SlideShare a Scribd company logo
1 of 81
Download to read offline
Play with FILE Structure
Yet Another Binary Exploit Technique
angelboy@chroot.org
1
About me
• Angelboy

• CTF player 

• WCTF / Boston Key Party 1st

• DEFCON / HITB 2nd

• Chroot / HITCON / 217

• Blog

• blog.angelboy.tw
2
Agenda
• Introduction

• File stream

• Overview the FILE structure

• Exploitation of FILE structure

• FSOP

• Vtable verification in FILE structure

• Make FILE structure great again

• Conclusion
3
Agenda
• Introduction

• File stream

• Overview the FILE structure

• Exploitation of FILE structure

• FSOP

• Vtable verification in FILE structure

• Make FILE structure great again

• Conclusion
4
Introduction
• What happen when we use a raw io function
read/write
Kernel Buffer
User space
Kernel space
Disk
5
Introduction
• What happen when we use a raw io function
read/write
Kernel Buffer
User space
Kernel space
Disk
Reduce the number of HD I/O
6
Introduction
• What is File stream

• A higher-level interface on the primitive file descriptor facilities

• Stream buffering

• Portable and High performance

• What is FILE structure

• A File stream descriptor

• Created by fopen
7
Introduction
• What happen when we use stdio function
read/write
Kernel Buffer
User space
Kernel space
Disk
stdio Buffer
fread/fwrite
8
Introduction
• What happen when we use stdio function
read/write
Kernel Buffer
User space
Kernel space
Disk
stdio Buffer
fread/fwrite
Reduce the number of syscall
9
Agenda
• Introduction

• File stream

• Overview the FILE structure

• Exploitation of FILE structure

• FSOP

• Vtable verification in FILE structure

• Make FILE structure great again

• Conclusion
10
Introduction
• FILE structure

• A complex structure

• Flags

• Stream buffer

• File descriptor

• FILE_plus

• Virtual function table
11
Introduction
• FILE structure

• Flags

• Record the attribute of the File stream

• Read only

• Append

• …
12
Introduction
• FILE structure

• Stream buffer

• Read buffer

• Write buffer

• Reserve buffer
13
Introduction
• FILE structure

• _fileno

• File descriptor

• Return by sys_open
14
Introduction
• FILE structure

• FILE plus

• stdin/stdout/stderr

• fopen also use it

• Extra Virtual function table

• Any operation on file is via vtable
15
Introduction
• FILE structure

• FILE plus 

• stdin/stdout/stderr

• fopen also use it

• Extra Virtual function table

• Any operation on file is via vtable
16
Introduction
• FILE structure

• Every FILE associate with a _chain (linked list)
17
_IO_list_all
_flag
……
chain
_flag
……
chain
_flag
……
0
stderr stdout stdin
Introduction
• fopen workflow

• Allocate FILE structure

• Initial the FILE structure

• Link the FILE structure

• open file
18
fopen
malloc
_IO_link_in
sys_open
_IO_new_file_init_internal
_IO_new_file_open
Introduction
• fopen workflow

• Allocate FILE structure
_IO_list_all
_flag
……
chain
……
vtable
_flag
……
chain
……
vtable
_flag
……
0
……
vtable
stderr stdout stdin
19
malloc
Introduction
• fopen workflow

• Initialize the FILE structure

• Link the FILE structure
_IO_list_all
_flag
……
chain
……
vtable
_flag
……
chain
……
vtable
_flag
……
0
……
vtable
stderr stdout stdin
0
……
0
……
0
fp
20
_IO_new_file_init_internal
_IO_link_in
Introduction
• fopen workflow

• Initial the FILE structure

• Link the FILE structure
_IO_list_all
_flag
……
chain
……
vtable
_flag
……
chain
……
vtable
_flag
……
0
……
vtable
stderr stdout stdin
_flag
……
chain
……
vtable
fp
21
_IO_link_in
_IO_new_file_init_internal
Introduction
• fopen workflow

• open file
_IO_list_all
_flag
……
chain
……
vtable
_flag
……
chain
……
vtable
_flag
……
0
……
vtable
stderr stdout stdin
_flag
……
chain
……
vtable
fp
22
sys_open
Introduction
• fread workflow

• If stream buffer is NULL

• Allocate buffer

• Read data to the stream buffer

• Copy data from stream buffer to destination
23
fread
vtable->_IO_file_xsgetn
vtable->doallocate
vtable->_IO_file_underflow
sys_read
Introduction
• fread workflow

• If stream buffer is NULL

• Allocate buffer
_flag
read_ptr (0)
read_end (0)
……
buf_base (0)
buf_end (0)
……
vtable
fp
_IO_file_finish
_IO_file_overflow
…
_IO_file_doallocate
…
…
…
_IO_default_imbue
vtable
24
fread
vtable->_IO_file_xsgetn
vtable->doallocate
Introduction
• fread workflow

• Read data to the stream buffer
_flag
read_ptr (0)
read_end (0)
……
0x603010
0x604010
……
vtable
fp
stdio buffer
25
vtable->_IO_file_underflow
sys_read
Introduction
• fread workflow

• Copy data from stream buffer 

to destination
_flag
0x603010
0x604010
……
0x603010
0x604010
……
vtable
fp
AAAA
AAAA
BBBB
BBBB
CCCC
CCCC
…
…
…
ZZZZ
stdio buffer
Destination
26
vtable->_IO_file_xsgetn
AAAA
AAAA
BBBB
BBBB
CCCC
CCCC
…
…
…
ZZZZ
Introduction
• fread workflow

• Copy data from stream buffer 

to destination
_flag
0x603040
0x604010
……
0x603010
0x604010
……
vtable
fp
stdio buffer
AAAAAAAA
Copy to destination
27
vtable->_IO_file_xsgetn
Introduction
• fwrite workflow

• If stream buffer is NULL

• Allocate buffer

• Copy user data to the stream buffer

• If the stream buffer is filled or flush the stream

• write data from stream buffer to the file
28
fwrite
vtable->_IO_file_xsputn
vtable->_IO_file_overflow
vtable->doallocate
sys_write
Introduction
• fclose workflow

• Unlink the FILE structure

• Flush & Release the stream buffer

• Close the file

• Release the FILE structure
29
fclose
_IO_unlink_it
_IO_new_file_close_it
_IO_do_flush
sys_close
vtable—>_IO_file_finish
free
Agenda
• Introduction

• File stream

• Overview the FILE structure

• Exploitation of FILE structure

• FSOP

• Vtable verification in FILE structure

• Make FILE structure great again

• Conclusion
30
Exploitation of FILE
• There are a good target in FILE structure

• Virtual Function Table
31
• Let’s overwrite with buffer address
Exploitation of FILE
Buffer overflow
Sample code
payload
Buffer address
32
//variable buf at 0x6009a0
• Let’s overwrite with buffer address
Exploitation of FILE
33
Buffer
fp
fp
_flag
read_ptr (0)
read_end (0)
……
vtable
• Let’s overwrite with buffer address
Exploitation of FILE
34
AAAAAAAA
AAAAAAAA
AAAAAAAA
AAAAAAAA
……
……
AAAAAAAA
……
Buffer
0x6009a0
fp
_flag
read_ptr (0)
read_end (0)
……
vtable
Buffer overflow
Exploitation of FILE
• Not call vtable directly…

• RDX is our input

but not call instruction
35
Exploitation of FILE
• Let’s see what happened in fclose

• We can get information of segfault in gdb and located it in source code
Segfault
36
Exploitation of FILE
• FILE structure

• _lock

• Prevent race condition in multithread

• Very common in stdio related function

• Usually need to construct it for Exploitation
37
• Let’s fix the lock
Exploitation of FILE
Find a global buffer as our lock
Fix our payload
offset of _lock
38
0x100 bytes
• We control PC !
Exploitation of FILE
39
Exploitation of FILE
• Another interesting

