SlideShare a Scribd company logo
Play with FILE Structure
Yet Another Binary Exploit Technique
angelboy@chroot.org
1
About me
• Angelboy

• CTF player 

• WCTF / Boston Key Party 1st

• DEFCON / HITB 2nd

• Chroot / HITCON / 217

• Blog

• blog.angelboy.tw
2
Agenda
• Introduction

• File stream

• Overview the FILE structure

• Exploitation of FILE structure

• FSOP

• Vtable verification in FILE structure

• Make FILE structure great again

• Conclusion
3
Agenda
• Introduction

• File stream

• Overview the FILE structure

• Exploitation of FILE structure

• FSOP

• Vtable verification in FILE structure

• Make FILE structure great again

• Conclusion
4
Introduction
• What happen when we use a raw io function
read/write
Kernel Buffer
User space
Kernel space
Disk
5
Introduction
• What happen when we use a raw io function
read/write
Kernel Buffer
User space
Kernel space
Disk
Reduce the number of HD I/O
6
Introduction
• What is File stream

• A higher-level interface on the primitive file descriptor facilities

• Stream buffering

• Portable and High performance

• What is FILE structure

• A File stream descriptor

• Created by fopen
7
Introduction
• What happen when we use stdio function
read/write
Kernel Buffer
User space
Kernel space
Disk
stdio Buffer
fread/fwrite
8
Introduction
• What happen when we use stdio function
read/write
Kernel Buffer
User space
Kernel space
Disk
stdio Buffer
fread/fwrite
Reduce the number of syscall
9
Agenda
• Introduction

• File stream

• Overview the FILE structure

• Exploitation of FILE structure

• FSOP

• Vtable verification in FILE structure

• Make FILE structure great again

• Conclusion
10
Introduction
• FILE structure

• A complex structure

• Flags

• Stream buffer

• File descriptor

• FILE_plus

• Virtual function table
11
Introduction
• FILE structure

• Flags

• Record the attribute of the File stream

• Read only

• Append

• …
12
Introduction
• FILE structure

• Stream buffer

• Read buffer

• Write buffer

• Reserve buffer
13
Introduction
• FILE structure

• _fileno

• File descriptor

• Return by sys_open
14
Introduction
• FILE structure

• FILE plus

• stdin/stdout/stderr

• fopen also use it

• Extra Virtual function table

• Any operation on file is via vtable
15
Introduction
• FILE structure

• FILE plus 

• stdin/stdout/stderr

• fopen also use it

• Extra Virtual function table

• Any operation on file is via vtable
16
Introduction
• FILE structure

• Every FILE associate with a _chain (linked list)
17
_IO_list_all
_flag
……
chain
_flag
……
chain
_flag
……
0
stderr stdout stdin
Introduction
• fopen workflow

• Allocate FILE structure

• Initial the FILE structure

• Link the FILE structure

• open file
18
fopen
malloc
_IO_link_in
sys_open
_IO_new_file_init_internal
_IO_new_file_open
Introduction
• fopen workflow

• Allocate FILE structure
_IO_list_all
_flag
……
chain
……
vtable
_flag
……
chain
……
vtable
_flag
……
0
……
vtable
stderr stdout stdin
19
malloc
Introduction
• fopen workflow

• Initialize the FILE structure

• Link the FILE structure
_IO_list_all
_flag
……
chain
……
vtable
_flag
……
chain
……
vtable
_flag
……
0
……
vtable
stderr stdout stdin
0
……
0
……
0
fp
20
_IO_new_file_init_internal
_IO_link_in
Introduction
• fopen workflow

• Initial the FILE structure

• Link the FILE structure
_IO_list_all
_flag
……
chain
……
vtable
_flag
……
chain
……
vtable
_flag
……
0
……
vtable
stderr stdout stdin
_flag
……
chain
……
vtable
fp
21
_IO_link_in
_IO_new_file_init_internal
Introduction
• fopen workflow

• open file
_IO_list_all
_flag
……
chain
……
vtable
_flag
……
chain
……
vtable
_flag
……
0
……
vtable
stderr stdout stdin
_flag
……
chain
……
vtable
fp
22
sys_open
Introduction
• fread workflow

• If stream buffer is NULL

• Allocate buffer

• Read data to the stream buffer

• Copy data from stream buffer to destination
23
fread
vtable->_IO_file_xsgetn
vtable->doallocate
vtable->_IO_file_underflow
sys_read
Introduction
• fread workflow

• If stream buffer is NULL

• Allocate buffer
_flag
read_ptr (0)
read_end (0)
……
buf_base (0)
buf_end (0)
……
vtable
fp
_IO_file_finish
_IO_file_overflow
…
_IO_file_doallocate
…
…
…
_IO_default_imbue
vtable
24
fread
vtable->_IO_file_xsgetn
vtable->doallocate
Introduction
• fread workflow

• Read data to the stream buffer
_flag
read_ptr (0)
read_end (0)
……
0x603010
0x604010
……
vtable
fp
stdio buffer
25
vtable->_IO_file_underflow
sys_read
Introduction
• fread workflow

• Copy data from stream buffer 

to destination
_flag
0x603010
0x604010
……
0x603010
0x604010
……
vtable
fp
AAAA
AAAA
BBBB
BBBB
CCCC
CCCC
…
…
…
ZZZZ
stdio buffer
Destination
26
vtable->_IO_file_xsgetn
AAAA
AAAA
BBBB
BBBB
CCCC
CCCC
…
…
…
ZZZZ
Introduction
• fread workflow

• Copy data from stream buffer 

to destination
_flag
0x603040
0x604010
……
0x603010
0x604010
……
vtable
fp
stdio buffer
AAAAAAAA
Copy to destination
27
vtable->_IO_file_xsgetn
Introduction
• fwrite workflow

• If stream buffer is NULL

• Allocate buffer

• Copy user data to the stream buffer

• If the stream buffer is filled or flush the stream

• write data from stream buffer to the file
28
fwrite
vtable->_IO_file_xsputn
vtable->_IO_file_overflow
vtable->doallocate
sys_write
Introduction
• fclose workflow

• Unlink the FILE structure

• Flush & Release the stream buffer

• Close the file

• Release the FILE structure
29
fclose
_IO_unlink_it
_IO_new_file_close_it
_IO_do_flush
sys_close
vtable—>_IO_file_finish
free
Agenda
• Introduction

• File stream

• Overview the FILE structure

• Exploitation of FILE structure

• FSOP

• Vtable verification in FILE structure

• Make FILE structure great again

• Conclusion
30
Exploitation of FILE
• There are a good target in FILE structure

• Virtual Function Table
31
• Let’s overwrite with buffer address
Exploitation of FILE
Buffer overflow
Sample code
payload
Buffer address
32
//variable buf at 0x6009a0
• Let’s overwrite with buffer address
Exploitation of FILE
33
Buffer
fp
fp
_flag
read_ptr (0)
read_end (0)
……
vtable
• Let’s overwrite with buffer address
Exploitation of FILE
34
AAAAAAAA
AAAAAAAA
AAAAAAAA
AAAAAAAA
……
……
AAAAAAAA
……
Buffer
0x6009a0
fp
_flag
read_ptr (0)
read_end (0)
……
vtable
Buffer overflow
Exploitation of FILE
• Not call vtable directly…

• RDX is our input

but not call instruction
35
Exploitation of FILE
• Let’s see what happened in fclose

• We can get information of segfault in gdb and located it in source code
Segfault
36
Exploitation of FILE
• FILE structure

• _lock

• Prevent race condition in multithread

• Very common in stdio related function

• Usually need to construct it for Exploitation
37
• Let’s fix the lock
Exploitation of FILE
Find a global buffer as our lock
Fix our payload
offset of _lock
38
0x100 bytes
• We control PC !
Exploitation of FILE
39
Exploitation of FILE
• Another interesting

• stdin/stdout/stderr is also a FILE structure in glibc

• We can overwrite the global variable in glibc to control the flow
40
GLIBC SYMBOL TABLE
Global offset
Agenda
• Introduction

