Find FSOP code paths that can hijack control flow and the stack pointer in GLIBC libio.
- Install this plugin
- Open `libc.so.6` in Binary Ninja, then click Tools -> Plugins -> Find FSOP code path
- You should see the result in the `Log` window
```
// GLIBC 2.34-0ubuntu3.2
3. _IO_wfile_underflow_mmap@0x86030 -> _IO_wdoallocbuf@0x83be0
  0x8614d: call(0x83be0)
    RIP/RDI DATAFLOW:
      rbx = rdi -> rdi = rbx -> call(0x83be0)
    RBP DATAFLOW:
      rbp = [rdi + 0x98].q
    CODE PATH:
      eax = [rdi].d
      => [condition] (al & 4) == 0
      rax = [rdi + 0xa0].q
      rdx = [rax].q
      => [condition] rdx u>= [rax + 8].q
      rdx = [rdi + 8].q
      => [condition] rdx u< [rdi + 0x10].q
      rdi = [rax + 0x40].q
      => [condition] rdi == 0
  0x83c0b: call([rax + 0x68].q)
    RIP/RDI DATAFLOW:
      rax = [rdi + 0xa0].q -> rax = [rax + 0xe0].q -> call([rax + 0x68].q)
    RBP DATAFLOW:
      (N/A)
    CODE PATH:
      rax = [rdi + 0xa0].q
      => [condition] [rax + 0x30].q == 0
      => [condition] ([rdi].b & 2) == 0
([0x216020] is the location of _IO_wfile_underflow_mmap in __libc_IO_vtables)
```
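As an added helper that is not part of this plugin, the following Python snippet parses the Log-window output format shown above into structured records (path, call sites, dataflow chains, path conditions) and flags the call sites whose RBP value is loaded from the FILE object, which is what makes a path a stack-pointer hijack rather than only a control-flow hijack. The embedded sample is a constructed excerpt of the output quoted above, and the record layout is an assumption inferred from that excerpt, not a format the plugin documents.

```python
import re
# Constructed sample: an excerpt of the Log-window output quoted in this README
SAMPLE_LOG = """\
3. _IO_wfile_underflow_mmap@0x86030 -> _IO_wdoallocbuf@0x83be0
0x8614d: call(0x83be0)
RIP/RDI DATAFLOW:
rbx = rdi -> rdi = rbx -> call(0x83be0)
RBP DATAFLOW:
rbp = [rdi + 0x98].q
CODE PATH:
eax = [rdi].d
=> [condition] (al & 4) == 0
0x83c0b: call([rax + 0x68].q)
RIP/RDI DATAFLOW:
rax = [rdi + 0xa0].q -> rax = [rax + 0xe0].q -> call([rax + 0x68].q)
RBP DATAFLOW:
(N/A)
CODE PATH:
=> [condition] ([rdi].b & 2) == 0
"""

PATH_RE = re.compile(r"^(\d+)\. (\S+)@(0x[0-9a-f]+) -> (\S+)@(0x[0-9a-f]+)$")
CALL_RE = re.compile(r"^(0x[0-9a-f]+): (call\(.*\))$")
SECTIONS = {"RIP/RDI DATAFLOW:": "rip", "RBP DATAFLOW:": "rbp", "CODE PATH:": "path"}

def parse_fsop_log(text):
    """Turn the plugin's log text into a list of paths, each with its call sites (assumed layout)."""
    paths, site, section = [], None, None
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        if m := PATH_RE.match(line):  # "N. src@addr -> dst@addr" starts a new path
            paths.append({"index": int(m[1]), "src": m[2], "dst": m[4], "sites": []})
        elif (m := CALL_RE.match(line)) and paths:  # "addr: call(...)" starts a call-site record
            site = {"addr": int(m[1], 16), "call": m[2], "rip": None, "rbp": None,
                    "ops": [], "conditions": []}
            paths[-1]["sites"].append(site)
        elif line in SECTIONS:
            section = SECTIONS[line]
        elif site is None:
            continue  # free-form remarks outside any record are ignored
        elif section in ("rip", "rbp"):  # dataflow chains are "step -> step -> ..."
            site[section] = None if line == "(N/A)" else [s.strip() for s in line.split("->")]
        elif line.startswith("=> [condition] "):
            site["conditions"].append(line[len("=> [condition] "):])
        else:
            site["ops"].append(line)  # plain instruction on the code path
    return paths

def stack_pivot_sites(paths):
    # Sites whose RBP value is loaded from the FILE object (rdi): stack-pointer hijack candidates
    return [(p["index"], s["addr"]) for p in paths for s in p["sites"] if s["rbp"] and "rdi" in s["rbp"][0]]
```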
An FSOP code path that can be used to perform stack migration with a single FSOP attack, available on GLIBC 2.24+. It is also known as house of apple2, independently found by roderick01.
I actually found this code path a few weeks ago but was struggling to work on other stuff these days, so I didn't notice that someone had already published this code path X(
This plugin is released under an MIT license.