SlideShare uma empresa Scribd logo

Play with FILE Structure - Yet Another Binary Exploit Technique

A
Angel Boy

Play with FILE Structure - Yet Another Binary Exploit Technique

Tecnologia
1 de 81
Baixar para ler offline
Play with FILE Structure Yet Another Binary Exploit Technique angelboy@chroot.org 1
About me • Angelboy • CTF player • WCTF / Boston Key Party 1st • DEFCON / HITB 2nd • Chroot / HITCON / 217 • Blog • blog.angelboy.tw 2
Agenda • Introduction • File stream • Overview the FILE structure • Exploitation of FILE structure • FSOP • Vtable verification in FILE structure • Make FILE structure great again • Conclusion 3
Agenda • Introduction • File stream • Overview the FILE structure • Exploitation of FILE structure • FSOP • Vtable verification in FILE structure • Make FILE structure great again • Conclusion 4
Introduction • What happen when we use a raw io function read/write Kernel Buffer User space Kernel space Disk 5
Introduction • What happen when we use a raw io function read/write Kernel Buffer User space Kernel space Disk Reduce the number of HD I/O 6
Introduction • What is File stream • A higher-level interface on the primitive file descriptor facilities • Stream buffering • Portable and High performance • What is FILE structure • A File stream descriptor • Created by fopen 7
Introduction • What happen when we use stdio function read/write Kernel Buffer User space Kernel space Disk stdio Buffer fread/fwrite 8
Introduction • What happen when we use stdio function read/write Kernel Buffer User space Kernel space Disk stdio Buffer fread/fwrite Reduce the number of syscall 9
Agenda • Introduction • File stream • Overview the FILE structure • Exploitation of FILE structure • FSOP • Vtable verification in FILE structure • Make FILE structure great again • Conclusion 10
Introduction • FILE structure • A complex structure • Flags • Stream buffer • File descriptor • FILE_plus • Virtual function table 11
Introduction • FILE structure • Flags • Record the attribute of the File stream • Read only • Append • … 12
Introduction • FILE structure • Stream buffer • Read buffer • Write buffer • Reserve buffer 13
Introduction • FILE structure • _fileno • File descriptor • Return by sys_open 14
Introduction • FILE structure • FILE plus • stdin/stdout/stderr • fopen also use it • Extra Virtual function table • Any operation on file is via vtable 15
Introduction • FILE structure • FILE plus • stdin/stdout/stderr • fopen also use it • Extra Virtual function table • Any operation on file is via vtable 16
Introduction • FILE structure • Every FILE associate with a _chain (linked list) 17 _IO_list_all _flag …… chain _flag …… chain _flag …… 0 stderr stdout stdin
Introduction • fopen workflow • Allocate FILE structure • Initial the FILE structure • Link the FILE structure • open file 18 fopen malloc _IO_link_in sys_open _IO_new_file_init_internal _IO_new_file_open
Introduction • fopen workflow • Allocate FILE structure _IO_list_all _flag …… chain …… vtable _flag …… chain …… vtable _flag …… 0 …… vtable stderr stdout stdin 19 malloc
Introduction • fopen workflow • Initialize the FILE structure • Link the FILE structure _IO_list_all _flag …… chain …… vtable _flag …… chain …… vtable _flag …… 0 …… vtable stderr stdout stdin 0 …… 0 …… 0 fp 20 _IO_new_file_init_internal _IO_link_in
Introduction • fopen workflow • Initial the FILE structure • Link the FILE structure _IO_list_all _flag …… chain …… vtable _flag …… chain …… vtable _flag …… 0 …… vtable stderr stdout stdin _flag …… chain …… vtable fp 21 _IO_link_in _IO_new_file_init_internal
Introduction • fopen workflow • open file _IO_list_all _flag …… chain …… vtable _flag …… chain …… vtable _flag …… 0 …… vtable stderr stdout stdin _flag …… chain …… vtable fp 22 sys_open
Introduction • fread workflow • If stream buffer is NULL • Allocate buffer • Read data to the stream buffer • Copy data from stream buffer to destination 23 fread vtable->_IO_file_xsgetn vtable->doallocate vtable->_IO_file_underflow sys_read
Introduction • fread workflow • If stream buffer is NULL • Allocate buffer _flag read_ptr (0) read_end (0) …… buf_base (0) buf_end (0) …… vtable fp _IO_file_finish _IO_file_overflow … _IO_file_doallocate … … … _IO_default_imbue vtable 24 fread vtable->_IO_file_xsgetn vtable->doallocate
Introduction • fread workflow • Read data to the stream buffer _flag read_ptr (0) read_end (0) …… 0x603010 0x604010 …… vtable fp stdio buffer 25 vtable->_IO_file_underflow sys_read
Introduction • fread workflow • Copy data from stream buffer 
 to destination _flag 0x603010 0x604010 …… 0x603010 0x604010 …… vtable fp AAAA AAAA BBBB BBBB CCCC CCCC … … … ZZZZ stdio buffer Destination 26 vtable->_IO_file_xsgetn
AAAA AAAA BBBB BBBB CCCC CCCC … … … ZZZZ Introduction • fread workflow • Copy data from stream buffer 
 to destination _flag 0x603040 0x604010 …… 0x603010 0x604010 …… vtable fp stdio buffer AAAAAAAA Copy to destination 27 vtable->_IO_file_xsgetn
Introduction • fwrite workflow • If stream buffer is NULL • Allocate buffer • Copy user data to the stream buffer • If the stream buffer is filled or flush the stream • write data from stream buffer to the file 28 fwrite vtable->_IO_file_xsputn vtable->_IO_file_overflow vtable->doallocate sys_write
Introduction • fclose workflow • Unlink the FILE structure • Flush & Release the stream buffer • Close the file • Release the FILE structure 29 fclose _IO_unlink_it _IO_new_file_close_it _IO_do_flush sys_close vtable—>_IO_file_finish free
Agenda • Introduction • File stream • Overview the FILE structure • Exploitation of FILE structure • FSOP • Vtable verification in FILE structure • Make FILE structure great again • Conclusion 30
Exploitation of FILE • There are a good target in FILE structure • Virtual Function Table 31
• Let’s overwrite with buffer address Exploitation of FILE Buffer overflow Sample code payload Buffer address 32 //variable buf at 0x6009a0
• Let’s overwrite with buffer address Exploitation of FILE 33 Buffer fp fp _flag read_ptr (0) read_end (0) …… vtable
• Let’s overwrite with buffer address Exploitation of FILE 34 AAAAAAAA AAAAAAAA AAAAAAAA AAAAAAAA …… …… AAAAAAAA …… Buffer 0x6009a0 fp _flag read_ptr (0) read_end (0) …… vtable Buffer overflow
Exploitation of FILE • Not call vtable directly… • RDX is our input
 but not call instruction 35
Exploitation of FILE • Let’s see what happened in fclose • We can get information of segfault in gdb and located it in source code Segfault 36
Exploitation of FILE • FILE structure • _lock • Prevent race condition in multithread • Very common in stdio related function • Usually need to construct it for Exploitation 37
• Let’s fix the lock Exploitation of FILE Find a global buffer as our lock Fix our payload offset of _lock 38 0x100 bytes
• We control PC ! Exploitation of FILE 39
Exploitation of FILE • Another interesting • stdin/stdout/stderr is also a FILE structure in glibc • We can overwrite the global variable in glibc to control the flow 40 GLIBC SYMBOL TABLE Global offset
Agenda • Introduction • File stream • Overview the FILE structure • Exploitation of FILE structure • FSOP • Vtable verification in FILE structure • Make FILE structure great again • Conclusion 41
FSOP • File-Stream Oriented Programing • Control the linked list of File stream • _chain • _IO_list_all • Powerful function • _IO_flush_all_lockp 42
FSOP • _IO_flush_all_lockp • fflush all file stream • When will call it • Glib abort routine • exit function • Main return 43 malloc_printerr _libc_message(error msg) abort _IO_flush_all_lockp JUMP_FIELD(_IO_overflow_t, __overflow) If the condition is satisfied Glibc abort routine
FSOP • _IO_flush_all_lockp • It will process all FILE
 in FILE linked list • We can construct the
 linked list to do oriented
 programing 44 fp = _IO_list_all condition Trigger virtual funcition Point to next
