Se ha denunciado esta presentación.
Utilizamos tu perfil de LinkedIn y tus datos de actividad para personalizar los anuncios y mostrarte publicidad más relevante. Puedes cambiar tus preferencias de publicidad en cualquier momento.
Play with FILE Structure
Yet Another Binary Exploit Technique
angelboy@chroot.org
1
About me
• Angelboy

• CTF player 

• WCTF / Boston Key Party 1st

• DEFCON / HITB 2nd

• Chroot / HITCON / 217

• Blog

•...
Agenda
• Introduction

• File stream

• Overview the FILE structure

• Exploitation of FILE structure

• FSOP

• Vtable ve...
Agenda
• Introduction

• File stream

• Overview the FILE structure

• Exploitation of FILE structure

• FSOP

• Vtable ve...
Introduction
• What happen when we use a raw io function
read/write
Kernel Buffer
User space
Kernel space
Disk
5
Introduction
• What happen when we use a raw io function
read/write
Kernel Buffer
User space
Kernel space
Disk
Reduce the ...
Introduction
• What is File stream

• A higher-level interface on the primitive file descriptor facilities

• Stream bufferi...
Introduction
• What happen when we use stdio function
read/write
Kernel Buffer
User space
Kernel space
Disk
stdio Buffer
f...
Introduction
• What happen when we use stdio function
read/write
Kernel Buffer
User space
Kernel space
Disk
stdio Buffer
f...
Agenda
• Introduction

• File stream

• Overview the FILE structure

• Exploitation of FILE structure

• FSOP

• Vtable ve...
Introduction
• FILE structure

• A complex structure

• Flags

• Stream buffer

• File descriptor

• FILE_plus

• Virtual f...
Introduction
• FILE structure

• Flags

• Record the attribute of the File stream

• Read only

• Append

• …
12
Introduction
• FILE structure

• Stream buffer

• Read buffer

• Write buffer

• Reserve buffer
13
Introduction
• FILE structure

• _fileno

• File descriptor

• Return by sys_open
14
Introduction
• FILE structure

• FILE plus

• stdin/stdout/stderr

• fopen also use it

• Extra Virtual function table

• ...
Introduction
• FILE structure

• FILE plus 

• stdin/stdout/stderr

• fopen also use it

• Extra Virtual function table

•...
Introduction
• FILE structure

• Every FILE associate with a _chain (linked list)
17
_IO_list_all
_flag
……
chain
_flag
……
ch...
Introduction
• fopen workflow

• Allocate FILE structure

• Initial the FILE structure

• Link the FILE structure

• open fi...
Introduction
• fopen workflow

• Allocate FILE structure
_IO_list_all
_flag
……
chain
……
vtable
_flag
……
chain
……
vtable
_flag
...
Introduction
• fopen workflow

• Initialize the FILE structure

• Link the FILE structure
_IO_list_all
_flag
……
chain
……
vta...
Introduction
• fopen workflow

• Initial the FILE structure

• Link the FILE structure
_IO_list_all
_flag
……
chain
……
vtable...
Introduction
• fopen workflow

• open file
_IO_list_all
_flag
……
chain
……
vtable
_flag
……
chain
……
vtable
_flag
……
0
……
vtable
...
Introduction
• fread workflow

• If stream buffer is NULL

• Allocate buffer

• Read data to the stream buffer

• Copy data fr...
Introduction
• fread workflow

• If stream buffer is NULL

• Allocate buffer
_flag
read_ptr (0)
read_end (0)
……
buf_base (0)
b...
Introduction
• fread workflow

• Read data to the stream buffer
_flag
read_ptr (0)
read_end (0)
……
0x603010
0x604010
……
vtabl...
Introduction
• fread workflow

• Copy data from stream buffer 

to destination
_flag
0x603010
0x604010
……
0x603010
0x604010
…...
AAAA
AAAA
BBBB
BBBB
CCCC
CCCC
…
…
…
ZZZZ
Introduction
• fread workflow