• stdin/stdout/stderr is also a FILE structure in glibc

• We can overwrite the global variable in glibc to control the flow
40
GLIBC SYMBOL TABLE
Global offset
Agenda
• Introduction

• File stream

• Overview the FILE structure

• Exploitation of FILE structure

• FSOP

• Vtable verification in FILE structure

• Make FILE structure great again

• Conclusion
41
FSOP
• File-Stream Oriented Programing

• Control the linked list of File stream

• _chain

• _IO_list_all

• Powerful function

• _IO_flush_all_lockp
42
FSOP
• _IO_flush_all_lockp

• fflush all file stream

• When will call it

• Glib abort routine

• exit function

• Main return
43
malloc_printerr
_libc_message(error msg)
abort
_IO_flush_all_lockp
JUMP_FIELD(_IO_overflow_t,
__overflow)
If the condition is satisfied
Glibc abort routine
FSOP
• _IO_flush_all_lockp

• It will process all FILE

in FILE linked list

• We can construct the

linked list to do oriented

programing
44
fp = _IO_list_all
condition
Trigger virtual funcition
Point to next
FSOP
• File-Stream Oriented Programing
_IO_list_all
_flags
_IO_read_ptr
…
…
…
_IO_FILE *chain
…
…
vtable
45
FSOP
• File-Stream Oriented Programing
_IO_list_all
_flags
_IO_read_ptr
…
…
…
_IO_FILE *chain
…
…
vtable
_flags(“bar”)
_IO_read_ptr
…
…
…
_IO_FILE *chain
…
…
vtable
_flags(“sh”)
_IO_read_ptr
…
…
…
_IO_FILE *chain
…
…
vtablefake_vtable fake_vtable2
system
system
system
…
…
foo
foo
foo
…
…
Trigger abort()
46
FSOP
• File-Stream Oriented Programing
_IO_list_all
_flags
_IO_read_ptr
…
…
…
_IO_FILE *chain
…
…
vtable
_flags(“bar”)
_IO_read_ptr
…
…
…
_IO_FILE *chain
…
…
vtable
_flags(“sh”)
_IO_read_ptr
…
…
…
_IO_FILE *chain
…
…
vtablefake_vtable fake_vtable2
system
system
system
…
…
foo
foo
foo
…
…
call foo(_flags)
47
FSOP
• File-Stream Oriented Programing
_IO_list_all
_flags
_IO_read_ptr
…
…
…
_IO_FILE *chain
…
…
vtable
_flags(“bar”)
_IO_read_ptr
…
…
…
_IO_FILE *chain
…
…
vtable
_flags(“sh”)
_IO_read_ptr
…
…
…
_IO_FILE *chain
…
…
vtablefake_vtable fake_vtable2
system
system
system
…
…
foo
foo
foo
…
…
call foo(“bar”)
48
FSOP
• File-Stream Oriented Programing
_IO_list_all
_flags
_IO_read_ptr
…
…
…
_IO_FILE *chain
…
…
vtable
_flags(“bar”)
_IO_read_ptr
…
…
…
_IO_FILE *chain
…
…
vtable
_flags(“sh”)
_IO_read_ptr
…
…
…
_IO_FILE *chain
…
…
vtablefake_vtable fake_vtable2
system
system
system
…
…
foo
foo
foo
…
…
fp = fp->chain
49
FSOP
• File-Stream Oriented Programing
_IO_list_all
_flags
_IO_read_ptr
…
…
…
_IO_FILE *chain
…
…
vtable
_flags(“bar”)
_IO_read_ptr
…
…
…
_IO_FILE *chain
…
…
vtable
_flags(“sh”)
_IO_read_ptr
…
…
…
_IO_FILE *chain
…
…
vtablefake_vtable fake_vtable2
system
system
system
…
…
foo
foo
foo
…
…
call system(_flags)
50
FSOP
• File-Stream Oriented Programing
_IO_list_all
_flags
_IO_read_ptr
…
…
…
_IO_FILE *chain
…
…
vtable
_flags(“bar”)
_IO_read_ptr
…
…
…
_IO_FILE *chain
…
…
vtable
_flags(“sh”)
_IO_read_ptr
…
…
…
_IO_FILE *chain
…
…
vtablefake_vtable fake_vtable2
system
system
system
…
…
foo
foo
foo
…
…
call system(_flags)
GET SHELL !!
51
Agenda
• Introduction

• File stream

• Overview the FILE structure

• Exploitation of FILE structure

• FSOP

• Vtable verification in FILE structure

• Make FILE structure great again

• Conclusion
52
Vtable verification
• Unfortunately, there are a virtual function table in latest libc

• Check the address of vtable before all virtual function call

• If vtable is invalid, it would abort
53
Vtable verification
• Vtable verification in File

• The vtable must be in libc _IO_vtable section

• If it’s not in _IO_vtable section, it will check if the vtable are permitted
54
• _IO_vtable_check

• Check the foreign vtables
Vtable verification
55
For overriding
For share library
Vtable verification
• Bypass ?

• Overwrite IO_accept_foreign_vtables ?

• It’s very difficult because of the pointer guard
56
Demangle with pointer guard
Vtable verification
• Bypass ?

• Overwrite _dl_open_hook ?

• Sounds good, but if you can control the value, you can also control
other good target
57
Vtable verification
• Summary of the vtable verification

• It very hard to bypass it.

• Exploitation of FILE structure is died ?
58
Agenda
• Introduction

• File stream

• Overview the FILE structure

• Exploitation of FILE structure

• FSOP

• Vtable verification in FILE structure

• Make FILE structure great again

• Conclusion
59
Make FILE structure great again
• How about change the target from vtable to other element ?

• Stream Buffer & File Descriptor
60
Make FILE structure great again
• If we can overwrite the FILE structure and use fread and fwrite with the
FILE structure

• We can

• Arbitrary memory reading

• Arbitrary memory writing
61
Make FILE structure great again
• Arbitrary memory reading

• fwrite

• Set the _fileno to the file descriptor of stdout 

• Set _flag & ~_IO_NO_WRITES

• Set _flag |= _IO_CURRENTLY_PUTTING

• Set the write_base & write_ptr to memory address which you want to read

• _IO_read_end equal to _IO_write_base
62
Make FILE structure great again
• Arbitrary memory reading

• Set _flag &~ _IO_NO_WRITES

• Set _flag |= _IO_CURRENTLY_PUTTING
63
Our goal
It will adjust the stream buffer
A piece of code in fwrite
Make FILE structure great again
• Arbitrary memory reading

• Let _IO_read_end equal to _IO_write_base

• If it’s not, it would adjust to the current offset.
64
It will adjust the stream buffer
Our goal
Make FILE structure great again
• Arbitrary memory reading

• Sample code
65
Make FILE structure great again
• Arbitrary memory writing

• fread

• Set the _fileno to file descriptor of stdin

• Set _flag &~ _IO_NO_READS

• Set read_base & read_ptr to NULL

• Set the buf_base & buf_end to memory address which you want to wirte

• buf_end - buf_base < size of fread
66
Make FILE structure great again
• Arbitrary memory writing

• Set read_base & read_ptr to NULL
67
It will copy data from buffer to destination
Buffer size must be smaller than read size
Make FILE structure great again
• Arbitrary memory writing

• Set _flag &~ _IO_NO_READS
68
Our goal
Make FILE structure great again
• Arbitrary memory writing

• Sample code
69
Make FILE structure great again
• If you have arbitrary memory address read and write, you can control the
flow very easy

• GOT hijack

• __malloc_hook_/__free_hook_/__realloc_hook_

• …

• By the way, you can not only use fread and fwrite but also use any stdio
related function
70
Make FILE structure great again
• If we don’t have any file operation in the program

• We can use stdin/stdout/stderr 

• put/printf/scanf

• …
71
Make FILE structure great again
• Scenario

• Use any stdin related function

• scanf/fgets/gets …

• Stdin is unbuffer

• Very common in normal stdio program
72
…
_IO_buf_base
_IO_buf_end
…
_short_buf
…
stdin buffer
stdin
Make FILE structure great again
• Overwrite buf_end with a pointer behind the stdin