FSOP • File-Stream Oriented Programing _IO_list_all _flags _IO_read_ptr … … … _IO_FILE *chain … … vtable 45
FSOP • File-Stream Oriented Programing _IO_list_all _flags _IO_read_ptr … … … _IO_FILE *chain … … vtable _flags(“bar”) _IO_read_ptr … … … _IO_FILE *chain … … vtable _flags(“sh”) _IO_read_ptr … … … _IO_FILE *chain … … vtablefake_vtable fake_vtable2 system system system … … foo foo foo … … Trigger abort() 46
FSOP • File-Stream Oriented Programing _IO_list_all _flags _IO_read_ptr … … … _IO_FILE *chain … … vtable _flags(“bar”) _IO_read_ptr … … … _IO_FILE *chain … … vtable _flags(“sh”) _IO_read_ptr … … … _IO_FILE *chain … … vtablefake_vtable fake_vtable2 system system system … … foo foo foo … … call foo(_flags) 47
FSOP • File-Stream Oriented Programing _IO_list_all _flags _IO_read_ptr … … … _IO_FILE *chain … … vtable _flags(“bar”) _IO_read_ptr … … … _IO_FILE *chain … … vtable _flags(“sh”) _IO_read_ptr … … … _IO_FILE *chain … … vtablefake_vtable fake_vtable2 system system system … … foo foo foo … … call foo(“bar”) 48
FSOP • File-Stream Oriented Programing _IO_list_all _flags _IO_read_ptr … … … _IO_FILE *chain … … vtable _flags(“bar”) _IO_read_ptr … … … _IO_FILE *chain … … vtable _flags(“sh”) _IO_read_ptr … … … _IO_FILE *chain … … vtablefake_vtable fake_vtable2 system system system … … foo foo foo … … fp = fp->chain 49
FSOP • File-Stream Oriented Programing _IO_list_all _flags _IO_read_ptr … … … _IO_FILE *chain … … vtable _flags(“bar”) _IO_read_ptr … … … _IO_FILE *chain … … vtable _flags(“sh”) _IO_read_ptr … … … _IO_FILE *chain … … vtablefake_vtable fake_vtable2 system system system … … foo foo foo … … call system(_flags) 50
FSOP • File-Stream Oriented Programing _IO_list_all _flags _IO_read_ptr … … … _IO_FILE *chain … … vtable _flags(“bar”) _IO_read_ptr … … … _IO_FILE *chain … … vtable _flags(“sh”) _IO_read_ptr … … … _IO_FILE *chain … … vtablefake_vtable fake_vtable2 system system system … … foo foo foo … … call system(_flags) GET SHELL !! 51
Agenda • Introduction • File stream • Overview the FILE structure • Exploitation of FILE structure • FSOP • Vtable verification in FILE structure • Make FILE structure great again • Conclusion 52
Vtable verification • Unfortunately, there are a virtual function table in latest libc • Check the address of vtable before all virtual function call • If vtable is invalid, it would abort 53
Vtable verification • Vtable verification in File • The vtable must be in libc _IO_vtable section • If it’s not in _IO_vtable section, it will check if the vtable are permitted 54
• _IO_vtable_check • Check the foreign vtables Vtable verification 55 For overriding For share library
Vtable verification • Bypass ? • Overwrite IO_accept_foreign_vtables ? • It’s very difficult because of the pointer guard 56 Demangle with pointer guard
Vtable verification • Bypass ? • Overwrite _dl_open_hook ? • Sounds good, but if you can control the value, you can also control other good target 57
Vtable verification • Summary of the vtable verification • It very hard to bypass it. • Exploitation of FILE structure is died ? 58
Agenda • Introduction • File stream • Overview the FILE structure • Exploitation of FILE structure • FSOP • Vtable verification in FILE structure • Make FILE structure great again • Conclusion 59
Make FILE structure great again • How about change the target from vtable to other element ? • Stream Buffer & File Descriptor 60
Make FILE structure great again • If we can overwrite the FILE structure and use fread and fwrite with the FILE structure • We can • Arbitrary memory reading • Arbitrary memory writing 61
Make FILE structure great again • Arbitrary memory reading • fwrite • Set the _fileno to the file descriptor of stdout • Set _flag & ~_IO_NO_WRITES • Set _flag |= _IO_CURRENTLY_PUTTING • Set the write_base & write_ptr to memory address which you want to read • _IO_read_end equal to _IO_write_base 62
Make FILE structure great again • Arbitrary memory reading • Set _flag &~ _IO_NO_WRITES • Set _flag |= _IO_CURRENTLY_PUTTING 63 Our goal It will adjust the stream buffer A piece of code in fwrite
Make FILE structure great again • Arbitrary memory reading • Let _IO_read_end equal to _IO_write_base • If it’s not, it would adjust to the current offset. 64 It will adjust the stream buffer Our goal
Make FILE structure great again • Arbitrary memory reading • Sample code 65
Make FILE structure great again • Arbitrary memory writing • fread • Set the _fileno to file descriptor of stdin • Set _flag &~ _IO_NO_READS • Set read_base & read_ptr to NULL • Set the buf_base & buf_end to memory address which you want to wirte • buf_end - buf_base < size of fread 66
Make FILE structure great again • Arbitrary memory writing • Set read_base & read_ptr to NULL 67 It will copy data from buffer to destination Buffer size must be smaller than read size
Make FILE structure great again • Arbitrary memory writing • Set _flag &~ _IO_NO_READS 68 Our goal
Make FILE structure great again • Arbitrary memory writing • Sample code 69
Make FILE structure great again • If you have arbitrary memory address read and write, you can control the flow very easy • GOT hijack • __malloc_hook_/__free_hook_/__realloc_hook_ • … • By the way, you can not only use fread and fwrite but also use any stdio related function 70
Make FILE structure great again • If we don’t have any file operation in the program • We can use stdin/stdout/stderr • put/printf/scanf • … 71
Make FILE structure great again • Scenario • Use any stdin related function • scanf/fgets/gets … • Stdin is unbuffer • Very common in normal stdio program 72 … _IO_buf_base _IO_buf_end … _short_buf … stdin buffer stdin
Make FILE structure great again • Overwrite buf_end with a pointer behind the stdin • Unsorted bin attack • Very common in heap exploitation 73 … _IO_buf_base _IO_buf_end … _short_buf … stdin buffer stdin
Make FILE structure great again • Overwrite buf_end with a pointer behind the stdin • Unsorted bin attack • Very common in heap exploitation 74 … _IO_buf_base Unsorted bin … _short_buf … vtable … stdin stdin buffer … main_arena malloc_hook
Make FILE structure great again • Stdin related function • scanf(“%d”,&var) • It will call • read(0,buf_base,sizeof(stdin buffer)) 75 … _IO_buf_base Unsorted bin … _short_buf … vtable … stdin stdin buffer … main_arena malloc_hook
Make FILE structure great again • Stdin related function • scanf(“%d”,&var) • It will call • read(0,buf_base,sizeof(stdin buffer)) • It can overwrite many global variable in glibc • Input: aaaa……. 76 … _IO_buf_base Unsorted bin … aaaaaaaa … aaaaaaaa … stdin stdin buffer … main_arena aaaaaaaa
Make FILE structure great again • Stdin related function • scanf(“%d”,&var) • It will call • read(0,buf_base,sizeof(stdin buffer)) • It can overwrite many global variable in glibc • Input: aaaa……. 77 … _IO_buf_base aaaaaaaa … aaaaaaaa … aaaaaaaa … stdin stdin buffer … main_arena aaaaaaaa Control PC again !
Make FILE structure great again • How about Windows ? • No vtable in FILE • It also has stream buffer pointer • You can corrupt it to achieve arbitrary memory read and write 78
Agenda • Introduction • File stream • Overview the FILE structure • Exploitation of FILE structure • FSOP • Vtable verification in FILE structure • Make FILE structure great again • Conclusion 79
Conclusion • FILE structure is a good target for binary exploit • It can be used to • Arbitrary memory read and write • Control the PC and do oriented programing • Other exploit technology • Arbitrary free/unmmap • … 80
Conclusion • FILE structure is a good target for binary Exploit • It’s very powerful in some unexploitable case • Let’s try to find more and more exploit technology in FILE structure 81 Mail : angelboy@chroot.org Blog : blog.angelboy.tw Twitter : scwuaptx