• Copy data from stream buffer 

to destination
_flag...
Introduction
• fwrite workflow

• If stream buffer is NULL

• Allocate buffer

• Copy user data to the stream buffer

• If the...
Introduction
• fclose workflow

• Unlink the FILE structure

• Flush & Release the stream buffer

• Close the file

• Release...
Agenda
• Introduction

• File stream

• Overview the FILE structure

• Exploitation of FILE structure

• FSOP

• Vtable ve...
Exploitation of FILE
• There are a good target in FILE structure

• Virtual Function Table
31
• Let’s overwrite with buffer address
Exploitation of FILE
Buffer overflow
Sample code
payload
Buffer address
32
//variable bu...
• Let’s overwrite with buffer address
Exploitation of FILE
33
Buffer
fp
fp
_flag
read_ptr (0)
read_end (0)
……
vtable
• Let’s overwrite with buffer address
Exploitation of FILE
34
AAAAAAAA
AAAAAAAA
AAAAAAAA
AAAAAAAA
……
……
AAAAAAAA
……
Buffer
0...
Exploitation of FILE
• Not call vtable directly…

• RDX is our input

but not call instruction
35
Exploitation of FILE
• Let’s see what happened in fclose

• We can get information of segfault in gdb and located it in so...
Exploitation of FILE
• FILE structure

• _lock

• Prevent race condition in multithread

• Very common in stdio related fu...
• Let’s fix the lock
Exploitation of FILE
Find a global buffer as our lock
Fix our payload
offset of _lock
38
0x100 bytes
• We control PC !
Exploitation of FILE
39
Exploitation of FILE
• Another interesting

• stdin/stdout/stderr is also a FILE structure in glibc

• We can overwrite th...
Agenda
• Introduction

• File stream

• Overview the FILE structure

• Exploitation of FILE structure

• FSOP

• Vtable ve...
FSOP
• File-Stream Oriented Programing

• Control the linked list of File stream

• _chain

• _IO_list_all

• Powerful fun...
FSOP
• _IO_flush_all_lockp

• fflush all file stream

• When will call it

• Glib abort routine

• exit function

• Main retur...
FSOP
• _IO_flush_all_lockp

• It will process all FILE

in FILE linked list

• We can construct the

linked list to do orie...
FSOP
• File-Stream Oriented Programing
_IO_list_all
_flags
_IO_read_ptr
…
…
…
_IO_FILE *chain
…
…
vtable
45
FSOP
• File-Stream Oriented Programing
_IO_list_all
_flags
_IO_read_ptr
…
…
…
_IO_FILE *chain
…
…
vtable
_flags(“bar”)
_IO_r...
FSOP
• File-Stream Oriented Programing
_IO_list_all
_flags
_IO_read_ptr
…
…
…
_IO_FILE *chain
…
…
vtable
_flags(“bar”)
_IO_r...
FSOP
• File-Stream Oriented Programing
_IO_list_all
_flags
_IO_read_ptr
…
…
…
_IO_FILE *chain
…
…
vtable
_flags(“bar”)
_IO_r...
FSOP
• File-Stream Oriented Programing
_IO_list_all
_flags
_IO_read_ptr
…
…
…
_IO_FILE *chain
…
…
vtable
_flags(“bar”)
_IO_r...
FSOP
• File-Stream Oriented Programing
_IO_list_all
_flags
_IO_read_ptr
…
…
…
_IO_FILE *chain
…
…
vtable
_flags(“bar”)
_IO_r...
FSOP
• File-Stream Oriented Programing
_IO_list_all
_flags
_IO_read_ptr
…
…
…
_IO_FILE *chain
…
…
vtable
_flags(“bar”)
_IO_r...
Agenda
• Introduction

• File stream

• Overview the FILE structure

• Exploitation of FILE structure

• FSOP

• Vtable ve...
Vtable verification
• Unfortunately, there are a virtual function table in latest libc

• Check the address of vtable befor...
Vtable verification
• Vtable verification in File

• The vtable must be in libc _IO_vtable section

• If it’s not in _IO_vta...
• _IO_vtable_check

• Check the foreign vtables
Vtable verification
55
For overriding
For share library
Vtable verification
• Bypass ?

• Overwrite IO_accept_foreign_vtables ?

• It’s very difficult because of the pointer guard
5...
Vtable verification
• Bypass ?

• Overwrite _dl_open_hook ?

• Sounds good, but if you can control the value, you can also ...
Vtable verification
• Summary of the vtable verification

• It very hard to bypass it.