• Unsorted bin attack

• Very common in heap exploitation
73
…
_IO_buf_base
_IO_buf_end
…
_short_buf
…
stdin buffer
stdin
Make FILE structure great again
• Overwrite buf_end with a pointer behind the stdin

• Unsorted bin attack

• Very common in heap exploitation
74
…
_IO_buf_base
Unsorted bin
…
_short_buf
…
vtable
…
stdin
stdin buffer
…
main_arena
malloc_hook
Make FILE structure great again
• Stdin related function

• scanf(“%d”,&var)

• It will call

• read(0,buf_base,sizeof(stdin buffer))
75
…
_IO_buf_base
Unsorted bin
…
_short_buf
…
vtable
…
stdin
stdin buffer
…
main_arena
malloc_hook
Make FILE structure great again
• Stdin related function

• scanf(“%d”,&var)

• It will call

• read(0,buf_base,sizeof(stdin buffer))

• It can overwrite many global variable in glibc

• Input: aaaa…….
76
…
_IO_buf_base
Unsorted bin
…
aaaaaaaa
…
aaaaaaaa
…
stdin
stdin buffer
…
main_arena
aaaaaaaa
Make FILE structure great again
• Stdin related function

• scanf(“%d”,&var)

• It will call

• read(0,buf_base,sizeof(stdin buffer))

• It can overwrite many global variable in glibc

• Input: aaaa…….
77
…
_IO_buf_base
aaaaaaaa
…
aaaaaaaa
…
aaaaaaaa
…
stdin
stdin buffer
…
main_arena
aaaaaaaa
Control PC again !
Make FILE structure great again
• How about Windows ?

• No vtable in FILE

• It also has stream buffer pointer

• You can corrupt it to achieve arbitrary memory read and write
78
Agenda
• Introduction

• File stream

• Overview the FILE structure

• Exploitation of FILE structure

• FSOP

• Vtable verification in FILE structure

• Make FILE structure great again

• Conclusion
79
Conclusion
• FILE structure is a good target for binary exploit

• It can be used to

• Arbitrary memory read and write

• Control the PC and do oriented programing

• Other exploit technology

• Arbitrary free/unmmap

• …
80
Conclusion
• FILE structure is a good target for binary Exploit

• It’s very powerful in some unexploitable case

• Let’s try to find more and more exploit technology in FILE structure
81
Mail : angelboy@chroot.org
Blog : blog.angelboy.tw
Twitter : scwuaptx

More Related Content

What's hot

DeathNote of Microsoft Windows Kernel
DeathNote of Microsoft Windows KernelDeathNote of Microsoft Windows Kernel
DeathNote of Microsoft Windows KernelPeter Hlavaty
 
Linux Binary Exploitation - Heap Exploitation
Linux Binary Exploitation - Heap Exploitation Linux Binary Exploitation - Heap Exploitation
Linux Binary Exploitation - Heap Exploitation Angel Boy
 
Linux Binary Exploitation - Return-oritend Programing
Linux Binary Exploitation - Return-oritend ProgramingLinux Binary Exploitation - Return-oritend Programing
Linux Binary Exploitation - Return-oritend ProgramingAngel Boy
 
Linux Binary Exploitation - Stack buffer overflow
Linux Binary Exploitation - Stack buffer overflowLinux Binary Exploitation - Stack buffer overflow
Linux Binary Exploitation - Stack buffer overflowAngel Boy
 
ROP 輕鬆談
ROP 輕鬆談ROP 輕鬆談
ROP 輕鬆談hackstuff
 
Windows 10 Nt Heap Exploitation (Chinese version)
Windows 10 Nt Heap Exploitation (Chinese version)Windows 10 Nt Heap Exploitation (Chinese version)
Windows 10 Nt Heap Exploitation (Chinese version)Angel Boy
 
Linux SMEP bypass techniques
Linux SMEP bypass techniquesLinux SMEP bypass techniques
Linux SMEP bypass techniquesVitaly Nikolenko
 
Return to dlresolve
Return to dlresolveReturn to dlresolve
Return to dlresolveAngel Boy
 
twlkh-linux-vsyscall-and-vdso
twlkh-linux-vsyscall-and-vdsotwlkh-linux-vsyscall-and-vdso
twlkh-linux-vsyscall-and-vdsoViller Hsiao
 
You didnt see it’s coming? "Dawn of hardened Windows Kernel"
You didnt see it’s coming? "Dawn of hardened Windows Kernel" You didnt see it’s coming? "Dawn of hardened Windows Kernel"
You didnt see it’s coming? "Dawn of hardened Windows Kernel" Peter Hlavaty
 
Sigreturn Oriented Programming
Sigreturn Oriented ProgrammingSigreturn Oriented Programming
Sigreturn Oriented ProgrammingAngel Boy
 
Modern Kernel Pool Exploitation: Attacks and Techniques
Modern Kernel Pool Exploitation: Attacks and TechniquesModern Kernel Pool Exploitation: Attacks and Techniques
Modern Kernel Pool Exploitation: Attacks and TechniquesMichael Scovetta
 
CSW2017 Peng qiu+shefang-zhong win32k -dark_composition_finnal_finnal_rm_mark
CSW2017 Peng qiu+shefang-zhong win32k -dark_composition_finnal_finnal_rm_markCSW2017 Peng qiu+shefang-zhong win32k -dark_composition_finnal_finnal_rm_mark
CSW2017 Peng qiu+shefang-zhong win32k -dark_composition_finnal_finnal_rm_markCanSecWest
 
Windows Kernel Exploitation : This Time Font hunt you down in 4 bytes
Windows Kernel Exploitation : This Time Font hunt you down in 4 bytesWindows Kernel Exploitation : This Time Font hunt you down in 4 bytes
Windows Kernel Exploitation : This Time Font hunt you down in 4 bytesPeter Hlavaty
 
BPF - in-kernel virtual machine
BPF - in-kernel virtual machineBPF - in-kernel virtual machine
BPF - in-kernel virtual machineAlexei Starovoitov
 
TDOH x 台科 pwn課程
TDOH x 台科 pwn課程TDOH x 台科 pwn課程
TDOH x 台科 pwn課程Weber Tsai
 
Performance Wins with eBPF: Getting Started (2021)
Performance Wins with eBPF: Getting Started (2021)Performance Wins with eBPF: Getting Started (2021)
Performance Wins with eBPF: Getting Started (2021)Brendan Gregg
 
Linux MMAP & Ioremap introduction
Linux MMAP & Ioremap introductionLinux MMAP & Ioremap introduction
Linux MMAP & Ioremap introductionGene Chang
 
Linux Kernel - Virtual File System
Linux Kernel - Virtual File SystemLinux Kernel - Virtual File System
Linux Kernel - Virtual File SystemAdrian Huang
 
[CB16] House of Einherjar :GLIBC上の新たなヒープ活用テクニック by 松隈大樹
[CB16] House of Einherjar :GLIBC上の新たなヒープ活用テクニック by 松隈大樹[CB16] House of Einherjar :GLIBC上の新たなヒープ活用テクニック by 松隈大樹
[CB16] House of Einherjar :GLIBC上の新たなヒープ活用テクニック by 松隈大樹CODE BLUE
 

What's hot (20)

DeathNote of Microsoft Windows Kernel
DeathNote of Microsoft Windows KernelDeathNote of Microsoft Windows Kernel
DeathNote of Microsoft Windows Kernel
 
Linux Binary Exploitation - Heap Exploitation
Linux Binary Exploitation - Heap Exploitation Linux Binary Exploitation - Heap Exploitation
Linux Binary Exploitation - Heap Exploitation
 
Linux Binary Exploitation - Return-oritend Programing
Linux Binary Exploitation - Return-oritend ProgramingLinux Binary Exploitation - Return-oritend Programing
Linux Binary Exploitation - Return-oritend Programing
 