• File stream

• Overview the FILE structure

• Exploitation of FILE structure

• FSOP

• Vtable verification in FILE structure

• Make FILE structure great again

• Conclusion
41
FSOP
• File-Stream Oriented Programing

• Control the linked list of File stream

• _chain

• _IO_list_all

• Powerful function

• _IO_flush_all_lockp
42
FSOP
• _IO_flush_all_lockp

• fflush all file stream

• When will call it

• Glib abort routine

• exit function

• Main return
43
malloc_printerr
_libc_message(error msg)
abort
_IO_flush_all_lockp
JUMP_FIELD(_IO_overflow_t,
__overflow)
If the condition is satisfied
Glibc abort routine
FSOP
• _IO_flush_all_lockp

• It will process all FILE

in FILE linked list

• We can construct the

linked list to do oriented

programing
44
fp = _IO_list_all
condition
Trigger virtual funcition
Point to next
FSOP
• File-Stream Oriented Programing
_IO_list_all
_flags
_IO_read_ptr
…
…
…
_IO_FILE *chain
…
…
vtable
45
FSOP
• File-Stream Oriented Programing
_IO_list_all
_flags
_IO_read_ptr
…
…
…
_IO_FILE *chain
…
…
vtable
_flags(“bar”)
_IO_read_ptr
…
…
…
_IO_FILE *chain
…
…
vtable
_flags(“sh”)
_IO_read_ptr
…
…
…
_IO_FILE *chain
…
…
vtablefake_vtable fake_vtable2
system
system
system
…
…
foo
foo
foo
…
…
Trigger abort()
46
FSOP
• File-Stream Oriented Programing
_IO_list_all
_flags
_IO_read_ptr
…
…
…
_IO_FILE *chain
…
…
vtable
_flags(“bar”)
_IO_read_ptr
…
…
…
_IO_FILE *chain
…
…
vtable
_flags(“sh”)
_IO_read_ptr
…
…
…
_IO_FILE *chain
…
…
vtablefake_vtable fake_vtable2
system
system
system
…
…
foo
foo
foo
…
…
call foo(_flags)
47
FSOP
• File-Stream Oriented Programing
_IO_list_all
_flags
_IO_read_ptr
…
…
…
_IO_FILE *chain
…
…
vtable
_flags(“bar”)
_IO_read_ptr
…
…
…
_IO_FILE *chain
…
…
vtable
_flags(“sh”)
_IO_read_ptr
…
…
…
_IO_FILE *chain
…
…
vtablefake_vtable fake_vtable2
system
system
system
…
…
foo
foo
foo
…
…
call foo(“bar”)
48
FSOP
• File-Stream Oriented Programing
_IO_list_all
_flags
_IO_read_ptr
…
…
…
_IO_FILE *chain
…
…
vtable
_flags(“bar”)
_IO_read_ptr
…
…
…
_IO_FILE *chain
…
…
vtable
_flags(“sh”)
_IO_read_ptr
…
…
…
_IO_FILE *chain
…
…
vtablefake_vtable fake_vtable2
system
system
system
…
…
foo
foo
foo
…
…
fp = fp->chain
49
FSOP
• File-Stream Oriented Programing
_IO_list_all
_flags
_IO_read_ptr
…
…
…
_IO_FILE *chain
…
…
vtable
_flags(“bar”)
_IO_read_ptr
…
…
…
_IO_FILE *chain
…
…
vtable
_flags(“sh”)
_IO_read_ptr
…
…
…
_IO_FILE *chain
…
…
vtablefake_vtable fake_vtable2
system
system
system
…
…
foo
foo
foo
…
…
call system(_flags)
50
FSOP
• File-Stream Oriented Programing
_IO_list_all
_flags
_IO_read_ptr
…
…
…
_IO_FILE *chain
…
…
vtable
_flags(“bar”)
_IO_read_ptr
…
…
…
_IO_FILE *chain
…
…
vtable
_flags(“sh”)
_IO_read_ptr
…
…
…
_IO_FILE *chain
…
…
vtablefake_vtable fake_vtable2
system
system
system
…
…
foo
foo
foo
…
…
call system(_flags)
GET SHELL !!
51
Agenda
• Introduction

• File stream

• Overview the FILE structure

• Exploitation of FILE structure

• FSOP

• Vtable verification in FILE structure

• Make FILE structure great again

• Conclusion
52
Vtable verification
• Unfortunately, there are a virtual function table in latest libc

• Check the address of vtable before all virtual function call

• If vtable is invalid, it would abort
53
Vtable verification
• Vtable verification in File

• The vtable must be in libc _IO_vtable section

• If it’s not in _IO_vtable section, it will check if the vtable are permitted
54
• _IO_vtable_check

• Check the foreign vtables
Vtable verification
55
For overriding
For share library
Vtable verification
• Bypass ?

• Overwrite IO_accept_foreign_vtables ?

• It’s very difficult because of the pointer guard
56
Demangle with pointer guard
Vtable verification
• Bypass ?

• Overwrite _dl_open_hook ?

• Sounds good, but if you can control the value, you can also control
other good target
57
Vtable verification
• Summary of the vtable verification

• It very hard to bypass it.

• Exploitation of FILE structure is died ?
58
Agenda
• Introduction

• File stream

• Overview the FILE structure

• Exploitation of FILE structure

• FSOP

• Vtable verification in FILE structure

• Make FILE structure great again

• Conclusion
59
Make FILE structure great again
• How about change the target from vtable to other element ?

• Stream Buffer & File Descriptor
60
Make FILE structure great again
• If we can overwrite the FILE structure and use fread and fwrite with the
FILE structure

• We can

• Arbitrary memory reading

• Arbitrary memory writing
61
Make FILE structure great again
• Arbitrary memory reading

• fwrite

• Set the _fileno to the file descriptor of stdout 

• Set _flag & ~_IO_NO_WRITES

• Set _flag |= _IO_CURRENTLY_PUTTING

• Set the write_base & write_ptr to memory address which you want to read

• _IO_read_end equal to _IO_write_base
62
Make FILE structure great again
• Arbitrary memory reading

• Set _flag &~ _IO_NO_WRITES

• Set _flag |= _IO_CURRENTLY_PUTTING
63
Our goal
It will adjust the stream buffer
A piece of code in fwrite
Make FILE structure great again
• Arbitrary memory reading

• Let _IO_read_end equal to _IO_write_base

• If it’s not, it would adjust to the current offset.
64
It will adjust the stream buffer
Our goal
Make FILE structure great again
• Arbitrary memory reading

• Sample code
65
Make FILE structure great again
• Arbitrary memory writing

• fread

• Set the _fileno to file descriptor of stdin

• Set _flag &~ _IO_NO_READS

• Set read_base & read_ptr to NULL

• Set the buf_base & buf_end to memory address which you want to wirte

• buf_end - buf_base < size of fread
66
Make FILE structure great again
• Arbitrary memory writing

• Set read_base & read_ptr to NULL
67
It will copy data from buffer to destination
Buffer size must be smaller than read size
Make FILE structure great again
• Arbitrary memory writing

• Set _flag &~ _IO_NO_READS
68
Our goal
Make FILE structure great again
• Arbitrary memory writing

• Sample code
69
Make FILE structure great again
• If you have arbitrary memory address read and write, you can control the
flow very easy

• GOT hijack

• __malloc_hook_/__free_hook_/__realloc_hook_

• …

• By the way, you can not only use fread and fwrite but also use any stdio
related function
70
Make FILE structure great again
• If we don’t have any file operation in the program

• We can use stdin/stdout/stderr 

• put/printf/scanf

• …
71
Make FILE structure great again
• Scenario

• Use any stdin related function

• scanf/fgets/gets …

• Stdin is unbuffer

• Very common in normal stdio program
72
…
_IO_buf_base
_IO_buf_end
…
_short_buf
…
stdin buffer
stdin
Make FILE structure great again
• Overwrite buf_end with a pointer behind the stdin

• Unsorted bin attack

• Very common in heap exploitation
73
…
_IO_buf_base
_IO_buf_end
…
_short_buf
…
stdin buffer
stdin
Make FILE structure great again
• Overwrite buf_end with a pointer behind the stdin

• Unsorted bin attack

• Very common in heap exploitation
74
…
_IO_buf_base
Unsorted bin
…
_short_buf
…
vtable
…
stdin
stdin buffer
…
main_arena
malloc_hook
Make FILE structure great again
• Stdin related function

