exploitation (Chinese version)Angel Boy
7.8K views189 slides
Linux Binary Exploitation - Stack buffer overflow by
Linux Binary Exploitation - Stack buffer overflowLinux Binary Exploitation - Stack buffer overflow
Linux Binary Exploitation - Stack buffer overflowAngel Boy
2.6K views92 slides
A whirlwind tour of the LLVM optimizer by
A whirlwind tour of the LLVM optimizerA whirlwind tour of the LLVM optimizer
A whirlwind tour of the LLVM optimizerNikita Popov
7.4K views109 slides
Reliable Windows Heap Exploits by
Reliable Windows Heap ExploitsReliable Windows Heap Exploits
Reliable Windows Heap Exploitsamiable_indian
3.3K views81 slides
ROP 輕鬆談 by
ROP 輕鬆談ROP 輕鬆談
ROP 輕鬆談hackstuff
26K views82 slides
Tcache Exploitation by
Tcache ExploitationTcache Exploitation
Tcache ExploitationAngel Boy
2.8K views63 slides

What's hot(20)

Windows 10 Nt Heap Exploitation (Chinese version) by Angel Boy
Windows 10 Nt Heap Exploitation (Chinese version)Windows 10 Nt Heap Exploitation (Chinese version)
Windows 10 Nt Heap Exploitation (Chinese version)
Angel Boy7.8K views
Linux Binary Exploitation - Stack buffer overflow by Angel Boy
Linux Binary Exploitation - Stack buffer overflowLinux Binary Exploitation - Stack buffer overflow
Linux Binary Exploitation - Stack buffer overflow
Angel Boy2.6K views
A whirlwind tour of the LLVM optimizer by Nikita Popov
A whirlwind tour of the LLVM optimizerA whirlwind tour of the LLVM optimizer
A whirlwind tour of the LLVM optimizer
Nikita Popov7.4K views
Reliable Windows Heap Exploits by amiable_indian
Reliable Windows Heap ExploitsReliable Windows Heap Exploits
Reliable Windows Heap Exploits
amiable_indian3.3K views
ROP 輕鬆談 by hackstuff
ROP 輕鬆談ROP 輕鬆談
ROP 輕鬆談
hackstuff26K views
Tcache Exploitation by Angel Boy
Tcache ExploitationTcache Exploitation
Tcache Exploitation
Angel Boy2.8K views
Glibc malloc internal by Motohiro KOSAKI
Glibc malloc internalGlibc malloc internal
Glibc malloc internal
Motohiro KOSAKI62.1K views
ret2dl resolve by sounakano
ret2dl resolveret2dl resolve
ret2dl resolve
sounakano585 views
Linux binary Exploitation - Basic knowledge by Angel Boy
Linux binary Exploitation - Basic knowledgeLinux binary Exploitation - Basic knowledge
Linux binary Exploitation - Basic knowledge
Angel Boy3K views
MacOS memory allocator (libmalloc) Exploitation by Angel Boy
MacOS memory allocator (libmalloc) ExploitationMacOS memory allocator (libmalloc) Exploitation
MacOS memory allocator (libmalloc) Exploitation
Angel Boy4.6K views
Linux SMEP bypass techniques by Vitaly Nikolenko
Linux SMEP bypass techniquesLinux SMEP bypass techniques
Linux SMEP bypass techniques
Vitaly Nikolenko4.7K views
Linux BPF Superpowers by Brendan Gregg
Linux BPF SuperpowersLinux BPF Superpowers
Linux BPF Superpowers
Brendan Gregg422.9K views
ELFの動的リンク by 7shi
ELFの動的リンクELFの動的リンク
ELFの動的リンク
7shi 18K views
Execution by Angel Boy
ExecutionExecution
Execution
Angel Boy25.6K views
BPF - in-kernel virtual machine by Alexei Starovoitov
BPF - in-kernel virtual machineBPF - in-kernel virtual machine
BPF - in-kernel virtual machine
Alexei Starovoitov11.7K views
台科逆向簡報 by 耀德 蔡
台科逆向簡報台科逆向簡報
台科逆向簡報
耀德 蔡5.4K views
BPF Internals (eBPF) by Brendan Gregg
BPF Internals (eBPF)BPF Internals (eBPF)
BPF Internals (eBPF)
Brendan Gregg15.3K views
Stack pivot by sounakano
Stack pivotStack pivot
Stack pivot
sounakano494 views
CSW2017 Peng qiu+shefang-zhong win32k -dark_composition_finnal_finnal_rm_mark by CanSecWest
CSW2017 Peng qiu+shefang-zhong win32k -dark_composition_finnal_finnal_rm_markCSW2017 Peng qiu+shefang-zhong win32k -dark_composition_finnal_finnal_rm_mark
CSW2017 Peng qiu+shefang-zhong win32k -dark_composition_finnal_finnal_rm_mark
CanSecWest4.1K views
The Linux Block Layer - Built for Fast Storage by Kernel TLV
The Linux Block Layer - Built for Fast StorageThe Linux Block Layer - Built for Fast Storage
The Linux Block Layer - Built for Fast Storage
Kernel TLV4.3K views