Recomendados

Pwning in c++ (basic)
Pwning in c++ (basic)Pwning in c++ (basic)
Pwning in c++ (basic)Angel Boy
 
Advanced heap exploitaion
Advanced heap exploitaionAdvanced heap exploitaion
Advanced heap exploitaionAngel Boy
 
Heap exploitation
Heap exploitationHeap exploitation
Heap exploitationAngel Boy
 
Sigreturn Oriented Programming
Sigreturn Oriented ProgrammingSigreturn Oriented Programming
Sigreturn Oriented ProgrammingAngel Boy
 
Windows 10 Nt Heap Exploitation (English version)
Windows 10 Nt Heap Exploitation (English version)Windows 10 Nt Heap Exploitation (English version)
Windows 10 Nt Heap Exploitation (English version)Angel Boy
 
Tcache Exploitation
Tcache ExploitationTcache Exploitation
Tcache ExploitationAngel Boy
 
Return to dlresolve
Return to dlresolveReturn to dlresolve
Return to dlresolveAngel Boy
 
Linux binary Exploitation - Basic knowledge
Linux binary Exploitation - Basic knowledgeLinux binary Exploitation - Basic knowledge
Linux binary Exploitation - Basic knowledgeAngel Boy
 

Recomendados

Pwning in c++ (basic)
Pwning in c++ (basic)Pwning in c++ (basic)
Pwning in c++ (basic)Angel Boy
 
Advanced heap exploitaion
Advanced heap exploitaionAdvanced heap exploitaion
Advanced heap exploitaionAngel Boy
 
Heap exploitation
Heap exploitationHeap exploitation
Heap exploitationAngel Boy
 
Sigreturn Oriented Programming
Sigreturn Oriented ProgrammingSigreturn Oriented Programming
Sigreturn Oriented ProgrammingAngel Boy
 
Windows 10 Nt Heap Exploitation (English version)
Windows 10 Nt Heap Exploitation (English version)Windows 10 Nt Heap Exploitation (English version)
Windows 10 Nt Heap Exploitation (English version)Angel Boy
 
Tcache Exploitation
Tcache ExploitationTcache Exploitation
Tcache ExploitationAngel Boy
 
Return to dlresolve
Return to dlresolveReturn to dlresolve
Return to dlresolveAngel Boy
 
Linux binary Exploitation - Basic knowledge
Linux binary Exploitation - Basic knowledgeLinux binary Exploitation - Basic knowledge
Linux binary Exploitation - Basic knowledgeAngel Boy
 
Binary exploitation - AIS3
Binary exploitation - AIS3Binary exploitation - AIS3
Binary exploitation - AIS3Angel Boy
 
Linux Binary Exploitation - Stack buffer overflow
Linux Binary Exploitation - Stack buffer overflowLinux Binary Exploitation - Stack buffer overflow
Linux Binary Exploitation - Stack buffer overflowAngel Boy
 
Linux Binary Exploitation - Heap Exploitation
Linux Binary Exploitation - Heap Exploitation Linux Binary Exploitation - Heap Exploitation
Linux Binary Exploitation - Heap Exploitation Angel Boy
 
Linux Binary Exploitation - Return-oritend Programing
Linux Binary Exploitation - Return-oritend ProgramingLinux Binary Exploitation - Return-oritend Programing
Linux Binary Exploitation - Return-oritend ProgramingAngel Boy
 
ROP 輕鬆談
ROP 輕鬆談ROP 輕鬆談
ROP 輕鬆談hackstuff
 
You didnt see it’s coming? "Dawn of hardened Windows Kernel"
You didnt see it’s coming? "Dawn of hardened Windows Kernel" You didnt see it’s coming? "Dawn of hardened Windows Kernel"
You didnt see it’s coming? "Dawn of hardened Windows Kernel" Peter Hlavaty
 
Windows Kernel Exploitation : This Time Font hunt you down in 4 bytes
Windows Kernel Exploitation : This Time Font hunt you down in 4 bytesWindows Kernel Exploitation : This Time Font hunt you down in 4 bytes
Windows Kernel Exploitation : This Time Font hunt you down in 4 bytesPeter Hlavaty
 
TDOH x 台科 pwn課程
TDOH x 台科 pwn課程TDOH x 台科 pwn課程
TDOH x 台科 pwn課程Weber Tsai
 
Windows 10 Nt Heap Exploitation (Chinese version)
Windows 10 Nt Heap Exploitation (Chinese version)Windows 10 Nt Heap Exploitation (Chinese version)
Windows 10 Nt Heap Exploitation (Chinese version)Angel Boy
 
[232] 성능어디까지쥐어짜봤니 송태웅
[232] 성능어디까지쥐어짜봤니 송태웅[232] 성능어디까지쥐어짜봤니 송태웅
[232] 성능어디까지쥐어짜봤니 송태웅NAVER D2
 
Page cache in Linux kernel
Page cache in Linux kernelPage cache in Linux kernel
Page cache in Linux kernelAdrian Huang
 
Blazing Performance with Flame Graphs
Blazing Performance with Flame GraphsBlazing Performance with Flame Graphs
Blazing Performance with Flame GraphsBrendan Gregg
 
MacOS memory allocator (libmalloc) Exploitation
MacOS memory allocator (libmalloc) ExploitationMacOS memory allocator (libmalloc) Exploitation
MacOS memory allocator (libmalloc) ExploitationAngel Boy
 
Handling inline assembly in Clang and LLVM
Handling inline assembly in Clang and LLVMHandling inline assembly in Clang and LLVM
Handling inline assembly in Clang and LLVMMin-Yih Hsu
 
Linux Profiling at Netflix
Linux Profiling at NetflixLinux Profiling at Netflix
Linux Profiling at NetflixBrendan Gregg
 
twlkh-linux-vsyscall-and-vdso
twlkh-linux-vsyscall-and-vdsotwlkh-linux-vsyscall-and-vdso
twlkh-linux-vsyscall-and-vdsoViller Hsiao
 
Memory Mapping Implementation (mmap) in Linux Kernel
Memory Mapping Implementation (mmap) in Linux KernelMemory Mapping Implementation (mmap) in Linux Kernel
Memory Mapping Implementation (mmap) in Linux KernelAdrian Huang
 
