SlideShare a Scribd company logo

Play with FILE Structure - Yet Another Binary Exploit Technique

A
Angel Boy

The document discusses exploiting the FILE structure in C programs. It provides an overview of how file streams and the FILE structure work. Key points include that the FILE structure contains flags, buffers, a file descriptor, and a virtual function table. It describes how functions like fopen, fread, and fwrite interact with the FILE structure. It then discusses potential exploitation techniques like overwriting the virtual function table or FILE's linked list to gain control of program flow. It notes defenses like vtable verification implemented in modern libc libraries.

Technology
1 of 81
Downloaded 647 times
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
Most read
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
Most read
63
64
65
66
Most read
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
Play with FILE Structure Yet Another Binary Exploit Technique angelboy@chroot.org 1
About me • Angelboy • CTF player • WCTF / Boston Key Party 1st • DEFCON / HITB 2nd • Chroot / HITCON / 217 • Blog • blog.angelboy.tw 2
Agenda • Introduction • File stream • Overview the FILE structure • Exploitation of FILE structure • FSOP • Vtable verification in FILE structure • Make FILE structure great again • Conclusion 3
Agenda • Introduction • File stream • Overview the FILE structure • Exploitation of FILE structure • FSOP • Vtable verification in FILE structure • Make FILE structure great again • Conclusion 4
Introduction • What happen when we use a raw io function read/write Kernel Buffer User space Kernel space Disk 5
Introduction • What happen when we use a raw io function read/write Kernel Buffer User space Kernel space Disk Reduce the number of HD I/O 6
Introduction • What is File stream • A higher-level interface on the primitive file descriptor facilities • Stream buffering • Portable and High performance • What is FILE structure • A File stream descriptor • Created by fopen 7
Introduction • What happen when we use stdio function read/write Kernel Buffer User space Kernel space Disk stdio Buffer fread/fwrite 8
Introduction • What happen when we use stdio function read/write Kernel Buffer User space Kernel space Disk stdio Buffer fread/fwrite Reduce the number of syscall 9
Agenda • Introduction • File stream • Overview the FILE structure • Exploitation of FILE structure • FSOP • Vtable verification in FILE structure • Make FILE structure great again • Conclusion 10
Introduction • FILE structure • A complex structure • Flags • Stream buffer • File descriptor • FILE_plus • Virtual function table 11
Introduction • FILE structure • Flags • Record the attribute of the File stream • Read only • Append • … 12
Introduction • FILE structure • Stream buffer • Read buffer • Write buffer • Reserve buffer 13
Introduction • FILE structure • _fileno • File descriptor • Return by sys_open 14
Introduction • FILE structure • FILE plus • stdin/stdout/stderr • fopen also use it • Extra Virtual function table • Any operation on file is via vtable 15
Introduction • FILE structure • FILE plus • stdin/stdout/stderr • fopen also use it • Extra Virtual function table • Any operation on file is via vtable 16
Introduction • FILE structure • Every FILE associate with a _chain (linked list) 17 _IO_list_all _flag …… chain _flag …… chain _flag …… 0 stderr stdout stdin
Introduction • fopen workflow • Allocate FILE structure • Initial the FILE structure • Link the FILE structure • open file 18 fopen malloc _IO_link_in sys_open _IO_new_file_init_internal _IO_new_file_open
Introduction • fopen workflow • Allocate FILE structure _IO_list_all _flag …… chain …… vtable _flag …… chain …… vtable _flag …… 0 …… vtable stderr stdout stdin 19 malloc
Introduction • fopen workflow • Initialize the FILE structure • Link the FILE structure _IO_list_all _flag …… chain …… vtable _flag …… chain …… vtable _flag …… 0 …… vtable stderr stdout stdin 0 …… 0 …… 0 fp 20 _IO_new_file_init_internal _IO_link_in
Introduction • fopen workflow • Initial the FILE structure • Link the FILE structure _IO_list_all _flag …… chain …… vtable _flag …… chain …… vtable _flag …… 0 …… vtable stderr stdout stdin _flag …… chain …… vtable fp 21 _IO_link_in _IO_new_file_init_internal
Introduction • fopen workflow • open file _IO_list_all _flag …… chain …… vtable _flag …… chain …… vtable _flag …… 0 …… vtable stderr stdout stdin _flag …… chain …… vtable fp 22 sys_open
Introduction • fread workflow • If stream buffer is NULL • Allocate buffer • Read data to the stream buffer • Copy data from stream buffer to destination 23 fread vtable->_IO_file_xsgetn vtable->doallocate vtable->_IO_file_underflow sys_read
Introduction • fread workflow • If stream buffer is NULL • Allocate buffer _flag read_ptr (0) read_end (0) …… buf_base (0) buf_end (0) …… vtable fp _IO_file_finish _IO_file_overflow … _IO_file_doallocate … … … _IO_default_imbue vtable 24 fread vtable->_IO_file_xsgetn vtable->doallocate
Introduction • fread workflow • Read data to the stream buffer _flag read_ptr (0) read_end (0) …… 0x603010 0x604010 …… vtable fp stdio buffer 25 vtable->_IO_file_underflow sys_read
Introduction • fread workflow • Copy data from stream buffer 
 to destination _flag 0x603010 0x604010 …… 0x603010 0x604010 …… vtable fp AAAA AAAA BBBB BBBB CCCC CCCC … … … ZZZZ stdio buffer Destination 26 vtable->_IO_file_xsgetn
AAAA AAAA BBBB BBBB CCCC CCCC … … … ZZZZ Introduction • fread workflow • Copy data from stream buffer 
 to destination _flag 0x603040 0x604010 …… 0x603010 0x604010 …… vtable fp stdio buffer AAAAAAAA Copy to destination 27 vtable->_IO_file_xsgetn
Introduction • fwrite workflow • If stream buffer is NULL • Allocate buffer • Copy user data to the stream buffer • If the stream buffer is filled or flush the stream • write data from stream buffer to the file 28 fwrite vtable->_IO_file_xsputn vtable->_IO_file_overflow vtable->doallocate sys_write
Introduction • fclose workflow • Unlink the FILE structure • Flush & Release the stream buffer • Close the file • Release the FILE structure 29 fclose _IO_unlink_it _IO_new_file_close_it _IO_do_flush sys_close vtable—>_IO_file_finish free
Agenda • Introduction • File stream • Overview the FILE structure • Exploitation of FILE structure • FSOP • Vtable verification in FILE structure • Make FILE structure great again • Conclusion 30
Exploitation of FILE • There are a good target in FILE structure • Virtual Function Table 31
• Let’s overwrite with buffer address Exploitation of FILE Buffer overflow Sample code payload Buffer address 32 //variable buf at 0x6009a0
• Let’s overwrite with buffer address Exploitation of FILE 33 Buffer fp fp _flag read_ptr (0) read_end (0) …… vtable
• Let’s overwrite with buffer address Exploitation of FILE 34 AAAAAAAA AAAAAAAA AAAAAAAA AAAAAAAA …… …… AAAAAAAA …… Buffer 0x6009a0 fp _flag read_ptr (0) read_end (0) …… vtable Buffer overflow
Exploitation of FILE • Not call vtable directly… • RDX is our input
 but not call instruction 35
Exploitation of FILE • Let’s see what happened in fclose • We can get information of segfault in gdb and located it in source code Segfault 36
Exploitation of FILE • FILE structure • _lock • Prevent race condition in multithread • Very common in stdio related function • Usually need to construct it for Exploitation 37
• Let’s fix the lock Exploitation of FILE Find a global buffer as our lock Fix our payload offset of _lock 38 0x100 bytes
• We control PC ! Exploitation of FILE 39
Exploitation of FILE • Another interesting • stdin/stdout/stderr is also a FILE structure in glibc • We can overwrite the global variable in glibc to control the flow 40 GLIBC SYMBOL TABLE Global offset
Agenda • Introduction • File stream • Overview the FILE structure • Exploitation of FILE structure • FSOP • Vtable verification in FILE structure • Make FILE structure great again • Conclusion 41
FSOP • File-Stream Oriented Programing • Control the linked list of File stream • _chain • _IO_list_all • Powerful function • _IO_flush_all_lockp 42
