sábado, 29 de agosto de 2020

C++ Std::String Buffer Overflow And Integer Overflow

Interators are usually implemented using signed integers like the typical "for (int i=0; ..." and in fact is the type used indexing "cstr[i]", most of methods use the signed int, int by default is signed.
Nevertheless, the "std::string::operator[]" index is size_t which is unsigned, and so does size(), and same happens with vectors.
Besides the operator[] lack of negative index control, I will explain this later.

Do the compilers doesn't warn about this?


If his code got a large input it would index a negative numer, let see g++ and clang++ warnings:



No warnings so many bugs out there...

In order to reproduce the crash we can load a big string or vector from file, for example:


I've implemented a loading function, getting the file size with tellg() and malloc to allocate the buffer, then in this case used as a string.
Let see how the compiler write asm code based on this c++ code.



So the string constructor, getting size and adding -2 is clear. Then come the operator<< to concat the strings.
Then we see the operator[] when it will crash with the negative index.
In assembly is more clear, it will call operator[] to get the value, and there will hapen the magic dereference happens. The operator[] will end up returning an invalid address that will crash at [RAX]



In gdb the operator[] is a  allq  0x555555555180 <_znst7__cxx1112basic_stringicst11char_traitsicesaiceeixem plt="">

(gdb) i r rsi
rsi            0xfffffffffffefffe  -65538


The implmementation of operator ins in those functions below:

(gdb) bt
#0  0x00007ffff7feebf3 in strcmp () from /lib64/ld-linux-x86-64.so.2
#1  0x00007ffff7fdc9a5 in check_match () from /lib64/ld-linux-x86-64.so.2
#2  0x00007ffff7fdce7b in do_lookup_x () from /lib64/ld-linux-x86-64.so.2
#3  0x00007ffff7fdd739 in _dl_lookup_symbol_x () from /lib64/ld-linux-x86-64.so.2
#4  0x00007ffff7fe1eb7 in _dl_fixup () from /lib64/ld-linux-x86-64.so.2
#5  0x00007ffff7fe88ee in _dl_runtime_resolve_xsavec () from /lib64/ld-linux-x86-64.so.2
#6  0x00005555555554b3 in main (argc=2, argv=0x7fffffffe118) at main.cpp:29

Then crashes on the MOVZX EAX, byte ptr [RAX]

Program received signal SIGSEGV, Segmentation fault.
0x00005555555554b3 in main (argc=2, argv=0x7fffffffe118) at main.cpp:29
29     cout << "penultimate byte is " << hex << s[i] << endl;
(gdb)


What about negative indexing in std::string::operator[] ?
It's exploitable!

In a C char array is known that having control of the index, we can address memory.
Let's see what happens with C++ strings:






The operator[] function call returns the address of string plus 10, and yes, we can do abitrary writes.



Note that gdb displays by default with at&t asm format wich the operands are in oposite order:


And having a string that is in the stack, controlling the index we can perform a write on the stack.



To make sure we are writing outside the string, I'm gonna do 3 writes:


 See below the command "i r rax" to view the address where the write will be performed.


The beginning of the std::string object is 0x7fffffffde50.
Write -10 writes before the string 0x7fffffffde46.
And write -100 segfaults because is writting in non paged address.



So, C++ std::string probably is not vulnerable to buffer overflow based in concatenation, but the std::string::operator[] lack of negative indexing control and this could create vulnerable and exploitable situations, some times caused by a signed used of the unsigned std::string.size()