BPF Internals (eBPF)
BPF Internals (eBPF)BPF Internals (eBPF)
BPF Internals (eBPF)Brendan Gregg
 
Linux Performance Profiling and Monitoring
Linux Performance Profiling and MonitoringLinux Performance Profiling and Monitoring
Linux Performance Profiling and MonitoringGeorg Schönberger
 
Klee and angr
Klee and angrKlee and angr
Klee and angrWei-Bo Chen
 
Execution
ExecutionExecution
ExecutionAngel Boy
 
滲透測試基本技巧與經驗分享
滲透測試基本技巧與經驗分享滲透測試基本技巧與經驗分享
滲透測試基本技巧與經驗分享WEI CHIEH CHAO
 

Mais conteúdo relacionado

Mais procurados

Binary exploitation - AIS3
Binary exploitation - AIS3Binary exploitation - AIS3
Binary exploitation - AIS3Angel Boy
 
Linux Binary Exploitation - Stack buffer overflow
Linux Binary Exploitation - Stack buffer overflowLinux Binary Exploitation - Stack buffer overflow
Linux Binary Exploitation - Stack buffer overflowAngel Boy
 
Linux Binary Exploitation - Heap Exploitation
Linux Binary Exploitation - Heap Exploitation Linux Binary Exploitation - Heap Exploitation
Linux Binary Exploitation - Heap Exploitation Angel Boy
 
Linux Binary Exploitation - Return-oritend Programing
Linux Binary Exploitation - Return-oritend ProgramingLinux Binary Exploitation - Return-oritend Programing
Linux Binary Exploitation - Return-oritend ProgramingAngel Boy
 
ROP 輕鬆談
ROP 輕鬆談ROP 輕鬆談
ROP 輕鬆談hackstuff
 
You didnt see it’s coming? "Dawn of hardened Windows Kernel"
You didnt see it’s coming? "Dawn of hardened Windows Kernel" You didnt see it’s coming? "Dawn of hardened Windows Kernel"
You didnt see it’s coming? "Dawn of hardened Windows Kernel" Peter Hlavaty
 
Windows Kernel Exploitation : This Time Font hunt you down in 4 bytes
Windows Kernel Exploitation : This Time Font hunt you down in 4 bytesWindows Kernel Exploitation : This Time Font hunt you down in 4 bytes
Windows Kernel Exploitation : This Time Font hunt you down in 4 bytesPeter Hlavaty
 
TDOH x 台科 pwn課程
TDOH x 台科 pwn課程TDOH x 台科 pwn課程
TDOH x 台科 pwn課程Weber Tsai
 
Windows 10 Nt Heap Exploitation (Chinese version)
Windows 10 Nt Heap Exploitation (Chinese version)Windows 10 Nt Heap Exploitation (Chinese version)
Windows 10 Nt Heap Exploitation (Chinese version)Angel Boy
 
[232] 성능어디까지쥐어짜봤니 송태웅
[232] 성능어디까지쥐어짜봤니 송태웅[232] 성능어디까지쥐어짜봤니 송태웅
[232] 성능어디까지쥐어짜봤니 송태웅NAVER D2
 
Page cache in Linux kernel
Page cache in Linux kernelPage cache in Linux kernel
Page cache in Linux kernelAdrian Huang
 
Blazing Performance with Flame Graphs
Blazing Performance with Flame GraphsBlazing Performance with Flame Graphs
Blazing Performance with Flame GraphsBrendan Gregg
 
MacOS memory allocator (libmalloc) Exploitation
MacOS memory allocator (libmalloc) ExploitationMacOS memory allocator (libmalloc) Exploitation
MacOS memory allocator (libmalloc) ExploitationAngel Boy
 
Handling inline assembly in Clang and LLVM
Handling inline assembly in Clang and LLVMHandling inline assembly in Clang and LLVM
Handling inline assembly in Clang and LLVMMin-Yih Hsu
 
Linux Profiling at Netflix
Linux Profiling at NetflixLinux Profiling at Netflix
Linux Profiling at NetflixBrendan Gregg
 
twlkh-linux-vsyscall-and-vdso
twlkh-linux-vsyscall-and-vdsotwlkh-linux-vsyscall-and-vdso
twlkh-linux-vsyscall-and-vdsoViller Hsiao
 
Memory Mapping Implementation (mmap) in Linux Kernel
Memory Mapping Implementation (mmap) in Linux KernelMemory Mapping Implementation (mmap) in Linux Kernel
Memory Mapping Implementation (mmap) in Linux KernelAdrian Huang
 
BPF Internals (eBPF)
BPF Internals (eBPF)BPF Internals (eBPF)
BPF Internals (eBPF)Brendan Gregg
 
Linux Performance Profiling and Monitoring
Linux Performance Profiling and MonitoringLinux Performance Profiling and Monitoring
Linux Performance Profiling and MonitoringGeorg Schönberger
 

Mais procurados (20)

Binary exploitation - AIS3
Binary exploitation - AIS3Binary exploitation - AIS3
Binary exploitation - AIS3
 
Linux Binary Exploitation - Stack buffer overflow
Linux Binary Exploitation - Stack buffer overflowLinux Binary Exploitation - Stack buffer overflow
Linux Binary Exploitation - Stack buffer overflow
 
Linux Binary Exploitation - Heap Exploitation
Linux Binary Exploitation - Heap Exploitation Linux Binary Exploitation - Heap Exploitation
Linux Binary Exploitation - Heap Exploitation
 
Linux Binary Exploitation - Return-oritend Programing
Linux Binary Exploitation - Return-oritend ProgramingLinux Binary Exploitation - Return-oritend Programing
Linux Binary Exploitation - Return-oritend Programing
 
ROP 輕鬆談
ROP 輕鬆談ROP 輕鬆談
ROP 輕鬆談
 
You didnt see it’s coming? "Dawn of hardened Windows Kernel"
You didnt see it’s coming? "Dawn of hardened Windows Kernel" You didnt see it’s coming? "Dawn of hardened Windows Kernel"
You didnt see it’s coming? "Dawn of hardened Windows Kernel"
 
Windows Kernel Exploitation : This Time Font hunt you down in 4 bytes
Windows Kernel Exploitation : This Time Font hunt you down in 4 bytesWindows Kernel Exploitation : This Time Font hunt you down in 4 bytes
Windows Kernel Exploitation : This Time Font hunt you down in 4 bytes
 
TDOH x 台科 pwn課程
TDOH x 台科 pwn課程TDOH x 台科 pwn課程
TDOH x 台科 pwn課程
 
Windows 10 Nt Heap Exploitation (Chinese version)
Windows 10 Nt Heap Exploitation (Chinese version)Windows 10 Nt Heap Exploitation (Chinese version)
Windows 10 Nt Heap Exploitation (Chinese version)
 
[232] 성능어디까지쥐어짜봤니 송태웅
[232] 성능어디까지쥐어짜봤니 송태웅[232] 성능어디까지쥐어짜봤니 송태웅
[232] 성능어디까지쥐어짜봤니 송태웅
 
Page cache in Linux kernel
Page cache in Linux kernelPage cache in Linux kernel
Page cache in Linux kernel
 
Blazing Performance with Flame Graphs
Blazing Performance with Flame GraphsBlazing Performance with Flame Graphs
Blazing Performance with Flame Graphs
 
MacOS memory allocator (libmalloc) Exploitation
MacOS memory allocator (libmalloc) ExploitationMacOS memory allocator (libmalloc) Exploitation
MacOS memory allocator (libmalloc) Exploitation
 