FSOP • _IO_flush_all_lockp • fflush all file stream • When will call it • Glib abort routine • exit function • Main return 43 malloc_printerr _libc_message(error msg) abort _IO_flush_all_lockp JUMP_FIELD(_IO_overflow_t, __overflow) If the condition is satisfied Glibc abort routine
FSOP • _IO_flush_all_lockp • It will process all FILE
 in FILE linked list • We can construct the
 linked list to do oriented
 programing 44 fp = _IO_list_all condition Trigger virtual funcition Point to next
FSOP • File-Stream Oriented Programing _IO_list_all _flags _IO_read_ptr … … … _IO_FILE *chain … … vtable 45
FSOP • File-Stream Oriented Programing _IO_list_all _flags _IO_read_ptr … … … _IO_FILE *chain … … vtable _flags(“bar”) _IO_read_ptr … … … _IO_FILE *chain … … vtable _flags(“sh”) _IO_read_ptr … … … _IO_FILE *chain … … vtablefake_vtable fake_vtable2 system system system … … foo foo foo … … Trigger abort() 46
FSOP • File-Stream Oriented Programing _IO_list_all _flags _IO_read_ptr … … … _IO_FILE *chain … … vtable _flags(“bar”) _IO_read_ptr … … … _IO_FILE *chain … … vtable _flags(“sh”) _IO_read_ptr … … … _IO_FILE *chain … … vtablefake_vtable fake_vtable2 system system system … … foo foo foo … … call foo(_flags) 47
FSOP • File-Stream Oriented Programing _IO_list_all _flags _IO_read_ptr … … … _IO_FILE *chain … … vtable _flags(“bar”) _IO_read_ptr … … … _IO_FILE *chain … … vtable _flags(“sh”) _IO_read_ptr … … … _IO_FILE *chain … … vtablefake_vtable fake_vtable2 system system system … … foo foo foo … … call foo(“bar”) 48
FSOP • File-Stream Oriented Programing _IO_list_all _flags _IO_read_ptr … … … _IO_FILE *chain … … vtable _flags(“bar”) _IO_read_ptr … … … _IO_FILE *chain … … vtable _flags(“sh”) _IO_read_ptr … … … _IO_FILE *chain … … vtablefake_vtable fake_vtable2 system system system … … foo foo foo … … fp = fp->chain 49
FSOP • File-Stream Oriented Programing _IO_list_all _flags _IO_read_ptr … … … _IO_FILE *chain … … vtable _flags(“bar”) _IO_read_ptr … … … _IO_FILE *chain … … vtable _flags(“sh”) _IO_read_ptr … … … _IO_FILE *chain … … vtablefake_vtable fake_vtable2 system system system … … foo foo foo … … call system(_flags) 50
FSOP • File-Stream Oriented Programing _IO_list_all _flags _IO_read_ptr … … … _IO_FILE *chain … … vtable _flags(“bar”) _IO_read_ptr … … … _IO_FILE *chain … … vtable _flags(“sh”) _IO_read_ptr … … … _IO_FILE *chain … … vtablefake_vtable fake_vtable2 system system system … … foo foo foo … … call system(_flags) GET SHELL !! 51
Agenda • Introduction • File stream • Overview the FILE structure • Exploitation of FILE structure • FSOP • Vtable verification in FILE structure • Make FILE structure great again • Conclusion 52
Vtable verification • Unfortunately, there are a virtual function table in latest libc • Check the address of vtable before all virtual function call • If vtable is invalid, it would abort 53
Vtable verification • Vtable verification in File • The vtable must be in libc _IO_vtable section • If it’s not in _IO_vtable section, it will check if the vtable are permitted 54
• _IO_vtable_check • Check the foreign vtables Vtable verification 55 For overriding For share library
Vtable verification • Bypass ? • Overwrite IO_accept_foreign_vtables ? • It’s very difficult because of the pointer guard 56 Demangle with pointer guard
Vtable verification • Bypass ? • Overwrite _dl_open_hook ? • Sounds good, but if you can control the value, you can also control other good target 57
Vtable verification • Summary of the vtable verification • It very hard to bypass it. • Exploitation of FILE structure is died ? 58
Agenda • Introduction • File stream • Overview the FILE structure • Exploitation of FILE structure • FSOP • Vtable verification in FILE structure • Make FILE structure great again • Conclusion 59
Make FILE structure great again • How about change the target from vtable to other element ? • Stream Buffer & File Descriptor 60
Make FILE structure great again • If we can overwrite the FILE structure and use fread and fwrite with the FILE structure • We can • Arbitrary memory reading • Arbitrary memory writing 61
Make FILE structure great again • Arbitrary memory reading • fwrite • Set the _fileno to the file descriptor of stdout • Set _flag & ~_IO_NO_WRITES • Set _flag |= _IO_CURRENTLY_PUTTING • Set the write_base & write_ptr to memory address which you want to read • _IO_read_end equal to _IO_write_base 62
Make FILE structure great again • Arbitrary memory reading • Set _flag &~ _IO_NO_WRITES • Set _flag |= _IO_CURRENTLY_PUTTING 63 Our goal It will adjust the stream buffer A piece of code in fwrite
Make FILE structure great again • Arbitrary memory reading • Let _IO_read_end equal to _IO_write_base • If it’s not, it would adjust to the current offset. 64 It will adjust the stream buffer Our goal
Make FILE structure great again • Arbitrary memory reading • Sample code 65
Make FILE structure great again • Arbitrary memory writing • fread • Set the _fileno to file descriptor of stdin • Set _flag &~ _IO_NO_READS • Set read_base & read_ptr to NULL • Set the buf_base & buf_end to memory address which you want to wirte • buf_end - buf_base < size of fread 66
Make FILE structure great again • Arbitrary memory writing • Set read_base & read_ptr to NULL 67 It will copy data from buffer to destination Buffer size must be smaller than read size
Make FILE structure great again • Arbitrary memory writing • Set _flag &~ _IO_NO_READS 68 Our goal
Make FILE structure great again • Arbitrary memory writing • Sample code 69
Make FILE structure great again • If you have arbitrary memory address read and write, you can control the flow very easy • GOT hijack • __malloc_hook_/__free_hook_/__realloc_hook_ • … • By the way, you can not only use fread and fwrite but also use any stdio related function 70
Make FILE structure great again • If we don’t have any file operation in the program • We can use stdin/stdout/stderr • put/printf/scanf • … 71
Make FILE structure great again • Scenario • Use any stdin related function • scanf/fgets/gets … • Stdin is unbuffer • Very common in normal stdio program 72 … _IO_buf_base _IO_buf_end … _short_buf … stdin buffer stdin
Make FILE structure great again • Overwrite buf_end with a pointer behind the stdin • Unsorted bin attack • Very common in heap exploitation 73 … _IO_buf_base _IO_buf_end … _short_buf … stdin buffer stdin
Make FILE structure great again • Overwrite buf_end with a pointer behind the stdin • Unsorted bin attack • Very common in heap exploitation 74 … _IO_buf_base Unsorted bin … _short_buf … vtable … stdin stdin buffer … main_arena malloc_hook
Make FILE structure great again • Stdin related function • scanf(“%d”,&var) • It will call • read(0,buf_base,sizeof(stdin buffer)) 75 … _IO_buf_base Unsorted bin … _short_buf … vtable … stdin stdin buffer … main_arena malloc_hook
Make FILE structure great again • Stdin related function • scanf(“%d”,&var) • It will call • read(0,buf_base,sizeof(stdin buffer)) • It can overwrite many global variable in glibc • Input: aaaa……. 76 … _IO_buf_base Unsorted bin … aaaaaaaa … aaaaaaaa … stdin stdin buffer … main_arena aaaaaaaa
Make FILE structure great again • Stdin related function • scanf(“%d”,&var) • It will call • read(0,buf_base,sizeof(stdin buffer)) • It can overwrite many global variable in glibc • Input: aaaa……. 77 … _IO_buf_base aaaaaaaa … aaaaaaaa … aaaaaaaa … stdin stdin buffer … main_arena aaaaaaaa Control PC again !
Make FILE structure great again • How about Windows ? • No vtable in FILE • It also has stream buffer pointer • You can corrupt it to achieve arbitrary memory read and write 78
Agenda • Introduction • File stream • Overview the FILE structure • Exploitation of FILE structure • FSOP • Vtable verification in FILE structure • Make FILE structure great again • Conclusion 79
Conclusion • FILE structure is a good target for binary exploit • It can be used to • Arbitrary memory read and write • Control the PC and do oriented programing • Other exploit technology • Arbitrary free/unmmap • … 80
Conclusion • FILE structure is a good target for binary Exploit • It’s very powerful in some unexploitable case • Let’s try to find more and more exploit technology in FILE structure 81 Mail : angelboy@chroot.org Blog : blog.angelboy.tw Twitter : scwuaptx
Ad

