Play With File Structure

Play with FILE Structure
Yet Another Binary Exploit Technique
angelboy@chroot.org
1
About me
• Angelboy
• CTF player
• WCTF / Boston Key Party 1st
• DEFCON / HITB 2nd
• Chroot / HITCON / 217
• Blog
• blog.angelboy.tw
2
Agenda
• Introduction
• File stream
• Overview the FILE structure
• Exploitation of FILE structure
• FSOP
• Vtable verification in FILE structure
• Make FILE structure great again
• Conclusion
3
Agenda
• Introduction
• File stream
• FSOP
• Conclusion
4
Introduction
• What happen when we use a raw io function
read/write
User space
Kernel space
Kernel Buffer
Disk
5
Introduction
• What happen when we use a raw io function
read/write
User space
Kernel space
Kernel Buffer
Reduce the number of HD I/O

Disk
6
Introduction
• What is File stream
• A higher-level interface on the primitive file descriptor facilities
• Stream buffering
• Portable and High performance
• What is FILE structure
• A File stream descriptor
• Created by fopen
7
Introduction
• What happen when we use stdio function
fread/fwrite
stdio Buffer
read/write
User space
Kernel Buffer Kernel space
Disk
8
Introduction
• What happen when we use stdio function
fread/fwrite
stdio Buffer
Reduce the number of syscall

read/write
User space
Kernel Buffer Kernel space
Disk
9
Agenda
• Introduction
• File stream
• FSOP
• Conclusion
10
Introduction
• FILE structure
• A complex structure
• Flags
• Stream buffer
• File descriptor
• FILE_plus
• Virtual function table

11
Introduction
• FILE structure
• Flags
• Record the attribute of the File stream
• Read only
• Append
• …
12
Introduction
• FILE structure
• Stream buffer
• Read buffer
• Write buffer
• Reserve buffer
13
Introduction
• FILE structure
• _fileno
• File descriptor
• Return by sys_open
14
Introduction
• FILE structure
• FILE plus
• stdin/stdout/stderr
• fopen also use it
• Extra Virtual function table
• Any operation on file is via vtable
15
Introduction
• FILE structure
• FILE plus
• stdin/stdout/stderr
• fopen also use it
• Extra Virtual function table
• Any operation on file is via vtable
16
Introduction
• FILE structure
• Every FILE associate with a _chain (linked list)
stderr stdout stdin

_IO_list_all
_flag _flag _flag
…… …… ……
chain chain 0
17
Introduction
• fopen workflow
malloc
• Allocate FILE structure
_IO_new_file_init_internal
• Initial the FILE structure
fopen
_IO_link_in
• Link the FILE structure
• open file _IO_new_file_open
sys_open
18
Introduction
• fopen workflow
• Allocate FILE structure

malloc
stderr stdout stdin

_IO_list_all
_flag _flag _flag
…… …… ……
chain chain 0
…… …… ……
vtable vtable vtable
19
Introduction
• fopen workflow
fp
0
• Initialize the FILE structure
…… _IO_new_file_init_internal
0
…… _IO_link_in
0
stderr stdout stdin

_IO_list_all
_flag _flag _flag
…… …… ……
chain chain 0
…… …… ……
20
Introduction
• fopen workflow
fp
_flag
• Initial the FILE structure
…… _IO_new_file_init_internal
chain
…… _IO_link_in
vtable
stderr stdout stdin

_IO_list_all
_flag _flag _flag
…… …… ……
chain chain 0
…… …… ……
21
Introduction
• fopen workflow
fp
_flag
• open file ……
chain sys_open
……
vtable
_IO_list_all stderr stdout stdin