• scanf(“%d”,&var)

• It will call

• read(0,buf_base,sizeof(stdin buffer))
75
…
_IO_buf_base
Unsorted bin
…
_short_buf
…
vtable
…
stdin
stdin buffer
…
main_arena
malloc_hook
Make FILE structure great again
• Stdin related function

• scanf(“%d”,&var)

• It will call

• read(0,buf_base,sizeof(stdin buffer))

• It can overwrite many global variable in glibc

• Input: aaaa…….
76
…
_IO_buf_base
Unsorted bin
…
aaaaaaaa
…
aaaaaaaa
…
stdin
stdin buffer
…
main_arena
aaaaaaaa
Make FILE structure great again
• Stdin related function

• scanf(“%d”,&var)

• It will call

• read(0,buf_base,sizeof(stdin buffer))

• It can overwrite many global variable in glibc

• Input: aaaa…….
77
…
_IO_buf_base
aaaaaaaa
…
aaaaaaaa
…
aaaaaaaa
…
stdin
stdin buffer
…
main_arena
aaaaaaaa
Control PC again !
Make FILE structure great again
• How about Windows ?

• No vtable in FILE

• It also has stream buffer pointer

• You can corrupt it to achieve arbitrary memory read and write
78
Agenda
• Introduction

• File stream

• Overview the FILE structure

• Exploitation of FILE structure

• FSOP

• Vtable verification in FILE structure

• Make FILE structure great again

• Conclusion
79
Conclusion
• FILE structure is a good target for binary exploit

• It can be used to

• Arbitrary memory read and write

• Control the PC and do oriented programing

• Other exploit technology

• Arbitrary free/unmmap

• …
80
Conclusion
• FILE structure is a good target for binary Exploit

• It’s very powerful in some unexploitable case

• Let’s try to find more and more exploit technology in FILE structure
81
Mail : angelboy@chroot.org
Blog : blog.angelboy.tw
Twitter : scwuaptx

More Related Content

What's hot

Binary exploitation - AIS3
Binary exploitation - AIS3Binary exploitation - AIS3
Binary exploitation - AIS3
Angel Boy
 
Sigreturn Oriented Programming
Sigreturn Oriented ProgrammingSigreturn Oriented Programming
Sigreturn Oriented Programming
Angel Boy
 
Windows 10 Nt Heap Exploitation (English version)
Windows 10 Nt Heap Exploitation (English version)Windows 10 Nt Heap Exploitation (English version)
Windows 10 Nt Heap Exploitation (English version)
Angel Boy
 
Execution
ExecutionExecution
Execution
Angel Boy
 
Windows Kernel Exploitation : This Time Font hunt you down in 4 bytes
Windows Kernel Exploitation : This Time Font hunt you down in 4 bytesWindows Kernel Exploitation : This Time Font hunt you down in 4 bytes
Windows Kernel Exploitation : This Time Font hunt you down in 4 bytes
Peter Hlavaty
 
malloc & vmalloc in Linux
malloc & vmalloc in Linuxmalloc & vmalloc in Linux
malloc & vmalloc in Linux
Adrian Huang
 
MacOS memory allocator (libmalloc) Exploitation
MacOS memory allocator (libmalloc) ExploitationMacOS memory allocator (libmalloc) Exploitation
MacOS memory allocator (libmalloc) Exploitation
Angel Boy
 
x86
x86x86
Tcache Exploitation
Tcache ExploitationTcache Exploitation
Tcache Exploitation
Angel Boy
 
TDOH x 台科 pwn課程
TDOH x 台科 pwn課程TDOH x 台科 pwn課程
TDOH x 台科 pwn課程
Weber Tsai
 
Windows 10 Nt Heap Exploitation (Chinese version)
Windows 10 Nt Heap Exploitation (Chinese version)Windows 10 Nt Heap Exploitation (Chinese version)
Windows 10 Nt Heap Exploitation (Chinese version)
Angel Boy
 
ROP 輕鬆談
ROP 輕鬆談ROP 輕鬆談
ROP 輕鬆談
hackstuff
 
DeathNote of Microsoft Windows Kernel
DeathNote of Microsoft Windows KernelDeathNote of Microsoft Windows Kernel
DeathNote of Microsoft Windows Kernel
Peter Hlavaty
 
Vmlinux: anatomy of bzimage and how x86 64 processor is booted
Vmlinux: anatomy of bzimage and how x86 64 processor is bootedVmlinux: anatomy of bzimage and how x86 64 processor is booted
Vmlinux: anatomy of bzimage and how x86 64 processor is booted
Adrian Huang
 
Linux SMEP bypass techniques
Linux SMEP bypass techniquesLinux SMEP bypass techniques
Linux SMEP bypass techniques
Vitaly Nikolenko
 
Part II: LLVM Intermediate Representation
Part II: LLVM Intermediate RepresentationPart II: LLVM Intermediate Representation
Part II: LLVM Intermediate Representation
Wei-Ren Chen
 
twlkh-linux-vsyscall-and-vdso
twlkh-linux-vsyscall-and-vdsotwlkh-linux-vsyscall-and-vdso
twlkh-linux-vsyscall-and-vdso
Viller Hsiao
 
台科逆向簡報
台科逆向簡報台科逆向簡報
台科逆向簡報
耀德 蔡
 
Instruction Combine in LLVM
Instruction Combine in LLVMInstruction Combine in LLVM
Instruction Combine in LLVM
Wang Hsiangkai
 
Master Canary Forging by Yuki Koike - CODE BLUE 2015
Master Canary Forging by Yuki Koike - CODE BLUE 2015Master Canary Forging by Yuki Koike - CODE BLUE 2015
Master Canary Forging by Yuki Koike - CODE BLUE 2015
CODE BLUE
 

What's hot (20)

Binary exploitation - AIS3
Binary exploitation - AIS3Binary exploitation - AIS3
Binary exploitation - AIS3
 
Sigreturn Oriented Programming
Sigreturn Oriented ProgrammingSigreturn Oriented Programming
Sigreturn Oriented Programming
 
Windows 10 Nt Heap Exploitation (English version)
Windows 10 Nt Heap Exploitation (English version)Windows 10 Nt Heap Exploitation (English version)
Windows 10 Nt Heap Exploitation (English version)
 
Execution
ExecutionExecution
Execution
 
Windows Kernel Exploitation : This Time Font hunt you down in 4 bytes
Windows Kernel Exploitation : This Time Font hunt you down in 4 bytesWindows Kernel Exploitation : This Time Font hunt you down in 4 bytes
Windows Kernel Exploitation : This Time Font hunt you down in 4 bytes
 
malloc & vmalloc in Linux
malloc & vmalloc in Linuxmalloc & vmalloc in Linux
malloc & vmalloc in Linux
 
MacOS memory allocator (libmalloc) Exploitation
MacOS memory allocator (libmalloc) ExploitationMacOS memory allocator (libmalloc) Exploitation
MacOS memory allocator (libmalloc) Exploitation
 
x86
x86x86
x86
 
Tcache Exploitation
Tcache ExploitationTcache Exploitation
Tcache Exploitation
 
TDOH x 台科 pwn課程
TDOH x 台科 pwn課程TDOH x 台科 pwn課程
TDOH x 台科 pwn課程
 
Windows 10 Nt Heap Exploitation (Chinese version)
Windows 10 Nt Heap Exploitation (Chinese version)Windows 10 Nt Heap Exploitation (Chinese version)
Windows 10 Nt Heap Exploitation (Chinese version)
 
ROP 輕鬆談
ROP 輕鬆談ROP 輕鬆談
ROP 輕鬆談
 
DeathNote of Microsoft Windows Kernel
DeathNote of Microsoft Windows KernelDeathNote of Microsoft Windows Kernel
DeathNote of Microsoft Windows Kernel
 
Vmlinux: anatomy of bzimage and how x86 64 processor is booted
Vmlinux: anatomy of bzimage and how x86 64 processor is bootedVmlinux: anatomy of bzimage and how x86 64 processor is booted
Vmlinux: anatomy of bzimage and how x86 64 processor is booted
 
