Professional Documents
Culture Documents
Play With File Structure
Play With File Structure
Play With File Structure
angelboy@chroot.org
1
About me
• Angelboy
• CTF player
• Blog
• blog.angelboy.tw
2
Agenda
• Introduction
• File stream
• FSOP
• Conclusion
3
Agenda
• Introduction
• File stream
• FSOP
• Conclusion
4
Introduction
• What happen when we use a raw io function
read/write
User space
Kernel space
Kernel Buffer
Disk
5
Introduction
• What happen when we use a raw io function
read/write
User space
Kernel space
Kernel Buffer
6
Introduction
• What is File stream
• Stream buffering
• Created by fopen
7
Introduction
• What happen when we use stdio function
fread/fwrite
stdio Buffer
read/write
User space
Disk
8
Introduction
• What happen when we use stdio function
fread/fwrite
stdio Buffer
Disk
9
Agenda
• Introduction
• File stream
• FSOP
• Conclusion
10
Introduction
• FILE structure
• A complex structure
• Flags
• Stream buffer
• File descriptor
• FILE_plus
• Flags
• Read only
• Append
• …
12
Introduction
• FILE structure
• Stream buffer
• Read buffer
• Write buffer
• Reserve buffer
13
Introduction
• FILE structure
• _fileno
• File descriptor
• Return by sys_open
14
Introduction
• FILE structure
• FILE plus
• stdin/stdout/stderr
15
Introduction
• FILE structure
• FILE plus
• stdin/stdout/stderr
16
Introduction
• FILE structure
…… …… ……
chain chain 0
17
Introduction
• fopen workflow
malloc
• Allocate FILE structure
_IO_new_file_init_internal
• Initial the FILE structure
fopen
_IO_link_in
• Link the FILE structure
sys_open
18
Introduction
• fopen workflow
…… …… ……
chain chain 0
…… …… ……
vtable vtable vtable
19
Introduction
• fopen workflow
fp
0
• Initialize the FILE structure
…… _IO_new_file_init_internal
0
• Link the FILE structure
…… _IO_link_in
0
…… …… ……
chain chain 0
…… …… ……
vtable vtable vtable
20
Introduction
• fopen workflow
fp
_flag
• Initial the FILE structure
…… _IO_new_file_init_internal
chain
• Link the FILE structure
…… _IO_link_in
vtable
…… …… ……
chain chain 0
…… …… ……
vtable vtable vtable
21
Introduction
• fopen workflow
fp
_flag
• open file ……
chain sys_open
……
vtable
…… …… ……
chain chain 0
…… …… ……
vtable vtable vtable
22
Introduction
• fread workflow
fread
vtable->_IO_file_xsgetn
• Allocate buffer
vtable->doallocate
• Read data to the stream buffer
vtable->_IO_file_underflow
• Copy data from stream buffer to destination
sys_read
23
Introduction
• fread workflow
fp
_flag vtable
• If stream buffer is NULL
_IO_file_finish
read_ptr (0)
_IO_file_overflow
• Allocate buffer read_end (0) …
…… _IO_file_doallocate
…
buf_base (0)
fread …
buf_end (0) …
…… _IO_default_imbue
vtable->_IO_file_xsgetn
vtable
vtable->doallocate
24
Introduction
• fread workflow
fp
_flag stdio buffer
• Read data to the stream buffer
read_ptr (0)
read_end (0)
……
0x603010
vtable->_IO_file_underflow
0x604010
……
sys_read
vtable
25
Introduction
• fread workflow
fp
_flag stdio buffer
• Copy data from stream buffer
AAAA
0x603010
to destination AAAA
0x604010 BBBB
BBBB
……
CCCC
0x603010 CCCC
…
0x604010
…
vtable->_IO_file_xsgetn
…… …
ZZZZ
vtable
Destination
26
Introduction
• fread workflow
fp
_flag stdio buffer
• Copy data from stream buffer
AAAA
0x603040
to destination AAAA
0x604010 BBBB
BBBB
……
CCCC
0x603010 CCCC
…
0x604010
…
vtable->_IO_file_xsgetn
…… …
ZZZZ
vtable