Viewers also liked

Heap exploitation by
Heap exploitationHeap exploitation
Heap exploitationAngel Boy
35.2K views100 slides
Klee and angr by
Klee and angrKlee and angr
Klee and angrWei-Bo Chen
4.5K views52 slides
滲透測試基本技巧與經驗分享 by
滲透測試基本技巧與經驗分享滲透測試基本技巧與經驗分享
滲透測試基本技巧與經驗分享WEI CHIEH CHAO
4K views59 slides
2016.9.10 hackfoldr課 by
2016.9.10 hackfoldr課2016.9.10 hackfoldr課
2016.9.10 hackfoldr課佩琪 羅
2.2K views48 slides
Bug hunting through_reverse_engineering by
Bug hunting through_reverse_engineeringBug hunting through_reverse_engineering
Bug hunting through_reverse_engineeringarif
568 views43 slides
SECCON 2016 Online CTF [Memory Analysis] Write-Up (ver.korean) by
SECCON 2016 Online CTF [Memory Analysis] Write-Up (ver.korean)SECCON 2016 Online CTF [Memory Analysis] Write-Up (ver.korean)
SECCON 2016 Online CTF [Memory Analysis] Write-Up (ver.korean)Sehan Lee
1.7K views11 slides

Viewers also liked(14)

Heap exploitation by Angel Boy
Heap exploitationHeap exploitation
Heap exploitation
Angel Boy35.2K views
Klee and angr by Wei-Bo Chen
Klee and angrKlee and angr
Klee and angr
Wei-Bo Chen4.5K views
滲透測試基本技巧與經驗分享 by WEI CHIEH CHAO
滲透測試基本技巧與經驗分享滲透測試基本技巧與經驗分享
滲透測試基本技巧與經驗分享
WEI CHIEH CHAO4K views
2016.9.10 hackfoldr課 by 佩琪 羅
2016.9.10 hackfoldr課2016.9.10 hackfoldr課
2016.9.10 hackfoldr課
佩琪 羅2.2K views
Bug hunting through_reverse_engineering by arif
Bug hunting through_reverse_engineeringBug hunting through_reverse_engineering
Bug hunting through_reverse_engineering
arif568 views
SECCON 2016 Online CTF [Memory Analysis] Write-Up (ver.korean) by Sehan Lee
SECCON 2016 Online CTF [Memory Analysis] Write-Up (ver.korean)SECCON 2016 Online CTF [Memory Analysis] Write-Up (ver.korean)
SECCON 2016 Online CTF [Memory Analysis] Write-Up (ver.korean)
Sehan Lee1.7K views
Reverse engineering by Syed Zillay Ali
Reverse engineeringReverse engineering
Reverse engineering
Syed Zillay Ali6.1K views
Introduction to Reverse Engineering by Dobromir Enchev
Introduction to Reverse EngineeringIntroduction to Reverse Engineering
Introduction to Reverse Engineering
Dobromir Enchev4.6K views
Reverse engineering by Yuffie Valen
Reverse engineeringReverse engineering
Reverse engineering
Yuffie Valen7.7K views
Introduction to Reverse Engineering by Gopinath Chintala
Introduction to Reverse EngineeringIntroduction to Reverse Engineering
Introduction to Reverse Engineering
Gopinath Chintala7.2K views
Reverse Engineering by dswanson
Reverse EngineeringReverse Engineering
Reverse Engineering
dswanson13.2K views
Reverse engineering & its application by mapqrs
Reverse engineering & its applicationReverse engineering & its application
Reverse engineering & its application
mapqrs37.1K views
Reverse engineering by ananya0122
Reverse engineeringReverse engineering
Reverse engineering
ananya012236.1K views
AI and Machine Learning Demystified by Carol Smith at Midwest UX 2017 by Carol Smith
AI and Machine Learning Demystified by Carol Smith at Midwest UX 2017AI and Machine Learning Demystified by Carol Smith at Midwest UX 2017
AI and Machine Learning Demystified by Carol Smith at Midwest UX 2017
Carol Smith4.9M views

Similar to Play with FILE Structure - Yet Another Binary Exploit Technique

Systems Programming - File IO by
Systems Programming - File IOSystems Programming - File IO
Systems Programming - File IOHelpWithAssignment.com
248 views36 slides
File Handling in C .pptx by
File Handling in C .pptxFile Handling in C .pptx
File Handling in C .pptxAyshwarya Baburam
11 views22 slides
File management by
File managementFile management
File managementsumathiv9
109 views12 slides
NiFi Developer Guide by
NiFi Developer GuideNiFi Developer Guide
NiFi Developer GuideDeon Huang
710 views44 slides
06 file processing by
06 file processing06 file processing
06 file processingIssay Meii
1K views44 slides
Speed up large-scale ML/DL offline inference job with Alluxio by
Speed up large-scale ML/DL offline inference job with AlluxioSpeed up large-scale ML/DL offline inference job with Alluxio
Speed up large-scale ML/DL offline inference job with AlluxioAlluxio, Inc.
229 views14 slides

Similar to Play with FILE Structure - Yet Another Binary Exploit Technique(20)