Linux SMEP bypass techniques
Linux SMEP bypass techniquesLinux SMEP bypass techniques
Linux SMEP bypass techniques
 
Part II: LLVM Intermediate Representation
Part II: LLVM Intermediate RepresentationPart II: LLVM Intermediate Representation
Part II: LLVM Intermediate Representation
 
twlkh-linux-vsyscall-and-vdso
twlkh-linux-vsyscall-and-vdsotwlkh-linux-vsyscall-and-vdso
twlkh-linux-vsyscall-and-vdso
 
台科逆向簡報
台科逆向簡報台科逆向簡報
台科逆向簡報
 
Instruction Combine in LLVM
Instruction Combine in LLVMInstruction Combine in LLVM
Instruction Combine in LLVM
 
Master Canary Forging by Yuki Koike - CODE BLUE 2015
Master Canary Forging by Yuki Koike - CODE BLUE 2015Master Canary Forging by Yuki Koike - CODE BLUE 2015
Master Canary Forging by Yuki Koike - CODE BLUE 2015
 

Viewers also liked

Klee and angr
Klee and angrKlee and angr
Klee and angr
Wei-Bo Chen
 
滲透測試基本技巧與經驗分享
滲透測試基本技巧與經驗分享滲透測試基本技巧與經驗分享
滲透測試基本技巧與經驗分享
WEI CHIEH CHAO
 
2016.9.10 hackfoldr課
2016.9.10 hackfoldr課2016.9.10 hackfoldr課
2016.9.10 hackfoldr課
佩琪 羅
 
Bug hunting through_reverse_engineering
Bug hunting through_reverse_engineeringBug hunting through_reverse_engineering
Bug hunting through_reverse_engineering
arif
 
SECCON 2016 Online CTF [Memory Analysis] Write-Up (ver.korean)
SECCON 2016 Online CTF [Memory Analysis] Write-Up (ver.korean)SECCON 2016 Online CTF [Memory Analysis] Write-Up (ver.korean)
SECCON 2016 Online CTF [Memory Analysis] Write-Up (ver.korean)
Sehan Lee
 
Glibc malloc internal
Glibc malloc internalGlibc malloc internal
Glibc malloc internal
Motohiro KOSAKI
 
Reverse engineering
Reverse engineeringReverse engineering
Reverse engineering
Syed Zillay Ali
 
Introduction to Reverse Engineering
Introduction to Reverse EngineeringIntroduction to Reverse Engineering
Introduction to Reverse EngineeringDobromir Enchev
 
Reverse engineering
Reverse  engineeringReverse  engineering
Reverse engineering
Yuffie Valen
 
Introduction to Reverse Engineering
Introduction to Reverse EngineeringIntroduction to Reverse Engineering
Introduction to Reverse Engineering
Gopinath Chintala
 
Reverse Engineering
Reverse EngineeringReverse Engineering
Reverse Engineering
dswanson
 
Reverse engineering & its application
Reverse engineering & its applicationReverse engineering & its application
Reverse engineering & its application
mapqrs
 
Reverse engineering
Reverse engineeringReverse engineering
Reverse engineering
ananya0122
 
AI and Machine Learning Demystified by Carol Smith at Midwest UX 2017
AI and Machine Learning Demystified by Carol Smith at Midwest UX 2017AI and Machine Learning Demystified by Carol Smith at Midwest UX 2017
AI and Machine Learning Demystified by Carol Smith at Midwest UX 2017
Carol Smith
 

Viewers also liked (14)

Klee and angr
Klee and angrKlee and angr
Klee and angr
 
滲透測試基本技巧與經驗分享
滲透測試基本技巧與經驗分享滲透測試基本技巧與經驗分享
滲透測試基本技巧與經驗分享
 
2016.9.10 hackfoldr課
2016.9.10 hackfoldr課2016.9.10 hackfoldr課
2016.9.10 hackfoldr課
 
Bug hunting through_reverse_engineering
Bug hunting through_reverse_engineeringBug hunting through_reverse_engineering
Bug hunting through_reverse_engineering
 
SECCON 2016 Online CTF [Memory Analysis] Write-Up (ver.korean)
SECCON 2016 Online CTF [Memory Analysis] Write-Up (ver.korean)SECCON 2016 Online CTF [Memory Analysis] Write-Up (ver.korean)
SECCON 2016 Online CTF [Memory Analysis] Write-Up (ver.korean)
 
Glibc malloc internal
Glibc malloc internalGlibc malloc internal
Glibc malloc internal
 
Reverse engineering
Reverse engineeringReverse engineering
Reverse engineering
 
Introduction to Reverse Engineering
Introduction to Reverse EngineeringIntroduction to Reverse Engineering
Introduction to Reverse Engineering
 
Reverse engineering
Reverse  engineeringReverse  engineering
Reverse engineering
 
Introduction to Reverse Engineering
Introduction to Reverse EngineeringIntroduction to Reverse Engineering
Introduction to Reverse Engineering
 
Reverse Engineering
Reverse EngineeringReverse Engineering
Reverse Engineering
 
Reverse engineering & its application
Reverse engineering & its applicationReverse engineering & its application
Reverse engineering & its application
 
Reverse engineering
Reverse engineeringReverse engineering
Reverse engineering
 
AI and Machine Learning Demystified by Carol Smith at Midwest UX 2017
AI and Machine Learning Demystified by Carol Smith at Midwest UX 2017AI and Machine Learning Demystified by Carol Smith at Midwest UX 2017
AI and Machine Learning Demystified by Carol Smith at Midwest UX 2017
 

Similar to Play with FILE Structure - Yet Another Binary Exploit Technique

File handing in C
File handing in CFile handing in C
File handing in C
shrishcg
 
Systems Programming - File IO
Systems Programming - File IOSystems Programming - File IO
Systems Programming - File IO
HelpWithAssignment.com
 
File Handling in C .pptx
File Handling in C .pptxFile Handling in C .pptx
File Handling in C .pptx
Ayshwarya Baburam
 
File management
File managementFile management
File management
sumathiv9
 
NiFi Developer Guide
NiFi Developer GuideNiFi Developer Guide
NiFi Developer Guide
Deon Huang
 
06 file processing
06 file processing06 file processing
06 file processing
Issay Meii
 
Speed up large-scale ML/DL offline inference job with Alluxio
Speed up large-scale ML/DL offline inference job with AlluxioSpeed up large-scale ML/DL offline inference job with Alluxio
Speed up large-scale ML/DL offline inference job with Alluxio
Alluxio, Inc.
 
Linux System Programming - Buffered I/O
Linux System Programming - Buffered I/O Linux System Programming - Buffered I/O
Linux System Programming - Buffered I/O
YourHelper1
 
Unit 2.1 Introduction to Kernel.ppt (Kernel Services and Architecture)
Unit 2.1 Introduction to Kernel.ppt (Kernel Services and Architecture)Unit 2.1 Introduction to Kernel.ppt (Kernel Services and Architecture)
Unit 2.1 Introduction to Kernel.ppt (Kernel Services and Architecture)
AnilkumarBrahmane2
 
Under The Hood of Pluggable Databases by Alex Gorbachev, Pythian, Oracle OpeW...
Under The Hood of Pluggable Databases by Alex Gorbachev, Pythian, Oracle OpeW...Under The Hood of Pluggable Databases by Alex Gorbachev, Pythian, Oracle OpeW...
Under The Hood of Pluggable Databases by Alex Gorbachev, Pythian, Oracle OpeW...
Alex Gorbachev
 
Working with files (concepts/pseudocode/python)
Working with files (concepts/pseudocode/python)Working with files (concepts/pseudocode/python)
Working with files (concepts/pseudocode/python)
FerryKemperman
 
File mangement
File mangementFile mangement
File mangement
Jigarthacker
 
IS - section 1 - modifiedFinal information system.pptx
IS - section 1 - modifiedFinal information system.pptxIS - section 1 - modifiedFinal information system.pptx
IS - section 1 - modifiedFinal information system.pptx
NaglaaAbdelhady
 
