The document discusses exploiting the FILE structure in C programs. It provides an overview of how file streams and the FILE structure work. Key points include that the FILE structure contains flags, buffers, a file descriptor, and a virtual function table. It describes how functions like fopen, fread, and fwrite interact with the FILE structure. It then discusses potential exploitation techniques like overwriting the virtual function table or FILE's linked list to gain control of program flow. It notes defenses like vtable verification implemented in modern libc libraries.
Note: When you view the the slide deck via web browser, the screenshots may be blurred. You can download and view them offline (Screenshots are clear).
Note: When you view the the slide deck via web browser, the screenshots may be blurred. You can download and view them offline (Screenshots are clear).
Virtual File System in Linux Kernel
Note: When you view the the slide deck via web browser, the screenshots may be blurred. You can download and view them offline (Screenshots are clear).
Decompressed vmlinux: linux kernel initialization from page table configurati...Adrian Huang
Talk about how Linux kernel initializes the page table.
Note: When you view the the slide deck via web browser, the screenshots may be blurred. You can download and view them offline (Screenshots are clear).
You didnt see it’s coming? "Dawn of hardened Windows Kernel" Peter Hlavaty
Past few years our team was focusing on different operating systems including Microsoft windows kernel. Honestly our first pwn at Windows kernel was not that challenging. Number of available targets with friendly environment for straightforward pwn, from user up to reliable kernel code execution.
However, step by step, security policies continue to evolve, and it becomes more troublesome to choose ideal attack surface from various sandboxes. In addition, what steps to follow for digging security holes is highly dependent upon the chosen target. In general, a few common strategies are available for researchers to choose: e.g choose “unknown” one which hasn’t been researched before; Select well fuzzed or well audited one, or research on kernel module internals to find “hidden” attack surfaces which are not explicitly interconnected. In the first part of the talk we introduce our methodology of selecting, alongside with cost of tricks around to choose seemingly banned targets, illustrated by notable examples.
After getting hands on potential bug available from targeted sandbox, it is time for Microsoft windows taking hardening efforts to put attacker into corner. Strong mitigations are being introduced more frequently than ever, with promising direction which cuts lots of attack surface off, and a several exploitation techniques being killed. We will show difficulties of developing universal exploitation techniques, and demonstrate needed technical level depending on code quality of target. We will examine how different it becomes with era of Redstone and following versions even with those techniques and good vulnerability in hand. How it changed attacker landscape and how it will (and will not) kill those techniques and applications. However will it really change the game or not?
Process Address Space: The way to create virtual address (page table) of user...Adrian Huang
Process Address Space: The way to create virtual address (page table) of userspace application.
Note: When you view the the slide deck via web browser, the screenshots may be blurred. You can download and view them offline (Screenshots are clear).
Virtual File System in Linux Kernel
Note: When you view the the slide deck via web browser, the screenshots may be blurred. You can download and view them offline (Screenshots are clear).
Decompressed vmlinux: linux kernel initialization from page table configurati...Adrian Huang
Talk about how Linux kernel initializes the page table.
Note: When you view the the slide deck via web browser, the screenshots may be blurred. You can download and view them offline (Screenshots are clear).
You didnt see it’s coming? "Dawn of hardened Windows Kernel" Peter Hlavaty
Past few years our team was focusing on different operating systems including Microsoft windows kernel. Honestly our first pwn at Windows kernel was not that challenging. Number of available targets with friendly environment for straightforward pwn, from user up to reliable kernel code execution.
However, step by step, security policies continue to evolve, and it becomes more troublesome to choose ideal attack surface from various sandboxes. In addition, what steps to follow for digging security holes is highly dependent upon the chosen target. In general, a few common strategies are available for researchers to choose: e.g choose “unknown” one which hasn’t been researched before; Select well fuzzed or well audited one, or research on kernel module internals to find “hidden” attack surfaces which are not explicitly interconnected. In the first part of the talk we introduce our methodology of selecting, alongside with cost of tricks around to choose seemingly banned targets, illustrated by notable examples.