Systems Programming - File IO by HelpWithAssignment.com
Systems Programming - File IOSystems Programming - File IO
Systems Programming - File IO
HelpWithAssignment.com248 views
File Handling in C .pptx by Ayshwarya Baburam
File Handling in C .pptxFile Handling in C .pptx
File Handling in C .pptx
Ayshwarya Baburam11 views
File management by sumathiv9
File managementFile management
File management
sumathiv9109 views
NiFi Developer Guide by Deon Huang
NiFi Developer GuideNiFi Developer Guide
NiFi Developer Guide
Deon Huang710 views
06 file processing by Issay Meii
06 file processing06 file processing
06 file processing
Issay Meii1K views
Speed up large-scale ML/DL offline inference job with Alluxio by Alluxio, Inc.
Speed up large-scale ML/DL offline inference job with AlluxioSpeed up large-scale ML/DL offline inference job with Alluxio
Speed up large-scale ML/DL offline inference job with Alluxio
Alluxio, Inc.229 views
Linux System Programming - Buffered I/O by YourHelper1
Linux System Programming - Buffered I/O Linux System Programming - Buffered I/O
Linux System Programming - Buffered I/O
YourHelper1143 views
Under The Hood of Pluggable Databases by Alex Gorbachev, Pythian, Oracle OpeW... by Alex Gorbachev
Under The Hood of Pluggable Databases by Alex Gorbachev, Pythian, Oracle OpeW...Under The Hood of Pluggable Databases by Alex Gorbachev, Pythian, Oracle OpeW...
Under The Hood of Pluggable Databases by Alex Gorbachev, Pythian, Oracle OpeW...
Alex Gorbachev3.9K views
File mangement by Jigarthacker
File mangementFile mangement
File mangement
Jigarthacker613 views
Open Source LinkedIn Analytics Pipeline - BOSS 2016 (VLDB) by Issac Buenrostro
Open Source LinkedIn Analytics Pipeline - BOSS 2016 (VLDB)Open Source LinkedIn Analytics Pipeline - BOSS 2016 (VLDB)
Open Source LinkedIn Analytics Pipeline - BOSS 2016 (VLDB)
Issac Buenrostro16.9K views
Vorontsov, golovko ssrf attacks and sockets. smorgasbord of vulnerabilities by DefconRussia
Vorontsov, golovko ssrf attacks and sockets. smorgasbord of vulnerabilitiesVorontsov, golovko ssrf attacks and sockets. smorgasbord of vulnerabilities
Vorontsov, golovko ssrf attacks and sockets. smorgasbord of vulnerabilities
DefconRussia2.9K views
Unix cmc by Oussama BENNANI
Unix cmcUnix cmc
Unix cmc
Oussama BENNANI226 views
NiFi - First approach by Mickael Cassy
NiFi - First approachNiFi - First approach
NiFi - First approach
Mickael Cassy212 views
Linux System Programming - File I/O by YourHelper1
Linux System Programming - File I/O Linux System Programming - File I/O
Linux System Programming - File I/O
YourHelper1175 views
Linux operating system by Quontra Solutions by QUONTRASOLUTIONS
Linux operating system by Quontra SolutionsLinux operating system by Quontra Solutions
Linux operating system by Quontra Solutions
QUONTRASOLUTIONS626 views
Still All on One Server: Perforce at Scale by Perforce
Still All on One Server: Perforce at Scale Still All on One Server: Perforce at Scale
Still All on One Server: Perforce at Scale
Perforce1.5K views
Upgrade von TYPO3 4.5 auf 6.2 - CertiFUNcation Phantasialand 2015 by Wolfgang Wagner
Upgrade von TYPO3 4.5 auf 6.2 - CertiFUNcation Phantasialand 2015Upgrade von TYPO3 4.5 auf 6.2 - CertiFUNcation Phantasialand 2015
Upgrade von TYPO3 4.5 auf 6.2 - CertiFUNcation Phantasialand 2015
Wolfgang Wagner1.2K views
AHUG Presentation: Fun with Hadoop File Systems by Infochimps, a CSC Big Data Business
AHUG Presentation: Fun with Hadoop File SystemsAHUG Presentation: Fun with Hadoop File Systems
AHUG Presentation: Fun with Hadoop File Systems
Infochimps, a CSC Big Data Business1.6K views
Filehadnling by Khushal Mehta
FilehadnlingFilehadnling
Filehadnling
Khushal Mehta180 views
Eric Steele – World Plone Day 2010 – Plone 4 Overview by Eric Steele
Eric Steele – World Plone Day 2010 – Plone 4 OverviewEric Steele – World Plone Day 2010 – Plone 4 Overview
Eric Steele – World Plone Day 2010 – Plone 4 Overview
Eric Steele919 views