Open Source LinkedIn Analytics Pipeline - BOSS 2016 (VLDB)
Open Source LinkedIn Analytics Pipeline - BOSS 2016 (VLDB)Open Source LinkedIn Analytics Pipeline - BOSS 2016 (VLDB)
Open Source LinkedIn Analytics Pipeline - BOSS 2016 (VLDB)
Issac Buenrostro
 
Vorontsov, golovko ssrf attacks and sockets. smorgasbord of vulnerabilities
Vorontsov, golovko   ssrf attacks and sockets. smorgasbord of vulnerabilitiesVorontsov, golovko   ssrf attacks and sockets. smorgasbord of vulnerabilities
Vorontsov, golovko ssrf attacks and sockets. smorgasbord of vulnerabilities
DefconRussia
 
Unix cmc
Unix cmcUnix cmc
Unix cmc
Oussama BENNANI
 
NiFi - First approach
NiFi - First approachNiFi - First approach
NiFi - First approach
Mickael Cassy
 
Process Communication IPC in LINUX Environments
Process Communication IPC in LINUX EnvironmentsProcess Communication IPC in LINUX Environments
Process Communication IPC in LINUX Environments
infant2404
 
Linux System Programming - File I/O
Linux System Programming - File I/O Linux System Programming - File I/O
Linux System Programming - File I/O
YourHelper1
 
Linux operating system by Quontra Solutions
Linux operating system by Quontra SolutionsLinux operating system by Quontra Solutions
Linux operating system by Quontra Solutions
QUONTRASOLUTIONS
 

Similar to Play with FILE Structure - Yet Another Binary Exploit Technique (20)

File handing in C
File handing in CFile handing in C
File handing in C
 
Systems Programming - File IO
Systems Programming - File IOSystems Programming - File IO
Systems Programming - File IO
 
File Handling in C .pptx
File Handling in C .pptxFile Handling in C .pptx
File Handling in C .pptx
 
File management
File managementFile management
File management
 
NiFi Developer Guide
NiFi Developer GuideNiFi Developer Guide
NiFi Developer Guide
 
06 file processing
06 file processing06 file processing
06 file processing
 
Speed up large-scale ML/DL offline inference job with Alluxio
Speed up large-scale ML/DL offline inference job with AlluxioSpeed up large-scale ML/DL offline inference job with Alluxio
Speed up large-scale ML/DL offline inference job with Alluxio
 
Linux System Programming - Buffered I/O
Linux System Programming - Buffered I/O Linux System Programming - Buffered I/O
Linux System Programming - Buffered I/O
 
Unit 2.1 Introduction to Kernel.ppt (Kernel Services and Architecture)
Unit 2.1 Introduction to Kernel.ppt (Kernel Services and Architecture)Unit 2.1 Introduction to Kernel.ppt (Kernel Services and Architecture)
Unit 2.1 Introduction to Kernel.ppt (Kernel Services and Architecture)
 
Under The Hood of Pluggable Databases by Alex Gorbachev, Pythian, Oracle OpeW...
Under The Hood of Pluggable Databases by Alex Gorbachev, Pythian, Oracle OpeW...Under The Hood of Pluggable Databases by Alex Gorbachev, Pythian, Oracle OpeW...
Under The Hood of Pluggable Databases by Alex Gorbachev, Pythian, Oracle OpeW...
 
Working with files (concepts/pseudocode/python)
Working with files (concepts/pseudocode/python)Working with files (concepts/pseudocode/python)
Working with files (concepts/pseudocode/python)
 
File mangement
File mangementFile mangement
File mangement
 
IS - section 1 - modifiedFinal information system.pptx
IS - section 1 - modifiedFinal information system.pptxIS - section 1 - modifiedFinal information system.pptx
IS - section 1 - modifiedFinal information system.pptx
 
Open Source LinkedIn Analytics Pipeline - BOSS 2016 (VLDB)
Open Source LinkedIn Analytics Pipeline - BOSS 2016 (VLDB)Open Source LinkedIn Analytics Pipeline - BOSS 2016 (VLDB)
Open Source LinkedIn Analytics Pipeline - BOSS 2016 (VLDB)
 
Vorontsov, golovko ssrf attacks and sockets. smorgasbord of vulnerabilities
Vorontsov, golovko   ssrf attacks and sockets. smorgasbord of vulnerabilitiesVorontsov, golovko   ssrf attacks and sockets. smorgasbord of vulnerabilities
Vorontsov, golovko ssrf attacks and sockets. smorgasbord of vulnerabilities
 
Unix cmc
Unix cmcUnix cmc
Unix cmc
 
NiFi - First approach
NiFi - First approachNiFi - First approach
NiFi - First approach
 
Process Communication IPC in LINUX Environments
Process Communication IPC in LINUX EnvironmentsProcess Communication IPC in LINUX Environments
Process Communication IPC in LINUX Environments
 
Linux System Programming - File I/O
Linux System Programming - File I/O Linux System Programming - File I/O
Linux System Programming - File I/O
 
Linux operating system by Quontra Solutions
Linux operating system by Quontra SolutionsLinux operating system by Quontra Solutions
Linux operating system by Quontra Solutions
 

Recently uploaded

June Patch Tuesday
June Patch TuesdayJune Patch Tuesday
June Patch Tuesday
Ivanti
 
Connector Corner: Seamlessly power UiPath Apps, GenAI with prebuilt connectors
Connector Corner: Seamlessly power UiPath Apps, GenAI with prebuilt connectorsConnector Corner: Seamlessly power UiPath Apps, GenAI with prebuilt connectors
Connector Corner: Seamlessly power UiPath Apps, GenAI with prebuilt connectors
DianaGray10
 
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAUHCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU
panagenda
 
JavaLand 2024: Application Development Green Masterplan
JavaLand 2024: Application Development Green MasterplanJavaLand 2024: Application Development Green Masterplan
JavaLand 2024: Application Development Green Masterplan
Miro Wengner
 
Building Production Ready Search Pipelines with Spark and Milvus
Building Production Ready Search Pipelines with Spark and MilvusBuilding Production Ready Search Pipelines with Spark and Milvus
Building Production Ready Search Pipelines with Spark and Milvus
Zilliz
 
Introduction of Cybersecurity with OSS at Code Europe 2024
Introduction of Cybersecurity with OSS  at Code Europe 2024Introduction of Cybersecurity with OSS  at Code Europe 2024
Introduction of Cybersecurity with OSS at Code Europe 2024
Hiroshi SHIBATA
 
HCL Notes and Domino License Cost Reduction in the World of DLAU
HCL Notes and Domino License Cost Reduction in the World of DLAUHCL Notes and Domino License Cost Reduction in the World of DLAU
HCL Notes and Domino License Cost Reduction in the World of DLAU
panagenda
 
Columbus Data & Analytics Wednesdays - June 2024
Columbus Data & Analytics Wednesdays - June 2024Columbus Data & Analytics Wednesdays - June 2024
Columbus Data & Analytics Wednesdays - June 2024
Jason Packer
 
Apps Break Data
Apps Break DataApps Break Data
Apps Break Data
Ivo Velitchkov
 
“How Axelera AI Uses Digital Compute-in-memory to Deliver Fast and Energy-eff...
“How Axelera AI Uses Digital Compute-in-memory to Deliver Fast and Energy-eff...“How Axelera AI Uses Digital Compute-in-memory to Deliver Fast and Energy-eff...
“How Axelera AI Uses Digital Compute-in-memory to Deliver Fast and Energy-eff...
Edge AI and Vision Alliance
 
TrustArc Webinar - 2024 Global Privacy Survey
TrustArc Webinar - 2024 Global Privacy SurveyTrustArc Webinar - 2024 Global Privacy Survey
TrustArc Webinar - 2024 Global Privacy Survey
TrustArc
 
Digital Marketing Trends in 2024 | Guide for Staying Ahead
Digital Marketing Trends in 2024 | Guide for Staying AheadDigital Marketing Trends in 2024 | Guide for Staying Ahead
Digital Marketing Trends in 2024 | Guide for Staying Ahead
Wask
 
Your One-Stop Shop for Python Success: Top 10 US Python Development Providers
Your One-Stop Shop for Python Success: Top 10 US Python Development ProvidersYour One-Stop Shop for Python Success: Top 10 US Python Development Providers
Your One-Stop Shop for Python Success: Top 10 US Python Development Providers
akankshawande
 