• Exploitation of FILE structure is ...
Agenda
• Introduction

• File stream

• Overview the FILE structure

• Exploitation of FILE structure

• FSOP

• Vtable ve...
Make FILE structure great again
• How about change the target from vtable to other element ?

• Stream Buffer & File Descri...
Make FILE structure great again
• If we can overwrite the FILE structure and use fread and fwrite with the
FILE structure
...
Make FILE structure great again
• Arbitrary memory reading

• fwrite

• Set the _fileno to the file descriptor of stdout 

•...
Make FILE structure great again
• Arbitrary memory reading

• Set _flag &~ _IO_NO_WRITES

• Set _flag |= _IO_CURRENTLY_PUTTI...
Make FILE structure great again
• Arbitrary memory reading

• Let _IO_read_end equal to _IO_write_base

• If it’s not, it ...
Make FILE structure great again
• Arbitrary memory reading

• Sample code
65
Make FILE structure great again
• Arbitrary memory writing

• fread

• Set the _fileno to file descriptor of stdin

• Set _fl...
Make FILE structure great again
• Arbitrary memory writing

• Set read_base & read_ptr to NULL
67
It will copy data from b...
Make FILE structure great again
• Arbitrary memory writing

• Set _flag &~ _IO_NO_READS
68
Our goal
Make FILE structure great again
• Arbitrary memory writing

• Sample code
69
Make FILE structure great again
• If you have arbitrary memory address read and write, you can control the
flow very easy

...
Make FILE structure great again
• If we don’t have any file operation in the program

• We can use stdin/stdout/stderr 

• ...
Make FILE structure great again
• Scenario

• Use any stdin related function

• scanf/fgets/gets …

• Stdin is unbuffer

• ...
Make FILE structure great again
• Overwrite buf_end with a pointer behind the stdin

• Unsorted bin attack

• Very common ...
Make FILE structure great again
• Overwrite buf_end with a pointer behind the stdin

• Unsorted bin attack

• Very common ...
Make FILE structure great again
• Stdin related function

• scanf(“%d”,&var)

• It will call

• read(0,buf_base,sizeof(std...
Make FILE structure great again
• Stdin related function

• scanf(“%d”,&var)

• It will call

• read(0,buf_base,sizeof(std...
Make FILE structure great again
• Stdin related function

• scanf(“%d”,&var)

• It will call

• read(0,buf_base,sizeof(std...
Make FILE structure great again
• How about Windows ?

• No vtable in FILE

• It also has stream buffer pointer

• You can ...
Agenda
• Introduction

• File stream

• Overview the FILE structure

• Exploitation of FILE structure

• FSOP

• Vtable ve...
Conclusion
• FILE structure is a good target for binary exploit

• It can be used to

• Arbitrary memory read and write

•...
Conclusion
• FILE structure is a good target for binary Exploit

• It’s very powerful in some unexploitable case

• Let’s ...
Próxima SlideShare
Cargando en…5
×

Play with FILE Structure - Yet Another Binary Exploit Technique

13.185 visualizaciones

Publicado el

Play with FILE Structure - Yet Another Binary Exploit Technique

Publicado en: Tecnología
  • Hello! Get Your Professional Job-Winning Resume Here - Check our website! https://vk.cc/818RFv
       Responder 
    ¿Estás seguro?    No
    Tu mensaje aparecerá aquí