Copy to destination
AAAAAAAA
27
Introduction
• fwrite workflow
fwrite
vtable->_IO_file_xsputn
• Allocate buffer
28
Introduction
• fclose workflow
_IO_unlink_it
_IO_new_file_close_it
_IO_do_flush
sys_close
• Release the FILE structure
vtable—>_IO_file_finish
free
29
Agenda
• Introduction
• File stream
• FSOP
• Conclusion
30
Exploitation of FILE
• There are a good target in FILE structure
31
Exploitation of FILE
• Let’s overwrite with buffer address
payload
Buffer overflow
Sample code
32
Exploitation of FILE
• Let’s overwrite with buffer address
Buffer fp
_flag
read_ptr (0)
read_end (0)
……
vtable
fp
33
Exploitation of FILE
• Let’s overwrite with buffer address
Buffer fp
_flag
AAAAAAAA
AAAAAAAA read_ptr (0)
AAAAAAAA
AAAAAAAA read_end (0)
…… ……
……
AAAAAAAA vtable
……
0x6009a0
Buffer overflow
34
Exploitation of FILE
• Not call vtable directly…
35
Exploitation of FILE
• Let’s see what happened in fclose
Segfault
36
Exploitation of FILE
• FILE structure
• _lock
37
Exploitation of FILE
• Let’s fix the lock
0x100 bytes
offset of _lock
38
Exploitation of FILE
• We control PC !
39
Exploitation of FILE
• Another interesting
Global offset
40
Agenda
• Introduction
• File stream
• FSOP
• Conclusion
41
FSOP
• File-Stream Oriented Programing
• _chain
• _IO_list_all
• Powerful function
• _IO_flush_all_lockp
42
FSOP
• _IO_flush_all_lockp
Glibc abort routine
_libc_message(error msg)
JUMP_FIELD(_IO_overflow_t,
abort
__overflow)
• exit function
43
FSOP
• _IO_flush_all_lockp
fp = _IO_list_all
• It will process all FILE
in FILE linked list
condition
• We can construct the
linked list to do oriented
programing
Trigger virtual funcition
Point to next
44
FSOP
• File-Stream Oriented Programing
_IO_list_all
_flags
_IO_read_ptr
…
…
…
_IO_FILE *chain
…
…
vtable
45
FSOP
• File-Stream Oriented Programing
Trigger abort()
_IO_list_all
… … …
_IO_FILE *chain _IO_FILE *chain _IO_FILE *chain foo
foo
… … …
foo
… … … …
…
vtable fake_vtable
vtable fake_vtable2
vtable
46
FSOP
• File-Stream Oriented Programing
call foo(_flags)
_IO_list_all
… … …
_IO_FILE *chain _IO_FILE *chain _IO_FILE *chain foo
foo
… … …
foo
… … … …
…
vtable fake_vtable
vtable fake_vtable2
vtable
47
FSOP
• File-Stream Oriented Programing
call foo(“bar”)
_IO_list_all
… … …
_IO_FILE *chain _IO_FILE *chain _IO_FILE *chain foo
foo
… … …
foo
… … … …
…
vtable fake_vtable
vtable fake_vtable2
vtable
48
FSOP
• File-Stream Oriented Programing
fp = fp->chain
_IO_list_all
… … …
_IO_FILE *chain _IO_FILE *chain _IO_FILE *chain foo
foo
… … …
foo
… … … …
…
vtable fake_vtable
vtable fake_vtable2
vtable
49
FSOP
• File-Stream Oriented Programing
call system(_flags)
_IO_list_all
… … …
_IO_FILE *chain _IO_FILE *chain _IO_FILE *chain foo
foo
… … …
foo
… … … …
…
vtable fake_vtable
vtable fake_vtable2
vtable
50
FSOP
• File-Stream Oriented Programing
call system(_flags)
_IO_list_all
… … …
_IO_FILE *chain _IO_FILE *chain _IO_FILE *chain foo
foo
… … …
foo
… … … …
…
vtable fake_vtable
vtable fake_vtable2
vtable
51
Agenda
• Introduction
• File stream
• FSOP
• Conclusion
52
Vtable verification
• Unfortunately, there are a virtual function table in latest libc
53
Vtable verification
• Vtable verification in File
• If it’s not in _IO_vtable section, it will check if the vtable are permitted
54
Vtable verification
• _IO_vtable_check
55
Vtable verification
• Bypass ?