Main news related to the CCS TSI 2023 (2023/1695)
Main news related to the CCS TSI 2023 (2023/1695)Main news related to the CCS TSI 2023 (2023/1695)
Main news related to the CCS TSI 2023 (2023/1695)
Jakub Marek
 
Best 20 SEO Techniques To Improve Website Visibility In SERP
Best 20 SEO Techniques To Improve Website Visibility In SERPBest 20 SEO Techniques To Improve Website Visibility In SERP
Best 20 SEO Techniques To Improve Website Visibility In SERP
Pixlogix Infotech
 
Driving Business Innovation: Latest Generative AI Advancements & Success Story
Driving Business Innovation: Latest Generative AI Advancements & Success StoryDriving Business Innovation: Latest Generative AI Advancements & Success Story
Driving Business Innovation: Latest Generative AI Advancements & Success Story
Safe Software
 
5th LF Energy Power Grid Model Meet-up Slides
5th LF Energy Power Grid Model Meet-up Slides5th LF Energy Power Grid Model Meet-up Slides
5th LF Energy Power Grid Model Meet-up Slides
DanBrown980551
 
Serial Arm Control in Real Time Presentation
Serial Arm Control in Real Time PresentationSerial Arm Control in Real Time Presentation
Serial Arm Control in Real Time Presentation
tolgahangng
 
Digital Banking in the Cloud: How Citizens Bank Unlocked Their Mainframe
Digital Banking in the Cloud: How Citizens Bank Unlocked Their MainframeDigital Banking in the Cloud: How Citizens Bank Unlocked Their Mainframe
Digital Banking in the Cloud: How Citizens Bank Unlocked Their Mainframe
Precisely
 
zkStudyClub - LatticeFold: A Lattice-based Folding Scheme and its Application...
zkStudyClub - LatticeFold: A Lattice-based Folding Scheme and its Application...zkStudyClub - LatticeFold: A Lattice-based Folding Scheme and its Application...
zkStudyClub - LatticeFold: A Lattice-based Folding Scheme and its Application...
Alex Pruden
 

Recently uploaded (20)

June Patch Tuesday
June Patch TuesdayJune Patch Tuesday
June Patch Tuesday
 
Connector Corner: Seamlessly power UiPath Apps, GenAI with prebuilt connectors
Connector Corner: Seamlessly power UiPath Apps, GenAI with prebuilt connectorsConnector Corner: Seamlessly power UiPath Apps, GenAI with prebuilt connectors
Connector Corner: Seamlessly power UiPath Apps, GenAI with prebuilt connectors
 
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAUHCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU
 
JavaLand 2024: Application Development Green Masterplan
JavaLand 2024: Application Development Green MasterplanJavaLand 2024: Application Development Green Masterplan
JavaLand 2024: Application Development Green Masterplan
 
Building Production Ready Search Pipelines with Spark and Milvus
Building Production Ready Search Pipelines with Spark and MilvusBuilding Production Ready Search Pipelines with Spark and Milvus
Building Production Ready Search Pipelines with Spark and Milvus
 
Introduction of Cybersecurity with OSS at Code Europe 2024
Introduction of Cybersecurity with OSS  at Code Europe 2024Introduction of Cybersecurity with OSS  at Code Europe 2024
Introduction of Cybersecurity with OSS at Code Europe 2024
 
HCL Notes and Domino License Cost Reduction in the World of DLAU
HCL Notes and Domino License Cost Reduction in the World of DLAUHCL Notes and Domino License Cost Reduction in the World of DLAU
HCL Notes and Domino License Cost Reduction in the World of DLAU
 
Columbus Data & Analytics Wednesdays - June 2024
Columbus Data & Analytics Wednesdays - June 2024Columbus Data & Analytics Wednesdays - June 2024
Columbus Data & Analytics Wednesdays - June 2024
 
Apps Break Data
Apps Break DataApps Break Data
Apps Break Data
 
“How Axelera AI Uses Digital Compute-in-memory to Deliver Fast and Energy-eff...
“How Axelera AI Uses Digital Compute-in-memory to Deliver Fast and Energy-eff...“How Axelera AI Uses Digital Compute-in-memory to Deliver Fast and Energy-eff...
“How Axelera AI Uses Digital Compute-in-memory to Deliver Fast and Energy-eff...
 
TrustArc Webinar - 2024 Global Privacy Survey
TrustArc Webinar - 2024 Global Privacy SurveyTrustArc Webinar - 2024 Global Privacy Survey
TrustArc Webinar - 2024 Global Privacy Survey
 
Digital Marketing Trends in 2024 | Guide for Staying Ahead
Digital Marketing Trends in 2024 | Guide for Staying AheadDigital Marketing Trends in 2024 | Guide for Staying Ahead
Digital Marketing Trends in 2024 | Guide for Staying Ahead
 
Your One-Stop Shop for Python Success: Top 10 US Python Development Providers
Your One-Stop Shop for Python Success: Top 10 US Python Development ProvidersYour One-Stop Shop for Python Success: Top 10 US Python Development Providers
Your One-Stop Shop for Python Success: Top 10 US Python Development Providers
 
Main news related to the CCS TSI 2023 (2023/1695)
Main news related to the CCS TSI 2023 (2023/1695)Main news related to the CCS TSI 2023 (2023/1695)
Main news related to the CCS TSI 2023 (2023/1695)
 
Best 20 SEO Techniques To Improve Website Visibility In SERP
Best 20 SEO Techniques To Improve Website Visibility In SERPBest 20 SEO Techniques To Improve Website Visibility In SERP
Best 20 SEO Techniques To Improve Website Visibility In SERP
 
Driving Business Innovation: Latest Generative AI Advancements & Success Story
Driving Business Innovation: Latest Generative AI Advancements & Success StoryDriving Business Innovation: Latest Generative AI Advancements & Success Story
Driving Business Innovation: Latest Generative AI Advancements & Success Story
 
5th LF Energy Power Grid Model Meet-up Slides
5th LF Energy Power Grid Model Meet-up Slides5th LF Energy Power Grid Model Meet-up Slides
5th LF Energy Power Grid Model Meet-up Slides
 
Serial Arm Control in Real Time Presentation
Serial Arm Control in Real Time PresentationSerial Arm Control in Real Time Presentation
Serial Arm Control in Real Time Presentation
 
Digital Banking in the Cloud: How Citizens Bank Unlocked Their Mainframe
Digital Banking in the Cloud: How Citizens Bank Unlocked Their MainframeDigital Banking in the Cloud: How Citizens Bank Unlocked Their Mainframe
Digital Banking in the Cloud: How Citizens Bank Unlocked Their Mainframe
 
zkStudyClub - LatticeFold: A Lattice-based Folding Scheme and its Application...
zkStudyClub - LatticeFold: A Lattice-based Folding Scheme and its Application...zkStudyClub - LatticeFold: A Lattice-based Folding Scheme and its Application...
zkStudyClub - LatticeFold: A Lattice-based Folding Scheme and its Application...
 