Recommended

Pwning in c++ (basic)
Pwning in c++ (basic)
Angel Boy
 
Heap exploitation
Heap exploitation
Angel Boy
 
Execution
Execution
Angel Boy
 
MacOS memory allocator (libmalloc) Exploitation
MacOS memory allocator (libmalloc) Exploitation
Angel Boy
 
Windows 10 Nt Heap Exploitation (English version)
Windows 10 Nt Heap Exploitation (English version)
Angel Boy
 
ROP 輕鬆談
ROP 輕鬆談
hackstuff
 
Binary exploitation - AIS3
Binary exploitation - AIS3
Angel Boy
 
Linux binary Exploitation - Basic knowledge
Linux binary Exploitation - Basic knowledge
Angel Boy
 
Linux Binary Exploitation - Stack buffer overflow
Linux Binary Exploitation - Stack buffer overflow
Angel Boy
 
Linux Binary Exploitation - Heap Exploitation
Linux Binary Exploitation - Heap Exploitation
Angel Boy
 
Advanced heap exploitaion
Advanced heap exploitaion
Angel Boy
 
Linux Binary Exploitation - Return-oritend Programing
Linux Binary Exploitation - Return-oritend Programing
Angel Boy
 
Understanding a kernel oops and a kernel panic
Understanding a kernel oops and a kernel panic
Joseph Lu
 
Modern Kernel Pool Exploitation: Attacks and Techniques
Modern Kernel Pool Exploitation: Attacks and Techniques
Michael Scovetta
 
Master Canary Forging: 新しいスタックカナリア回避手法の提案 by 小池 悠生 - CODE BLUE 2015
Master Canary Forging: 新しいスタックカナリア回避手法の提案 by 小池 悠生 - CODE BLUE 2015
CODE BLUE
 
Glibc malloc internal
Glibc malloc internal
Motohiro KOSAKI
 
ELFの動的リンク
ELFの動的リンク
7shi
 
Process Address Space: The way to create virtual address (page table) of user...
Process Address Space: The way to create virtual address (page table) of user...
Adrian Huang
 
BPF - in-kernel virtual machine
BPF - in-kernel virtual machine
Alexei Starovoitov
 
Sigreturn Oriented Programming
Sigreturn Oriented Programming
Angel Boy
 
Windows 10 Nt Heap Exploitation (Chinese version)
Windows 10 Nt Heap Exploitation (Chinese version)
Angel Boy
 
The linux networking architecture
The linux networking architecture
hugo lu
 
QEMU - Binary Translation
QEMU - Binary Translation
Jiann-Fuh Liaw
 
Tcache Exploitation
Tcache Exploitation
Angel Boy
 
Virtual Machine Constructions for Dummies
Virtual Machine Constructions for Dummies
National Cheng Kung University
 
BPF: Tracing and more
BPF: Tracing and more
Brendan Gregg
 
Return to dlresolve
Return to dlresolve
Angel Boy
 
Introduction to Debuggers
Introduction to Debuggers
Saumil Shah
 
Klee and angr
Klee and angr
Wei-Bo Chen
 
滲透測試基本技巧與經驗分享
滲透測試基本技巧與經驗分享
WEI CHIEH CHAO
 

More Related Content

What's hot (20)

Linux Binary Exploitation - Stack buffer overflow
Linux Binary Exploitation - Stack buffer overflow
Angel Boy
 
Linux Binary Exploitation - Heap Exploitation
Linux Binary Exploitation - Heap Exploitation
Angel Boy
 
Advanced heap exploitaion
Advanced heap exploitaion
Angel Boy
 
Linux Binary Exploitation - Return-oritend Programing
Linux Binary Exploitation - Return-oritend Programing
Angel Boy
 