After getting hands on potential bug available from targeted sandbox, it is time for Microsoft windows taking hardening efforts to put attacker into corner. Strong mitigations are being introduced more frequently than ever, with promising direction which cuts lots of attack surface off, and a several exploitation techniques being killed. We will show difficulties of developing universal exploitation techniques, and demonstrate needed technical level depending on code quality of target. We will examine how different it becomes with era of Redstone and following versions even with those techniques and good vulnerability in hand. How it changed attacker landscape and how it will (and will not) kill those techniques and applications. However will it really change the game or not?
Process Address Space: The way to create virtual address (page table) of user...Adrian Huang
Process Address Space: The way to create virtual address (page table) of userspace application.
Note: When you view the the slide deck via web browser, the screenshots may be blurred. You can download and view them offline (Screenshots are clear).
AI and Machine Learning Demystified by Carol Smith at Midwest UX 2017Carol Smith
What is machine learning? Is UX relevant in the age of artificial intelligence (AI)? How can I take advantage of cognitive computing? Get answers to these questions and learn about the implications for your work in this session. Carol will help you understand at a basic level how these systems are built and what is required to get insights from them. Carol will present examples of how machine learning is already being used and explore the ethical challenges inherent in creating AI. You will walk away with an awareness of the weaknesses of AI and the knowledge of how these systems work.
File handling in C involves manipulating files through operations such as opening, reading, writing, and closing. The `<stdio.h>` library provides functions like `fopen`, `fclose`, `fread`, and `fwrite` for these operations. To read from a file, you can use functions like `fscanf` or `fgets`, while `fprintf` and `fputs` are used for writing. It's crucial to check for errors during file operations and close files using `fclose` to ensure proper resource management. Binary file handling is possible with functions like `fwrite` and `fread`. File handling is integral for tasks involving data storage, retrieval, and manipulation in C programs.
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024Tobias Schneck
As AI technology is pushing into IT I was wondering myself, as an “infrastructure container kubernetes guy”, how get this fancy AI technology get managed from an infrastructure operational view? Is it possible to apply our lovely cloud native principals as well? What benefit’s both technologies could bring to each other?
Let me take this questions and provide you a short journey through existing deployment models and use cases for AI software. On practical examples, we discuss what cloud/on-premise strategy we may need for applying it to our own infrastructure to get it to work from an enterprise perspective. I want to give an overview about infrastructure requirements and technologies, what could be beneficial or limiting your AI use cases in an enterprise environment. An interactive Demo will give you some insides, what approaches I got already working for real.
Key Trends Shaping the Future of Infrastructure.pdfCheryl Hung
Keynote at DIGIT West Expo, Glasgow on 29 May 2024.
Cheryl Hung, ochery.com
Sr Director, Infrastructure Ecosystem, Arm.
The key trends across hardware, cloud and open-source; exploring how these areas are likely to mature and develop over the short and long-term, and then considering how organisations can position themselves to adapt and thrive.
Securing your Kubernetes cluster_ a step-by-step guide to success !KatiaHIMEUR1
Today, after several years of existence, an extremely active community and an ultra-dynamic ecosystem, Kubernetes has established itself as the de facto standard in container orchestration. Thanks to a wide range of managed services, it has never been so easy to set up a ready-to-use Kubernetes cluster.
However, this ease of use means that the subject of security in Kubernetes is often left for later, or even neglected. This exposes companies to significant risks.
In this talk, I'll show you step-by-step how to secure your Kubernetes cluster for greater peace of mind and reliability.
The Art of the Pitch: WordPress Relationships and SalesLaura Byrne
Clients don’t know what they don’t know. What web solutions are right for them? How does WordPress come into the picture? How do you make sure you understand scope and timeline? What do you do if sometime changes?
All these questions and more will be explored as we talk about matching clients’ needs with what your agency offers without pulling teeth or pulling your hair out. Practical tips, and strategies for successful relationship building that leads to closing the deal.
Essentials of Automations: Optimizing FME Workflows with ParametersSafe Software
Are you looking to streamline your workflows and boost your projects’ efficiency? Do you find yourself searching for ways to add flexibility and control over your FME workflows? If so, you’re in the right place.