Linux Binary Exploitation - Stack buffer overflow
Linux Binary Exploitation - Stack buffer overflowLinux Binary Exploitation - Stack buffer overflow
Linux Binary Exploitation - Stack buffer overflow
 
ROP 輕鬆談
ROP 輕鬆談ROP 輕鬆談
ROP 輕鬆談
 
Windows 10 Nt Heap Exploitation (Chinese version)
Windows 10 Nt Heap Exploitation (Chinese version)Windows 10 Nt Heap Exploitation (Chinese version)
Windows 10 Nt Heap Exploitation (Chinese version)
 
Linux SMEP bypass techniques
Linux SMEP bypass techniquesLinux SMEP bypass techniques
Linux SMEP bypass techniques
 
Return to dlresolve
Return to dlresolveReturn to dlresolve
Return to dlresolve
 
twlkh-linux-vsyscall-and-vdso
twlkh-linux-vsyscall-and-vdsotwlkh-linux-vsyscall-and-vdso
twlkh-linux-vsyscall-and-vdso
 
You didnt see it’s coming? "Dawn of hardened Windows Kernel"
You didnt see it’s coming? "Dawn of hardened Windows Kernel" You didnt see it’s coming? "Dawn of hardened Windows Kernel"
You didnt see it’s coming? "Dawn of hardened Windows Kernel"
 
Sigreturn Oriented Programming
Sigreturn Oriented ProgrammingSigreturn Oriented Programming
Sigreturn Oriented Programming
 
Modern Kernel Pool Exploitation: Attacks and Techniques
Modern Kernel Pool Exploitation: Attacks and TechniquesModern Kernel Pool Exploitation: Attacks and Techniques
Modern Kernel Pool Exploitation: Attacks and Techniques
 
CSW2017 Peng qiu+shefang-zhong win32k -dark_composition_finnal_finnal_rm_mark
CSW2017 Peng qiu+shefang-zhong win32k -dark_composition_finnal_finnal_rm_markCSW2017 Peng qiu+shefang-zhong win32k -dark_composition_finnal_finnal_rm_mark
CSW2017 Peng qiu+shefang-zhong win32k -dark_composition_finnal_finnal_rm_mark
 
Windows Kernel Exploitation : This Time Font hunt you down in 4 bytes
Windows Kernel Exploitation : This Time Font hunt you down in 4 bytesWindows Kernel Exploitation : This Time Font hunt you down in 4 bytes
Windows Kernel Exploitation : This Time Font hunt you down in 4 bytes
 
BPF - in-kernel virtual machine
BPF - in-kernel virtual machineBPF - in-kernel virtual machine
BPF - in-kernel virtual machine
 
TDOH x 台科 pwn課程
TDOH x 台科 pwn課程TDOH x 台科 pwn課程
TDOH x 台科 pwn課程
 
Performance Wins with eBPF: Getting Started (2021)
Performance Wins with eBPF: Getting Started (2021)Performance Wins with eBPF: Getting Started (2021)
Performance Wins with eBPF: Getting Started (2021)
 
Linux MMAP & Ioremap introduction
Linux MMAP & Ioremap introductionLinux MMAP & Ioremap introduction
Linux MMAP & Ioremap introduction
 
Linux Kernel - Virtual File System
Linux Kernel - Virtual File SystemLinux Kernel - Virtual File System
Linux Kernel - Virtual File System
 
[CB16] House of Einherjar :GLIBC上の新たなヒープ活用テクニック by 松隈大樹
[CB16] House of Einherjar :GLIBC上の新たなヒープ活用テクニック by 松隈大樹[CB16] House of Einherjar :GLIBC上の新たなヒープ活用テクニック by 松隈大樹
[CB16] House of Einherjar :GLIBC上の新たなヒープ活用テクニック by 松隈大樹
 

Viewers also liked

滲透測試基本技巧與經驗分享
滲透測試基本技巧與經驗分享滲透測試基本技巧與經驗分享
滲透測試基本技巧與經驗分享WEI CHIEH CHAO
 
2016.9.10 hackfoldr課
2016.9.10 hackfoldr課2016.9.10 hackfoldr課
2016.9.10 hackfoldr課佩琪 羅
 
Bug hunting through_reverse_engineering
Bug hunting through_reverse_engineeringBug hunting through_reverse_engineering
Bug hunting through_reverse_engineeringarif
 
SECCON 2016 Online CTF [Memory Analysis] Write-Up (ver.korean)
SECCON 2016 Online CTF [Memory Analysis] Write-Up (ver.korean)SECCON 2016 Online CTF [Memory Analysis] Write-Up (ver.korean)
SECCON 2016 Online CTF [Memory Analysis] Write-Up (ver.korean)Sehan Lee
 
Introduction to Reverse Engineering
Introduction to Reverse EngineeringIntroduction to Reverse Engineering
Introduction to Reverse EngineeringDobromir Enchev
 
Reverse engineering
Reverse  engineeringReverse  engineering
Reverse engineeringYuffie Valen
 
Introduction to Reverse Engineering
Introduction to Reverse EngineeringIntroduction to Reverse Engineering
Introduction to Reverse EngineeringGopinath Chintala
 
Reverse Engineering
Reverse EngineeringReverse Engineering
Reverse Engineeringdswanson
 
Reverse engineering & its application
Reverse engineering & its applicationReverse engineering & its application
Reverse engineering & its applicationmapqrs
 
Reverse engineering
Reverse engineeringReverse engineering
Reverse engineeringananya0122
 
AI and Machine Learning Demystified by Carol Smith at Midwest UX 2017
AI and Machine Learning Demystified by Carol Smith at Midwest UX 2017AI and Machine Learning Demystified by Carol Smith at Midwest UX 2017
AI and Machine Learning Demystified by Carol Smith at Midwest UX 2017Carol Smith
 

Viewers also liked (14)

Klee and angr
Klee and angrKlee and angr
Klee and angr
 
滲透測試基本技巧與經驗分享
滲透測試基本技巧與經驗分享滲透測試基本技巧與經驗分享
滲透測試基本技巧與經驗分享
 
2016.9.10 hackfoldr課
2016.9.10 hackfoldr課2016.9.10 hackfoldr課
2016.9.10 hackfoldr課
 
Bug hunting through_reverse_engineering
Bug hunting through_reverse_engineeringBug hunting through_reverse_engineering
Bug hunting through_reverse_engineering
 
SECCON 2016 Online CTF [Memory Analysis] Write-Up (ver.korean)
SECCON 2016 Online CTF [Memory Analysis] Write-Up (ver.korean)SECCON 2016 Online CTF [Memory Analysis] Write-Up (ver.korean)
SECCON 2016 Online CTF [Memory Analysis] Write-Up (ver.korean)
 
Glibc malloc internal
Glibc malloc internalGlibc malloc internal
Glibc malloc internal
 
Reverse engineering
Reverse engineeringReverse engineering
Reverse engineering
 
Introduction to Reverse Engineering
Introduction to Reverse EngineeringIntroduction to Reverse Engineering
Introduction to Reverse Engineering
 
Reverse engineering
Reverse  engineeringReverse  engineering
Reverse engineering
 
Introduction to Reverse Engineering
Introduction to Reverse EngineeringIntroduction to Reverse Engineering
Introduction to Reverse Engineering
 
Reverse Engineering
Reverse EngineeringReverse Engineering
Reverse Engineering
 
Reverse engineering & its application
Reverse engineering & its applicationReverse engineering & its application
Reverse engineering & its application
 
Reverse engineering
Reverse engineeringReverse engineering
Reverse engineering
 
AI and Machine Learning Demystified by Carol Smith at Midwest UX 2017
AI and Machine Learning Demystified by Carol Smith at Midwest UX 2017AI and Machine Learning Demystified by Carol Smith at Midwest UX 2017
AI and Machine Learning Demystified by Carol Smith at Midwest UX 2017
 

Similar to Play with FILE Structure - Yet Another Binary Exploit Technique

File handing in C
File handing in CFile handing in C
File handing in Cshrishcg
 
File management
File managementFile management
File managementsumathiv9
 
NiFi Developer Guide
NiFi Developer GuideNiFi Developer Guide
NiFi Developer GuideDeon Huang
 
06 file processing
06 file processing06 file processing
06 file processingIssay Meii
 
Speed up large-scale ML/DL offline inference job with Alluxio
Speed up large-scale ML/DL offline inference job with AlluxioSpeed up large-scale ML/DL offline inference job with Alluxio
Speed up large-scale ML/DL offline inference job with AlluxioAlluxio, Inc.
 