Play with FILE Structure - Yet Another Binary Exploit Technique

  • 1. Play with FILE Structure Yet Another Binary Exploit Technique angelboy@chroot.org 1
  • 2. About me • Angelboy • CTF player • WCTF / Boston Key Party 1st • DEFCON / HITB 2nd • Chroot / HITCON / 217 • Blog • blog.angelboy.tw 2
  • 3. Agenda • Introduction • File stream • Overview the FILE structure • Exploitation of FILE structure • FSOP • Vtable verification in FILE structure • Make FILE structure great again • Conclusion 3
  • 4. Agenda • Introduction • File stream • Overview the FILE structure • Exploitation of FILE structure • FSOP • Vtable verification in FILE structure • Make FILE structure great again • Conclusion 4
  • 5. Introduction • What happen when we use a raw io function read/write Kernel Buffer User space Kernel space Disk 5
  • 6. Introduction • What happen when we use a raw io function read/write Kernel Buffer User space Kernel space Disk Reduce the number of HD I/O 6
  • 7. Introduction • What is File stream • A higher-level interface on the primitive file descriptor facilities • Stream buffering • Portable and High performance • What is FILE structure • A File stream descriptor • Created by fopen 7
  • 8. Introduction • What happen when we use stdio function read/write Kernel Buffer User space Kernel space Disk stdio Buffer fread/fwrite 8
  • 9. Introduction • What happen when we use stdio function read/write Kernel Buffer User space Kernel space Disk stdio Buffer fread/fwrite Reduce the number of syscall 9
  • 10. Agenda • Introduction • File stream • Overview the FILE structure • Exploitation of FILE structure • FSOP • Vtable verification in FILE structure • Make FILE structure great again • Conclusion 10
  • 11. Introduction • FILE structure • A complex structure • Flags • Stream buffer • File descriptor • FILE_plus • Virtual function table 11
  • 12. Introduction • FILE structure • Flags • Record the attribute of the File stream • Read only • Append • … 12
  • 13. Introduction • FILE structure • Stream buffer • Read buffer • Write buffer • Reserve buffer 13
  • 14. Introduction • FILE structure • _fileno • File descriptor • Return by sys_open 14
  • 15. Introduction • FILE structure • FILE plus • stdin/stdout/stderr • fopen also use it • Extra Virtual function table • Any operation on file is via vtable 15
  • 16. Introduction • FILE structure • FILE plus • stdin/stdout/stderr • fopen also use it • Extra Virtual function table • Any operation on file is via vtable 16
  • 17. Introduction • FILE structure • Every FILE associate with a _chain (linked list) 17 _IO_list_all _flag …… chain _flag …… chain _flag …… 0 stderr stdout stdin
  • 18. Introduction • fopen workflow • Allocate FILE structure • Initial the FILE structure • Link the FILE structure • open file 18 fopen malloc _IO_link_in sys_open _IO_new_file_init_internal _IO_new_file_open
  • 19. Introduction • fopen workflow • Allocate FILE structure _IO_list_all _flag …… chain …… vtable _flag …… chain …… vtable _flag …… 0 …… vtable stderr stdout stdin 19 malloc
  • 20. Introduction • fopen workflow • Initialize the FILE structure • Link the FILE structure _IO_list_all _flag …… chain …… vtable _flag …… chain …… vtable _flag …… 0 …… vtable stderr stdout stdin 0 …… 0 …… 0 fp 20 _IO_new_file_init_internal _IO_link_in
  • 21. Introduction • fopen workflow • Initial the FILE structure • Link the FILE structure _IO_list_all _flag …… chain …… vtable _flag …… chain …… vtable _flag …… 0 …… vtable stderr stdout stdin _flag …… chain …… vtable fp 21 _IO_link_in _IO_new_file_init_internal
  • 22. Introduction • fopen workflow • open file _IO_list_all _flag …… chain …… vtable _flag …… chain …… vtable _flag …… 0 …… vtable stderr stdout stdin _flag …… chain …… vtable fp 22 sys_open
  • 23. Introduction • fread workflow • If stream buffer is NULL • Allocate buffer • Read data to the stream buffer • Copy data from stream buffer to destination 23 fread vtable->_IO_file_xsgetn vtable->doallocate vtable->_IO_file_underflow sys_read
  • 24. Introduction • fread workflow • If stream buffer is NULL • Allocate buffer _flag read_ptr (0) read_end (0) …… buf_base (0) buf_end (0) …… vtable fp _IO_file_finish _IO_file_overflow … _IO_file_doallocate … … … _IO_default_imbue vtable 24 fread vtable->_IO_file_xsgetn vtable->doallocate
  • 25. Introduction • fread workflow • Read data to the stream buffer _flag read_ptr (0) read_end (0) …… 0x603010 0x604010 …… vtable fp stdio buffer 25 vtable->_IO_file_underflow sys_read
  • 26. Introduction • fread workflow • Copy data from stream buffer 
 to destination _flag 0x603010 0x604010 …… 0x603010 0x604010 …… vtable fp AAAA AAAA BBBB BBBB CCCC CCCC … … … ZZZZ stdio buffer Destination 26 vtable->_IO_file_xsgetn
  • 27. AAAA AAAA BBBB BBBB CCCC CCCC … … … ZZZZ Introduction • fread workflow • Copy data from stream buffer 
 to destination _flag 0x603040 0x604010 …… 0x603010 0x604010 …… vtable fp stdio buffer AAAAAAAA Copy to destination 27 vtable->_IO_file_xsgetn
  • 28. Introduction • fwrite workflow • If stream buffer is NULL • Allocate buffer • Copy user data to the stream buffer • If the stream buffer is filled or flush the stream • write data from stream buffer to the file 28 fwrite vtable->_IO_file_xsputn vtable->_IO_file_overflow vtable->doallocate sys_write
  • 29. Introduction • fclose workflow • Unlink the FILE structure • Flush & Release the stream buffer • Close the file • Release the FILE structure 29 fclose _IO_unlink_it _IO_new_file_close_it _IO_do_flush sys_close vtable—>_IO_file_finish free
  • 30. Agenda • Introduction • File stream • Overview the FILE structure • Exploitation of FILE structure • FSOP • Vtable verification in FILE structure • Make FILE structure great again • Conclusion 30
  • 31. Exploitation of FILE • There are a good target in FILE structure • Virtual Function Table 31
  • 32. • Let’s overwrite with buffer address Exploitation of FILE Buffer overflow Sample code payload Buffer address 32 //variable buf at 0x6009a0
  • 33. • Let’s overwrite with buffer address Exploitation of FILE 33 Buffer fp fp _flag read_ptr (0) read_end (0) …… vtable
  • 34. • Let’s overwrite with buffer address Exploitation of FILE 34 AAAAAAAA AAAAAAAA AAAAAAAA AAAAAAAA …… …… AAAAAAAA …… Buffer 0x6009a0 fp _flag read_ptr (0) read_end (0) …… vtable Buffer overflow
  • 35. Exploitation of FILE • Not call vtable directly… • RDX is our input
 but not call instruction 35
  • 36. Exploitation of FILE • Let’s see what happened in fclose • We can get information of segfault in gdb and located it in source code Segfault 36
  • 37. Exploitation of FILE • FILE structure • _lock • Prevent race condition in multithread • Very common in stdio related function • Usually need to construct it for Exploitation 37
  • 38. • Let’s fix the lock Exploitation of FILE Find a global buffer as our lock Fix our payload offset of _lock 38 0x100 bytes
  • 39. • We control PC ! Exploitation of FILE 39
  • 40. Exploitation of FILE • Another interesting • stdin/stdout/stderr is also a FILE structure in glibc • We can overwrite the global variable in glibc to control the flow 40 GLIBC SYMBOL TABLE Global offset
  • 41. Agenda • Introduction • File stream • Overview the FILE structure • Exploitation of FILE structure • FSOP • Vtable verification in FILE structure • Make FILE structure great again • Conclusion 41
  • 42. FSOP • File-Stream Oriented Programing • Control the linked list of File stream • _chain • _IO_list_all • Powerful function • _IO_flush_all_lockp 42
  • 43. FSOP • _IO_flush_all_lockp • fflush all file stream • When will call it • Glib abort routine • exit function • Main return 43 malloc_printerr _libc_message(error msg) abort _IO_flush_all_lockp JUMP_FIELD(_IO_overflow_t, __overflow) If the condition is satisfied Glibc abort routine
  • 44. FSOP • _IO_flush_all_lockp • It will process all FILE
 in FILE linked list • We can construct the
 linked list to do oriented
 programing 44 fp = _IO_list_all condition Trigger virtual funcition Point to next