Recently uploaded

ESPC 2023 - Protect and Govern your Sensitive Data with Microsoft Purview in ... by
ESPC 2023 - Protect and Govern your Sensitive Data with Microsoft Purview in ...ESPC 2023 - Protect and Govern your Sensitive Data with Microsoft Purview in ...
ESPC 2023 - Protect and Govern your Sensitive Data with Microsoft Purview in ...Jasper Oosterveld
27 views49 slides
KVM Security Groups Under the Hood - Wido den Hollander - Your.Online by
KVM Security Groups Under the Hood - Wido den Hollander - Your.OnlineKVM Security Groups Under the Hood - Wido den Hollander - Your.Online
KVM Security Groups Under the Hood - Wido den Hollander - Your.OnlineShapeBlue
75 views19 slides
Backup and Disaster Recovery with CloudStack and StorPool - Workshop - Venko ... by
Backup and Disaster Recovery with CloudStack and StorPool - Workshop - Venko ...Backup and Disaster Recovery with CloudStack and StorPool - Workshop - Venko ...
Backup and Disaster Recovery with CloudStack and StorPool - Workshop - Venko ...ShapeBlue
55 views12 slides
Migrating VMware Infra to KVM Using CloudStack - Nicolas Vazquez - ShapeBlue by
Migrating VMware Infra to KVM Using CloudStack - Nicolas Vazquez - ShapeBlueMigrating VMware Infra to KVM Using CloudStack - Nicolas Vazquez - ShapeBlue
Migrating VMware Infra to KVM Using CloudStack - Nicolas Vazquez - ShapeBlueShapeBlue
71 views20 slides
"Surviving highload with Node.js", Andrii Shumada by
"Surviving highload with Node.js", Andrii Shumada "Surviving highload with Node.js", Andrii Shumada
"Surviving highload with Node.js", Andrii Shumada Fwdays
33 views29 slides
Business Analyst Series 2023 - Week 3 Session 5 by
Business Analyst Series 2023 - Week 3 Session 5Business Analyst Series 2023 - Week 3 Session 5
Business Analyst Series 2023 - Week 3 Session 5DianaGray10
345 views20 slides

Recently uploaded(20)

ESPC 2023 - Protect and Govern your Sensitive Data with Microsoft Purview in ... by Jasper Oosterveld
ESPC 2023 - Protect and Govern your Sensitive Data with Microsoft Purview in ...ESPC 2023 - Protect and Govern your Sensitive Data with Microsoft Purview in ...
ESPC 2023 - Protect and Govern your Sensitive Data with Microsoft Purview in ...
Jasper Oosterveld27 views
KVM Security Groups Under the Hood - Wido den Hollander - Your.Online by ShapeBlue
KVM Security Groups Under the Hood - Wido den Hollander - Your.OnlineKVM Security Groups Under the Hood - Wido den Hollander - Your.Online
KVM Security Groups Under the Hood - Wido den Hollander - Your.Online
ShapeBlue75 views
Backup and Disaster Recovery with CloudStack and StorPool - Workshop - Venko ... by ShapeBlue
Backup and Disaster Recovery with CloudStack and StorPool - Workshop - Venko ...Backup and Disaster Recovery with CloudStack and StorPool - Workshop - Venko ...
Backup and Disaster Recovery with CloudStack and StorPool - Workshop - Venko ...
ShapeBlue55 views
Migrating VMware Infra to KVM Using CloudStack - Nicolas Vazquez - ShapeBlue by ShapeBlue
Migrating VMware Infra to KVM Using CloudStack - Nicolas Vazquez - ShapeBlueMigrating VMware Infra to KVM Using CloudStack - Nicolas Vazquez - ShapeBlue
Migrating VMware Infra to KVM Using CloudStack - Nicolas Vazquez - ShapeBlue
ShapeBlue71 views
"Surviving highload with Node.js", Andrii Shumada by Fwdays
"Surviving highload with Node.js", Andrii Shumada "Surviving highload with Node.js", Andrii Shumada
"Surviving highload with Node.js", Andrii Shumada
Fwdays33 views
Business Analyst Series 2023 - Week 3 Session 5 by DianaGray10
Business Analyst Series 2023 - Week 3 Session 5Business Analyst Series 2023 - Week 3 Session 5
Business Analyst Series 2023 - Week 3 Session 5
DianaGray10345 views
iSAQB Software Architecture Gathering 2023: How Process Orchestration Increas... by Bernd Ruecker
iSAQB Software Architecture Gathering 2023: How Process Orchestration Increas...iSAQB Software Architecture Gathering 2023: How Process Orchestration Increas...