Join us for an insightful dive into the world of FME parameters, a critical element in optimizing workflow efficiency. This webinar marks the beginning of our three-part “Essentials of Automation” series. This first webinar is designed to equip you with the knowledge and skills to utilize parameters effectively: enhancing the flexibility, maintainability, and user control of your FME projects.
Here’s what you’ll gain:
- Essentials of FME Parameters: Understand the pivotal role of parameters, including Reader/Writer, Transformer, User, and FME Flow categories. Discover how they are the key to unlocking automation and optimization within your workflows.
- Practical Applications in FME Form: Delve into key user parameter types including choice, connections, and file URLs. Allow users to control how a workflow runs, making your workflows more reusable. Learn to import values and deliver the best user experience for your workflows while enhancing accuracy.
- Optimization Strategies in FME Flow: Explore the creation and strategic deployment of parameters in FME Flow, including the use of deployment and geometry parameters, to maximize workflow efficiency.
- Pro Tips for Success: Gain insights on parameterizing connections and leveraging new features like Conditional Visibility for clarity and simplicity.
We’ll wrap up with a glimpse into future webinars, followed by a Q&A session to address your specific questions surrounding this topic.
Don’t miss this opportunity to elevate your FME expertise and drive your projects to new heights of efficiency.
GraphRAG is All You need? LLM & Knowledge GraphGuy Korland
Guy Korland, CEO and Co-founder of FalkorDB, will review two articles on the integration of language models with knowledge graphs.
1. Unifying Large Language Models and Knowledge Graphs: A Roadmap.
https://arxiv.org/abs/2306.08302
2. Microsoft Research's GraphRAG paper and a review paper on various uses of knowledge graphs:
https://www.microsoft.com/en-us/research/blog/graphrag-unlocking-llm-discovery-on-narrative-private-data/
Epistemic Interaction - tuning interfaces to provide information for AI supportAlan Dix
Paper presented at SYNERGY workshop at AVI 2024, Genoa, Italy. 3rd June 2024
https://alandix.com/academic/papers/synergy2024-epistemic/
As machine learning integrates deeper into human-computer interactions, the concept of epistemic interaction emerges, aiming to refine these interactions to enhance system adaptability. This approach encourages minor, intentional adjustments in user behaviour to enrich the data available for system learning. This paper introduces epistemic interaction within the context of human-system communication, illustrating how deliberate interaction design can improve system understanding and adaptation. Through concrete examples, we demonstrate the potential of epistemic interaction to significantly advance human-computer interaction by leveraging intuitive human communication strategies to inform system design and functionality, offering a novel pathway for enriching user-system engagements.
State of ICS and IoT Cyber Threat Landscape Report 2024 previewPrayukth K V
The IoT and OT threat landscape report has been prepared by the Threat Research Team at Sectrio using data from Sectrio, cyber threat intelligence farming facilities spread across over 85 cities around the world. In addition, Sectrio also runs AI-based advanced threat and payload engagement facilities that serve as sinks to attract and engage sophisticated threat actors, and newer malware including new variants and latent threats that are at an earlier stage of development.
The latest edition of the OT/ICS and IoT security Threat Landscape Report 2024 also covers:
State of global ICS asset and network exposure
Sectoral targets and attacks as well as the cost of ransom
Global APT activity, AI usage, actor and tactic profiles, and implications
Rise in volumes of AI-powered cyberattacks
Major cyber events in 2024
Malware and malicious payload trends
Cyberattack types and targets
Vulnerability exploit attempts on CVEs
Attacks on counties – USA
Expansion of bot farms – how, where, and why
In-depth analysis of the cyber threat landscape across North America, South America, Europe, APAC, and the Middle East
Why are attacks on smart factories rising?
Cyber risk predictions
Axis of attacks – Europe
Systemic attacks in the Middle East
Download the full report from here:
https://sectrio.com/resources/ot-threat-landscape-reports/sectrio-releases-ot-ics-and-iot-security-threat-landscape-report-2024/
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf91mobiles
91mobiles recently conducted a Smart TV Buyer Insights Survey in which we asked over 3,000 respondents about the TV they own, aspects they look at on a new TV, and their TV buying preferences.