Understanding a kernel oops and a kernel panic
Understanding a kernel oops and a kernel panic
Joseph Lu
 
Modern Kernel Pool Exploitation: Attacks and Techniques
Modern Kernel Pool Exploitation: Attacks and Techniques
Michael Scovetta
 
Master Canary Forging: 新しいスタックカナリア回避手法の提案 by 小池 悠生 - CODE BLUE 2015
Master Canary Forging: 新しいスタックカナリア回避手法の提案 by 小池 悠生 - CODE BLUE 2015
CODE BLUE
 
Glibc malloc internal
Glibc malloc internal
Motohiro KOSAKI
 
ELFの動的リンク
ELFの動的リンク
7shi
 
Process Address Space: The way to create virtual address (page table) of user...
Process Address Space: The way to create virtual address (page table) of user...
Adrian Huang
 
BPF - in-kernel virtual machine
BPF - in-kernel virtual machine
Alexei Starovoitov
 
Sigreturn Oriented Programming
Sigreturn Oriented Programming
Angel Boy
 
Windows 10 Nt Heap Exploitation (Chinese version)
Windows 10 Nt Heap Exploitation (Chinese version)
Angel Boy
 
The linux networking architecture
The linux networking architecture
hugo lu
 
QEMU - Binary Translation
QEMU - Binary Translation
Jiann-Fuh Liaw
 
Tcache Exploitation
Tcache Exploitation
Angel Boy
 
Virtual Machine Constructions for Dummies
Virtual Machine Constructions for Dummies
National Cheng Kung University
 
BPF: Tracing and more
BPF: Tracing and more
Brendan Gregg
 
Return to dlresolve
Return to dlresolve
Angel Boy
 
Introduction to Debuggers
Introduction to Debuggers
Saumil Shah
 
Linux Binary Exploitation - Stack buffer overflow
Linux Binary Exploitation - Stack buffer overflow
Angel Boy
 
Linux Binary Exploitation - Heap Exploitation
Linux Binary Exploitation - Heap Exploitation
Angel Boy
 
Advanced heap exploitaion
Advanced heap exploitaion
Angel Boy
 
Linux Binary Exploitation - Return-oritend Programing
Linux Binary Exploitation - Return-oritend Programing
Angel Boy
 
Understanding a kernel oops and a kernel panic
Understanding a kernel oops and a kernel panic
Joseph Lu
 
Modern Kernel Pool Exploitation: Attacks and Techniques
Modern Kernel Pool Exploitation: Attacks and Techniques
Michael Scovetta
 
Master Canary Forging: 新しいスタックカナリア回避手法の提案 by 小池 悠生 - CODE BLUE 2015
Master Canary Forging: 新しいスタックカナリア回避手法の提案 by 小池 悠生 - CODE BLUE 2015
CODE BLUE
 
Glibc malloc internal
Glibc malloc internal
Motohiro KOSAKI
 
ELFの動的リンク
ELFの動的リンク
7shi
 
Process Address Space: The way to create virtual address (page table) of user...
Process Address Space: The way to create virtual address (page table) of user...
Adrian Huang
 
BPF - in-kernel virtual machine
BPF - in-kernel virtual machine
Alexei Starovoitov
 
Sigreturn Oriented Programming
Sigreturn Oriented Programming
Angel Boy
 
Windows 10 Nt Heap Exploitation (Chinese version)
Windows 10 Nt Heap Exploitation (Chinese version)
Angel Boy
 
The linux networking architecture
The linux networking architecture
hugo lu
 
QEMU - Binary Translation
QEMU - Binary Translation
Jiann-Fuh Liaw
 
Tcache Exploitation
Tcache Exploitation
Angel Boy
 
Virtual Machine Constructions for Dummies
Virtual Machine Constructions for Dummies
National Cheng Kung University
 
BPF: Tracing and more
BPF: Tracing and more
Brendan Gregg
 
Return to dlresolve
Return to dlresolve
Angel Boy
 
Introduction to Debuggers
Introduction to Debuggers
Saumil Shah
 

Viewers also liked (13)

Klee and angr
Klee and angr
Wei-Bo Chen
 
滲透測試基本技巧與經驗分享
滲透測試基本技巧與經驗分享
WEI CHIEH CHAO
 
2016.9.10 hackfoldr課
2016.9.10 hackfoldr課
佩琪 羅
 
Bug hunting through_reverse_engineering
Bug hunting through_reverse_engineering
arif
 
SECCON 2016 Online CTF [Memory Analysis] Write-Up (ver.korean)
SECCON 2016 Online CTF [Memory Analysis] Write-Up (ver.korean)
Se-Han Lee
 
Reverse engineering
Reverse engineering
Syed Zillay Ali
 
Introduction to Reverse Engineering
Introduction to Reverse Engineering
Dobromir Enchev
 
Reverse engineering
Reverse engineering
Yuffie Valen
 
Introduction to Reverse Engineering
Introduction to Reverse Engineering
Gopinath Chintala
 
Reverse Engineering
Reverse Engineering
dswanson
 
Reverse engineering & its application
Reverse engineering & its application
mapqrs
 
Reverse engineering
Reverse engineering
ananya0122
 
AI and Machine Learning Demystified by Carol Smith at Midwest UX 2017
AI and Machine Learning Demystified by Carol Smith at Midwest UX 2017
Carol Smith
 
Klee and angr
Klee and angr
Wei-Bo Chen
 
滲透測試基本技巧與經驗分享
滲透測試基本技巧與經驗分享
WEI CHIEH CHAO
 
2016.9.10 hackfoldr課
2016.9.10 hackfoldr課
佩琪 羅
 
Bug hunting through_reverse_engineering
Bug hunting through_reverse_engineering
arif
 
SECCON 2016 Online CTF [Memory Analysis] Write-Up (ver.korean)
SECCON 2016 Online CTF [Memory Analysis] Write-Up (ver.korean)
Se-Han Lee
 
Reverse engineering
Reverse engineering
Syed Zillay Ali
 
Introduction to Reverse Engineering
Introduction to Reverse Engineering
Dobromir Enchev
 
Reverse engineering
Reverse engineering
Yuffie Valen
 
Introduction to Reverse Engineering
Introduction to Reverse Engineering
Gopinath Chintala
 
Reverse Engineering
Reverse Engineering
dswanson
 
Reverse engineering & its application
Reverse engineering & its application
mapqrs
 
Reverse engineering
Reverse engineering
ananya0122
 
AI and Machine Learning Demystified by Carol Smith at Midwest UX 2017
AI and Machine Learning Demystified by Carol Smith at Midwest UX 2017
Carol Smith
 
Ad

Similar to Play with FILE Structure - Yet Another Binary Exploit Technique (20)