Handling inline assembly in Clang and LLVM
Handling inline assembly in Clang and LLVMHandling inline assembly in Clang and LLVM
Handling inline assembly in Clang and LLVM
 
Linux Profiling at Netflix
Linux Profiling at NetflixLinux Profiling at Netflix
Linux Profiling at Netflix
 
twlkh-linux-vsyscall-and-vdso
twlkh-linux-vsyscall-and-vdsotwlkh-linux-vsyscall-and-vdso
twlkh-linux-vsyscall-and-vdso
 
Memory Mapping Implementation (mmap) in Linux Kernel
Memory Mapping Implementation (mmap) in Linux KernelMemory Mapping Implementation (mmap) in Linux Kernel
Memory Mapping Implementation (mmap) in Linux Kernel
 
BPF Internals (eBPF)
BPF Internals (eBPF)BPF Internals (eBPF)
BPF Internals (eBPF)
 
Linux Performance Profiling and Monitoring
Linux Performance Profiling and MonitoringLinux Performance Profiling and Monitoring
Linux Performance Profiling and Monitoring
 
Klee and angr
Klee and angrKlee and angr
Klee and angr
 

Destaque

滲透測試基本技巧與經驗分享
滲透測試基本技巧與經驗分享滲透測試基本技巧與經驗分享
滲透測試基本技巧與經驗分享WEI CHIEH CHAO
 
2016.9.10 hackfoldr課
2016.9.10 hackfoldr課2016.9.10 hackfoldr課
2016.9.10 hackfoldr課佩琪 羅
 
Bug hunting through_reverse_engineering
Bug hunting through_reverse_engineeringBug hunting through_reverse_engineering
Bug hunting through_reverse_engineeringarif
 
SECCON 2016 Online CTF [Memory Analysis] Write-Up (ver.korean)
SECCON 2016 Online CTF [Memory Analysis] Write-Up (ver.korean)SECCON 2016 Online CTF [Memory Analysis] Write-Up (ver.korean)
SECCON 2016 Online CTF [Memory Analysis] Write-Up (ver.korean)Sehan Lee
 
Introduction to Reverse Engineering
Introduction to Reverse EngineeringIntroduction to Reverse Engineering
Introduction to Reverse EngineeringDobromir Enchev
 
Reverse engineering
Reverse engineeringReverse engineering
Reverse engineeringYuffie Valen
 
Introduction to Reverse Engineering
Introduction to Reverse EngineeringIntroduction to Reverse Engineering
Introduction to Reverse EngineeringGopinath Chintala
 
Reverse Engineering
Reverse EngineeringReverse Engineering
Reverse Engineeringdswanson
 
Reverse engineering & its application
Reverse engineering & its applicationReverse engineering & its application
Reverse engineering & its applicationmapqrs
 
Reverse engineering
Reverse engineeringReverse engineering
Reverse engineeringananya0122
 
AI and Machine Learning Demystified by Carol Smith at Midwest UX 2017
AI and Machine Learning Demystified by Carol Smith at Midwest UX 2017AI and Machine Learning Demystified by Carol Smith at Midwest UX 2017
AI and Machine Learning Demystified by Carol Smith at Midwest UX 2017Carol Smith
 

Destaque (14)

Execution
ExecutionExecution
Execution
 
滲透測試基本技巧與經驗分享
滲透測試基本技巧與經驗分享滲透測試基本技巧與經驗分享
滲透測試基本技巧與經驗分享
 
2016.9.10 hackfoldr課
2016.9.10 hackfoldr課2016.9.10 hackfoldr課
2016.9.10 hackfoldr課
 
Bug hunting through_reverse_engineering
Bug hunting through_reverse_engineeringBug hunting through_reverse_engineering
Bug hunting through_reverse_engineering
 
SECCON 2016 Online CTF [Memory Analysis] Write-Up (ver.korean)
SECCON 2016 Online CTF [Memory Analysis] Write-Up (ver.korean)SECCON 2016 Online CTF [Memory Analysis] Write-Up (ver.korean)
SECCON 2016 Online CTF [Memory Analysis] Write-Up (ver.korean)
 
Glibc malloc internal
Glibc malloc internalGlibc malloc internal
Glibc malloc internal
 
Reverse engineering
Reverse engineeringReverse engineering
Reverse engineering
 
Introduction to Reverse Engineering
Introduction to Reverse EngineeringIntroduction to Reverse Engineering
Introduction to Reverse Engineering
 
Reverse engineering
Reverse engineeringReverse engineering
Reverse engineering
 
Introduction to Reverse Engineering
Introduction to Reverse EngineeringIntroduction to Reverse Engineering
Introduction to Reverse Engineering
 
Reverse Engineering
Reverse EngineeringReverse Engineering
Reverse Engineering
 
Reverse engineering & its application
Reverse engineering & its applicationReverse engineering & its application
Reverse engineering & its application
 
Reverse engineering
Reverse engineeringReverse engineering
Reverse engineering
 
AI and Machine Learning Demystified by Carol Smith at Midwest UX 2017
AI and Machine Learning Demystified by Carol Smith at Midwest UX 2017AI and Machine Learning Demystified by Carol Smith at Midwest UX 2017
AI and Machine Learning Demystified by Carol Smith at Midwest UX 2017
 

Semelhante a Play with FILE Structure - Yet Another Binary Exploit Technique

File handing in C
File handing in CFile handing in C
File handing in Cshrishcg
 
File management
File managementFile management
File managementsumathiv9
 
NiFi Developer Guide
NiFi Developer GuideNiFi Developer Guide
NiFi Developer GuideDeon Huang
 
06 file processing
06 file processing06 file processing
06 file processingIssay Meii
 
Speed up large-scale ML/DL offline inference job with Alluxio
Speed up large-scale ML/DL offline inference job with AlluxioSpeed up large-scale ML/DL offline inference job with Alluxio
Speed up large-scale ML/DL offline inference job with AlluxioAlluxio, Inc.
 
Linux System Programming - Buffered I/O
Linux System Programming - Buffered I/O Linux System Programming - Buffered I/O
Linux System Programming - Buffered I/O YourHelper1
 
Under The Hood of Pluggable Databases by Alex Gorbachev, Pythian, Oracle OpeW...
Under The Hood of Pluggable Databases by Alex Gorbachev, Pythian, Oracle OpeW...Under The Hood of Pluggable Databases by Alex Gorbachev, Pythian, Oracle OpeW...
Under The Hood of Pluggable Databases by Alex Gorbachev, Pythian, Oracle OpeW...Alex Gorbachev
 
Working with files (concepts/pseudocode/python)
Working with files (concepts/pseudocode/python)Working with files (concepts/pseudocode/python)
Working with files (concepts/pseudocode/python)FerryKemperman
 
IS - section 1 - modifiedFinal information system.pptx
IS - section 1 - modifiedFinal information system.pptxIS - section 1 - modifiedFinal information system.pptx
IS - section 1 - modifiedFinal information system.pptxNaglaaAbdelhady
 
Open Source LinkedIn Analytics Pipeline - BOSS 2016 (VLDB)
Open Source LinkedIn Analytics Pipeline - BOSS 2016 (VLDB)Open Source LinkedIn Analytics Pipeline - BOSS 2016 (VLDB)
Open Source LinkedIn Analytics Pipeline - BOSS 2016 (VLDB)Issac Buenrostro
 
Vorontsov, golovko ssrf attacks and sockets. smorgasbord of vulnerabilities
Vorontsov, golovko ssrf attacks and sockets. smorgasbord of vulnerabilitiesVorontsov, golovko ssrf attacks and sockets. smorgasbord of vulnerabilities
Vorontsov, golovko ssrf attacks and sockets. smorgasbord of vulnerabilitiesDefconRussia
 