Linux System Programming - Buffered I/O
Linux System Programming - Buffered I/O Linux System Programming - Buffered I/O
Linux System Programming - Buffered I/O YourHelper1
 
Under The Hood of Pluggable Databases by Alex Gorbachev, Pythian, Oracle OpeW...
Under The Hood of Pluggable Databases by Alex Gorbachev, Pythian, Oracle OpeW...Under The Hood of Pluggable Databases by Alex Gorbachev, Pythian, Oracle OpeW...
Under The Hood of Pluggable Databases by Alex Gorbachev, Pythian, Oracle OpeW...Alex Gorbachev
 
IS - section 1 - modifiedFinal information system.pptx
IS - section 1 - modifiedFinal information system.pptxIS - section 1 - modifiedFinal information system.pptx
IS - section 1 - modifiedFinal information system.pptxNaglaaAbdelhady
 
Open Source LinkedIn Analytics Pipeline - BOSS 2016 (VLDB)
Open Source LinkedIn Analytics Pipeline - BOSS 2016 (VLDB)Open Source LinkedIn Analytics Pipeline - BOSS 2016 (VLDB)
Open Source LinkedIn Analytics Pipeline - BOSS 2016 (VLDB)Issac Buenrostro
 
Vorontsov, golovko ssrf attacks and sockets. smorgasbord of vulnerabilities
Vorontsov, golovko   ssrf attacks and sockets. smorgasbord of vulnerabilitiesVorontsov, golovko   ssrf attacks and sockets. smorgasbord of vulnerabilities
Vorontsov, golovko ssrf attacks and sockets. smorgasbord of vulnerabilitiesDefconRussia
 
NiFi - First approach
NiFi - First approachNiFi - First approach
NiFi - First approachMickael Cassy
 
Linux System Programming - File I/O
Linux System Programming - File I/O Linux System Programming - File I/O
Linux System Programming - File I/O YourHelper1
 
Linux operating system by Quontra Solutions
Linux operating system by Quontra SolutionsLinux operating system by Quontra Solutions
Linux operating system by Quontra SolutionsQUONTRASOLUTIONS
 
Still All on One Server: Perforce at Scale
Still All on One Server: Perforce at Scale Still All on One Server: Perforce at Scale
Still All on One Server: Perforce at Scale Perforce
 
Upgrade von TYPO3 4.5 auf 6.2 - CertiFUNcation Phantasialand 2015
Upgrade von TYPO3 4.5 auf 6.2 - CertiFUNcation Phantasialand 2015Upgrade von TYPO3 4.5 auf 6.2 - CertiFUNcation Phantasialand 2015
Upgrade von TYPO3 4.5 auf 6.2 - CertiFUNcation Phantasialand 2015Wolfgang Wagner
 

Similar to Play with FILE Structure - Yet Another Binary Exploit Technique (20)

File handing in C
File handing in CFile handing in C
File handing in C
 
Systems Programming - File IO
Systems Programming - File IOSystems Programming - File IO
Systems Programming - File IO
 
File Handling in C .pptx
File Handling in C .pptxFile Handling in C .pptx
File Handling in C .pptx
 
File management
File managementFile management
File management
 
NiFi Developer Guide
NiFi Developer GuideNiFi Developer Guide
NiFi Developer Guide
 
06 file processing
06 file processing06 file processing
06 file processing
 
Speed up large-scale ML/DL offline inference job with Alluxio
Speed up large-scale ML/DL offline inference job with AlluxioSpeed up large-scale ML/DL offline inference job with Alluxio
Speed up large-scale ML/DL offline inference job with Alluxio
 
Linux System Programming - Buffered I/O
Linux System Programming - Buffered I/O Linux System Programming - Buffered I/O
Linux System Programming - Buffered I/O
 
Under The Hood of Pluggable Databases by Alex Gorbachev, Pythian, Oracle OpeW...
Under The Hood of Pluggable Databases by Alex Gorbachev, Pythian, Oracle OpeW...Under The Hood of Pluggable Databases by Alex Gorbachev, Pythian, Oracle OpeW...
Under The Hood of Pluggable Databases by Alex Gorbachev, Pythian, Oracle OpeW...
 
File mangement
File mangementFile mangement
File mangement
 
IS - section 1 - modifiedFinal information system.pptx
IS - section 1 - modifiedFinal information system.pptxIS - section 1 - modifiedFinal information system.pptx
IS - section 1 - modifiedFinal information system.pptx
 
Open Source LinkedIn Analytics Pipeline - BOSS 2016 (VLDB)
Open Source LinkedIn Analytics Pipeline - BOSS 2016 (VLDB)Open Source LinkedIn Analytics Pipeline - BOSS 2016 (VLDB)
Open Source LinkedIn Analytics Pipeline - BOSS 2016 (VLDB)
 
Vorontsov, golovko ssrf attacks and sockets. smorgasbord of vulnerabilities
Vorontsov, golovko   ssrf attacks and sockets. smorgasbord of vulnerabilitiesVorontsov, golovko   ssrf attacks and sockets. smorgasbord of vulnerabilities
Vorontsov, golovko ssrf attacks and sockets. smorgasbord of vulnerabilities
 
Unix cmc
Unix cmcUnix cmc
Unix cmc
 
NiFi - First approach
NiFi - First approachNiFi - First approach
NiFi - First approach
 
Linux System Programming - File I/O
Linux System Programming - File I/O Linux System Programming - File I/O
Linux System Programming - File I/O
 
Linux operating system by Quontra Solutions
Linux operating system by Quontra SolutionsLinux operating system by Quontra Solutions
Linux operating system by Quontra Solutions
 
Still All on One Server: Perforce at Scale
Still All on One Server: Perforce at Scale Still All on One Server: Perforce at Scale
Still All on One Server: Perforce at Scale
 
Upgrade von TYPO3 4.5 auf 6.2 - CertiFUNcation Phantasialand 2015
Upgrade von TYPO3 4.5 auf 6.2 - CertiFUNcation Phantasialand 2015Upgrade von TYPO3 4.5 auf 6.2 - CertiFUNcation Phantasialand 2015
Upgrade von TYPO3 4.5 auf 6.2 - CertiFUNcation Phantasialand 2015
 
AHUG Presentation: Fun with Hadoop File Systems
AHUG Presentation: Fun with Hadoop File SystemsAHUG Presentation: Fun with Hadoop File Systems
AHUG Presentation: Fun with Hadoop File Systems
 

Recently uploaded

Linked Data in Production: Moving Beyond Ontologies
Linked Data in Production: Moving Beyond OntologiesLinked Data in Production: Moving Beyond Ontologies
Linked Data in Production: Moving Beyond OntologiesDavid Newbury
 
Introduction to Matsuo Laboratory (ENG).pptx
Introduction to Matsuo Laboratory (ENG).pptxIntroduction to Matsuo Laboratory (ENG).pptx
Introduction to Matsuo Laboratory (ENG).pptxMatsuo Lab
 
OpenShift Commons Paris - Choose Your Own Observability Adventure
OpenShift Commons Paris - Choose Your Own Observability AdventureOpenShift Commons Paris - Choose Your Own Observability Adventure
OpenShift Commons Paris - Choose Your Own Observability AdventureEric D. Schabell
 