• Overwrite IO_accept_foreign_vtables ?
56
Vtable verification
• Bypass ?
• Overwrite _dl_open_hook ?
• Sounds good, but if you can control the value, you can also control
other good target
57
Vtable verification
• Summary of the vtable verification
58
Agenda
• Introduction
• File stream
• FSOP
• Conclusion
59
Make FILE structure great again
• How about change the target from vtable to other element ?
60
Make FILE structure great again
• If we can overwrite the FILE structure and use fread and fwrite with the
FILE structure
• We can
61
Make FILE structure great again
• Arbitrary memory reading
• fwrite
• Set the write_base & write_ptr to memory address which you want to read
Our goal
64
Make FILE structure great again
• Arbitrary memory reading
• Sample code
65
Make FILE structure great again
• Arbitrary memory writing
• fread
• Set the buf_base & buf_end to memory address which you want to wirte
67
Make FILE structure great again
• Arbitrary memory writing
Our goal
68
Make FILE structure great again
• Arbitrary memory writing
• Sample code
69
Make FILE structure great again
• If you have arbitrary memory address read and write, you can control the
flow very easy
• GOT hijack
• __malloc_hook_/__free_hook_/__realloc_hook_
• …
• By the way, you can not only use fread and fwrite but also use any stdio
related function
70
Make FILE structure great again
• If we don’t have any file operation in the program
• put/printf/scanf
• …
71
Make FILE structure great again
• Scenario
stdin
• Use any stdin related function
…
_IO_buf_base
• scanf/fgets/gets …
_IO_buf_end
stdin buffer …
• Stdin is unbuffer
_short_buf
…
• Very common in normal stdio program
72
Make FILE structure great again
• Overwrite buf_end with a pointer behind the stdin
stdin
• Unsorted bin attack
…
_IO_buf_base
• Very common in heap exploitation _IO_buf_end
stdin buffer …
_short_buf
…
73
Make FILE structure great again
• Overwrite buf_end with a pointer behind the stdin
stdin
…
• Unsorted bin attack
_IO_buf_base
main_arena
74
Make FILE structure great again
• Stdin related function
stdin
…
• scanf(“%d”,&var)
_IO_buf_base
main_arena
75
Make FILE structure great again
• Stdin related function
stdin
…
• scanf(“%d”,&var)
_IO_buf_base
• Input: aaaa……. …
main_arena
76
Make FILE structure great again
• Stdin related function
stdin
…
• scanf(“%d”,&var)
_IO_buf_base
Control PC again
• read(0,buf_base,sizeof(stdin buffer))
! aaaaaaaa
…
aaaaaaaa
• Input: aaaa……. …
main_arena
77
Make FILE structure great again
• How about Windows ?
• No vtable in FILE
78
Agenda
• Introduction
• File stream
• FSOP
• Conclusion
79
Conclusion
• FILE structure is a good target for binary exploit
• It can be used to
• Arbitrary free/unmmap
• …
80
Conclusion
• FILE structure is a good target for binary Exploit
• Let’s try to find more and more exploit technology in FILE structure
Mail : angelboy@chroot.org
Blog : blog.angelboy.tw
Twitter : scwuaptx
81