Play with FILE Structure - Yet Another Binary Exploit Technique

  1. 1. Play with FILE Structure Yet Another Binary Exploit Technique angelboy@chroot.org 1
  2. 2. About me • Angelboy • CTF player • WCTF / Boston Key Party 1st • DEFCON / HITB 2nd • Chroot / HITCON / 217 • Blog • blog.angelboy.tw 2
  3. 3. Agenda • Introduction • File stream • Overview the FILE structure • Exploitation of FILE structure • FSOP • Vtable verification in FILE structure • Make FILE structure great again • Conclusion 3
  4. 4. Agenda • Introduction • File stream • Overview the FILE structure • Exploitation of FILE structure • FSOP • Vtable verification in FILE structure • Make FILE structure great again • Conclusion 4
  5. 5. Introduction • What happen when we use a raw io function read/write Kernel Buffer User space Kernel space Disk 5
  6. 6. Introduction • What happen when we use a raw io function read/write Kernel Buffer User space Kernel space Disk Reduce the number of HD I/O 6
  7. 7. Introduction • What is File stream • A higher-level interface on the primitive file descriptor facilities • Stream buffering • Portable and High performance • What is FILE structure • A File stream descriptor • Created by fopen 7
  8. 8. Introduction • What happen when we use stdio function read/write Kernel Buffer User space Kernel space Disk stdio Buffer fread/fwrite 8
  9. 9. Introduction • What happen when we use stdio function read/write Kernel Buffer User space Kernel space Disk stdio Buffer fread/fwrite Reduce the number of syscall 9
  10. 10. Agenda • Introduction • File stream • Overview the FILE structure • Exploitation of FILE structure • FSOP • Vtable verification in FILE structure • Make FILE structure great again • Conclusion 10
  11. 11. Introduction • FILE structure • A complex structure • Flags • Stream buffer • File descriptor • FILE_plus • Virtual function table 11
  12. 12. Introduction • FILE structure • Flags • Record the attribute of the File stream • Read only • Append • … 12
  13. 13. Introduction • FILE structure • Stream buffer • Read buffer • Write buffer • Reserve buffer 13
  14. 14. Introduction • FILE structure • _fileno • File descriptor • Return by sys_open 14
  15. 15. Introduction • FILE structure • FILE plus • stdin/stdout/stderr • fopen also use it • Extra Virtual function table • Any operation on file is via vtable 15
  16. 16. Introduction • FILE structure • FILE plus • stdin/stdout/stderr • fopen also use it • Extra Virtual function table • Any operation on file is via vtable 16
  17. 17. Introduction • FILE structure • Every FILE associate with a _chain (linked list) 17 _IO_list_all _flag …… chain _flag …… chain _flag …… 0 stderr stdout stdin
  18. 18. Introduction • fopen workflow • Allocate FILE structure • Initial the FILE structure • Link the FILE structure • open file 18 fopen malloc _IO_link_in sys_open _IO_new_file_init_internal _IO_new_file_open
  19. 19. Introduction • fopen workflow • Allocate FILE structure _IO_list_all _flag …… chain …… vtable _flag …… chain …… vtable _flag …… 0 …… vtable stderr stdout stdin 19 malloc
  20. 20. Introduction • fopen workflow • Initialize the FILE structure • Link the FILE structure _IO_list_all _flag …… chain …… vtable _flag …… chain …… vtable _flag …… 0 …… vtable stderr stdout stdin 0 …… 0 …… 0 fp 20 _IO_new_file_init_internal _IO_link_in
  21. 21. Introduction • fopen workflow • Initial the FILE structure • Link the FILE structure _IO_list_all _flag …… chain …… vtable _flag …… chain …… vtable _flag …… 0 …… vtable stderr stdout stdin _flag …… chain …… vtable fp 21 _IO_link_in _IO_new_file_init_internal
  22. 22. Introduction • fopen workflow • open file _IO_list_all _flag …… chain …… vtable _flag …… chain …… vtable _flag …… 0 …… vtable stderr stdout stdin _flag …… chain …… vtable fp 22 sys_open
  23. 23. Introduction • fread workflow • If stream buffer is NULL • Allocate buffer • Read data to the stream buffer • Copy data from stream buffer to destination 23 fread vtable->_IO_file_xsgetn vtable->doallocate vtable->_IO_file_underflow sys_read