iSAQB Software Architecture Gathering 2023: How Process Orchestration Increas...
Bernd Ruecker48 views
VNF Integration and Support in CloudStack - Wei Zhou - ShapeBlue by ShapeBlue
VNF Integration and Support in CloudStack - Wei Zhou - ShapeBlueVNF Integration and Support in CloudStack - Wei Zhou - ShapeBlue
VNF Integration and Support in CloudStack - Wei Zhou - ShapeBlue
ShapeBlue62 views
【USB韌體設計課程】精選講義節錄-USB的列舉過程_艾鍗學院 by IttrainingIttraining
【USB韌體設計課程】精選講義節錄-USB的列舉過程_艾鍗學院【USB韌體設計課程】精選講義節錄-USB的列舉過程_艾鍗學院
【USB韌體設計課程】精選講義節錄-USB的列舉過程_艾鍗學院
IttrainingIttraining69 views
Network Source of Truth and Infrastructure as Code revisited by Network Automation Forum
Network Source of Truth and Infrastructure as Code revisitedNetwork Source of Truth and Infrastructure as Code revisited
Network Source of Truth and Infrastructure as Code revisited
Network Automation Forum32 views
Setting Up Your First CloudStack Environment with Beginners Challenges - MD R... by ShapeBlue
Setting Up Your First CloudStack Environment with Beginners Challenges - MD R...Setting Up Your First CloudStack Environment with Beginners Challenges - MD R...
Setting Up Your First CloudStack Environment with Beginners Challenges - MD R...
ShapeBlue37 views
Kyo - Functional Scala 2023.pdf by Flavio W. Brasil
Kyo - Functional Scala 2023.pdfKyo - Functional Scala 2023.pdf
Kyo - Functional Scala 2023.pdf
Flavio W. Brasil418 views
Ransomware is Knocking your Door_Final.pdf by Security Bootcamp
Ransomware is Knocking your Door_Final.pdfRansomware is Knocking your Door_Final.pdf
Ransomware is Knocking your Door_Final.pdf
Security Bootcamp66 views
Scaling Knowledge Graph Architectures with AI by Enterprise Knowledge
Scaling Knowledge Graph Architectures with AIScaling Knowledge Graph Architectures with AI
Scaling Knowledge Graph Architectures with AI
Enterprise Knowledge50 views
Don’t Make A Human Do A Robot’s Job! : 6 Reasons Why AI Will Save Us & Not De... by Moses Kemibaro
Don’t Make A Human Do A Robot’s Job! : 6 Reasons Why AI Will Save Us & Not De...Don’t Make A Human Do A Robot’s Job! : 6 Reasons Why AI Will Save Us & Not De...
Don’t Make A Human Do A Robot’s Job! : 6 Reasons Why AI Will Save Us & Not De...
Moses Kemibaro27 views
Transitioning from VMware vCloud to Apache CloudStack: A Path to Profitabilit... by ShapeBlue
Transitioning from VMware vCloud to Apache CloudStack: A Path to Profitabilit...Transitioning from VMware vCloud to Apache CloudStack: A Path to Profitabilit...
Transitioning from VMware vCloud to Apache CloudStack: A Path to Profitabilit...
ShapeBlue40 views
DRaaS using Snapshot copy and destination selection (DRaaS) - Alexandre Matti... by ShapeBlue
DRaaS using Snapshot copy and destination selection (DRaaS) - Alexandre Matti...DRaaS using Snapshot copy and destination selection (DRaaS) - Alexandre Matti...
DRaaS using Snapshot copy and destination selection (DRaaS) - Alexandre Matti...
ShapeBlue26 views
Uni Systems for Power Platform.pptx by Uni Systems S.M.S.A.
Uni Systems for Power Platform.pptxUni Systems for Power Platform.pptx
Uni Systems for Power Platform.pptx
Uni Systems S.M.S.A.58 views
Elevating Privacy and Security in CloudStack - Boris Stoyanov - ShapeBlue by ShapeBlue
Elevating Privacy and Security in CloudStack - Boris Stoyanov - ShapeBlueElevating Privacy and Security in CloudStack - Boris Stoyanov - ShapeBlue
Elevating Privacy and Security in CloudStack - Boris Stoyanov - ShapeBlue
ShapeBlue70 views
GDG Cloud Southlake 28 Brad Taylor and Shawn Augenstein Old Problems in the N... by James Anderson
GDG Cloud Southlake 28 Brad Taylor and Shawn Augenstein Old Problems in the N...GDG Cloud Southlake 28 Brad Taylor and Shawn Augenstein Old Problems in the N...
GDG Cloud Southlake 28 Brad Taylor and Shawn Augenstein Old Problems in the N...
James Anderson126 views