_flag _flag _flag
…… …… ……
chain chain 0
…… …… ……
22
Introduction
• fread workflow
fread
• If stream buffer is NULL
vtable->_IO_file_xsgetn
• Allocate buffer
vtable->doallocate
• Read data to the stream buffer
vtable->_IO_file_underflow
• Copy data from stream buffer to destination
sys_read
23
Introduction
• fread workflow
fp
_flag vtable
_IO_file_finish
read_ptr (0)
_IO_file_overflow
• Allocate buffer read_end (0) …
…… _IO_file_doallocate
…
buf_base (0)
fread …
buf_end (0) …
…… _IO_default_imbue
vtable
vtable->doallocate
24
Introduction
• fread workflow
fp
_flag stdio buffer
• Read data to the stream buffer
read_ptr (0)
read_end (0)
……
0x603010
vtable->_IO_file_underflow
0x604010
……
sys_read
vtable
25
Introduction
• fread workflow
fp
_flag stdio buffer
• Copy data from stream buffer   AAAA
0x603010
to destination AAAA
0x604010 BBBB
BBBB
……
CCCC
0x603010 CCCC
…
0x604010
…
…… …
ZZZZ
vtable
Destination
26
Introduction
• fread workflow
fp
_flag stdio buffer
• Copy data from stream buffer   AAAA
0x603040
to destination AAAA
0x604010 BBBB
BBBB
……
CCCC
0x603010 CCCC
…
0x604010
…
…… …
ZZZZ
vtable
Copy to destination
AAAAAAAA
27
Introduction
• fwrite workflow
fwrite
vtable->_IO_file_xsputn
• Allocate buffer
• Copy user data to the stream buffer

vtable->_IO_file_overflow
• If the stream buffer is filled or flush the stream

vtable->doallocate
• write data from stream buffer to the file sys_write
28
Introduction
• fclose workflow
_IO_unlink_it
• Unlink the FILE structure
_IO_new_file_close_it
• Flush & Release the stream buffer

fclose
_IO_do_flush
• Close the file
sys_close
• Release the FILE structure
vtable—>_IO_file_finish
free
29
Agenda
• Introduction
• File stream
• FSOP
• Conclusion
30
Exploitation of FILE
• There are a good target in FILE structure
• Virtual Function Table
31
• Let’s overwrite with buffer address
//variable buf at 0x6009a0

Buffer address
payload
Buffer overflow
Sample code
32
Buffer fp
_flag
read_ptr (0)
read_end (0)
……
vtable
fp
33
Buffer fp
_flag
AAAAAAAA
AAAAAAAA read_ptr (0)
AAAAAAAA
AAAAAAAA read_end (0)
…… ……
……
AAAAAAAA vtable
……
0x6009a0
Buffer overflow
34
• Not call vtable directly…
• RDX is our input 

but not call instruction
35
• Let’s see what happened in fclose
• We can get information of segfault in gdb and located it in source code
Segfault
36
• FILE structure
• _lock
• Prevent race condition in multithread
• Very common in stdio related function
• Usually need to construct it for Exploitation
37
• Let’s fix the lock
Find a global buffer as our lock
Fix our payload
0x100 bytes
offset of _lock
38
• We control PC !
39
• Another interesting
• stdin/stdout/stderr is also a FILE structure in glibc
• We can overwrite the global variable in glibc to control the flow
GLIBC SYMBOL TABLE
Global offset
40
Agenda
• Introduction
• File stream
• FSOP
• Conclusion
41
FSOP
• File-Stream Oriented Programing
• Control the linked list of File stream
• _chain
• _IO_list_all
• Powerful function
• _IO_flush_all_lockp
42
FSOP
Glibc abort routine
• fflush all file stream

malloc_printerr
• When will call it
_libc_message(error msg)
• Glib abort routine
JUMP_FIELD(_IO_overflow_t,
abort
__overflow)
• exit function
• Main return _IO_flush_all_lockp
If the condition is satisfied
43
FSOP
fp = _IO_list_all
• It will process all FILE 
in FILE linked list
condition
• We can construct the 
linked list to do oriented 
programing
Trigger virtual funcition
Point to next
44
FSOP
_IO_list_all
_flags
_IO_read_ptr
…
…
…
_IO_FILE *chain
…
…
vtable
45
FSOP
Trigger abort()
_IO_list_all
_flags _flags(“bar”) _flags(“sh”) system

system
_IO_read_ptr _IO_read_ptr _IO_read_ptr
system
… … … …
… … … …
… … …
_IO_FILE *chain _IO_FILE *chain _IO_FILE *chain foo
foo
… … …
foo
… … … …
…
vtable fake_vtable
vtable fake_vtable2
vtable
46
FSOP
call foo(_flags)
_IO_list_all