  24. 24. Introduction • fread workflow • If stream buffer is NULL • Allocate buffer _flag read_ptr (0) read_end (0) …… buf_base (0) buf_end (0) …… vtable fp _IO_file_finish _IO_file_overflow … _IO_file_doallocate … … … _IO_default_imbue vtable 24 fread vtable->_IO_file_xsgetn vtable->doallocate
  25. 25. Introduction • fread workflow • Read data to the stream buffer _flag read_ptr (0) read_end (0) …… 0x603010 0x604010 …… vtable fp stdio buffer 25 vtable->_IO_file_underflow sys_read
  26. 26. Introduction • fread workflow • Copy data from stream buffer 
 to destination _flag 0x603010 0x604010 …… 0x603010 0x604010 …… vtable fp AAAA AAAA BBBB BBBB CCCC CCCC … … … ZZZZ stdio buffer Destination 26 vtable->_IO_file_xsgetn
  27. 27. AAAA AAAA BBBB BBBB CCCC CCCC … … … ZZZZ Introduction • fread workflow • Copy data from stream buffer 
 to destination _flag 0x603040 0x604010 …… 0x603010 0x604010 …… vtable fp stdio buffer AAAAAAAA Copy to destination 27 vtable->_IO_file_xsgetn
  28. 28. Introduction • fwrite workflow • If stream buffer is NULL • Allocate buffer • Copy user data to the stream buffer • If the stream buffer is filled or flush the stream • write data from stream buffer to the file 28 fwrite vtable->_IO_file_xsputn vtable->_IO_file_overflow vtable->doallocate sys_write
  29. 29. Introduction • fclose workflow • Unlink the FILE structure • Flush & Release the stream buffer • Close the file • Release the FILE structure 29 fclose _IO_unlink_it _IO_new_file_close_it _IO_do_flush sys_close vtable—>_IO_file_finish free
  30. 30. Agenda • Introduction • File stream • Overview the FILE structure • Exploitation of FILE structure • FSOP • Vtable verification in FILE structure • Make FILE structure great again • Conclusion 30
  31. 31. Exploitation of FILE • There are a good target in FILE structure • Virtual Function Table 31
  32. 32. • Let’s overwrite with buffer address Exploitation of FILE Buffer overflow Sample code payload Buffer address 32 //variable buf at 0x6009a0
  33. 33. • Let’s overwrite with buffer address Exploitation of FILE 33 Buffer fp fp _flag read_ptr (0) read_end (0) …… vtable
  34. 34. • Let’s overwrite with buffer address Exploitation of FILE 34 AAAAAAAA AAAAAAAA AAAAAAAA AAAAAAAA …… …… AAAAAAAA …… Buffer 0x6009a0 fp _flag read_ptr (0) read_end (0) …… vtable Buffer overflow
  35. 35. Exploitation of FILE • Not call vtable directly… • RDX is our input
 but not call instruction 35
  36. 36. Exploitation of FILE • Let’s see what happened in fclose • We can get information of segfault in gdb and located it in source code Segfault 36
  37. 37. Exploitation of FILE • FILE structure • _lock • Prevent race condition in multithread • Very common in stdio related function • Usually need to construct it for Exploitation 37
  38. 38. • Let’s fix the lock Exploitation of FILE Find a global buffer as our lock Fix our payload offset of _lock 38 0x100 bytes
  39. 39. • We control PC ! Exploitation of FILE 39
  40. 40. Exploitation of FILE • Another interesting • stdin/stdout/stderr is also a FILE structure in glibc • We can overwrite the global variable in glibc to control the flow 40 GLIBC SYMBOL TABLE Global offset
  41. 41. Agenda • Introduction • File stream • Overview the FILE structure • Exploitation of FILE structure • FSOP • Vtable verification in FILE structure • Make FILE structure great again • Conclusion 41
  42. 42. FSOP • File-Stream Oriented Programing • Control the linked list of File stream • _chain • _IO_list_all • Powerful function • _IO_flush_all_lockp 42
  43. 43. FSOP • _IO_flush_all_lockp • fflush all file stream • When will call it • Glib abort routine • exit function • Main return 43 malloc_printerr _libc_message(error msg) abort _IO_flush_all_lockp JUMP_FIELD(_IO_overflow_t, __overflow) If the condition is satisfied Glibc abort routine
  44. 44. FSOP • _IO_flush_all_lockp • It will process all FILE
 in FILE linked list • We can construct the
 linked list to do oriented
 programing 44 fp = _IO_list_all condition Trigger virtual funcition Point to next