Play with FILE Structure - Yet Another Binary Exploit Technique

  • 1. Play with FILE Structure Yet Another Binary Exploit Technique angelboy@chroot.org 1
  • 2. About me • Angelboy • CTF player • WCTF / Boston Key Party 1st • DEFCON / HITB 2nd • Chroot / HITCON / 217 • Blog • blog.angelboy.tw 2
  • 3. Agenda • Introduction • File stream • Overview the FILE structure • Exploitation of FILE structure • FSOP • Vtable verification in FILE structure • Make FILE structure great again • Conclusion 3
  • 4. Agenda • Introduction • File stream • Overview the FILE structure • Exploitation of FILE structure • FSOP • Vtable verification in FILE structure • Make FILE structure great again • Conclusion 4
  • 5. Introduction • What happen when we use a raw io function read/write Kernel Buffer User space Kernel space Disk 5
  • 6. Introduction • What happen when we use a raw io function read/write Kernel Buffer User space Kernel space Disk Reduce the number of HD I/O 6
  • 7. Introduction • What is File stream • A higher-level interface on the primitive file descriptor facilities • Stream buffering • Portable and High performance • What is FILE structure • A File stream descriptor • Created by fopen 7
  • 8. Introduction • What happen when we use stdio function read/write Kernel Buffer User space Kernel space Disk stdio Buffer fread/fwrite 8
  • 9. Introduction • What happen when we use stdio function read/write Kernel Buffer User space Kernel space Disk stdio Buffer fread/fwrite Reduce the number of syscall 9
  • 10. Agenda • Introduction • File stream • Overview the FILE structure • Exploitation of FILE structure • FSOP • Vtable verification in FILE structure • Make FILE structure great again • Conclusion 10
  • 11. Introduction • FILE structure • A complex structure • Flags • Stream buffer • File descriptor • FILE_plus • Virtual function table 11
  • 12. Introduction • FILE structure • Flags • Record the attribute of the File stream • Read only • Append • … 12
  • 13. Introduction • FILE structure • Stream buffer • Read buffer • Write buffer • Reserve buffer 13
  • 14. Introduction • FILE structure • _fileno • File descriptor • Return by sys_open 14
  • 15. Introduction • FILE structure • FILE plus • stdin/stdout/stderr • fopen also use it • Extra Virtual function table • Any operation on file is via vtable 15
  • 16. Introduction • FILE structure • FILE plus • stdin/stdout/stderr • fopen also use it • Extra Virtual function table • Any operation on file is via vtable 16
  • 17. Introduction • FILE structure • Every FILE associate with a _chain (linked list) 17 _IO_list_all _flag …… chain _flag …… chain _flag …… 0 stderr stdout stdin
  • 18. Introduction • fopen workflow • Allocate FILE structure • Initial the FILE structure • Link the FILE structure • open file 18 fopen malloc _IO_link_in sys_open _IO_new_file_init_internal _IO_new_file_open
  • 19. Introduction • fopen workflow • Allocate FILE structure _IO_list_all _flag …… chain …… vtable _flag …… chain …… vtable _flag …… 0 …… vtable stderr stdout stdin 19 malloc
  • 20. Introduction • fopen workflow • Initialize the FILE structure • Link the FILE structure _IO_list_all _flag …… chain …… vtable _flag …… chain …… vtable _flag …… 0 …… vtable stderr stdout stdin 0 …… 0 …… 0 fp 20 _IO_new_file_init_internal _IO_link_in
  • 21. Introduction • fopen workflow • Initial the FILE structure • Link the FILE structure _IO_list_all _flag …… chain …… vtable _flag …… chain …… vtable _flag …… 0 …… vtable stderr stdout stdin _flag …… chain …… vtable fp 21 _IO_link_in _IO_new_file_init_internal
  • 22. Introduction • fopen workflow • open file _IO_list_all _flag …… chain …… vtable _flag …… chain …… vtable _flag …… 0 …… vtable stderr stdout stdin _flag …… chain …… vtable fp 22 sys_open
  • 23. Introduction • fread workflow • If stream buffer is NULL • Allocate buffer • Read data to the stream buffer • Copy data from stream buffer to destination 23 fread vtable->_IO_file_xsgetn vtable->doallocate vtable->_IO_file_underflow sys_read
  • 24. Introduction • fread workflow • If stream buffer is NULL • Allocate buffer _flag read_ptr (0) read_end (0) …… buf_base (0) buf_end (0) …… vtable fp _IO_file_finish _IO_file_overflow … _IO_file_doallocate … … … _IO_default_imbue vtable 24 fread vtable->_IO_file_xsgetn vtable->doallocate
  • 25. Introduction • fread workflow • Read data to the stream buffer _flag read_ptr (0) read_end (0) …… 0x603010 0x604010 …… vtable fp stdio buffer 25 vtable->_IO_file_underflow sys_read
  • 26. Introduction • fread workflow • Copy data from stream buffer 
 to destination _flag 0x603010 0x604010 …… 0x603010 0x604010 …… vtable fp AAAA AAAA BBBB BBBB CCCC CCCC … … … ZZZZ stdio buffer Destination 26 vtable->_IO_file_xsgetn
  • 27. AAAA AAAA BBBB BBBB CCCC CCCC … … … ZZZZ Introduction • fread workflow • Copy data from stream buffer 
 to destination _flag 0x603040 0x604010 …… 0x603010 0x604010 …… vtable fp stdio buffer AAAAAAAA Copy to destination 27 vtable->_IO_file_xsgetn
  • 28. Introduction • fwrite workflow • If stream buffer is NULL • Allocate buffer • Copy user data to the stream buffer • If the stream buffer is filled or flush the stream • write data from stream buffer to the file 28 fwrite vtable->_IO_file_xsputn vtable->_IO_file_overflow vtable->doallocate sys_write