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
Play with FILE Structure - Yet Another Binary Exploit Technique
1. Play with FILE Structure
Yet Another Binary Exploit Technique
angelboy@chroot.org
1
2. About me
• Angelboy
• CTF player
• WCTF / Boston Key Party 1st
• DEFCON / HITB 2nd
• Chroot / HITCON / 217
• Blog
• blog.angelboy.tw
2
3. Agenda
• Introduction
• File stream
• Overview the FILE structure
• Exploitation of FILE structure
• FSOP
• Vtable verification in FILE structure
• Make FILE structure great again
• Conclusion
3
4. Agenda
• Introduction
• File stream
• Overview the FILE structure
• Exploitation of FILE structure
• FSOP
• Vtable verification in FILE structure
• Make FILE structure great again
• Conclusion
4
5. Introduction
• What happen when we use a raw io function
read/write
Kernel Buffer
User space
Kernel space
Disk
5
6. Introduction
• What happen when we use a raw io function
read/write
Kernel Buffer
User space
Kernel space
Disk
Reduce the number of HD I/O
6
7. Introduction
• What is File stream
• A higher-level interface on the primitive file descriptor facilities
• Stream buffering
• Portable and High performance
• What is FILE structure
• A File stream descriptor
• Created by fopen
7
8. Introduction
• What happen when we use stdio function
read/write
Kernel Buffer
User space
Kernel space
Disk
stdio Buffer
fread/fwrite
8
9. Introduction
• What happen when we use stdio function
read/write
Kernel Buffer
User space
Kernel space
Disk
stdio Buffer
fread/fwrite
Reduce the number of syscall
9
10. Agenda
• Introduction
• File stream
• Overview the FILE structure
• Exploitation of FILE structure
• FSOP
• Vtable verification in FILE structure
• Make FILE structure great again
• Conclusion
10
15. Introduction
• FILE structure
• FILE plus
• stdin/stdout/stderr
• fopen also use it
• Extra Virtual function table
• Any operation on file is via vtable
15
16. Introduction
• FILE structure
• FILE plus
• stdin/stdout/stderr
• fopen also use it
• Extra Virtual function table
• Any operation on file is via vtable
16
17. Introduction
• FILE structure
• Every FILE associate with a _chain (linked list)
17
_IO_list_all
_flag
……
chain
_flag
……
chain
_flag
……
0
stderr stdout stdin
18. Introduction
• fopen workflow
• Allocate FILE structure
• Initial the FILE structure
• Link the FILE structure
• open file
18
fopen
malloc
_IO_link_in
sys_open
_IO_new_file_init_internal
_IO_new_file_open
23. Introduction
• fread workflow
• If stream buffer is NULL
• Allocate buffer
• Read data to the stream buffer
• Copy data from stream buffer to destination
23
fread
vtable->_IO_file_xsgetn
vtable->doallocate
vtable->_IO_file_underflow
sys_read
28. Introduction
• fwrite workflow
• If stream buffer is NULL
• Allocate buffer
• Copy user data to the stream buffer
• If the stream buffer is filled or flush the stream
• write data from stream buffer to the file
28
fwrite
vtable->_IO_file_xsputn
vtable->_IO_file_overflow
vtable->doallocate
sys_write
29. Introduction
• fclose workflow
• Unlink the FILE structure
• Flush & Release the stream buffer
• Close the file
• Release the FILE structure
29
fclose
_IO_unlink_it
_IO_new_file_close_it
_IO_do_flush
sys_close
vtable—>_IO_file_finish
free
30. Agenda
• Introduction
• File stream
• Overview the FILE structure
• Exploitation of FILE structure
• FSOP
• Vtable verification in FILE structure
• Make FILE structure great again
• Conclusion
30
31. Exploitation of FILE
• There are a good target in FILE structure
• Virtual Function Table
31
32. • Let’s overwrite with buffer address
Exploitation of FILE
Buffer overflow
Sample code
payload
Buffer address
32
//variable buf at 0x6009a0
35. Exploitation of FILE
• Not call vtable directly…
• RDX is our input