  45. 45. FSOP • File-Stream Oriented Programing _IO_list_all _flags _IO_read_ptr … … … _IO_FILE *chain … … vtable 45
  46. 46. FSOP • File-Stream Oriented Programing _IO_list_all _flags _IO_read_ptr … … … _IO_FILE *chain … … vtable _flags(“bar”) _IO_read_ptr … … … _IO_FILE *chain … … vtable _flags(“sh”) _IO_read_ptr … … … _IO_FILE *chain … … vtablefake_vtable fake_vtable2 system system system … … foo foo foo … … Trigger abort() 46
  47. 47. FSOP • File-Stream Oriented Programing _IO_list_all _flags _IO_read_ptr … … … _IO_FILE *chain … … vtable _flags(“bar”) _IO_read_ptr … … … _IO_FILE *chain … … vtable _flags(“sh”) _IO_read_ptr … … … _IO_FILE *chain … … vtablefake_vtable fake_vtable2 system system system … … foo foo foo … … call foo(_flags) 47
  48. 48. FSOP • File-Stream Oriented Programing _IO_list_all _flags _IO_read_ptr … … … _IO_FILE *chain … … vtable _flags(“bar”) _IO_read_ptr … … … _IO_FILE *chain … … vtable _flags(“sh”) _IO_read_ptr … … … _IO_FILE *chain … … vtablefake_vtable fake_vtable2 system system system … … foo foo foo … … call foo(“bar”) 48
  49. 49. FSOP • File-Stream Oriented Programing _IO_list_all _flags _IO_read_ptr … … … _IO_FILE *chain … … vtable _flags(“bar”) _IO_read_ptr … … … _IO_FILE *chain … … vtable _flags(“sh”) _IO_read_ptr … … … _IO_FILE *chain … … vtablefake_vtable fake_vtable2 system system system … … foo foo foo … … fp = fp->chain 49
  50. 50. FSOP • File-Stream Oriented Programing _IO_list_all _flags _IO_read_ptr … … … _IO_FILE *chain … … vtable _flags(“bar”) _IO_read_ptr … … … _IO_FILE *chain … … vtable _flags(“sh”) _IO_read_ptr … … … _IO_FILE *chain … … vtablefake_vtable fake_vtable2 system system system … … foo foo foo … … call system(_flags) 50
  51. 51. FSOP • File-Stream Oriented Programing _IO_list_all _flags _IO_read_ptr … … … _IO_FILE *chain … … vtable _flags(“bar”) _IO_read_ptr … … … _IO_FILE *chain … … vtable _flags(“sh”) _IO_read_ptr … … … _IO_FILE *chain … … vtablefake_vtable fake_vtable2 system system system … … foo foo foo … … call system(_flags) GET SHELL !! 51
  52. 52. Agenda • Introduction • File stream • Overview the FILE structure • Exploitation of FILE structure • FSOP • Vtable verification in FILE structure • Make FILE structure great again • Conclusion 52
  53. 53. Vtable verification • Unfortunately, there are a virtual function table in latest libc • Check the address of vtable before all virtual function call • If vtable is invalid, it would abort 53
  54. 54. Vtable verification • Vtable verification in File • The vtable must be in libc _IO_vtable section • If it’s not in _IO_vtable section, it will check if the vtable are permitted 54
  55. 55. • _IO_vtable_check • Check the foreign vtables Vtable verification 55 For overriding For share library
  56. 56. Vtable verification • Bypass ? • Overwrite IO_accept_foreign_vtables ? • It’s very difficult because of the pointer guard 56 Demangle with pointer guard
  57. 57. Vtable verification • Bypass ? • Overwrite _dl_open_hook ? • Sounds good, but if you can control the value, you can also control other good target 57
  58. 58. Vtable verification • Summary of the vtable verification • It very hard to bypass it. • Exploitation of FILE structure is died ? 58
  59. 59. Agenda • Introduction • File stream • Overview the FILE structure • Exploitation of FILE structure • FSOP • Vtable verification in FILE structure • Make FILE structure great again • Conclusion 59
  60. 60. Make FILE structure great again • How about change the target from vtable to other element ? • Stream Buffer & File Descriptor 60
  61. 61. Make FILE structure great again • If we can overwrite the FILE structure and use fread and fwrite with the FILE structure • We can • Arbitrary memory reading • Arbitrary memory writing 61
  62. 62. Make FILE structure great again • Arbitrary memory reading • fwrite • Set the _fileno to the file descriptor of stdout • Set _flag & ~_IO_NO_WRITES • Set _flag |= _IO_CURRENTLY_PUTTING • Set the write_base & write_ptr to memory address which you want to read • _IO_read_end equal to _IO_write_base 62