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdfUiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdfDianaGray10
 
COMPUTER 10: Lesson 7 - File Storage and Online Collaboration
COMPUTER 10: Lesson 7 - File Storage and Online CollaborationCOMPUTER 10: Lesson 7 - File Storage and Online Collaboration
COMPUTER 10: Lesson 7 - File Storage and Online Collaborationbruanjhuli
 
UiPath Studio Web workshop series - Day 7
UiPath Studio Web workshop series - Day 7UiPath Studio Web workshop series - Day 7
UiPath Studio Web workshop series - Day 7DianaGray10
 
Building AI-Driven Apps Using Semantic Kernel.pptx
Building AI-Driven Apps Using Semantic Kernel.pptxBuilding AI-Driven Apps Using Semantic Kernel.pptx
Building AI-Driven Apps Using Semantic Kernel.pptxUdaiappa Ramachandran
 
Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...
Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...
Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...DianaGray10
 
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...Will Schroeder
 
UiPath Studio Web workshop series - Day 6
UiPath Studio Web workshop series - Day 6UiPath Studio Web workshop series - Day 6
UiPath Studio Web workshop series - Day 6DianaGray10
 
Computer 10: Lesson 10 - Online Crimes and Hazards
Computer 10: Lesson 10 - Online Crimes and HazardsComputer 10: Lesson 10 - Online Crimes and Hazards
Computer 10: Lesson 10 - Online Crimes and HazardsSeth Reyes
 
Machine Learning Model Validation (Aijun Zhang 2024).pdf
Machine Learning Model Validation (Aijun Zhang 2024).pdfMachine Learning Model Validation (Aijun Zhang 2024).pdf
Machine Learning Model Validation (Aijun Zhang 2024).pdfAijun Zhang
 
Crea il tuo assistente AI con lo Stregatto (open source python framework)
Crea il tuo assistente AI con lo Stregatto (open source python framework)Crea il tuo assistente AI con lo Stregatto (open source python framework)
Crea il tuo assistente AI con lo Stregatto (open source python framework)Commit University
 
Artificial Intelligence & SEO Trends for 2024
Artificial Intelligence & SEO Trends for 2024Artificial Intelligence & SEO Trends for 2024
Artificial Intelligence & SEO Trends for 2024D Cloud Solutions
 
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...Aggregage
 
Designing A Time bound resource download URL
Designing A Time bound resource download URLDesigning A Time bound resource download URL
Designing A Time bound resource download URLRuncy Oommen
 
AI Fame Rush Review – Virtual Influencer Creation In Just Minutes
AI Fame Rush Review – Virtual Influencer Creation In Just MinutesAI Fame Rush Review – Virtual Influencer Creation In Just Minutes
AI Fame Rush Review – Virtual Influencer Creation In Just MinutesMd Hossain Ali
 
activity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdf
activity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdf
activity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdfJamie (Taka) Wang
 

Recently uploaded (20)

Linked Data in Production: Moving Beyond Ontologies
Linked Data in Production: Moving Beyond OntologiesLinked Data in Production: Moving Beyond Ontologies
Linked Data in Production: Moving Beyond Ontologies
 
Introduction to Matsuo Laboratory (ENG).pptx
Introduction to Matsuo Laboratory (ENG).pptxIntroduction to Matsuo Laboratory (ENG).pptx
Introduction to Matsuo Laboratory (ENG).pptx
 
20230104 - machine vision
20230104 - machine vision20230104 - machine vision
20230104 - machine vision
 
OpenShift Commons Paris - Choose Your Own Observability Adventure
OpenShift Commons Paris - Choose Your Own Observability AdventureOpenShift Commons Paris - Choose Your Own Observability Adventure
OpenShift Commons Paris - Choose Your Own Observability Adventure
 
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdfUiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
 
COMPUTER 10: Lesson 7 - File Storage and Online Collaboration
COMPUTER 10: Lesson 7 - File Storage and Online CollaborationCOMPUTER 10: Lesson 7 - File Storage and Online Collaboration
COMPUTER 10: Lesson 7 - File Storage and Online Collaboration
 
UiPath Studio Web workshop series - Day 7
UiPath Studio Web workshop series - Day 7UiPath Studio Web workshop series - Day 7
UiPath Studio Web workshop series - Day 7
 
Building AI-Driven Apps Using Semantic Kernel.pptx
Building AI-Driven Apps Using Semantic Kernel.pptxBuilding AI-Driven Apps Using Semantic Kernel.pptx
Building AI-Driven Apps Using Semantic Kernel.pptx
 
Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...
Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...
Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...
 
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
 
UiPath Studio Web workshop series - Day 6
UiPath Studio Web workshop series - Day 6UiPath Studio Web workshop series - Day 6
UiPath Studio Web workshop series - Day 6
 
Computer 10: Lesson 10 - Online Crimes and Hazards
Computer 10: Lesson 10 - Online Crimes and HazardsComputer 10: Lesson 10 - Online Crimes and Hazards
Computer 10: Lesson 10 - Online Crimes and Hazards
 
Machine Learning Model Validation (Aijun Zhang 2024).pdf
Machine Learning Model Validation (Aijun Zhang 2024).pdfMachine Learning Model Validation (Aijun Zhang 2024).pdf
Machine Learning Model Validation (Aijun Zhang 2024).pdf
 
Crea il tuo assistente AI con lo Stregatto (open source python framework)
Crea il tuo assistente AI con lo Stregatto (open source python framework)Crea il tuo assistente AI con lo Stregatto (open source python framework)
Crea il tuo assistente AI con lo Stregatto (open source python framework)
 
201610817 - edge part1
201610817 - edge part1201610817 - edge part1
201610817 - edge part1
 
Artificial Intelligence & SEO Trends for 2024
Artificial Intelligence & SEO Trends for 2024Artificial Intelligence & SEO Trends for 2024
Artificial Intelligence & SEO Trends for 2024
 
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
 
Designing A Time bound resource download URL
Designing A Time bound resource download URLDesigning A Time bound resource download URL
Designing A Time bound resource download URL
 
AI Fame Rush Review – Virtual Influencer Creation In Just Minutes
AI Fame Rush Review – Virtual Influencer Creation In Just MinutesAI Fame Rush Review – Virtual Influencer Creation In Just Minutes
AI Fame Rush Review – Virtual Influencer Creation In Just Minutes
 
activity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdf
activity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdf
activity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdf
 

