Play with FILE structure (repost)

August 07, 2019

Reposted from a talk shared by Angel Boy

Warning: lots of images

Contents

  • Introduction
    • File stream
    • Overwrite the FILE structure
  • Exploitation of FILE structure
    • FSOP
    • Vtable verification in FILE structure
    • Make FILE structure great again
  • Conclusion

Introduction

What happens when we use a raw I/O function

What is a file stream?

  • A higher-level interface on the primitive file descriptor facilities
  • Stream buffering
  • Portable and high performance

What is the FILE structure?

  • A file stream descriptor
  • Created by fopen

What happens when we use a stdio function

Overwrite the FILE structure

  • FILE structure
    • A complex structure
      • Flags
      • Stream buffer
      • File descriptor
    • FILE_plus
      • Virtual function table

I wrote about the structure in an earlier post; readers can simply refer to that post.

flags

  • Records the attributes of the file stream
  • Read only
  • Append

Stream buffer

  • Read buffer
  • Write buffer
  • Reserve buffer


_fileno

  • File descriptor
  • Returned by sys_open

file_plus

  • stdin/stdout/stderr
  • fopen also uses it
  • Extra virtual function table
    • Any operation on the file goes through the vtable

chain

Every FILE is associated with a _chain (linked list)

fopen workflow

  • Allocate the FILE structure
  • Initialize the FILE structure
    • Link the FILE structure
  • Open the file

Allocate the FILE structure

Initialize the FILE structure

Open the file

fread workflow

  • If the stream buffer is NULL
    • Allocate a buffer
  • Read data into the stream buffer
  • Copy data from the stream buffer to the destination

If the stream buffer is NULL

Allocate a buffer

Read data into the stream buffer

Copy data from the stream buffer to the destination

If the stream is filled or flushed

  • Write data from the stream buffer to the file

fclose workflow

  • If the stream buffer is NULL
    • Allocate a buffer
  • Copy user data to the stream buffer
  • If the stream buffer is filled or the stream is flushed
    • Write data from the stream buffer to the file

  • Unlink the FILE structure
  • Flush & release the stream buffer
  • Close the file
  • Release the FILE structure
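
The buffering steps in the workflows above can be observed from user space. The following is an added example, not code from the original slides or from glibc: it hands stdio a buffer with setvbuf, writes through the stream, and compares what the kernel sees on the file descriptor before and after the flush. The names stream_buf, size_on_disk and buffered_write_demo are made up for the example.

```c
#define _POSIX_C_SOURCE 200809L        /* for fileno() */
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>

static char stream_buf[4096];          /* buffer we hand to stdio via setvbuf */

/* Size of the file behind a stream, asked from the kernel through its fd. */
static long size_on_disk(FILE *fp)
{
    struct stat st;
    return fstat(fileno(fp), &st) == 0 ? (long)st.st_size : -1;
}

/* Writes msg through a fully buffered stream.
 * out[0] = file size right after fwrite (data still in the stream buffer)
 * out[1] = 1 if the bytes are sitting in stream_buf at that moment
 * out[2] = file size after fflush (buffer written to the fd)
 * Returns 0 on success, -1 on error. */
int buffered_write_demo(const char *msg, long out[3])
{
    size_t n = strlen(msg);
    FILE *fp = tmpfile();
    if (fp == NULL)
        return -1;
    memset(stream_buf, 0, sizeof stream_buf);
    if (setvbuf(fp, stream_buf, _IOFBF, sizeof stream_buf) != 0 ||
        fwrite(msg, 1, n, fp) != n) {
        fclose(fp);
        return -1;
    }
    out[0] = size_on_disk(fp);
    out[1] = memcmp(stream_buf, msg, n) == 0;
    fflush(fp);                        /* stream buffer -> write() on the fd */
    out[2] = size_on_disk(fp);
    fclose(fp);                        /* unlink, flush, close fd, free FILE */
    return 0;
}

int main(void)
{
    long r[3];
    if (buffered_write_demo("hello FILE", r) != 0)
        return 1;
    printf("before flush: %ld bytes, in buffer: %ld, after flush: %ld bytes\n",
           r[0], r[1], r[2]);
    return 0;
}
```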

Exploitation of FILE structure

There is a good target in the FILE structure

Virtual function table

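/* glibc wraps every FILE in this structure */
struct _IO_FILE_plus
{
  _IO_FILE file;                    /* flags, stream buffer, _fileno, _chain, _lock */
  const struct _IO_jump_t *vtable;  /* virtual function table for file operations */
};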

Let’s overwrite it with a buffer address

The vtable is not called directly

  • RDX is our input, but the instruction is not a call

Let’s see what happened in fclose

  • We can get information about the segfault in gdb and locate it in the source code

File structure

  • _lock
    • Prevents race conditions in multithreaded programs
    • Very common in stdio-related functions
    • Usually needs to be constructed for exploitation

Let’s fix the lock

We control PC

Another interesting point

  • stdin/stdout/stderr are also FILE structures in glibc
  • We can overwrite the global variables in glibc to control the flow

FSOP

  • File-Stream Oriented Programming
    • Control the linked list of file streams
      • _chain
      • _IO_list_all
    • Powerful function
      • _IO_flush_all_lockp

_IO_flush_all_lockp

  • Flushes all file streams

We can call it

  • glibc abort routine
  • exit function
  • Main return

  • It processes every FILE in the FILE linked list
  • We can construct the linked list to do oriented programming

FILE-stream oriented programming

Then we will get a shell!

Vtable verification in FILE structure

  • Unfortunately, there is a virtual function table check in the latest libc
  • It checks the address of the vtable before every virtual function call
  • If the vtable is invalid, it aborts

Vtable verification

  • Vtable verification in FILE
  • The vtable must be in the libc _IO_vtable section
  • If it’s not in the _IO_vtable section, it checks whether the vtable is permitted

_IO_vtable_check

  • Check the foreign vtables
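
The section check described above comes down to one range test on the vtable pointer before any call is dispatched through it. The following is an added example, not glibc's code and not from the original slides: jump_table, trusted_vtables, vtable_in_trusted_section and checked_overflow are stand-ins made up for the example, and the slow path for pointers outside the section (_IO_vtable_check) is modelled as a plain refusal.

```c
#include <stdint.h>
#include <stdio.h>

/* Stand-in for struct _IO_jump_t: a table of function pointers. */
struct jump_table {
    int (*overflow)(int);
    int (*underflow)(void);
};

static int demo_overflow(int c) { return c; }
static int demo_underflow(void) { return -1; }

/* Stand-in for the libc section that holds every built-in vtable. */
static const struct jump_table trusted_vtables[3] = {
    { demo_overflow, demo_underflow },
    { demo_overflow, demo_underflow },
    { demo_overflow, demo_underflow },
};

/* Returns 1 if vt points inside the trusted section, 0 otherwise.
 * One unsigned subtraction covers both bounds: a pointer below the
 * start wraps to a huge offset and fails the same comparison. */
int vtable_in_trusted_section(const struct jump_table *vt)
{
    uintptr_t start = (uintptr_t)trusted_vtables;
    uintptr_t length = sizeof trusted_vtables;
    uintptr_t offset = (uintptr_t)vt - start;
    return offset < length;
}

/* Validate first, dispatch second. -2 stands in for the abort. */
int checked_overflow(const struct jump_table *vt, int c)
{
    if (!vtable_in_trusted_section(vt))
        return -2;
    return vt->overflow(c);
}

int main(void)
{
    /* Same contents as a trusted table, but stored in writable memory. */
    struct jump_table writable_copy = trusted_vtables[0];

    printf("table in section: %d\n", vtable_in_trusted_section(&trusted_vtables[1]));
    printf("writable copy:    %d\n", vtable_in_trusted_section(&writable_copy));
    printf("dispatch on copy: %d\n", checked_overflow(&writable_copy, 'A'));
    return 0;
}
```

The check looks only at where the table lives, not at what it contains, which is why a byte-for-byte copy in writable memory is refused.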

Bypass

  • Overwrite IO_accept_foreign_vtables ?
  • It’s very difficult because of the pointer guard

  • Overwrite _dl_open_hook ?
  • Sounds good, but if you can control the value, you can also control other good targets

Summary of the vtable verification

  • It is very hard to bypass
  • Is exploitation of the FILE structure dead?

Make FILE structure great again

How about changing the target from the vtable to another element?

  • Stream buffer & file descriptor

  • If we can overwrite the FILE structure and use fread and fwrite with the FILE structure
  • We can
    • Arbitrary memory reading
    • Arbitrary memory writing

Arbitrary memory reading

  • fwrite
    • Set the _fileno to the file descriptor of stdout
    • Set _flag & ~_IO_NO_WRITES
    • Set _flag |= _IO_CURRENTLY_PUTTING
    • Set the write_base & write_ptr to the memory address which you want to read
    • _IO_read_end equal to _IO_write_base

Where:

  • Set _flag &~ _IO_NO_WRITES
  • Set _flag |= _IO_CURRENTLY_PUTTING

  • Let _IO_read_end equal to _IO_write_base
  • If it’s not, it would adjust to the current offset

  • fread
    • Set the _fileno to the file descriptor of stdin
    • Set _flag &~ _IO_NO_READS
    • Set read_base & read_ptr to NULL
    • Set the buf_base & buf_end to the memory address which you want to write
    • buf_end - buf_base < size of fread

Where:

  • Set read_base & read_ptr to NULL
  • Set _flag &~ _IO_NO_READS

  • If you have arbitrary memory read and write, you can control the flow very easily
    • GOT hijack
    • __malloc_hook/__free_hook/__realloc_hook
  • By the way, you can use not only fread and fwrite but also any stdio-related function

  • If we don’t have any file operation in the program, we can use:

    • stdin/stdout/stderr
    • puts/printf/scanf
  • Scenario

    • Use any stdin-related function
      • scanf/fgets/gets
    • stdin is unbuffered
      • Very common in normal stdio programs

  • Overwrite buf_end with a pointer behind the stdin
    • Unsorted bin attack
    • Very common in heap exploitation


  • stdin-related function
    • scanf("%d", &var)
      • It will call
        • read(0, buf_base, sizeof(stdin buffer))

  • It can overwrite many global variables in glibc
  • Input: aaa…

Control The PC

  • How about Windows ?
    • No vtable in FILE
    • It also has stream buffer pointer
      • You can corrupt it to achieve arbitrary memory read and write

Conclusion

  • The FILE structure is a good target for binary exploitation

    • It can be used for
      • Arbitrary memory read and write
      • Controlling the PC and doing oriented programming
      • Other exploit techniques
      • Arbitrary free/unmap
    • It’s very powerful in some otherwise unexploitable cases
    • Let’s try to find more and more exploit techniques in the FILE structure!

      over~