More articles
  1. Hacker Tools Github
  2. Hack Apps
  3. Hacking Tools Kit
  4. Top Pentest Tools
  5. Hack Tool Apk No Root
  6. Hack Tools For Pc
  7. Nsa Hack Tools Download
  8. Hacking Tools For Pc
  9. Github Hacking Tools
  10. Hacking Tools For Windows 7
  11. Pentest Tools Port Scanner
  12. Hacking Tools Name
  13. Hacking Tools Github
  14. Computer Hacker
  15. Blackhat Hacker Tools
  16. Hacker Tools List
  17. New Hacker Tools
  18. Best Pentesting Tools 2018
  19. Ethical Hacker Tools
  20. Hacker Tools For Ios
  21. Pentest Tools Framework
  22. Pentest Tools For Ubuntu
  23. Hack Tools Github
  24. Pentest Tools Alternative
  25. Hack And Tools
  26. Android Hack Tools Github
  27. Hacker Tools For Pc
  28. Hacks And Tools
  29. Hacking Tools And Software
  30. Termux Hacking Tools 2019
  31. Pentest Tools Framework
  32. Hacks And Tools
  33. Hack Tools For Mac
  34. Hacker Hardware Tools
  35. Pentest Tools Website Vulnerability
  36. Best Hacking Tools 2019
  37. Hacking Tools Online
  38. Best Hacking Tools 2020
  39. Pentest Tools Android
  40. How To Install Pentest Tools In Ubuntu
  41. Pentest Tools Apk
  42. Hack Apps
  43. Hacking Tools Usb
  44. Hacking Tools Pc
  45. Hacker Tools For Pc
  46. Hackrf Tools
  47. Computer Hacker
  48. Top Pentest Tools
  49. Hacking Tools Software
  50. Pentest Tools
  51. Kik Hack Tools
  52. Pentest Tools Linux
  53. Hacking Tools Hardware
  54. Hacker Tools For Pc
  55. Best Pentesting Tools 2018
  56. Hack Apps
  57. Pentest Tools Linux
  58. Pentest Tools Download
  59. Computer Hacker
  60. Pentest Tools Online
  61. Pentest Tools Download
  62. Hacker Tools Apk
  63. Hacker Tools Mac
  64. Hacking Tools Hardware
  65. Bluetooth Hacking Tools Kali
  66. Easy Hack Tools
  67. Hacking Tools For Windows Free Download
  68. Kik Hack Tools
  69. Hacks And Tools
  70. Hacking Tools Name
  71. Hacker Tool Kit
  72. Hacker Tools Hardware
  73. Hacker Tools For Mac
  74. Hack Tools
  75. Hackers Toolbox
  76. Hacking Tools Software
  77. Pentest Box Tools Download
  78. Growth Hacker Tools
  79. Pentest Tools Port Scanner
  80. Hack Tools Pc
  81. Hackers Toolbox
  82. Hacker Tools 2019
  83. Hack Tool Apk No Root
  84. Hacking Tools And Software
  85. Hacking Tools Hardware
  86. Hacking Tools Download
  87. Nsa Hacker Tools
  88. Hacker Tools Free
  89. Hacks And Tools
  90. Install Pentest Tools Ubuntu
  91. Hack Tools Online
  92. Pentest Tools Framework
  93. Hacking Tools For Windows
  94. How To Make Hacking Tools
  95. Hacker Tool Kit
  96. Pentest Tools Free
  97. Hacker Tools Apk Download
  98. Pentest Tools Github
  99. Hacker Tools Mac
  100. Pentest Tools Framework
  101. Hacker Tools List
  102. Hack Website Online Tool
  103. Pentest Tools Github
  104. Tools 4 Hack
  105. Pentest Tools Free
  106. Computer Hacker
  107. Pentest Tools For Windows
  108. Pentest Tools Alternative
  109. Hack Tool Apk No Root
  110. Free Pentest Tools For Windows
  111. Hacking Tools For Mac
  112. Pentest Tools Github
  113. Nsa Hacker Tools
  114. Pentest Tools Apk
  115. Hackrf Tools
  116. Hack App
  117. Hacker Tools
  118. Hacking Tools Pc
  119. Hacker Tools Free
  120. Pentest Tools Port Scanner
  121. Hacking Tools Online
  122. Hack App
  123. Hak5 Tools
  124. Hacker Tools Free Download
  125. Hacker Security Tools
  126. Pentest Tools List
  127. Best Hacking Tools 2020
  128. Tools Used For Hacking
  129. What Are Hacking Tools
  130. Hacking Tools 2020
  131. How To Install Pentest Tools In Ubuntu
  132. Hacking Tools
  133. Hack Tools
  134. Hackrf Tools
  135. Hacker Tools For Mac
  136. Hackrf Tools
Publicado por Valinvest en 5:49

No hay comentarios:

Publicar un comentario

Suscribirse a: Enviar comentarios (Atom)