but not call instruction
35
36. Exploitation of FILE
• Let’s see what happened in fclose
• We can get information of segfault in gdb and located it in source code
Segfault
36
37. Exploitation of FILE
• FILE structure
• _lock
• Prevent race condition in multithread
• Very common in stdio related function
• Usually need to construct it for Exploitation
37
38. • Let’s fix the lock
Exploitation of FILE
Find a global buffer as our lock
Fix our payload
offset of _lock
38
0x100 bytes
40. Exploitation of FILE
• Another interesting
• stdin/stdout/stderr is also a FILE structure in glibc
• We can overwrite the global variable in glibc to control the flow
40
GLIBC SYMBOL TABLE
Global offset
41. Agenda
• Introduction
• File stream
• Overview the FILE structure
• Exploitation of FILE structure
• FSOP
• Vtable verification in FILE structure
• Make FILE structure great again
• Conclusion
41
42. FSOP
• File-Stream Oriented Programing
• Control the linked list of File stream
• _chain
• _IO_list_all
• Powerful function
• _IO_flush_all_lockp
42
43. FSOP
• _IO_flush_all_lockp
• fflush all file stream
• When will call it
• Glib abort routine
• exit function
• Main return
43
malloc_printerr
_libc_message(error msg)
abort
_IO_flush_all_lockp
JUMP_FIELD(_IO_overflow_t,
__overflow)
If the condition is satisfied
Glibc abort routine
44. FSOP
• _IO_flush_all_lockp
• It will process all FILE
in FILE linked list
• We can construct the
linked list to do oriented
programing
44
fp = _IO_list_all
condition
Trigger virtual funcition
Point to next
52. Agenda
• Introduction
• File stream
• Overview the FILE structure
• Exploitation of FILE structure
• FSOP
• Vtable verification in FILE structure
• Make FILE structure great again
• Conclusion
52
53. Vtable verification
• Unfortunately, there are a virtual function table in latest libc
• Check the address of vtable before all virtual function call
• If vtable is invalid, it would abort
53
54. Vtable verification
• Vtable verification in File
• The vtable must be in libc _IO_vtable section
• If it’s not in _IO_vtable section, it will check if the vtable are permitted
54
56. Vtable verification
• Bypass ?
• Overwrite IO_accept_foreign_vtables ?
• It’s very difficult because of the pointer guard
56
Demangle with pointer guard
57. Vtable verification
• Bypass ?
• Overwrite _dl_open_hook ?
• Sounds good, but if you can control the value, you can also control
other good target
57
58. Vtable verification
• Summary of the vtable verification
• It very hard to bypass it.
• Exploitation of FILE structure is died ?
58
59. Agenda
• Introduction
• File stream
• Overview the FILE structure
• Exploitation of FILE structure
• FSOP
• Vtable verification in FILE structure
• Make FILE structure great again
• Conclusion
59
60. Make FILE structure great again
• How about change the target from vtable to other element ?
• Stream Buffer & File Descriptor
60
61. Make FILE structure great again
• If we can overwrite the FILE structure and use fread and fwrite with the
FILE structure
• We can
• Arbitrary memory reading
• Arbitrary memory writing
61
62. Make FILE structure great again
• Arbitrary memory reading
• fwrite
• Set the _fileno to the file descriptor of stdout
• Set _flag & ~_IO_NO_WRITES
• Set _flag |= _IO_CURRENTLY_PUTTING
• Set the write_base & write_ptr to memory address which you want to read
• _IO_read_end equal to _IO_write_base
62
63. Make FILE structure great again
• Arbitrary memory reading
• Set _flag &~ _IO_NO_WRITES
• Set _flag |= _IO_CURRENTLY_PUTTING
63
Our goal
It will adjust the stream buffer
A piece of code in fwrite
64. Make FILE structure great again
• Arbitrary memory reading
• Let _IO_read_end equal to _IO_write_base
• If it’s not, it would adjust to the current offset.