7.0 files and c input
7.0 files and c input
Abdullah Basheer
 
C 檔案輸入與輸出
C 檔案輸入與輸出
PingLun Liao
 
14. fiile io
14. fiile io
웅식 전
 
The Linux Kernel Implementation of Pipes and FIFOs
The Linux Kernel Implementation of Pipes and FIFOs
Divye Kapoor
 
Systems Programming - File IO
Systems Programming - File IO
HelpWithAssignment.com
 
Linux System Programming - Buffered I/O
Linux System Programming - Buffered I/O
YourHelper1
 
File Management
File Management
jani parth
 
COM1407: File Processing
COM1407: File Processing
Hemantha Kulathilake
 
Linux 系統程式--第一章 i/o 函式
Linux 系統程式--第一章 i/o 函式
艾鍗科技
 
File management
File management
Mohammed Sikander
 
File handling in c
File handling in c
aakanksha s
 
File_Handling in C.ppt
File_Handling in C.ppt
lakshmanarao027MVGRC
 
File_Handling in C.ppt
File_Handling in C.ppt
lakshmanarao027MVGRC
 
MODULE 8-File and preprocessor.pptx for c program learners easy learning
MODULE 8-File and preprocessor.pptx for c program learners easy learning
a50905877
 
File handling in C
File handling in C
Kamal Acharya
 
File Handling in C Programming for Beginners
File Handling in C Programming for Beginners
VSKAMCSPSGCT
 
File Organization
File Organization
RAMPRAKASH REDDY ARAVA
 
File_Management_in_C
File_Management_in_C
NabeelaNousheen
 
File handling in c
File handling in c
Vikash Dhal
 
File handling(some slides only)
File handling(some slides only)
Kamlesh Nishad
 
7.0 files and c input
7.0 files and c input
Abdullah Basheer
 
C 檔案輸入與輸出
C 檔案輸入與輸出
PingLun Liao
 
14. fiile io
14. fiile io
웅식 전
 
The Linux Kernel Implementation of Pipes and FIFOs
The Linux Kernel Implementation of Pipes and FIFOs
Divye Kapoor
 
Systems Programming - File IO
Systems Programming - File IO
HelpWithAssignment.com
 
Linux System Programming - Buffered I/O
Linux System Programming - Buffered I/O
YourHelper1
 
File Management
File Management
jani parth
 
COM1407: File Processing
COM1407: File Processing
Hemantha Kulathilake
 
Linux 系統程式--第一章 i/o 函式
Linux 系統程式--第一章 i/o 函式
艾鍗科技
 
File management
File management
Mohammed Sikander
 
File handling in c
File handling in c
aakanksha s
 
File_Handling in C.ppt
File_Handling in C.ppt
lakshmanarao027MVGRC
 
File_Handling in C.ppt
File_Handling in C.ppt
lakshmanarao027MVGRC
 
MODULE 8-File and preprocessor.pptx for c program learners easy learning
MODULE 8-File and preprocessor.pptx for c program learners easy learning
a50905877
 
File handling in C
File handling in C
Kamal Acharya
 
File Handling in C Programming for Beginners
File Handling in C Programming for Beginners
VSKAMCSPSGCT
 
File Organization
File Organization
RAMPRAKASH REDDY ARAVA
 
File_Management_in_C
File_Management_in_C
NabeelaNousheen
 
File handling in c
File handling in c
Vikash Dhal
 
File handling(some slides only)
File handling(some slides only)
Kamlesh Nishad
 
Ad

Recently uploaded (20)

AI Agents and FME: A How-to Guide on Generating Synthetic Metadata
AI Agents and FME: A How-to Guide on Generating Synthetic Metadata
Safe Software
 
2025_06_18 - OpenMetadata Community Meeting.pdf
2025_06_18 - OpenMetadata Community Meeting.pdf
OpenMetadata
 
OpenACC and Open Hackathons Monthly Highlights June 2025
OpenACC and Open Hackathons Monthly Highlights June 2025
OpenACC
 
WebdriverIO & JavaScript: The Perfect Duo for Web Automation
WebdriverIO & JavaScript: The Perfect Duo for Web Automation
digitaljignect
 
CapCut Pro Crack For PC Latest Version {Fully Unlocked} 2025
CapCut Pro Crack For PC Latest Version {Fully Unlocked} 2025
pcprocore
 
AI vs Human Writing: Can You Tell the Difference?
AI vs Human Writing: Can You Tell the Difference?
Shashi Sathyanarayana, Ph.D
 
"Scaling in space and time with Temporal", Andriy Lupa.pdf
"Scaling in space and time with Temporal", Andriy Lupa.pdf
Fwdays
 
GenAI Opportunities and Challenges - Where 370 Enterprises Are Focusing Now.pdf
GenAI Opportunities and Challenges - Where 370 Enterprises Are Focusing Now.pdf
Priyanka Aash
 
cnc-processing-centers-centateq-p-110-en.pdf
cnc-processing-centers-centateq-p-110-en.pdf
AmirStern2
 
Lessons Learned from Developing Secure AI Workflows.pdf
Lessons Learned from Developing Secure AI Workflows.pdf
Priyanka Aash
 
Wenn alles versagt - IBM Tape schützt, was zählt! Und besonders mit dem neust...
Wenn alles versagt - IBM Tape schützt, was zählt! Und besonders mit dem neust...
Josef Weingand
 
" How to survive with 1 billion vectors and not sell a kidney: our low-cost c...
" How to survive with 1 billion vectors and not sell a kidney: our low-cost c...
Fwdays
 
Mastering AI Workflows with FME by Mark Döring
Mastering AI Workflows with FME by Mark Döring
Safe Software
 
Salesforce Summer '25 Release Frenchgathering.pptx.pdf
Salesforce Summer '25 Release Frenchgathering.pptx.pdf
yosra Saidani
 
Daily Lesson Log MATATAG ICT TEchnology 8
Daily Lesson Log MATATAG ICT TEchnology 8
LOIDAALMAZAN3
 
Using the SQLExecutor for Data Quality Management: aka One man's love for the...
Using the SQLExecutor for Data Quality Management: aka One man's love for the...
Safe Software
 
Quantum AI Discoveries: Fractal Patterns Consciousness and Cyclical Universes
Quantum AI Discoveries: Fractal Patterns Consciousness and Cyclical Universes
Saikat Basu
 
Oh, the Possibilities - Balancing Innovation and Risk with Generative AI.pdf
Oh, the Possibilities - Balancing Innovation and Risk with Generative AI.pdf
Priyanka Aash
 
Coordinated Disclosure for ML - What's Different and What's the Same.pdf
Coordinated Disclosure for ML - What's Different and What's the Same.pdf
Priyanka Aash
 
Cracking the Code - Unveiling Synergies Between Open Source Security and AI.pdf
Cracking the Code - Unveiling Synergies Between Open Source Security and AI.pdf
Priyanka Aash
 
AI Agents and FME: A How-to Guide on Generating Synthetic Metadata
AI Agents and FME: A How-to Guide on Generating Synthetic Metadata
Safe Software
 
