↪ file seethefile seethefile: ELF 32-bit LSB executable, Intel i386, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux.so.2, for GNU/Linux 2.6.32, BuildID[sha1]=04e6f2f8c85fca448d351ef752ff295581c2650d, not stripped
checksec
1 2 3
↪ checksec --file=seethefile RELRO STACK CANARY NX PIE RPATH RUNPATH Symbols FORTIFY Fortified Fortifiable FILE Partial RELRO No canary found NX enabled No PIE No RPATH No RUNPATH 95 Symbols No 0 3 seethefile
./seethefile
1 2 3 4 5 6 7 8 9 10 11 12 13
####################################################### This is a simple program to open,read,write a file You can open what you want to see Can you read everything ? ####################################################### ---------------MENU--------------- 1. Open 2. Read 3. Write to screen 4. Close 5. Exit ---------------------------------- Your choice :
intopenfile() { int v1; // [esp-Ch] [ebp-14h] int v2; // [esp-8h] [ebp-10h] int v3; // [esp-4h] [ebp-Ch]
if ( fp ) { puts("You need to close the file first"); return0; } else { memset(&magicbuf, 0, 400); printf("What do you want to see :"); __isoc99_scanf("%63s", &filename); if ( strstr(&filename, "flag") ) { puts("Danger !"); exit(0, v1, v2, v3); } fp = fopen(&filename, "r"); if ( fp ) returnputs("Open Successful"); else returnputs("Open failed"); } }
readfile
1 2 3 4 5 6 7 8 9 10 11 12
intreadfile() { int result; // eax
memset(&magicbuf, 0, 400); if ( !fp ) returnputs("You need to open a file first"); result = fread(&magicbuf, 399, 1, fp); if ( result ) returnputs("Read Successful"); return result; }
writefile
1 2 3 4 5 6 7 8 9 10 11 12 13
intwritefile() { int v1; // [esp-Ch] [ebp-14h] int v2; // [esp-8h] [ebp-10h] int v3; // [esp-4h] [ebp-Ch]
struct _IO_FILE { int _flags; /* High-order word is _IO_MAGIC; rest is flags. */ #define _IO_file_flags _flags
/* The following pointers correspond to the C++ streambuf protocol. */ /* Note: Tk uses the _IO_read_ptr and _IO_read_end fields directly. */ char* _IO_read_ptr; /* Current read pointer */ char* _IO_read_end; /* End of get area. */ char* _IO_read_base; /* Start of putback+get area. */ char* _IO_write_base; /* Start of put area. */ char* _IO_write_ptr; /* Current put pointer. */ char* _IO_write_end; /* End of put area. */ char* _IO_buf_base; /* Start of reserve area. */ char* _IO_buf_end; /* End of reserve area. */ /* The following fields are used to support backing up and undo. */ char *_IO_save_base; /* Pointer to start of non-current get area. */ char *_IO_backup_base; /* Pointer to first valid character of backup area */ char *_IO_save_end; /* Pointer to end of non-current get area. */
struct _IO_marker *_markers;
struct _IO_FILE *_chain;
int _fileno; #if 0 int _blksize; #else int _flags2; #endif _IO_off_t _old_offset; /* This used to be _offset but it's too small. */
#define __HAVE_COLUMN /* temporary */ /* 1+column number of pbase(); 0 is unknown. */ unsignedshort _cur_column; signedchar _vtable_offset; char _shortbuf[1];
We can also read the file and store the content to magicbuf, print the content to the screen. You can use fread the second time to read the next 400 bytes. You can also close the file if you want. The last option is exit, after that you can write whatever you want with your desire length to an array char name[32] just right above fp variable.
0x4. Exploit
You can open the file /proc/self/maps to leak the libc address. When exit the process, they call fclose too, before that you can overwrite fp variable, and create a fake _IO_FILE_PLUS too. Let’s see the fclose function in libc 2.23:
int attribute_compat_text_section _IO_old_fclose (_IO_FILE *fp) { int status;
CHECK_FILE(fp, EOF);
/* We desperately try to help programs which are using streams in a strange way and mix old and new functions. Detect new streams here. */ if (fp->_vtable_offset == 0) return _IO_new_fclose (fp);
/* First unlink the stream. */ if (fp->_IO_file_flags & _IO_IS_FILEBUF) _IO_un_link ((struct _IO_FILE_plus *) fp);
_IO_acquire_lock (fp); if (fp->_IO_file_flags & _IO_IS_FILEBUF) status = _IO_old_file_close_it (fp); else status = fp->_flags & _IO_ERR_SEEN ? -1 : 0; _IO_release_lock (fp); _IO_FINISH (fp); if (_IO_have_backup (fp)) _IO_free_backup_area (fp); if (fp != _IO_stdin && fp != _IO_stdout && fp != _IO_stderr) { fp->_IO_file_flags = 0; free(fp); }
return status; }
As you can see, in old fclose funtion ,with vtable_offset marked, they call _IO_FINISH, which expands to ((struct _IO_jump_t *)(fp->vtable))->__finish (fp). That means if you overwrite system address to __finish field in vtable, you can call system (fp). Oke now, before you can reach _IO_FINISH (fp), they could call CHECK_FILE, _IO_un_link, _IO_old_file_close_it. The last 2 functions are only called if _IO_IS_FILEBUF state is marked in fp->file._flags, thus the easiest way to bypass is set these state unmarked. The first function only checks whether are some states marked ? To bypass, just need to set all bits to 1 except _IO_IS_FILEBUF. Oh I forgot _IO_acquire_lock and _IO_release_lock. As you can see above that they have _IO_lock_t *_lock; in _IO_FILE struct. This field is created to prevent race conditions when multiple threads access the same FILE stream.
1 2 3 4 5
typedefstruct { int lock; int cnt; void *owner; } _IO_lock_t;
A FILE is lock if _lock->cnt != 0, _IO_acquire_lock will increase it by 1 and _IO_release_lock decrease it by 1. If the FILE is locked before _IO_acquire_lock, there would be segmentation fault. You can assign _lock field to an address with three null variables to bypass.