  • 29. Introduction • fclose workflow • Unlink the FILE structure • Flush & Release the stream buffer • Close the file • Release the FILE structure 29 fclose _IO_unlink_it _IO_new_file_close_it _IO_do_flush sys_close vtable—>_IO_file_finish free
  • 30. Agenda • Introduction • File stream • Overview the FILE structure • Exploitation of FILE structure • FSOP • Vtable verification in FILE structure • Make FILE structure great again • Conclusion 30
  • 31. Exploitation of FILE • There are a good target in FILE structure • Virtual Function Table 31
  • 32. • Let’s overwrite with buffer address Exploitation of FILE Buffer overflow Sample code payload Buffer address 32 //variable buf at 0x6009a0
  • 33. • Let’s overwrite with buffer address Exploitation of FILE 33 Buffer fp fp _flag read_ptr (0) read_end (0) …… vtable
  • 34. • Let’s overwrite with buffer address Exploitation of FILE 34 AAAAAAAA AAAAAAAA AAAAAAAA AAAAAAAA …… …… AAAAAAAA …… Buffer 0x6009a0 fp _flag read_ptr (0) read_end (0) …… vtable Buffer overflow
  • 35. Exploitation of FILE • Not call vtable directly… • RDX is our input
 but not call instruction 35
  • 36. Exploitation of FILE • Let’s see what happened in fclose • We can get information of segfault in gdb and located it in source code Segfault 36
  • 37. Exploitation of FILE • FILE structure • _lock • Prevent race condition in multithread • Very common in stdio related function • Usually need to construct it for Exploitation 37
  • 38. • Let’s fix the lock Exploitation of FILE Find a global buffer as our lock Fix our payload offset of _lock 38 0x100 bytes
  • 39. • We control PC ! Exploitation of FILE 39
  • 40. Exploitation of FILE • Another interesting • stdin/stdout/stderr is also a FILE structure in glibc • We can overwrite the global variable in glibc to control the flow 40 GLIBC SYMBOL TABLE Global offset
  • 41. Agenda • Introduction • File stream • Overview the FILE structure • Exploitation of FILE structure • FSOP • Vtable verification in FILE structure • Make FILE structure great again • Conclusion 41
  • 42. FSOP • File-Stream Oriented Programing • Control the linked list of File stream • _chain • _IO_list_all • Powerful function • _IO_flush_all_lockp 42
  • 43. FSOP • _IO_flush_all_lockp • fflush all file stream • When will call it • Glib abort routine • exit function • Main return 43 malloc_printerr _libc_message(error msg) abort _IO_flush_all_lockp JUMP_FIELD(_IO_overflow_t, __overflow) If the condition is satisfied Glibc abort routine
  • 44. FSOP • _IO_flush_all_lockp • It will process all FILE
 in FILE linked list • We can construct the
 linked list to do oriented
 programing 44 fp = _IO_list_all condition Trigger virtual funcition Point to next
  • 45. FSOP • File-Stream Oriented Programing _IO_list_all _flags _IO_read_ptr … … … _IO_FILE *chain … … vtable 45
  • 46. FSOP • File-Stream Oriented Programing _IO_list_all _flags _IO_read_ptr … … … _IO_FILE *chain … … vtable _flags(“bar”) _IO_read_ptr … … … _IO_FILE *chain … … vtable _flags(“sh”) _IO_read_ptr … … … _IO_FILE *chain … … vtablefake_vtable fake_vtable2 system system system … … foo foo foo … … Trigger abort() 46
  • 47. FSOP • File-Stream Oriented Programing _IO_list_all _flags _IO_read_ptr … … … _IO_FILE *chain … … vtable _flags(“bar”) _IO_read_ptr … … … _IO_FILE *chain … … vtable _flags(“sh”) _IO_read_ptr … … … _IO_FILE *chain … … vtablefake_vtable fake_vtable2 system system system … … foo foo foo … … call foo(_flags) 47
  • 48. FSOP • File-Stream Oriented Programing _IO_list_all _flags _IO_read_ptr … … … _IO_FILE *chain … … vtable _flags(“bar”) _IO_read_ptr … … … _IO_FILE *chain … … vtable _flags(“sh”) _IO_read_ptr … … … _IO_FILE *chain … … vtablefake_vtable fake_vtable2 system system system … … foo foo foo … … call foo(“bar”) 48
  • 49. FSOP • File-Stream Oriented Programing _IO_list_all _flags _IO_read_ptr … … … _IO_FILE *chain … … vtable _flags(“bar”) _IO_read_ptr … … … _IO_FILE *chain … … vtable _flags(“sh”) _IO_read_ptr … … … _IO_FILE *chain … … vtablefake_vtable fake_vtable2 system system system … … foo foo foo … … fp = fp->chain 49
  • 50. FSOP • File-Stream Oriented Programing _IO_list_all _flags _IO_read_ptr … … … _IO_FILE *chain … … vtable _flags(“bar”) _IO_read_ptr … … … _IO_FILE *chain … … vtable _flags(“sh”) _IO_read_ptr … … … _IO_FILE *chain … … vtablefake_vtable fake_vtable2 system system system … … foo foo foo … … call system(_flags) 50
  • 51. FSOP • File-Stream Oriented Programing _IO_list_all _flags _IO_read_ptr … … … _IO_FILE *chain … … vtable _flags(“bar”) _IO_read_ptr … … … _IO_FILE *chain … … vtable _flags(“sh”) _IO_read_ptr … … … _IO_FILE *chain … … vtablefake_vtable fake_vtable2 system system system … … foo foo foo … … call system(_flags) GET SHELL !! 51
  • 52. Agenda • Introduction • File stream • Overview the FILE structure • Exploitation of FILE structure • FSOP • Vtable verification in FILE structure • Make FILE structure great again • Conclusion 52
  • 53. Vtable verification • Unfortunately, there are a virtual function table in latest libc • Check the address of vtable before all virtual function call • If vtable is invalid, it would abort 53
  • 54. Vtable verification • Vtable verification in File • The vtable must be in libc _IO_vtable section • If it’s not in _IO_vtable section, it will check if the vtable are permitted 54
  • 55. • _IO_vtable_check • Check the foreign vtables Vtable verification 55 For overriding For share library