2025_06_18 - OpenMetadata Community Meeting.pdf
2025_06_18 - OpenMetadata Community Meeting.pdf
OpenMetadata
 
OpenACC and Open Hackathons Monthly Highlights June 2025
OpenACC and Open Hackathons Monthly Highlights June 2025
OpenACC
 
WebdriverIO & JavaScript: The Perfect Duo for Web Automation
WebdriverIO & JavaScript: The Perfect Duo for Web Automation
digitaljignect
 
CapCut Pro Crack For PC Latest Version {Fully Unlocked} 2025
CapCut Pro Crack For PC Latest Version {Fully Unlocked} 2025
pcprocore
 
AI vs Human Writing: Can You Tell the Difference?
AI vs Human Writing: Can You Tell the Difference?
Shashi Sathyanarayana, Ph.D
 
"Scaling in space and time with Temporal", Andriy Lupa.pdf
"Scaling in space and time with Temporal", Andriy Lupa.pdf
Fwdays
 
GenAI Opportunities and Challenges - Where 370 Enterprises Are Focusing Now.pdf
GenAI Opportunities and Challenges - Where 370 Enterprises Are Focusing Now.pdf
Priyanka Aash
 
cnc-processing-centers-centateq-p-110-en.pdf
cnc-processing-centers-centateq-p-110-en.pdf
AmirStern2
 
Lessons Learned from Developing Secure AI Workflows.pdf
Lessons Learned from Developing Secure AI Workflows.pdf
Priyanka Aash
 
Wenn alles versagt - IBM Tape schützt, was zählt! Und besonders mit dem neust...
Wenn alles versagt - IBM Tape schützt, was zählt! Und besonders mit dem neust...
Josef Weingand
 
" How to survive with 1 billion vectors and not sell a kidney: our low-cost c...
" How to survive with 1 billion vectors and not sell a kidney: our low-cost c...
Fwdays
 
Mastering AI Workflows with FME by Mark Döring
Mastering AI Workflows with FME by Mark Döring
Safe Software
 
Salesforce Summer '25 Release Frenchgathering.pptx.pdf
Salesforce Summer '25 Release Frenchgathering.pptx.pdf
yosra Saidani
 
Daily Lesson Log MATATAG ICT TEchnology 8
Daily Lesson Log MATATAG ICT TEchnology 8
LOIDAALMAZAN3
 
Using the SQLExecutor for Data Quality Management: aka One man's love for the...
Using the SQLExecutor for Data Quality Management: aka One man's love for the...
Safe Software
 
Quantum AI Discoveries: Fractal Patterns Consciousness and Cyclical Universes
Quantum AI Discoveries: Fractal Patterns Consciousness and Cyclical Universes
Saikat Basu
 
Oh, the Possibilities - Balancing Innovation and Risk with Generative AI.pdf
Oh, the Possibilities - Balancing Innovation and Risk with Generative AI.pdf
Priyanka Aash
 
Coordinated Disclosure for ML - What's Different and What's the Same.pdf
Coordinated Disclosure for ML - What's Different and What's the Same.pdf
Priyanka Aash
 
Cracking the Code - Unveiling Synergies Between Open Source Security and AI.pdf
Cracking the Code - Unveiling Synergies Between Open Source Security and AI.pdf
Priyanka Aash
 

