Try   HackMD

FILE STRUCTURE

Introduction

When a new FILE structure is allocated and its pointer returned from fopen(). , glibc has actually allocated an internal structure called struct _IO_FILE_plus, which contains struct _IO_FILE and a pointer to struct _IO_jump_t, which in turn contains a list of pointers for all the functions attached to the FILE. Overwrites a ‘FILE’ pointer (stdin, stdout, stderr or any other file handler opened by fopen()) to point to own forged structure for gain control over execution flow.
File structure contains vtable, which is a pointer to a table which contains functions which are called when the original ‘FILE’ pointer is used to perform different operations (such as fread, fwrite, ).

File stream

  • Stream buffering: fprint, open, stdout, stdin, stderr,…

File structure

  • a file stream descriptor
  • Created by fopen
    _IO_FILE or other link
  • flags: 
    ​​​​int _flags; /* High-order word is _IO_MAGIC; rest is flags. */
    • record the attribute of the file stream: 'r', 'r+', 'w', 'w+', 'a', 'a+'.
  • Stream buffer: 
    ​​​​/* The following pointers correspond to the C++ streambuf protocol. */
​​char *_IO_read_ptr;  /* Current read pointer */
​​char *_IO_read_end;  /* End of get area. */
​​char *_IO_read_base; /* Start of putback+get area. */
​​char *_IO_write_base;/* Start of put area. */
​​char *_IO_write_ptr; /* Current put pointer. */
​​char *_IO_write_end; /* End of put area. */
​​char *_IO_buf_base;  /* Start of reserve area. */
​​char *_IO_buf_end;   /* End of reserve area. */
    • read buffer
    • write buffer
    • reserve buffer
  • _fileno 
    ​​​​int _fileno;
    • File descriptor
    • return by sys_open
  • _IO_FILE_plus struct is the extended version of _IO_FILE struct, which is _IO_FILE + vtable (virtual table = array of pointers to the helper fucntions during executing the IO operation): 
    ​​​​// in FILE.h
​​​​typedef struct _IO_FILE FILE;

​​​​// This contains a pointer to the function jump table used.
​​​​struct _IO_FILE_plus
​​​​{
​​​​  FILE file;
​​​​  const struct _IO_jump_t *vtable;
​​​​};

How the vtable will be filled during creating a new extended File struct. Depending on the method u use. Ex: fopen(), the vtable initialized with the existed vtable called _IO_file_jumps (other vtavle like _IO_str_jumps).

_IO_FILE *
__fopen_internal (const char *filename, const char *mode, int is32)
{
...
  _IO_JUMPS (&new_f->fp) = &_IO_file_jumps;
...
}

​​​​[_IO_jump_t](https://code.woboq.org/userspace/glibc/libio/libioP.h.html#_IO_jump_t)/ [glibc2.35](https://elixir.bootlin.com/glibc/glibc-2.35/source/libio/libioP.h#L293):
​​​​- stdin/stdout/stderr, fopen also use it.
​​​​- Extra Virtual function table.
​​​​- The export symbol of this type in the libc file is [_IO_file_jumps](https://code.woboq.org/userspace/glibc/libio/fileops.c.html#_IO_file_jumps).
  • Every FILE associate with a _chain (linked list). The head of linked list is called _IO_list_all
struct _IO_FILE
{   ...
    struct _IO_FILE *_chain;
    ...
}

Exploitation of File

Some good targets in FILE structure:

vtable (Virtual function Table)

_lock (usually need to construct it for exploitation)

  • prevent race condition in multithread
    c struct _IO_FILE { ... _IO_lock_t *_lock; }
    We can find out the offset of _lock = 0x88
    Image Not Showing Possible Reasons
    • The image file may be corrupted
    • The server hosting the image is unavailable
    • The image path is incorrect
    • The image format is not supported
    Learn More →

stdin/stdout/stderr

This is also a FILE structure in glibc. We can overwrite the global variable in glibc to control the flow execution. (in glibc symbol table)

FSOP (File stream oriented programing)

Control the linked list of File stream:

  • _chain
  • _IO_list_all

Powerful function:
_IO_flush_all_lockp












for (fp = (FILE *) _IO_list_all; fp != NULL; fp = fp->_chain)
{
  run_fp = fp;
  ...
  if (( (fp->_mode <= 0 && fp->_IO_write_ptr > fp->_IO_write_base)
        || (_IO_vtable_offset (fp) == 0
        && fp->_mode > 0 
        && (fp->_wide_data->_IO_write_ptr > fp->_wide_data->_IO_write_base) )
      ) && _IO_OVERFLOW (fp, EOF) == EOF)
    result = EOF;
}

It will process all FILE in FILE linked list. We can construct the linked list to do oriented programing. Then line 9 will trigger virtual function.