system
system
… … … …
… … … …
… … …
foo
… … …
foo
… … … …
…
vtable fake_vtable
vtable fake_vtable2
vtable
47
FSOP
call foo(“bar”)
_IO_list_all

system
system
… … … …
… … … …
… … …
foo
… … …
foo
… … … …
…
vtable fake_vtable
vtable fake_vtable2
vtable
48
FSOP
fp = fp->chain
_IO_list_all

system
system
… … … …
… … … …
… … …
foo
… … …
foo
… … … …
…
vtable fake_vtable
vtable fake_vtable2
vtable
49
FSOP
call system(_flags)
_IO_list_all

system
system
… … … …
… … … …
… … …
foo
… … …
foo
… … … …
…
vtable fake_vtable
vtable fake_vtable2
vtable
50
FSOP
call system(_flags)
_IO_list_all

system
system
… GET SHELL !!…
… …
… … … …
… … …
foo
… … …
foo
… … … …
…
vtable fake_vtable
vtable fake_vtable2
vtable
51
Agenda
• Introduction
• File stream
• FSOP
• Conclusion
52
Vtable verification
• Unfortunately, there are a virtual function table in latest libc
• Check the address of vtable before all virtual function call
• If vtable is invalid, it would abort
53
Vtable verification
• Vtable verification in File
• The vtable must be in libc _IO_vtable section
• If it’s not in _IO_vtable section, it will check if the vtable are permitted
54
Vtable verification
• _IO_vtable_check
• Check the foreign vtables For overriding
For share library
55
Vtable verification
• Bypass ?
• Overwrite IO_accept_foreign_vtables ?
• It’s very difficult because of the pointer guard
Demangle with pointer guard
56
Vtable verification
• Bypass ?
• Overwrite _dl_open_hook ?
• Sounds good, but if you can control the value, you can also control
other good target
57
Vtable verification
• Summary of the vtable verification
• It very hard to bypass it.
• Exploitation of FILE structure is died ?
58
Agenda
• Introduction
• File stream
• FSOP
• Conclusion
59
Make FILE structure great again
• How about change the target from vtable to other element ?
• Stream Buffer & File Descriptor
60
• If we can overwrite the FILE structure and use fread and fwrite with the
FILE structure
• We can
• Arbitrary memory reading
• Arbitrary memory writing
61
• fwrite
• Set the _fileno to the file descriptor of stdout
• Set _flag & ~_IO_NO_WRITES
• Set _flag |= _IO_CURRENTLY_PUTTING
• Set the write_base & write_ptr to memory address which you want to read
• _IO_read_end equal to _IO_write_base

62
• Set _flag &~ _IO_NO_WRITES
• Set _flag |= _IO_CURRENTLY_PUTTING

It will adjust the stream buffer
A piece of code in fwrite

Our goal
63
• Let _IO_read_end equal to _IO_write_base
• If it’s not, it would adjust to the current offset.

It will adjust the stream buffer
Our goal
64
• Sample code
65
• fread
• Set the _fileno to file descriptor of stdin
• Set _flag &~ _IO_NO_READS
• Set read_base & read_ptr to NULL
• Set the buf_base & buf_end to memory address which you want to wirte
• buf_end - buf_base < size of fread

66
• Set read_base & read_ptr to NULL

It will copy data from buffer to destination
Buffer size must be smaller than read size
67
• Set _flag &~ _IO_NO_READS
Our goal
68
• Sample code
69
• If you have arbitrary memory address read and write, you can control the
flow very easy
• GOT hijack
• __malloc_hook_/__free_hook_/__realloc_hook_
• …
• By the way, you can not only use fread and fwrite but also use any stdio
related function
70
• If we don’t have any file operation in the program
• We can use stdin/stdout/stderr
• put/printf/scanf
• …
71
• Scenario
stdin
• Use any stdin related function
…
_IO_buf_base
• scanf/fgets/gets …
_IO_buf_end
stdin buffer …
• Stdin is unbuffer
_short_buf
…
• Very common in normal stdio program
72
• Overwrite buf_end with a pointer behind the stdin
stdin
• Unsorted bin attack
…
_IO_buf_base
• Very common in heap exploitation _IO_buf_end
stdin buffer …
_short_buf
…
73
• Overwrite buf_end with a pointer behind the stdin
stdin
…
• Unsorted bin attack
_IO_buf_base
stdin buffer Unsorted bin