Play with FILE Structure - Yet Another Binary Exploit Technique

  • 1. Play with FILE Structure Yet Another Binary Exploit Technique [email protected] 1
  • 2. About me • Angelboy • CTF player • WCTF / Boston Key Party 1st • DEFCON / HITB 2nd • Chroot / HITCON / 217 • Blog • blog.angelboy.tw 2
  • 3. Agenda • Introduction • File stream • Overview the FILE structure • Exploitation of FILE structure • FSOP • Vtable verification in FILE structure • Make FILE structure great again • Conclusion 3
  • 4. Agenda • Introduction • File stream • Overview the FILE structure • Exploitation of FILE structure • FSOP • Vtable verification in FILE structure • Make FILE structure great again • Conclusion 4
  • 5. Introduction • What happen when we use a raw io function read/write Kernel Buffer User space Kernel space Disk 5
  • 6. Introduction • What happen when we use a raw io function read/write Kernel Buffer User space Kernel space Disk Reduce the number of HD I/O 6
  • 7. Introduction • What is File stream • A higher-level interface on the primitive file descriptor facilities • Stream buffering • Portable and High performance • What is FILE structure • A File stream descriptor • Created by fopen 7
  • 8. Introduction • What happen when we use stdio function read/write Kernel Buffer User space Kernel space Disk stdio Buffer fread/fwrite 8
  • 9. Introduction • What happen when we use stdio function read/write Kernel Buffer User space Kernel space Disk stdio Buffer fread/fwrite Reduce the number of syscall 9
  • 10. Agenda • Introduction • File stream • Overview the FILE structure • Exploitation of FILE structure • FSOP • Vtable verification in FILE structure • Make FILE structure great again • Conclusion 10
  • 11. Introduction • FILE structure • A complex structure • Flags • Stream buffer • File descriptor • FILE_plus • Virtual function table 11
  • 12. Introduction • FILE structure • Flags • Record the attribute of the File stream • Read only • Append • … 12
  • 13. Introduction • FILE structure • Stream buffer • Read buffer • Write buffer • Reserve buffer 13
  • 14. Introduction • FILE structure • _fileno • File descriptor • Return by sys_open 14
  • 15. Introduction • FILE structure • FILE plus • stdin/stdout/stderr • fopen also use it • Extra Virtual function table • Any operation on file is via vtable 15
  • 16. Introduction • FILE structure • FILE plus • stdin/stdout/stderr • fopen also use it • Extra Virtual function table • Any operation on file is via vtable 16
  • 17. Introduction • FILE structure • Every FILE associate with a _chain (linked list) 17 _IO_list_all _flag …… chain _flag …… chain _flag …… 0 stderr stdout stdin
  • 18. Introduction • fopen workflow • Allocate FILE structure • Initial the FILE structure • Link the FILE structure • open file 18 fopen malloc _IO_link_in sys_open _IO_new_file_init_internal _IO_new_file_open
  • 19. Introduction • fopen workflow • Allocate FILE structure _IO_list_all _flag …… chain …… vtable _flag …… chain …… vtable _flag …… 0 …… vtable stderr stdout stdin 19 malloc
  • 20. Introduction • fopen workflow • Initialize the FILE structure • Link the FILE structure _IO_list_all _flag …… chain …… vtable _flag …… chain …… vtable _flag …… 0 …… vtable stderr stdout stdin 0 …… 0 …… 0 fp 20 _IO_new_file_init_internal _IO_link_in
  • 21. Introduction • fopen workflow • Initial the FILE structure • Link the FILE structure _IO_list_all _flag …… chain …… vtable _flag …… chain …… vtable _flag …… 0 …… vtable stderr stdout stdin _flag …… chain …… vtable fp 21 _IO_link_in _IO_new_file_init_internal
  • 22. Introduction • fopen workflow • open file _IO_list_all _flag …… chain …… vtable _flag …… chain …… vtable _flag …… 0 …… vtable stderr stdout stdin _flag …… chain …… vtable fp 22 sys_open
  • 23. Introduction • fread workflow • If stream buffer is NULL • Allocate buffer • Read data to the stream buffer • Copy data from stream buffer to destination 23 fread vtable->_IO_file_xsgetn vtable->doallocate vtable->_IO_file_underflow sys_read
  • 24. Introduction • fread workflow • If stream buffer is NULL • Allocate buffer _flag read_ptr (0) read_end (0) …… buf_base (0) buf_end (0) …… vtable fp _IO_file_finish _IO_file_overflow … _IO_file_doallocate … … … _IO_default_imbue vtable 24 fread vtable->_IO_file_xsgetn vtable->doallocate
  • 25. Introduction • fread workflow • Read data to the stream buffer _flag read_ptr (0) read_end (0) …… 0x603010 0x604010 …… vtable fp stdio buffer 25 vtable->_IO_file_underflow sys_read
  • 26. Introduction • fread workflow • Copy data from stream buffer 
 to destination _flag 0x603010 0x604010 …… 0x603010 0x604010 …… vtable fp AAAA AAAA BBBB BBBB CCCC CCCC … … … ZZZZ stdio buffer Destination 26 vtable->_IO_file_xsgetn
  • 27. AAAA AAAA BBBB BBBB CCCC CCCC … … … ZZZZ Introduction • fread workflow • Copy data from stream buffer 
 to destination _flag 0x603040 0x604010 …… 0x603010 0x604010 …… vtable fp stdio buffer AAAAAAAA Copy to destination 27 vtable->_IO_file_xsgetn
  • 28. Introduction • fwrite workflow • If stream buffer is NULL • Allocate buffer • Copy user data to the stream buffer • If the stream buffer is filled or flush the stream • write data from stream buffer to the file 28 fwrite vtable->_IO_file_xsputn vtable->_IO_file_overflow vtable->doallocate sys_write
  • 29. Introduction • fclose workflow • Unlink the FILE structure • Flush & Release the stream buffer • Close the file • Release the FILE structure 29 fclose _IO_unlink_it _IO_new_file_close_it _IO_do_flush sys_close vtable—>_IO_file_finish free
  • 30. Agenda • Introduction • File stream • Overview the FILE structure • Exploitation of FILE structure • FSOP • Vtable verification in FILE structure • Make FILE structure great again • Conclusion 30
  • 31. Exploitation of FILE • There are a good target in FILE structure • Virtual Function Table 31
  • 32. • Let’s overwrite with buffer address Exploitation of FILE Buffer overflow Sample code payload Buffer address 32 //variable buf at 0x6009a0
  • 33. • Let’s overwrite with buffer address Exploitation of FILE 33 Buffer fp fp _flag read_ptr (0) read_end (0) …… vtable
  • 34. • Let’s overwrite with buffer address Exploitation of FILE 34 AAAAAAAA AAAAAAAA AAAAAAAA AAAAAAAA …… …… AAAAAAAA …… Buffer 0x6009a0 fp _flag read_ptr (0) read_end (0) …… vtable Buffer overflow
  • 35. Exploitation of FILE • Not call vtable directly… • RDX is our input
 but not call instruction 35
  • 36. Exploitation of FILE • Let’s see what happened in fclose • We can get information of segfault in gdb and located it in source code Segfault 36
  • 37. Exploitation of FILE • FILE structure • _lock • Prevent race condition in multithread • Very common in stdio related function • Usually need to construct it for Exploitation 37
  • 38. • Let’s fix the lock Exploitation of FILE Find a global buffer as our lock Fix our payload offset of _lock 38 0x100 bytes
  • 39. • We control PC ! Exploitation of FILE 39
  • 40. Exploitation of FILE • Another interesting • stdin/stdout/stderr is also a FILE structure in glibc • We can overwrite the global variable in glibc to control the flow 40 GLIBC SYMBOL TABLE Global offset
  • 41. Agenda • Introduction • File stream • Overview the FILE structure • Exploitation of FILE structure • FSOP • Vtable verification in FILE structure • Make FILE structure great again • Conclusion 41
  • 42. FSOP • File-Stream Oriented Programing • Control the linked list of File stream • _chain • _IO_list_all • Powerful function • _IO_flush_all_lockp 42
  • 43. FSOP • _IO_flush_all_lockp • fflush all file stream • When will call it • Glib abort routine • exit function • Main return 43 malloc_printerr _libc_message(error msg) abort _IO_flush_all_lockp JUMP_FIELD(_IO_overflow_t, __overflow) If the condition is satisfied Glibc abort routine
  • 44. FSOP • _IO_flush_all_lockp • It will process all FILE
 in FILE linked list • We can construct the
 linked list to do oriented
 programing 44 fp = _IO_list_all condition Trigger virtual funcition Point to next