  • 45. FSOP • File-Stream Oriented Programing _IO_list_all _flags _IO_read_ptr … … … _IO_FILE *chain … … vtable 45
  • 46. FSOP • File-Stream Oriented Programing _IO_list_all _flags _IO_read_ptr … … … _IO_FILE *chain … … vtable _flags(“bar”) _IO_read_ptr … … … _IO_FILE *chain … … vtable _flags(“sh”) _IO_read_ptr … … … _IO_FILE *chain … … vtablefake_vtable fake_vtable2 system system system … … foo foo foo … … Trigger abort() 46
  • 47. FSOP • File-Stream Oriented Programing _IO_list_all _flags _IO_read_ptr … … … _IO_FILE *chain … … vtable _flags(“bar”) _IO_read_ptr … … … _IO_FILE *chain … … vtable _flags(“sh”) _IO_read_ptr … … … _IO_FILE *chain … … vtablefake_vtable fake_vtable2 system system system … … foo foo foo … … call foo(_flags) 47
  • 48. FSOP • File-Stream Oriented Programing _IO_list_all _flags _IO_read_ptr … … … _IO_FILE *chain … … vtable _flags(“bar”) _IO_read_ptr … … … _IO_FILE *chain … … vtable _flags(“sh”) _IO_read_ptr … … … _IO_FILE *chain … … vtablefake_vtable fake_vtable2 system system system … … foo foo foo … … call foo(“bar”) 48
  • 49. FSOP • File-Stream Oriented Programing _IO_list_all _flags _IO_read_ptr … … … _IO_FILE *chain … … vtable _flags(“bar”) _IO_read_ptr … … … _IO_FILE *chain … … vtable _flags(“sh”) _IO_read_ptr … … … _IO_FILE *chain … … vtablefake_vtable fake_vtable2 system system system … … foo foo foo … … fp = fp->chain 49
  • 50. FSOP • File-Stream Oriented Programing _IO_list_all _flags _IO_read_ptr … … … _IO_FILE *chain … … vtable _flags(“bar”) _IO_read_ptr … … … _IO_FILE *chain … … vtable _flags(“sh”) _IO_read_ptr … … … _IO_FILE *chain … … vtablefake_vtable fake_vtable2 system system system … … foo foo foo … … call system(_flags) 50
  • 51. FSOP • File-Stream Oriented Programing _IO_list_all _flags _IO_read_ptr … … … _IO_FILE *chain … … vtable _flags(“bar”) _IO_read_ptr … … … _IO_FILE *chain … … vtable _flags(“sh”) _IO_read_ptr … … … _IO_FILE *chain … … vtablefake_vtable fake_vtable2 system system system … … foo foo foo … … call system(_flags) GET SHELL !! 51
  • 52. Agenda • Introduction • File stream • Overview the FILE structure • Exploitation of FILE structure • FSOP • Vtable verification in FILE structure • Make FILE structure great again • Conclusion 52
  • 53. Vtable verification • Unfortunately, there are a virtual function table in latest libc • Check the address of vtable before all virtual function call • If vtable is invalid, it would abort 53
  • 54. Vtable verification • Vtable verification in File • The vtable must be in libc _IO_vtable section • If it’s not in _IO_vtable section, it will check if the vtable are permitted 54
  • 55. • _IO_vtable_check • Check the foreign vtables Vtable verification 55 For overriding For share library
  • 56. Vtable verification • Bypass ? • Overwrite IO_accept_foreign_vtables ? • It’s very difficult because of the pointer guard 56 Demangle with pointer guard
  • 57. Vtable verification • Bypass ? • Overwrite _dl_open_hook ? • Sounds good, but if you can control the value, you can also control other good target 57
  • 58. Vtable verification • Summary of the vtable verification • It very hard to bypass it. • Exploitation of FILE structure is died ? 58
  • 59. Agenda • Introduction • File stream • Overview the FILE structure • Exploitation of FILE structure • FSOP • Vtable verification in FILE structure • Make FILE structure great again • Conclusion 59
  • 60. Make FILE structure great again • How about change the target from vtable to other element ? • Stream Buffer & File Descriptor 60
  • 61. Make FILE structure great again • If we can overwrite the FILE structure and use fread and fwrite with the FILE structure • We can • Arbitrary memory reading • Arbitrary memory writing 61
  • 62. Make FILE structure great again • Arbitrary memory reading • fwrite • Set the _fileno to the file descriptor of stdout • Set _flag & ~_IO_NO_WRITES • Set _flag |= _IO_CURRENTLY_PUTTING • Set the write_base & write_ptr to memory address which you want to read • _IO_read_end equal to _IO_write_base 62
  • 63. Make FILE structure great again • Arbitrary memory reading • Set _flag &~ _IO_NO_WRITES • Set _flag |= _IO_CURRENTLY_PUTTING 63 Our goal It will adjust the stream buffer A piece of code in fwrite
  • 64. Make FILE structure great again • Arbitrary memory reading • Let _IO_read_end equal to _IO_write_base • If it’s not, it would adjust to the current offset. 64 It will adjust the stream buffer Our goal
  • 65. Make FILE structure great again • Arbitrary memory reading • Sample code 65
  • 66. Make FILE structure great again • Arbitrary memory writing • fread • Set the _fileno to file descriptor of stdin • Set _flag &~ _IO_NO_READS • Set read_base & read_ptr to NULL • Set the buf_base & buf_end to memory address which you want to wirte • buf_end - buf_base < size of fread 66
  • 67. Make FILE structure great again • Arbitrary memory writing • Set read_base & read_ptr to NULL 67 It will copy data from buffer to destination Buffer size must be smaller than read size
  • 68. Make FILE structure great again • Arbitrary memory writing • Set _flag &~ _IO_NO_READS 68 Our goal
  • 69. Make FILE structure great again • Arbitrary memory writing • Sample code 69
  • 70. Make FILE structure great again • If you have arbitrary memory address read and write, you can control the flow very easy • GOT hijack • __malloc_hook_/__free_hook_/__realloc_hook_ • … • By the way, you can not only use fread and fwrite but also use any stdio related function 70
  • 71. Make FILE structure great again • If we don’t have any file operation in the program • We can use stdin/stdout/stderr • put/printf/scanf • … 71
  • 72. Make FILE structure great again • Scenario • Use any stdin related function • scanf/fgets/gets … • Stdin is unbuffer • Very common in normal stdio program 72 … _IO_buf_base _IO_buf_end … _short_buf … stdin buffer stdin
  • 73. Make FILE structure great again • Overwrite buf_end with a pointer behind the stdin • Unsorted bin attack • Very common in heap exploitation 73 … _IO_buf_base _IO_buf_end … _short_buf … stdin buffer stdin
  • 74. Make FILE structure great again • Overwrite buf_end with a pointer behind the stdin • Unsorted bin attack • Very common in heap exploitation 74 … _IO_buf_base Unsorted bin … _short_buf … vtable … stdin stdin buffer … main_arena malloc_hook
  • 75. Make FILE structure great again • Stdin related function • scanf(“%d”,&var) • It will call • read(0,buf_base,sizeof(stdin buffer)) 75 … _IO_buf_base Unsorted bin … _short_buf … vtable … stdin stdin buffer … main_arena malloc_hook
  • 76. Make FILE structure great again • Stdin related function • scanf(“%d”,&var) • It will call • read(0,buf_base,sizeof(stdin buffer)) • It can overwrite many global variable in glibc • Input: aaaa……. 76 … _IO_buf_base Unsorted bin … aaaaaaaa … aaaaaaaa … stdin stdin buffer … main_arena aaaaaaaa
  • 77. Make FILE structure great again • Stdin related function • scanf(“%d”,&var) • It will call • read(0,buf_base,sizeof(stdin buffer)) • It can overwrite many global variable in glibc • Input: aaaa……. 77 … _IO_buf_base aaaaaaaa … aaaaaaaa … aaaaaaaa … stdin stdin buffer … main_arena aaaaaaaa Control PC again !
  • 78. Make FILE structure great again • How about Windows ? • No vtable in FILE • It also has stream buffer pointer • You can corrupt it to achieve arbitrary memory read and write 78
  • 79. Agenda • Introduction • File stream • Overview the FILE structure • Exploitation of FILE structure • FSOP • Vtable verification in FILE structure • Make FILE structure great again • Conclusion 79
  • 80. Conclusion • FILE structure is a good target for binary exploit • It can be used to • Arbitrary memory read and write • Control the PC and do oriented programing • Other exploit technology • Arbitrary free/unmmap • … 80
  • 81. Conclusion • FILE structure is a good target for binary Exploit • It’s very powerful in some unexploitable case • Let’s try to find more and more exploit technology in FILE structure 81 Mail : angelboy@chroot.org Blog : blog.angelboy.tw Twitter : scwuaptx