  • 56. Vtable verification • Bypass ? • Overwrite IO_accept_foreign_vtables ? • It’s very difficult because of the pointer guard 56 Demangle with pointer guard
  • 57. Vtable verification • Bypass ? • Overwrite _dl_open_hook ? • Sounds good, but if you can control the value, you can also control other good target 57
  • 58. Vtable verification • Summary of the vtable verification • It very hard to bypass it. • Exploitation of FILE structure is died ? 58
  • 59. Agenda • Introduction • File stream • Overview the FILE structure • Exploitation of FILE structure • FSOP • Vtable verification in FILE structure • Make FILE structure great again • Conclusion 59
  • 60. Make FILE structure great again • How about change the target from vtable to other element ? • Stream Buffer & File Descriptor 60
  • 61. Make FILE structure great again • If we can overwrite the FILE structure and use fread and fwrite with the FILE structure • We can • Arbitrary memory reading • Arbitrary memory writing 61
  • 62. Make FILE structure great again • Arbitrary memory reading • fwrite • Set the _fileno to the file descriptor of stdout • Set _flag & ~_IO_NO_WRITES • Set _flag |= _IO_CURRENTLY_PUTTING • Set the write_base & write_ptr to memory address which you want to read • _IO_read_end equal to _IO_write_base 62
  • 63. Make FILE structure great again • Arbitrary memory reading • Set _flag &~ _IO_NO_WRITES • Set _flag |= _IO_CURRENTLY_PUTTING 63 Our goal It will adjust the stream buffer A piece of code in fwrite
  • 64. Make FILE structure great again • Arbitrary memory reading • Let _IO_read_end equal to _IO_write_base • If it’s not, it would adjust to the current offset. 64 It will adjust the stream buffer Our goal
  • 65. Make FILE structure great again • Arbitrary memory reading • Sample code 65
  • 66. Make FILE structure great again • Arbitrary memory writing • fread • Set the _fileno to file descriptor of stdin • Set _flag &~ _IO_NO_READS • Set read_base & read_ptr to NULL • Set the buf_base & buf_end to memory address which you want to wirte • buf_end - buf_base < size of fread 66
  • 67. Make FILE structure great again • Arbitrary memory writing • Set read_base & read_ptr to NULL 67 It will copy data from buffer to destination Buffer size must be smaller than read size
  • 68. Make FILE structure great again • Arbitrary memory writing • Set _flag &~ _IO_NO_READS 68 Our goal
  • 69. Make FILE structure great again • Arbitrary memory writing • Sample code 69
  • 70. Make FILE structure great again • If you have arbitrary memory address read and write, you can control the flow very easy • GOT hijack • __malloc_hook_/__free_hook_/__realloc_hook_ • … • By the way, you can not only use fread and fwrite but also use any stdio related function 70
  • 71. Make FILE structure great again • If we don’t have any file operation in the program • We can use stdin/stdout/stderr • put/printf/scanf • … 71
  • 72. Make FILE structure great again • Scenario • Use any stdin related function • scanf/fgets/gets … • Stdin is unbuffer • Very common in normal stdio program 72 … _IO_buf_base _IO_buf_end … _short_buf … stdin buffer stdin
  • 73. Make FILE structure great again • Overwrite buf_end with a pointer behind the stdin • Unsorted bin attack • Very common in heap exploitation 73 … _IO_buf_base _IO_buf_end … _short_buf … stdin buffer stdin
  • 74. Make FILE structure great again • Overwrite buf_end with a pointer behind the stdin • Unsorted bin attack • Very common in heap exploitation 74 … _IO_buf_base Unsorted bin … _short_buf … vtable … stdin stdin buffer … main_arena malloc_hook
  • 75. Make FILE structure great again • Stdin related function • scanf(“%d”,&var) • It will call • read(0,buf_base,sizeof(stdin buffer)) 75 … _IO_buf_base Unsorted bin … _short_buf … vtable … stdin stdin buffer … main_arena malloc_hook
  • 76. Make FILE structure great again • Stdin related function • scanf(“%d”,&var) • It will call • read(0,buf_base,sizeof(stdin buffer)) • It can overwrite many global variable in glibc • Input: aaaa……. 76 … _IO_buf_base Unsorted bin … aaaaaaaa … aaaaaaaa … stdin stdin buffer … main_arena aaaaaaaa
  • 77. Make FILE structure great again • Stdin related function • scanf(“%d”,&var) • It will call • read(0,buf_base,sizeof(stdin buffer)) • It can overwrite many global variable in glibc • Input: aaaa……. 77 … _IO_buf_base aaaaaaaa … aaaaaaaa … aaaaaaaa … stdin stdin buffer … main_arena aaaaaaaa Control PC again !
  • 78. Make FILE structure great again • How about Windows ? • No vtable in FILE • It also has stream buffer pointer • You can corrupt it to achieve arbitrary memory read and write 78
  • 79. Agenda • Introduction • File stream • Overview the FILE structure • Exploitation of FILE structure • FSOP • Vtable verification in FILE structure • Make FILE structure great again • Conclusion 79
  • 80. Conclusion • FILE structure is a good target for binary exploit • It can be used to • Arbitrary memory read and write • Control the PC and do oriented programing • Other exploit technology • Arbitrary free/unmmap • … 80
  • 81. Conclusion • FILE structure is a good target for binary Exploit • It’s very powerful in some unexploitable case • Let’s try to find more and more exploit technology in FILE structure 81 Mail : angelboy@chroot.org Blog : blog.angelboy.tw Twitter : scwuaptx