Play with FILE Structure - Yet Another Binary Exploit Technique

  • 1. Play with FILE Structure Yet Another Binary Exploit Technique angelboy@chroot.org 1
  • 2. About me • Angelboy • CTF player • WCTF / Boston Key Party 1st • DEFCON / HITB 2nd • Chroot / HITCON / 217 • Blog • blog.angelboy.tw 2
  • 3. Agenda • Introduction • File stream • Overview the FILE structure • Exploitation of FILE structure • FSOP • Vtable verification in FILE structure • Make FILE structure great again • Conclusion 3
  • 4. Agenda • Introduction • File stream • Overview the FILE structure • Exploitation of FILE structure • FSOP • Vtable verification in FILE structure • Make FILE structure great again • Conclusion 4
  • 5. Introduction • What happen when we use a raw io function read/write Kernel Buffer User space Kernel space Disk 5
  • 6. Introduction • What happen when we use a raw io function read/write Kernel Buffer User space Kernel space Disk Reduce the number of HD I/O 6
  • 7. Introduction • What is File stream • A higher-level interface on the primitive file descriptor facilities • Stream buffering • Portable and High performance • What is FILE structure • A File stream descriptor • Created by fopen 7
  • 8. Introduction • What happen when we use stdio function read/write Kernel Buffer User space Kernel space Disk stdio Buffer fread/fwrite 8
  • 9. Introduction • What happen when we use stdio function read/write Kernel Buffer User space Kernel space Disk stdio Buffer fread/fwrite Reduce the number of syscall 9
  • 10. Agenda • Introduction • File stream • Overview the FILE structure • Exploitation of FILE structure • FSOP • Vtable verification in FILE structure • Make FILE structure great again • Conclusion 10
  • 11. Introduction • FILE structure • A complex structure • Flags • Stream buffer • File descriptor • FILE_plus • Virtual function table 11
  • 12. Introduction • FILE structure • Flags • Record the attribute of the File stream • Read only • Append • … 12
  • 13. Introduction • FILE structure • Stream buffer • Read buffer • Write buffer • Reserve buffer 13
  • 14. Introduction • FILE structure • _fileno • File descriptor • Return by sys_open 14
  • 15. Introduction • FILE structure • FILE plus • stdin/stdout/stderr • fopen also use it • Extra Virtual function table • Any operation on file is via vtable 15
  • 16. Introduction • FILE structure • FILE plus • stdin/stdout/stderr • fopen also use it • Extra Virtual function table • Any operation on file is via vtable 16
  • 17. Introduction • FILE structure • Every FILE associate with a _chain (linked list) 17 _IO_list_all _flag …… chain _flag …… chain _flag …… 0 stderr stdout stdin
  • 18. Introduction • fopen workflow • Allocate FILE structure • Initial the FILE structure • Link the FILE structure • open file 18 fopen malloc _IO_link_in sys_open _IO_new_file_init_internal _IO_new_file_open
  • 19. Introduction • fopen workflow • Allocate FILE structure _IO_list_all _flag …… chain …… vtable _flag …… chain …… vtable _flag …… 0 …… vtable stderr stdout stdin 19 malloc
  • 20. Introduction • fopen workflow • Initialize the FILE structure • Link the FILE structure _IO_list_all _flag …… chain …… vtable _flag …… chain …… vtable _flag …… 0 …… vtable stderr stdout stdin 0 …… 0 …… 0 fp 20 _IO_new_file_init_internal _IO_link_in
  • 21. Introduction • fopen workflow • Initial the FILE structure • Link the FILE structure _IO_list_all _flag …… chain …… vtable _flag …… chain …… vtable _flag …… 0 …… vtable stderr stdout stdin _flag …… chain …… vtable fp 21 _IO_link_in _IO_new_file_init_internal
  • 22. Introduction • fopen workflow • open file _IO_list_all _flag …… chain …… vtable _flag …… chain …… vtable _flag …… 0 …… vtable stderr stdout stdin _flag …… chain …… vtable fp 22 sys_open
  • 23. Introduction • fread workflow • If stream buffer is NULL • Allocate buffer • Read data to the stream buffer • Copy data from stream buffer to destination 23 fread vtable->_IO_file_xsgetn vtable->doallocate vtable->_IO_file_underflow sys_read
  • 24. Introduction • fread workflow • If stream buffer is NULL • Allocate buffer _flag read_ptr (0) read_end (0) …… buf_base (0) buf_end (0) …… vtable fp _IO_file_finish _IO_file_overflow … _IO_file_doallocate … … … _IO_default_imbue vtable 24 fread vtable->_IO_file_xsgetn vtable->doallocate
  • 25. Introduction • fread workflow • Read data to the stream buffer _flag read_ptr (0) read_end (0) …… 0x603010 0x604010 …… vtable fp stdio buffer 25 vtable->_IO_file_underflow sys_read
  • 26. Introduction • fread workflow • Copy data from stream buffer 
 to destination _flag 0x603010 0x604010 …… 0x603010 0x604010 …… vtable fp AAAA AAAA BBBB BBBB CCCC CCCC … … … ZZZZ stdio buffer Destination 26 vtable->_IO_file_xsgetn
  • 27. AAAA AAAA BBBB BBBB CCCC CCCC … … … ZZZZ Introduction • fread workflow • Copy data from stream buffer 
 to destination _flag 0x603040 0x604010 …… 0x603010 0x604010 …… vtable fp stdio buffer AAAAAAAA Copy to destination 27 vtable->_IO_file_xsgetn
  • 28. Introduction • fwrite workflow • If stream buffer is NULL • Allocate buffer • Copy user data to the stream buffer • If the stream buffer is filled or flush the stream • write data from stream buffer to the file 28 fwrite vtable->_IO_file_xsputn vtable->_IO_file_overflow vtable->doallocate sys_write
  • 29. Introduction • fclose workflow • Unlink the FILE structure • Flush & Release the stream buffer • Close the file • Release the FILE structure 29 fclose _IO_unlink_it _IO_new_file_close_it _IO_do_flush sys_close vtable—>_IO_file_finish free
  • 30. Agenda • Introduction • File stream • Overview the FILE structure • Exploitation of FILE structure • FSOP • Vtable verification in FILE structure • Make FILE structure great again • Conclusion 30
  • 31. Exploitation of FILE • There are a good target in FILE structure • Virtual Function Table 31
  • 32. • Let’s overwrite with buffer address Exploitation of FILE Buffer overflow Sample code payload Buffer address 32 //variable buf at 0x6009a0
  • 33. • Let’s overwrite with buffer address Exploitation of FILE 33 Buffer fp fp _flag read_ptr (0) read_end (0) …… vtable
  • 34. • Let’s overwrite with buffer address Exploitation of FILE 34 AAAAAAAA AAAAAAAA AAAAAAAA AAAAAAAA …… …… AAAAAAAA …… Buffer 0x6009a0 fp _flag read_ptr (0) read_end (0) …… vtable Buffer overflow
  • 35. Exploitation of FILE • Not call vtable directly… • RDX is our input
 but not call instruction 35
  • 36. Exploitation of FILE • Let’s see what happened in fclose • We can get information of segfault in gdb and located it in source code Segfault 36
  • 37. Exploitation of FILE • FILE structure • _lock • Prevent race condition in multithread • Very common in stdio related function • Usually need to construct it for Exploitation 37
  • 38. • Let’s fix the lock Exploitation of FILE Find a global buffer as our lock Fix our payload offset of _lock 38 0x100 bytes
  • 39. • We control PC ! Exploitation of FILE 39
  • 40. Exploitation of FILE • Another interesting • stdin/stdout/stderr is also a FILE structure in glibc • We can overwrite the global variable in glibc to control the flow 40 GLIBC SYMBOL TABLE Global offset
  • 41. Agenda • Introduction • File stream • Overview the FILE structure • Exploitation of FILE structure • FSOP • Vtable verification in FILE structure • Make FILE structure great again • Conclusion 41
  • 42. FSOP • File-Stream Oriented Programing • Control the linked list of File stream • _chain • _IO_list_all • Powerful function • _IO_flush_all_lockp 42
  • 43. FSOP • _IO_flush_all_lockp • fflush all file stream • When will call it • Glib abort routine • exit function • Main return 43 malloc_printerr _libc_message(error msg) abort _IO_flush_all_lockp JUMP_FIELD(_IO_overflow_t, __overflow) If the condition is satisfied Glibc abort routine
  • 44. FSOP • _IO_flush_all_lockp • It will process all FILE
 in FILE linked list • We can construct the
 linked list to do oriented
 programing 44 fp = _IO_list_all condition Trigger virtual funcition Point to next