NiFi - First approach
NiFi - First approachNiFi - First approach
NiFi - First approachMickael Cassy
 
Linux System Programming - File I/O
Linux System Programming - File I/O Linux System Programming - File I/O
Linux System Programming - File I/O YourHelper1
 
Linux operating system by Quontra Solutions
Linux operating system by Quontra SolutionsLinux operating system by Quontra Solutions
Linux operating system by Quontra SolutionsQUONTRASOLUTIONS
 
Still All on One Server: Perforce at Scale
Still All on One Server: Perforce at Scale Still All on One Server: Perforce at Scale
Still All on One Server: Perforce at Scale Perforce
 
Upgrade von TYPO3 4.5 auf 6.2 - CertiFUNcation Phantasialand 2015
Upgrade von TYPO3 4.5 auf 6.2 - CertiFUNcation Phantasialand 2015Upgrade von TYPO3 4.5 auf 6.2 - CertiFUNcation Phantasialand 2015
Upgrade von TYPO3 4.5 auf 6.2 - CertiFUNcation Phantasialand 2015Wolfgang Wagner
 

Semelhante a Play with FILE Structure - Yet Another Binary Exploit Technique (20)

File handing in C
File handing in CFile handing in C
File handing in C
 
Systems Programming - File IO
Systems Programming - File IOSystems Programming - File IO
Systems Programming - File IO
 
File Handling in C .pptx
File Handling in C .pptxFile Handling in C .pptx
File Handling in C .pptx
 
File management
File managementFile management
File management
 
NiFi Developer Guide
NiFi Developer GuideNiFi Developer Guide
NiFi Developer Guide
 
06 file processing
06 file processing06 file processing
06 file processing
 
Speed up large-scale ML/DL offline inference job with Alluxio
Speed up large-scale ML/DL offline inference job with AlluxioSpeed up large-scale ML/DL offline inference job with Alluxio
Speed up large-scale ML/DL offline inference job with Alluxio
 
Linux System Programming - Buffered I/O
Linux System Programming - Buffered I/O Linux System Programming - Buffered I/O
Linux System Programming - Buffered I/O
 
Under The Hood of Pluggable Databases by Alex Gorbachev, Pythian, Oracle OpeW...
Under The Hood of Pluggable Databases by Alex Gorbachev, Pythian, Oracle OpeW...Under The Hood of Pluggable Databases by Alex Gorbachev, Pythian, Oracle OpeW...
Under The Hood of Pluggable Databases by Alex Gorbachev, Pythian, Oracle OpeW...
 
Working with files (concepts/pseudocode/python)
Working with files (concepts/pseudocode/python)Working with files (concepts/pseudocode/python)
Working with files (concepts/pseudocode/python)
 
File mangement
File mangementFile mangement
File mangement
 
IS - section 1 - modifiedFinal information system.pptx
IS - section 1 - modifiedFinal information system.pptxIS - section 1 - modifiedFinal information system.pptx
IS - section 1 - modifiedFinal information system.pptx
 
Open Source LinkedIn Analytics Pipeline - BOSS 2016 (VLDB)
Open Source LinkedIn Analytics Pipeline - BOSS 2016 (VLDB)Open Source LinkedIn Analytics Pipeline - BOSS 2016 (VLDB)
Open Source LinkedIn Analytics Pipeline - BOSS 2016 (VLDB)
 
Vorontsov, golovko ssrf attacks and sockets. smorgasbord of vulnerabilities
Vorontsov, golovko ssrf attacks and sockets. smorgasbord of vulnerabilitiesVorontsov, golovko ssrf attacks and sockets. smorgasbord of vulnerabilities
Vorontsov, golovko ssrf attacks and sockets. smorgasbord of vulnerabilities
 
Unix cmc
Unix cmcUnix cmc
Unix cmc
 
NiFi - First approach
NiFi - First approachNiFi - First approach
NiFi - First approach
 
Linux System Programming - File I/O
Linux System Programming - File I/O Linux System Programming - File I/O
Linux System Programming - File I/O
 
Linux operating system by Quontra Solutions
Linux operating system by Quontra SolutionsLinux operating system by Quontra Solutions
Linux operating system by Quontra Solutions
 
Still All on One Server: Perforce at Scale
Still All on One Server: Perforce at Scale Still All on One Server: Perforce at Scale
Still All on One Server: Perforce at Scale
 
Upgrade von TYPO3 4.5 auf 6.2 - CertiFUNcation Phantasialand 2015
Upgrade von TYPO3 4.5 auf 6.2 - CertiFUNcation Phantasialand 2015Upgrade von TYPO3 4.5 auf 6.2 - CertiFUNcation Phantasialand 2015
Upgrade von TYPO3 4.5 auf 6.2 - CertiFUNcation Phantasialand 2015
 

Último

How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?Antenna Manufacturer Coco
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...apidays
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdflior mazor
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processorsdebabhi2
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsMaria Levchenko
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherRemote DBA Services
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024The Digital Insurer
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
Tech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdfTech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdfhans926745
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsJoaquim Jorge
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024The Digital Insurer
 

Último (20)

How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdf
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
Tech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdfTech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdf
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 