64
It will adjust the stream buffer
Our goal
66. Make FILE structure great again
• Arbitrary memory writing
• fread
• Set the _fileno to file descriptor of stdin
• Set _flag &~ _IO_NO_READS
• Set read_base & read_ptr to NULL
• Set the buf_base & buf_end to memory address which you want to wirte
• buf_end - buf_base < size of fread
66
67. Make FILE structure great again
• Arbitrary memory writing
• Set read_base & read_ptr to NULL
67
It will copy data from buffer to destination
Buffer size must be smaller than read size
68. Make FILE structure great again
• Arbitrary memory writing
• Set _flag &~ _IO_NO_READS
68
Our goal
70. Make FILE structure great again
• If you have arbitrary memory address read and write, you can control the
flow very easy
• GOT hijack
• __malloc_hook_/__free_hook_/__realloc_hook_
• …
• By the way, you can not only use fread and fwrite but also use any stdio
related function
70
71. Make FILE structure great again
• If we don’t have any file operation in the program
• We can use stdin/stdout/stderr
• put/printf/scanf
• …
71
72. Make FILE structure great again
• Scenario
• Use any stdin related function
• scanf/fgets/gets …
• Stdin is unbuffer
• Very common in normal stdio program
72
…
_IO_buf_base
_IO_buf_end
…
_short_buf
…
stdin buffer
stdin
73. Make FILE structure great again
• Overwrite buf_end with a pointer behind the stdin
• Unsorted bin attack
• Very common in heap exploitation
73
…
_IO_buf_base
_IO_buf_end
…
_short_buf
…
stdin buffer
stdin
74. Make FILE structure great again
• Overwrite buf_end with a pointer behind the stdin
• Unsorted bin attack
• Very common in heap exploitation
74
…
_IO_buf_base
Unsorted bin
…
_short_buf
…
vtable
…
stdin
stdin buffer
…
main_arena
malloc_hook
75. Make FILE structure great again
• Stdin related function
• scanf(“%d”,&var)
• It will call
• read(0,buf_base,sizeof(stdin buffer))
75
…
_IO_buf_base
Unsorted bin
…
_short_buf
…
vtable
…
stdin
stdin buffer
…
main_arena
malloc_hook
76. Make FILE structure great again
• Stdin related function
• scanf(“%d”,&var)
• It will call
• read(0,buf_base,sizeof(stdin buffer))
• It can overwrite many global variable in glibc
• Input: aaaa…….
76
…
_IO_buf_base
Unsorted bin
…
aaaaaaaa
…
aaaaaaaa
…
stdin
stdin buffer
…
main_arena
aaaaaaaa
77. Make FILE structure great again
• Stdin related function
• scanf(“%d”,&var)
• It will call
• read(0,buf_base,sizeof(stdin buffer))
• It can overwrite many global variable in glibc
• Input: aaaa…….
77
…
_IO_buf_base
aaaaaaaa
…
aaaaaaaa
…
aaaaaaaa
…
stdin
stdin buffer
…
main_arena
aaaaaaaa
Control PC again !
78. Make FILE structure great again
• How about Windows ?
• No vtable in FILE
• It also has stream buffer pointer
• You can corrupt it to achieve arbitrary memory read and write
78
79. Agenda
• Introduction
• File stream
• Overview the FILE structure
• Exploitation of FILE structure
• FSOP
• Vtable verification in FILE structure
• Make FILE structure great again
• Conclusion
79
80. Conclusion
• FILE structure is a good target for binary exploit
• It can be used to
• Arbitrary memory read and write
• Control the PC and do oriented programing
• Other exploit technology
• Arbitrary free/unmmap
• …
80
81. Conclusion
• FILE structure is a good target for binary Exploit
• It’s very powerful in some unexploitable case
• Let’s try to find more and more exploit technology in FILE structure
81
Mail : angelboy@chroot.org
Blog : blog.angelboy.tw
Twitter : scwuaptx