  • 45. FSOP • File-Stream Oriented Programing _IO_list_all _flags _IO_read_ptr … … … _IO_FILE *chain … … vtable 45
  • 46. FSOP • File-Stream Oriented Programing _IO_list_all _flags _IO_read_ptr … … … _IO_FILE *chain … … vtable _flags(“bar”) _IO_read_ptr … … … _IO_FILE *chain … … vtable _flags(“sh”) _IO_read_ptr … … … _IO_FILE *chain … … vtablefake_vtable fake_vtable2 system system system … … foo foo foo … … Trigger abort() 46
  • 47. FSOP • File-Stream Oriented Programing _IO_list_all _flags _IO_read_ptr … … … _IO_FILE *chain … … vtable _flags(“bar”) _IO_read_ptr … … … _IO_FILE *chain … … vtable _flags(“sh”) _IO_read_ptr … … … _IO_FILE *chain … … vtablefake_vtable fake_vtable2 system system system … … foo foo foo … … call foo(_flags) 47
  • 48. FSOP • File-Stream Oriented Programing _IO_list_all _flags _IO_read_ptr … … … _IO_FILE *chain … … vtable _flags(“bar”) _IO_read_ptr … … … _IO_FILE *chain … … vtable _flags(“sh”) _IO_read_ptr … … … _IO_FILE *chain … … vtablefake_vtable fake_vtable2 system system system … … foo foo foo … … call foo(“bar”) 48
  • 49. FSOP • File-Stream Oriented Programing _IO_list_all _flags _IO_read_ptr … … … _IO_FILE *chain … … vtable _flags(“bar”) _IO_read_ptr … … … _IO_FILE *chain … … vtable _flags(“sh”) _IO_read_ptr … … … _IO_FILE *chain … … vtablefake_vtable fake_vtable2 system system system … … foo foo foo … … fp = fp->chain 49
  • 50. FSOP • File-Stream Oriented Programing _IO_list_all _flags _IO_read_ptr … … … _IO_FILE *chain … … vtable _flags(“bar”) _IO_read_ptr … … … _IO_FILE *chain … … vtable _flags(“sh”) _IO_read_ptr … … … _IO_FILE *chain … … vtablefake_vtable fake_vtable2 system system system … … foo foo foo … … call system(_flags) 50
  • 51. FSOP • File-Stream Oriented Programing _IO_list_all _flags _IO_read_ptr … … … _IO_FILE *chain … … vtable _flags(“bar”) _IO_read_ptr … … … _IO_FILE *chain … … vtable _flags(“sh”) _IO_read_ptr … … … _IO_FILE *chain … … vtablefake_vtable fake_vtable2 system system system … … foo foo foo … … call system(_flags) GET SHELL !! 51
  • 52. Agenda • Introduction • File stream • Overview the FILE structure • Exploitation of FILE structure • FSOP • Vtable verification in FILE structure • Make FILE structure great again • Conclusion 52
  • 53. Vtable verification • Unfortunately, there are a virtual function table in latest libc • Check the address of vtable before all virtual function call • If vtable is invalid, it would abort 53
  • 54. Vtable verification • Vtable verification in File • The vtable must be in libc _IO_vtable section • If it’s not in _IO_vtable section, it will check if the vtable are permitted 54
  • 55. • _IO_vtable_check • Check the foreign vtables Vtable verification 55 For overriding For share library
  • 56. Vtable verification • Bypass ? • Overwrite IO_accept_foreign_vtables ? • It’s very difficult because of the pointer guard 56 Demangle with pointer guard
  • 57. Vtable verification • Bypass ? • Overwrite _dl_open_hook ? • Sounds good, but if you can control the value, you can also control other good target 57
  • 58. Vtable verification • Summary of the vtable verification • It very hard to bypass it. • Exploitation of FILE structure is died ? 58
  • 59. Agenda • Introduction • File stream • Overview the FILE structure • Exploitation of FILE structure • FSOP • Vtable verification in FILE structure • Make FILE structure great again • Conclusion 59
  • 60. Make FILE structure great again • How about change the target from vtable to other element ? • Stream Buffer & File Descriptor 60
  • 61. Make FILE structure great again • If we can overwrite the FILE structure and use fread and fwrite with the FILE structure • We can • Arbitrary memory reading • Arbitrary memory writing 61
  • 62. Make FILE structure great again • Arbitrary memory reading • fwrite • Set the _fileno to the file descriptor of stdout • Set _flag & ~_IO_NO_WRITES • Set _flag |= _IO_CURRENTLY_PUTTING • Set the write_base & write_ptr to memory address which you want to read • _IO_read_end equal to _IO_write_base 62
  • 63. Make FILE structure great again • Arbitrary memory reading • Set _flag &~ _IO_NO_WRITES • Set _flag |= _IO_CURRENTLY_PUTTING 63 Our goal It will adjust the stream buffer A piece of code in fwrite
  • 64. Make FILE structure great again • Arbitrary memory reading • Let _IO_read_end equal to _IO_write_base • If it’s not, it would adjust to the current offset. 64 It will adjust the stream buffer Our goal
  • 65. Make FILE structure great again • Arbitrary memory reading • Sample code 65
  • 66. Make FILE structure great again • Arbitrary memory writing • fread • Set the _fileno to file descriptor of stdin • Set _flag &~ _IO_NO_READS • Set read_base & read_ptr to NULL • Set the buf_base & buf_end to memory address which you want to wirte • buf_end - buf_base < size of fread 66
  • 67. Make FILE structure great again • Arbitrary memory writing • Set read_base & read_ptr to NULL 67 It will copy data from buffer to destination Buffer size must be smaller than read size
  • 68. Make FILE structure great again • Arbitrary memory writing • Set _flag &~ _IO_NO_READS 68 Our goal
  • 69. Make FILE structure great again • Arbitrary memory writing • Sample code 69
  • 70. Make FILE structure great again • If you have arbitrary memory address read and write, you can control the flow very easy • GOT hijack • __malloc_hook_/__free_hook_/__realloc_hook_ • … • By the way, you can not only use fread and fwrite but also use any stdio related function 70
  • 71. Make FILE structure great again • If we don’t have any file operation in the program • We can use stdin/stdout/stderr • put/printf/scanf • … 71
  • 72. Make FILE structure great again • Scenario • Use any stdin related function • scanf/fgets/gets … • Stdin is unbuffer • Very common in normal stdio program 72 … _IO_buf_base _IO_buf_end … _short_buf … stdin buffer stdin
  • 73. Make FILE structure great again • Overwrite buf_end with a pointer behind the stdin • Unsorted bin attack • Very common in heap exploitation 73 … _IO_buf_base _IO_buf_end … _short_buf … stdin buffer stdin
  • 74. Make FILE structure great again • Overwrite buf_end with a pointer behind the stdin • Unsorted bin attack • Very common in heap exploitation 74 … _IO_buf_base Unsorted bin … _short_buf … vtable … stdin stdin buffer … main_arena malloc_hook
  • 75. Make FILE structure great again • Stdin related function • scanf(“%d”,&var) • It will call • read(0,buf_base,sizeof(stdin buffer)) 75 … _IO_buf_base Unsorted bin … _short_buf … vtable … stdin stdin buffer … main_arena malloc_hook
  • 76. Make FILE structure great again • Stdin related function • scanf(“%d”,&var) • It will call • read(0,buf_base,sizeof(stdin buffer)) • It can overwrite many global variable in glibc • Input: aaaa……. 76 … _IO_buf_base Unsorted bin … aaaaaaaa … aaaaaaaa … stdin stdin buffer … main_arena aaaaaaaa
  • 77. Make FILE structure great again • Stdin related function • scanf(“%d”,&var) • It will call • read(0,buf_base,sizeof(stdin buffer)) • It can overwrite many global variable in glibc • Input: aaaa……. 77 … _IO_buf_base aaaaaaaa … aaaaaaaa … aaaaaaaa … stdin stdin buffer … main_arena aaaaaaaa Control PC again !
  • 78. Make FILE structure great again • How about Windows ? • No vtable in FILE • It also has stream buffer pointer • You can corrupt it to achieve arbitrary memory read and write 78
  • 79. Agenda • Introduction • File stream • Overview the FILE structure • Exploitation of FILE structure • FSOP • Vtable verification in FILE structure • Make FILE structure great again • Conclusion 79
  • 80. Conclusion • FILE structure is a good target for binary exploit • It can be used to • Arbitrary memory read and write • Control the PC and do oriented programing • Other exploit technology • Arbitrary free/unmmap • … 80
  • 81. Conclusion • FILE structure is a good target for binary Exploit • It’s very powerful in some unexploitable case • Let’s try to find more and more exploit technology in FILE structure 81 Mail : [email protected] Blog : blog.angelboy.tw Twitter : scwuaptx