Play with FILE Structure - Yet Another Binary Exploit Technique

  • 1. Play with FILE Structure Yet Another Binary Exploit Technique angelboy@chroot.org 1
  • 2. About me • Angelboy • CTF player • WCTF / Boston Key Party 1st • DEFCON / HITB 2nd • Chroot / HITCON / 217 • Blog • blog.angelboy.tw 2
  • 3. Agenda • Introduction • File stream • Overview the FILE structure • Exploitation of FILE structure • FSOP • Vtable verification in FILE structure • Make FILE structure great again • Conclusion 3
  • 4. Agenda • Introduction • File stream • Overview the FILE structure • Exploitation of FILE structure • FSOP • Vtable verification in FILE structure • Make FILE structure great again • Conclusion 4
  • 5. Introduction • What happen when we use a raw io function read/write Kernel Buffer User space Kernel space Disk 5
  • 6. Introduction • What happen when we use a raw io function read/write Kernel Buffer User space Kernel space Disk Reduce the number of HD I/O 6
  • 7. Introduction • What is File stream • A higher-level interface on the primitive file descriptor facilities • Stream buffering • Portable and High performance • What is FILE structure • A File stream descriptor • Created by fopen 7
  • 8. Introduction • What happen when we use stdio function read/write Kernel Buffer User space Kernel space Disk stdio Buffer fread/fwrite 8
  • 9. Introduction • What happen when we use stdio function read/write Kernel Buffer User space Kernel space Disk stdio Buffer fread/fwrite Reduce the number of syscall 9
  • 10. Agenda • Introduction • File stream • Overview the FILE structure • Exploitation of FILE structure • FSOP • Vtable verification in FILE structure • Make FILE structure great again • Conclusion 10
  • 11. Introduction • FILE structure • A complex structure • Flags • Stream buffer • File descriptor • FILE_plus • Virtual function table 11
  • 12. Introduction • FILE structure • Flags • Record the attribute of the File stream • Read only • Append • … 12
  • 13. Introduction • FILE structure • Stream buffer • Read buffer • Write buffer • Reserve buffer 13
  • 14. Introduction • FILE structure • _fileno • File descriptor • Return by sys_open 14
  • 15. Introduction • FILE structure • FILE plus • stdin/stdout/stderr • fopen also use it • Extra Virtual function table • Any operation on file is via vtable 15
  • 16. Introduction • FILE structure • FILE plus • stdin/stdout/stderr • fopen also use it • Extra Virtual function table • Any operation on file is via vtable 16
  • 17. Introduction • FILE structure • Every FILE associate with a _chain (linked list) 17 _IO_list_all _flag …… chain _flag …… chain _flag …… 0 stderr stdout stdin
  • 18. Introduction • fopen workflow • Allocate FILE structure • Initial the FILE structure • Link the FILE structure • open file 18 fopen malloc _IO_link_in sys_open _IO_new_file_init_internal _IO_new_file_open
  • 19. Introduction • fopen workflow • Allocate FILE structure _IO_list_all _flag …… chain …… vtable _flag …… chain …… vtable _flag …… 0 …… vtable stderr stdout stdin 19 malloc
  • 20. Introduction • fopen workflow • Initialize the FILE structure • Link the FILE structure _IO_list_all _flag …… chain …… vtable _flag …… chain …… vtable _flag …… 0 …… vtable stderr stdout stdin 0 …… 0 …… 0 fp 20 _IO_new_file_init_internal _IO_link_in
  • 21. Introduction • fopen workflow • Initial the FILE structure • Link the FILE structure _IO_list_all _flag …… chain …… vtable _flag …… chain …… vtable _flag …… 0 …… vtable stderr stdout stdin _flag …… chain …… vtable fp 21 _IO_link_in _IO_new_file_init_internal
  • 22. Introduction • fopen workflow • open file _IO_list_all _flag …… chain …… vtable _flag …… chain …… vtable _flag …… 0 …… vtable stderr stdout stdin _flag …… chain …… vtable fp 22 sys_open
  • 23. Introduction • fread workflow • If stream buffer is NULL • Allocate buffer • Read data to the stream buffer • Copy data from stream buffer to destination 23 fread vtable->_IO_file_xsgetn vtable->doallocate vtable->_IO_file_underflow sys_read
  • 24. Introduction • fread workflow • If stream buffer is NULL • Allocate buffer _flag read_ptr (0) read_end (0) …… buf_base (0) buf_end (0) …… vtable fp _IO_file_finish _IO_file_overflow … _IO_file_doallocate … … … _IO_default_imbue vtable 24 fread vtable->_IO_file_xsgetn vtable->doallocate
  • 25. Introduction • fread workflow • Read data to the stream buffer _flag read_ptr (0) read_end (0) …… 0x603010 0x604010 …… vtable fp stdio buffer 25 vtable->_IO_file_underflow sys_read
  • 26. Introduction • fread workflow • Copy data from stream buffer 
 to destination _flag 0x603010 0x604010 …… 0x603010 0x604010 …… vtable fp AAAA AAAA BBBB BBBB CCCC CCCC … … … ZZZZ stdio buffer Destination 26 vtable->_IO_file_xsgetn
  • 27. AAAA AAAA BBBB BBBB CCCC CCCC … … … ZZZZ Introduction • fread workflow • Copy data from stream buffer 
 to destination _flag 0x603040 0x604010 …… 0x603010 0x604010 …… vtable fp stdio buffer AAAAAAAA Copy to destination 27 vtable->_IO_file_xsgetn
  • 28. Introduction • fwrite workflow • If stream buffer is NULL • Allocate buffer • Copy user data to the stream buffer • If the stream buffer is filled or flush the stream • write data from stream buffer to the file 28 fwrite vtable->_IO_file_xsputn vtable->_IO_file_overflow vtable->doallocate sys_write
  • 29. Introduction • fclose workflow • Unlink the FILE structure • Flush & Release the stream buffer • Close the file • Release the FILE structure 29 fclose _IO_unlink_it _IO_new_file_close_it _IO_do_flush sys_close vtable—>_IO_file_finish free
  • 30. Agenda • Introduction • File stream • Overview the FILE structure • Exploitation of FILE structure • FSOP • Vtable verification in FILE structure • Make FILE structure great again • Conclusion 30
  • 31. Exploitation of FILE • There are a good target in FILE structure • Virtual Function Table 31
  • 32. • Let’s overwrite with buffer address Exploitation of FILE Buffer overflow Sample code payload Buffer address 32 //variable buf at 0x6009a0
  • 33. • Let’s overwrite with buffer address Exploitation of FILE 33 Buffer fp fp _flag read_ptr (0) read_end (0) …… vtable
  • 34. • Let’s overwrite with buffer address Exploitation of FILE 34 AAAAAAAA AAAAAAAA AAAAAAAA AAAAAAAA …… …… AAAAAAAA …… Buffer 0x6009a0 fp _flag read_ptr (0) read_end (0) …… vtable Buffer overflow
  • 35. Exploitation of FILE • Not call vtable directly… • RDX is our input
 but not call instruction 35
  • 36. Exploitation of FILE • Let’s see what happened in fclose • We can get information of segfault in gdb and located it in source code Segfault 36
  • 37. Exploitation of FILE • FILE structure • _lock • Prevent race condition in multithread • Very common in stdio related function • Usually need to construct it for Exploitation 37
  • 38. • Let’s fix the lock Exploitation of FILE Find a global buffer as our lock Fix our payload offset of _lock 38 0x100 bytes
  • 39. • We control PC ! Exploitation of FILE 39
  • 40. Exploitation of FILE • Another interesting • stdin/stdout/stderr is also a FILE structure in glibc • We can overwrite the global variable in glibc to control the flow 40 GLIBC SYMBOL TABLE Global offset
  • 41. Agenda • Introduction • File stream • Overview the FILE structure • Exploitation of FILE structure • FSOP • Vtable verification in FILE structure • Make FILE structure great again • Conclusion 41
  • 42. FSOP • File-Stream Oriented Programing • Control the linked list of File stream • _chain • _IO_list_all • Powerful function • _IO_flush_all_lockp 42
  • 43. FSOP • _IO_flush_all_lockp • fflush all file stream • When will call it • Glib abort routine • exit function • Main return 43 malloc_printerr _libc_message(error msg) abort _IO_flush_all_lockp JUMP_FIELD(_IO_overflow_t, __overflow) If the condition is satisfied Glibc abort routine
  • 44. FSOP • _IO_flush_all_lockp • It will process all FILE
 in FILE linked list • We can construct the
 linked list to do oriented
 programing 44 fp = _IO_list_all condition Trigger virtual funcition Point to next