Vtable verification in File

The vtable must be in libc _IO_vtable section. Otherwise, it will check if the vtable permits virtual function call.

IO_validate_vtable (const struct _IO_jump_t *vtable)
{
  /* Fast path: The vtable pointer is within the __libc_IO_vtables
     section.  */
  uintptr_t section_length = __stop___libc_IO_vtables - __start___libc_IO_vtables;
  uintptr_t ptr = (uintptr_t) vtable;
  uintptr_t offset = ptr - (uintptr_t) __start___libc_IO_vtables;
  if (__glibc_unlikely (offset >= section_length))
    /* The vtable pointer is not in the expected section.  Use the
       slow path, which will terminate the process if necessary.  */
    _IO_vtable_check ();
  return vtable;
}

Check the foreign vtables

_IO_vtable_check
For compatibility:

/* Honor the compatibility flag.  */
void (*flag) (void) = atomic_load_relaxed (&IO_accept_foreign_vtables);
#ifdef PTR_DEMANGLE
    PTR_DEMANGLE (flag); // Demangle w/ pointer guard
#endif
if (flag == &_IO_vtable_check)
    return;
  • Can't overwirte _IO_accept_foreign_vtable, because of the ponter guard.
    For shared lib:
Dl_info di;
struct link_map *l;
if (!rtld_active ()
    || (_dl_addr (_IO_vtable_check, &di, &l, NULL) != 0
        && l->l_ns != LM_ID_BASE))
  return;

References

https://outflux.net/blog/archives/2011/12/22/abusing-the-file-structure/
https://www.slideshare.net/AngelBoy1/play-with-file-structure-yet-another-binary-exploit-technique

tags: research pwn
Last changed by 
VietDo
0
1434

Read more

Process injection (P1)

Đây là phương pháp thực thi mã nhằm tránh bị phát hiện dựa vào việc chạy thread dưới process hợp lệ của hệ điều hành.

Jan 27, 2024
AntiSanbox (p1)

Một vài artifacts: files, processes, registry keys, services, network device adapters... A. Delay execution: Evade sandbox by waiting timeout of sandbox: NtDelayExecution (lowest in user mode: Sleep -&gt; SleepEx -&gt; NtDelayExecution ) Sleep, SleepEx, WaitForSingleObject,WaitForSingleObjectE , NtWaitForSingleObject WaitForMultipleObjects WaitForMultipleObjectsEx, NtWaitForMultipleObjects

Oct 31, 2023
WMI

WMI allows admin to create their own objects: create a process, services, ... WMI provider host process WmiPrvse.exe, this executable responsible for executing WMI activity Components: WMI Providers: COM servers that monitor managed objects. A WMI provider normally consists of a MOF file, which defines the data and event classes for which the provider returns data, and a DLL file which contains the code that supplies data. These providers are typically DLLs and can be found in C:\Windows\System32\wbem\*. Managed objects: processes, services, operating system... WMI infrastructure: WMI service (winmgmt): 3.1. The CIM object manager (CIMON): this component handles the connect between management application and provider. 3.2. WMI/CIMON object repository is organized by WMI namespaces. Holding a collection of provider at C:\Windows\System32\wbem\Repository\ Management Application (WMI consumer): The client application (exe excutable, vbscript, powershell script,...) interacts with WMI infrastructure.

May 2, 2023
Anti-debug.Debug Flags (p1)

1. Using Win32 API: 1.1 kernel32!IsDebuggerPresent(): Xác định xem tiến trình hiện tại có bị debugging bởi trình debugger (ollyDbg, x64dbg) không? Bằng cách kiểm tra cờ BeingDebugged trong PEB. (Tiến trình bị debug sẽ được spawn từ tiến trình debugger). API cũng hoạt động khi process đang bị attached isDebuggerPresent() 32bit 64bit

Apr 7, 2023
Read more from VietDo
Published on HackMD