• Very common in heap exploitation …
_short_buf
…
vtable
…
malloc_hook
…
main_arena
74
• Stdin related function
stdin
…
• scanf(“%d”,&var)
_IO_buf_base

• It will call
…
_short_buf
• read(0,buf_base,sizeof(stdin buffer)) …
vtable
…
malloc_hook
…
main_arena
75
stdin
…
_IO_buf_base

• It will call
…
aaaaaaaa
• read(0,buf_base,sizeof(stdin buffer))
…
aaaaaaaa
• It can overwrite many global variable in glibc

…
aaaaaaaa
• Input: aaaa……. …
main_arena
76
stdin
…
_IO_buf_base
stdin buffer aaaaaaaa

• It will call
…
Control PC again
• read(0,buf_base,sizeof(stdin buffer))
! aaaaaaaa
…
aaaaaaaa
• It can overwrite many global variable in glibc

…
aaaaaaaa
• Input: aaaa……. …
main_arena
77
• How about Windows ?
• No vtable in FILE
• It also has stream buffer pointer
• You can corrupt it to achieve arbitrary memory read and write
78
Agenda
• Introduction
• File stream
• FSOP
• Conclusion
79
Conclusion
• FILE structure is a good target for binary exploit
• It can be used to
• Arbitrary memory read and write
• Control the PC and do oriented programing
• Other exploit technology
• Arbitrary free/unmmap
• …
80
Conclusion
• FILE structure is a good target for binary Exploit
• It’s very powerful in some unexploitable case
• Let’s try to find more and more exploit technology in FILE structure
Mail : angelboy@chroot.org
Blog : blog.angelboy.tw
Twitter : scwuaptx
81

Play With File Structure

Uploaded by

Copyright:

Available Formats

You might also like

Play With File Structure

Uploaded by

Document Information

Original Description:

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Play With File Structure

Uploaded by

Copyright:

Available Formats

Play with FILE Structure

Yet Another Binary Exploit Technique

• WCTF / Boston Key Party 1st

• DEFCON / HITB 2nd

• Chroot / HITCON / 217

• Overview the FILE structure

• Exploitation of FILE structure

• Vtable verification in FILE structure

• Make FILE structure great again

• Overview the FILE structure

• Exploitation of FILE structure

• Vtable verification in FILE structure

• Make FILE structure great again

Reduce the number of HD I/O

• A higher-level interface on the primitive file descriptor facilities

• Portable and High performance

• What is FILE structure

• A File stream descriptor

Kernel Buffer Kernel space

Reduce the number of syscall

Kernel Buffer Kernel space

• Overview the FILE structure

• Exploitation of FILE structure

• Vtable verification in FILE structure

• Make FILE structure great again

• Virtual function table

• Record the attribute of the File stream

• fopen also use it

• Extra Virtual function table

• Any operation on file is via vtable

• fopen also use it

• Extra Virtual function table

• Any operation on file is via vtable

• Every FILE associate with a _chain (linked list)

stderr stdout stdin

• open file _IO_new_file_open

• Allocate FILE structure

stderr stdout stdin

stderr stdout stdin

stderr stdout stdin

_IO_list_all stderr stdout stdin

• If stream buﬀer is NULL

• If stream buﬀer is NULL

• Copy user data to the stream buﬀer

• If the stream buﬀer is filled or flush the stream

• write data from stream buﬀer to the file sys_write

• Unlink the FILE structure

• Flush & Release the stream buﬀer

• Close the file

• Overview the FILE structure

• Exploitation of FILE structure

• Vtable verification in FILE structure

• Make FILE structure great again

• Virtual Function Table

//variable buf at 0x6009a0

• RDX is our input

• We can get information of segfault in gdb and located it in source code

• RDX is our input 