  • 45. FSOP • File-Stream Oriented Programing _IO_list_all _flags _IO_read_ptr … … … _IO_FILE *chain … … vtable 45
  • 46. FSOP • File-Stream Oriented Programing _IO_list_all _flags _IO_read_ptr … … … _IO_FILE *chain … … vtable _flags(“bar”) _IO_read_ptr … … … _IO_FILE *chain … … vtable _flags(“sh”) _IO_read_ptr … … … _IO_FILE *chain … … vtablefake_vtable fake_vtable2 system system system … … foo foo foo … … Trigger abort() 46
  • 47. FSOP • File-Stream Oriented Programing _IO_list_all _flags _IO_read_ptr … … … _IO_FILE *chain … … vtable _flags(“bar”) _IO_read_ptr … … … _IO_FILE *chain … … vtable _flags(“sh”) _IO_read_ptr … … … _IO_FILE *chain … … vtablefake_vtable fake_vtable2 system system system … … foo foo foo … … call foo(_flags) 47
  • 48. FSOP • File-Stream Oriented Programing _IO_list_all _flags _IO_read_ptr … … … _IO_FILE *chain … … vtable _flags(“bar”) _IO_read_ptr … … … _IO_FILE *chain … … vtable _flags(“sh”) _IO_read_ptr … … … _IO_FILE *chain … … vtablefake_vtable fake_vtable2 system system system … … foo foo foo … … call foo(“bar”) 48
  • 49. FSOP • File-Stream Oriented Programing _IO_list_all _flags _IO_read_ptr … … … _IO_FILE *chain … … vtable _flags(“bar”) _IO_read_ptr … … … _IO_FILE *chain … … vtable _flags(“sh”) _IO_read_ptr … … … _IO_FILE *chain … … vtablefake_vtable fake_vtable2 system system system … … foo foo foo … … fp = fp->chain 49
  • 50. FSOP • File-Stream Oriented Programing _IO_list_all _flags _IO_read_ptr … … … _IO_FILE *chain … … vtable _flags(“bar”) _IO_read_ptr … … … _IO_FILE *chain … … vtable _flags(“sh”) _IO_read_ptr … … … _IO_FILE *chain … … vtablefake_vtable fake_vtable2 system system system … … foo foo foo … … call system(_flags) 50
  • 51. FSOP • File-Stream Oriented Programing _IO_list_all _flags _IO_read_ptr … … … _IO_FILE *chain … … vtable _flags(“bar”) _IO_read_ptr … … … _IO_FILE *chain … … vtable _flags(“sh”) _IO_read_ptr … … … _IO_FILE *chain … … vtablefake_vtable fake_vtable2 system system system … … foo foo foo … … call system(_flags) GET SHELL !! 51
  • 52. Agenda • Introduction • File stream • Overview the FILE structure • Exploitation of FILE structure • FSOP • Vtable verification in FILE structure • Make FILE structure great again • Conclusion 52
  • 53. Vtable verification • Unfortunately, there are a virtual function table in latest libc • Check the address of vtable before all virtual function call • If vtable is invalid, it would abort 53
  • 54. Vtable verification • Vtable verification in File • The vtable must be in libc _IO_vtable section • If it’s not in _IO_vtable section, it will check if the vtable are permitted 54
  • 55. • _IO_vtable_check • Check the foreign vtables Vtable verification 55 For overriding For share library
  • 56. Vtable verification • Bypass ? • Overwrite IO_accept_foreign_vtables ? • It’s very difficult because of the pointer guard 56 Demangle with pointer guard
  • 57. Vtable verification • Bypass ? • Overwrite _dl_open_hook ? • Sounds good, but if you can control the value, you can also control other good target 57
  • 58. Vtable verification • Summary of the vtable verification • It very hard to bypass it. • Exploitation of FILE structure is died ? 58
  • 59. Agenda • Introduction • File stream • Overview the FILE structure • Exploitation of FILE structure • FSOP • Vtable verification in FILE structure • Make FILE structure great again • Conclusion 59
  • 60. Make FILE structure great again • How about change the target from vtable to other element ? • Stream Buffer & File Descriptor 60
  • 61. Make FILE structure great again • If we can overwrite the FILE structure and use fread and fwrite with the FILE structure • We can • Arbitrary memory reading • Arbitrary memory writing 61
  • 62. Make FILE structure great again • Arbitrary memory reading • fwrite • Set the _fileno to the file descriptor of stdout • Set _flag & ~_IO_NO_WRITES • Set _flag |= _IO_CURRENTLY_PUTTING • Set the write_base & write_ptr to memory address which you want to read • _IO_read_end equal to _IO_write_base 62
  • 63. Make FILE structure great again • Arbitrary memory reading • Set _flag &~ _IO_NO_WRITES • Set _flag |= _IO_CURRENTLY_PUTTING 63 Our goal It will adjust the stream buffer A piece of code in fwrite
  • 64. Make FILE structure great again • Arbitrary memory reading • Let _IO_read_end equal to _IO_write_base • If it’s not, it would adjust to the current offset. 64 It will adjust the stream buffer Our goal
  • 65. Make FILE structure great again • Arbitrary memory reading • Sample code 65
  • 66. Make FILE structure great again • Arbitrary memory writing • fread • Set the _fileno to file descriptor of stdin • Set _flag &~ _IO_NO_READS • Set read_base & read_ptr to NULL • Set the buf_base & buf_end to memory address which you want to wirte • buf_end - buf_base < size of fread 66
  • 67. Make FILE structure great again • Arbitrary memory writing • Set read_base & read_ptr to NULL 67 It will copy data from buffer to destination Buffer size must be smaller than read size
  • 68. Make FILE structure great again • Arbitrary memory writing • Set _flag &~ _IO_NO_READS 68 Our goal
  • 69. Make FILE structure great again • Arbitrary memory writing • Sample code 69
  • 70. Make FILE structure great again • If you have arbitrary memory address read and write, you can control the flow very easy • GOT hijack • __malloc_hook_/__free_hook_/__realloc_hook_ • … • By the way, you can not only use fread and fwrite but also use any stdio related function 70
  • 71. Make FILE structure great again • If we don’t have any file operation in the program • We can use stdin/stdout/stderr • put/printf/scanf • … 71
  • 72. Make FILE structure great again • Scenario • Use any stdin related function • scanf/fgets/gets … • Stdin is unbuffer • Very common in normal stdio program 72 … _IO_buf_base _IO_buf_end … _short_buf … stdin buffer stdin
  • 73. Make FILE structure great again • Overwrite buf_end with a pointer behind the stdin • Unsorted bin attack • Very common in heap exploitation 73 … _IO_buf_base _IO_buf_end … _short_buf … stdin buffer stdin
  • 74. Make FILE structure great again • Overwrite buf_end with a pointer behind the stdin • Unsorted bin attack • Very common in heap exploitation 74 … _IO_buf_base Unsorted bin … _short_buf … vtable … stdin stdin buffer … main_arena malloc_hook
  • 75. Make FILE structure great again • Stdin related function • scanf(“%d”,&var) • It will call • read(0,buf_base,sizeof(stdin buffer)) 75 … _IO_buf_base Unsorted bin … _short_buf … vtable … stdin stdin buffer … main_arena malloc_hook
  • 76. Make FILE structure great again • Stdin related function • scanf(“%d”,&var) • It will call • read(0,buf_base,sizeof(stdin buffer)) • It can overwrite many global variable in glibc • Input: aaaa……. 76 … _IO_buf_base Unsorted bin … aaaaaaaa … aaaaaaaa … stdin stdin buffer … main_arena aaaaaaaa
  • 77. Make FILE structure great again • Stdin related function • scanf(“%d”,&var) • It will call • read(0,buf_base,sizeof(stdin buffer)) • It can overwrite many global variable in glibc • Input: aaaa……. 77 … _IO_buf_base aaaaaaaa … aaaaaaaa … aaaaaaaa … stdin stdin buffer … main_arena aaaaaaaa Control PC again !
  • 78. Make FILE structure great again • How about Windows ? • No vtable in FILE • It also has stream buffer pointer • You can corrupt it to achieve arbitrary memory read and write 78
  • 79. Agenda • Introduction • File stream • Overview the FILE structure • Exploitation of FILE structure • FSOP • Vtable verification in FILE structure • Make FILE structure great again • Conclusion 79
  • 80. Conclusion • FILE structure is a good target for binary exploit • It can be used to • Arbitrary memory read and write • Control the PC and do oriented programing • Other exploit technology • Arbitrary free/unmmap • … 80
  • 81. Conclusion • FILE structure is a good target for binary Exploit • It’s very powerful in some unexploitable case • Let’s try to find more and more exploit technology in FILE structure 81 Mail : angelboy@chroot.org Blog : blog.angelboy.tw Twitter : scwuaptx