  • 45. FSOP • File-Stream Oriented Programing _IO_list_all _flags _IO_read_ptr … … … _IO_FILE *chain … … vtable 45
  • 46. FSOP • File-Stream Oriented Programing _IO_list_all _flags _IO_read_ptr … … … _IO_FILE *chain … … vtable _flags(“bar”) _IO_read_ptr … … … _IO_FILE *chain … … vtable _flags(“sh”) _IO_read_ptr … … … _IO_FILE *chain … … vtablefake_vtable fake_vtable2 system system system … … foo foo foo … … Trigger abort() 46
  • 47. FSOP • File-Stream Oriented Programing _IO_list_all _flags _IO_read_ptr … … … _IO_FILE *chain … … vtable _flags(“bar”) _IO_read_ptr … … … _IO_FILE *chain … … vtable _flags(“sh”) _IO_read_ptr … … … _IO_FILE *chain … … vtablefake_vtable fake_vtable2 system system system … … foo foo foo … … call foo(_flags) 47
  • 48. FSOP • File-Stream Oriented Programing _IO_list_all _flags _IO_read_ptr … … … _IO_FILE *chain … … vtable _flags(“bar”) _IO_read_ptr … … … _IO_FILE *chain … … vtable _flags(“sh”) _IO_read_ptr … … … _IO_FILE *chain … … vtablefake_vtable fake_vtable2 system system system … … foo foo foo … … call foo(“bar”) 48
  • 49. FSOP • File-Stream Oriented Programing _IO_list_all _flags _IO_read_ptr … … … _IO_FILE *chain … … vtable _flags(“bar”) _IO_read_ptr … … … _IO_FILE *chain … … vtable _flags(“sh”) _IO_read_ptr … … … _IO_FILE *chain … … vtablefake_vtable fake_vtable2 system system system … … foo foo foo … … fp = fp->chain 49
  • 50. FSOP • File-Stream Oriented Programing _IO_list_all _flags _IO_read_ptr … … … _IO_FILE *chain … … vtable _flags(“bar”) _IO_read_ptr … … … _IO_FILE *chain … … vtable _flags(“sh”) _IO_read_ptr … … … _IO_FILE *chain … … vtablefake_vtable fake_vtable2 system system system … … foo foo foo … … call system(_flags) 50
  • 51. FSOP • File-Stream Oriented Programing _IO_list_all _flags _IO_read_ptr … … … _IO_FILE *chain … … vtable _flags(“bar”) _IO_read_ptr … … … _IO_FILE *chain … … vtable _flags(“sh”) _IO_read_ptr … … … _IO_FILE *chain … … vtablefake_vtable fake_vtable2 system system system … … foo foo foo … … call system(_flags) GET SHELL !! 51
  • 52. Agenda • Introduction • File stream • Overview the FILE structure • Exploitation of FILE structure • FSOP • Vtable verification in FILE structure • Make FILE structure great again • Conclusion 52
  • 53. Vtable verification • Unfortunately, there are a virtual function table in latest libc • Check the address of vtable before all virtual function call • If vtable is invalid, it would abort 53
  • 54. Vtable verification • Vtable verification in File • The vtable must be in libc _IO_vtable section • If it’s not in _IO_vtable section, it will check if the vtable are permitted 54
  • 55. • _IO_vtable_check • Check the foreign vtables Vtable verification 55 For overriding For share library
  • 56. Vtable verification • Bypass ? • Overwrite IO_accept_foreign_vtables ? • It’s very difficult because of the pointer guard 56 Demangle with pointer guard
  • 57. Vtable verification • Bypass ? • Overwrite _dl_open_hook ? • Sounds good, but if you can control the value, you can also control other good target 57
  • 58. Vtable verification • Summary of the vtable verification • It very hard to bypass it. • Exploitation of FILE structure is died ? 58
  • 59. Agenda • Introduction • File stream • Overview the FILE structure • Exploitation of FILE structure • FSOP • Vtable verification in FILE structure • Make FILE structure great again • Conclusion 59
  • 60. Make FILE structure great again • How about change the target from vtable to other element ? • Stream Buffer & File Descriptor 60
  • 61. Make FILE structure great again • If we can overwrite the FILE structure and use fread and fwrite with the FILE structure • We can • Arbitrary memory reading • Arbitrary memory writing 61
  • 62. Make FILE structure great again • Arbitrary memory reading • fwrite • Set the _fileno to the file descriptor of stdout • Set _flag & ~_IO_NO_WRITES • Set _flag |= _IO_CURRENTLY_PUTTING • Set the write_base & write_ptr to memory address which you want to read • _IO_read_end equal to _IO_write_base 62
  • 63. Make FILE structure great again • Arbitrary memory reading • Set _flag &~ _IO_NO_WRITES • Set _flag |= _IO_CURRENTLY_PUTTING 63 Our goal It will adjust the stream buffer A piece of code in fwrite
  • 64. Make FILE structure great again • Arbitrary memory reading • Let _IO_read_end equal to _IO_write_base • If it’s not, it would adjust to the current offset. 64 It will adjust the stream buffer Our goal
  • 65. Make FILE structure great again • Arbitrary memory reading • Sample code 65
  • 66. Make FILE structure great again • Arbitrary memory writing • fread • Set the _fileno to file descriptor of stdin • Set _flag &~ _IO_NO_READS • Set read_base & read_ptr to NULL • Set the buf_base & buf_end to memory address which you want to wirte • buf_end - buf_base < size of fread 66
  • 67. Make FILE structure great again • Arbitrary memory writing • Set read_base & read_ptr to NULL 67 It will copy data from buffer to destination Buffer size must be smaller than read size
  • 68. Make FILE structure great again • Arbitrary memory writing • Set _flag &~ _IO_NO_READS 68 Our goal
  • 69. Make FILE structure great again • Arbitrary memory writing • Sample code 69
  • 70. Make FILE structure great again • If you have arbitrary memory address read and write, you can control the flow very easy • GOT hijack • __malloc_hook_/__free_hook_/__realloc_hook_ • … • By the way, you can not only use fread and fwrite but also use any stdio related function 70
  • 71. Make FILE structure great again • If we don’t have any file operation in the program • We can use stdin/stdout/stderr • put/printf/scanf • … 71
  • 72. Make FILE structure great again • Scenario • Use any stdin related function • scanf/fgets/gets … • Stdin is unbuffer • Very common in normal stdio program 72 … _IO_buf_base _IO_buf_end … _short_buf … stdin buffer stdin
  • 73. Make FILE structure great again • Overwrite buf_end with a pointer behind the stdin • Unsorted bin attack • Very common in heap exploitation 73 … _IO_buf_base _IO_buf_end … _short_buf … stdin buffer stdin
  • 74. Make FILE structure great again • Overwrite buf_end with a pointer behind the stdin • Unsorted bin attack • Very common in heap exploitation 74 … _IO_buf_base Unsorted bin … _short_buf … vtable … stdin stdin buffer … main_arena malloc_hook
  • 75. Make FILE structure great again • Stdin related function • scanf(“%d”,&var) • It will call • read(0,buf_base,sizeof(stdin buffer)) 75 … _IO_buf_base Unsorted bin … _short_buf … vtable … stdin stdin buffer … main_arena malloc_hook
  • 76. Make FILE structure great again • Stdin related function • scanf(“%d”,&var) • It will call • read(0,buf_base,sizeof(stdin buffer)) • It can overwrite many global variable in glibc • Input: aaaa……. 76 … _IO_buf_base Unsorted bin … aaaaaaaa … aaaaaaaa … stdin stdin buffer … main_arena aaaaaaaa
  • 77. Make FILE structure great again • Stdin related function • scanf(“%d”,&var) • It will call • read(0,buf_base,sizeof(stdin buffer)) • It can overwrite many global variable in glibc • Input: aaaa……. 77 … _IO_buf_base aaaaaaaa … aaaaaaaa … aaaaaaaa … stdin stdin buffer … main_arena aaaaaaaa Control PC again !
  • 78. Make FILE structure great again • How about Windows ? • No vtable in FILE • It also has stream buffer pointer • You can corrupt it to achieve arbitrary memory read and write 78
  • 79. Agenda • Introduction • File stream • Overview the FILE structure • Exploitation of FILE structure • FSOP • Vtable verification in FILE structure • Make FILE structure great again • Conclusion 79
  • 80. Conclusion • FILE structure is a good target for binary exploit • It can be used to • Arbitrary memory read and write • Control the PC and do oriented programing • Other exploit technology • Arbitrary free/unmmap • … 80
  • 81. Conclusion • FILE structure is a good target for binary Exploit • It’s very powerful in some unexploitable case • Let’s try to find more and more exploit technology in FILE structure 81 Mail : angelboy@chroot.org Blog : blog.angelboy.tw Twitter : scwuaptx