  63. 63. Make FILE structure great again • Arbitrary memory reading • Set _flag &~ _IO_NO_WRITES • Set _flag |= _IO_CURRENTLY_PUTTING 63 Our goal It will adjust the stream buffer A piece of code in fwrite
  64. 64. Make FILE structure great again • Arbitrary memory reading • Let _IO_read_end equal to _IO_write_base • If it’s not, it would adjust to the current offset. 64 It will adjust the stream buffer Our goal
  65. 65. Make FILE structure great again • Arbitrary memory reading • Sample code 65
  66. 66. Make FILE structure great again • Arbitrary memory writing • fread • Set the _fileno to file descriptor of stdin • Set _flag &~ _IO_NO_READS • Set read_base & read_ptr to NULL • Set the buf_base & buf_end to memory address which you want to wirte • buf_end - buf_base < size of fread 66
  67. 67. Make FILE structure great again • Arbitrary memory writing • Set read_base & read_ptr to NULL 67 It will copy data from buffer to destination Buffer size must be smaller than read size
  68. 68. Make FILE structure great again • Arbitrary memory writing • Set _flag &~ _IO_NO_READS 68 Our goal
  69. 69. Make FILE structure great again • Arbitrary memory writing • Sample code 69
  70. 70. Make FILE structure great again • If you have arbitrary memory address read and write, you can control the flow very easy • GOT hijack • __malloc_hook_/__free_hook_/__realloc_hook_ • … • By the way, you can not only use fread and fwrite but also use any stdio related function 70
  71. 71. Make FILE structure great again • If we don’t have any file operation in the program • We can use stdin/stdout/stderr • put/printf/scanf • … 71
  72. 72. Make FILE structure great again • Scenario • Use any stdin related function • scanf/fgets/gets … • Stdin is unbuffer • Very common in normal stdio program 72 … _IO_buf_base _IO_buf_end … _short_buf … stdin buffer stdin
  73. 73. Make FILE structure great again • Overwrite buf_end with a pointer behind the stdin • Unsorted bin attack • Very common in heap exploitation 73 … _IO_buf_base _IO_buf_end … _short_buf … stdin buffer stdin
  74. 74. Make FILE structure great again • Overwrite buf_end with a pointer behind the stdin • Unsorted bin attack • Very common in heap exploitation 74 … _IO_buf_base Unsorted bin … _short_buf … vtable … stdin stdin buffer … main_arena malloc_hook
  75. 75. Make FILE structure great again • Stdin related function • scanf(“%d”,&var) • It will call • read(0,buf_base,sizeof(stdin buffer)) 75 … _IO_buf_base Unsorted bin … _short_buf … vtable … stdin stdin buffer … main_arena malloc_hook
  76. 76. Make FILE structure great again • Stdin related function • scanf(“%d”,&var) • It will call • read(0,buf_base,sizeof(stdin buffer)) • It can overwrite many global variable in glibc • Input: aaaa……. 76 … _IO_buf_base Unsorted bin … aaaaaaaa … aaaaaaaa … stdin stdin buffer … main_arena aaaaaaaa
  77. 77. Make FILE structure great again • Stdin related function • scanf(“%d”,&var) • It will call • read(0,buf_base,sizeof(stdin buffer)) • It can overwrite many global variable in glibc • Input: aaaa……. 77 … _IO_buf_base aaaaaaaa … aaaaaaaa … aaaaaaaa … stdin stdin buffer … main_arena aaaaaaaa Control PC again !
  78. 78. Make FILE structure great again • How about Windows ? • No vtable in FILE • It also has stream buffer pointer • You can corrupt it to achieve arbitrary memory read and write 78
  79. 79. Agenda • Introduction • File stream • Overview the FILE structure • Exploitation of FILE structure • FSOP • Vtable verification in FILE structure • Make FILE structure great again • Conclusion 79
  80. 80. Conclusion • FILE structure is a good target for binary exploit • It can be used to • Arbitrary memory read and write • Control the PC and do oriented programing • Other exploit technology • Arbitrary free/unmmap • … 80
  81. 81. Conclusion • FILE structure is a good target for binary Exploit • It’s very powerful in some unexploitable case • Let’s try to find more and more exploit technology in FILE structure 81 Mail : angelboy@chroot.org Blog : blog.angelboy.tw Twitter : scwuaptx

×