Friday, 28 August 2020

C++ Std::String Buffer Overflow And Integer Overflow

Iterators and loop counters are usually implemented with signed integers, as in the typical "for (int i=0; ...", and that is also the type most code uses to index a C string ("cstr[i]"); int is signed by default.
Nevertheless, the index of "std::string::operator[]" is size_t, which is unsigned, and so is the return type of size(); the same happens with vectors.
On top of that, operator[] does no bounds checking at all, so a negative index is silently accepted. I will come back to this later.

Don't the compilers warn about this?


If this code gets a large input it will index with a negative number. Let's see what warnings g++ and clang++ give:


No warnings, so there are many bugs like this out there... Neither compiler flags the size_t to int narrowing at default flags or with -Wall; it takes -Wconversion to catch it.
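The pattern described above, as an added example that is not the post's own code: it shows what the size_t to int conversion does for short inputs, what operator[] then receives once the int is converted back to size_t, and a checked version of the "penultimate byte" lookup. The function names are mine; the only assumption is two's complement conversion between int and size_t, which every mainstream compiler gives and C++20 guarantees.

```cpp
#include <cstddef>
#include <cstdio>
#include <limits>
#include <stdexcept>
#include <string>

// The post's pattern: the index is an int computed from the unsigned size().
// For a string shorter than 2 bytes, s.size() - 2 wraps around in size_t and the
// implicit size_t -> int conversion yields a negative number. Neither g++ nor
// clang++ warns about this line at default flags; -Wconversion does.
int penultimate_index_unchecked(const std::string& s) {
    int i = s.size() - 2;   // size_t arithmetic, then narrowed to int
    return i;
}

// What std::string::operator[] actually receives: its parameter is size_t, so a
// negative int index is converted back to a huge unsigned position, and operator[]
// adds it to the buffer pointer without any check.
std::size_t index_as_operator_sees_it(int i) {
    return static_cast<std::size_t>(i);
}

// Hardened form of "penultimate byte": keep the arithmetic in size_t, reject short
// input up front, and use at(), which throws std::out_of_range instead of
// dereferencing an invalid address.
char penultimate_checked(const std::string& s) {
    if (s.size() < 2) {
        throw std::out_of_range("string shorter than 2 bytes");
    }
    return s.at(s.size() - 2);
}

int main() {
    // Constructed sample inputs: the short ones trigger the wraparound.
    std::string empty;
    std::string one = "a";
    std::string word = "hello";

    std::printf("size 0: i = %d, operator[] sees position %zu\n",
                penultimate_index_unchecked(empty),
                index_as_operator_sees_it(penultimate_index_unchecked(empty)));
    std::printf("size 1: i = %d, operator[] sees position %zu\n",
                penultimate_index_unchecked(one),
                index_as_operator_sees_it(penultimate_index_unchecked(one)));
    std::printf("\"hello\": i = %d, penultimate byte = '%c'\n",
                penultimate_index_unchecked(word), penultimate_checked(word));
    try {
        penultimate_checked(one);
    } catch (const std::out_of_range& e) {
        std::printf("checked version rejected the short input: %s\n", e.what());
    }
    return 0;
}
```

Compile it with g++ -Wall and again with g++ -Wall -Wconversion to see the difference: only the second build reports the narrowing in penultimate_index_unchecked.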

In order to reproduce the crash we can load a big string or vector from a file, for example:


I implemented a loading function that gets the file size with tellg() and allocates the buffer with malloc; in this case the buffer is then used to build a std::string.
Let's see what assembly the compiler generates from this C++ code.



The string constructor call, taking the size and adding -2, is clear. Then come the operator<< calls that build the output line.
Then we see the operator[] call, which will crash with the negative index.
In the assembly it is clearer: the code calls operator[] to get the element address, and the dereference happens right after. operator[] ends up returning an invalid address, and the crash happens on the access to [RAX].



In gdb the operator[] call is:

   callq  0x555555555180 <_ZNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEEixEm@plt>

(that mangled name is std::__cxx11::basic_string<char>::operator[](unsigned long), the size_t overload) and the index register holds the negative value:

(gdb) i r rsi
rsi            0xfffffffffffefffe  -65538


Breaking at that call and asking for a backtrace does not show the operator[] code itself but the dynamic linker: the first call goes through the PLT, and _dl_runtime_resolve looks the symbol up (check_match, strcmp) and patches the GOT before jumping to the real implementation:

(gdb) bt
#0  0x00007ffff7feebf3 in strcmp () from /lib64/ld-linux-x86-64.so.2
#1  0x00007ffff7fdc9a5 in check_match () from /lib64/ld-linux-x86-64.so.2
#2  0x00007ffff7fdce7b in do_lookup_x () from /lib64/ld-linux-x86-64.so.2
#3  0x00007ffff7fdd739 in _dl_lookup_symbol_x () from /lib64/ld-linux-x86-64.so.2
#4  0x00007ffff7fe1eb7 in _dl_fixup () from /lib64/ld-linux-x86-64.so.2
#5  0x00007ffff7fe88ee in _dl_runtime_resolve_xsavec () from /lib64/ld-linux-x86-64.so.2
#6  0x00005555555554b3 in main (argc=2, argv=0x7fffffffe118) at main.cpp:29

Then it crashes on the MOVZX EAX, byte ptr [RAX]:

Program received signal SIGSEGV, Segmentation fault.
0x00005555555554b3 in main (argc=2, argv=0x7fffffffe118) at main.cpp:29
29     cout << "penultimate byte is " << hex << s[i] << endl;
(gdb)


What about negative indexing in std::string::operator[]?
It's exploitable!

With a C char array it is well known that, if we control the index, we can address arbitrary memory.
Let's see what happens with C++ strings:






The operator[] call returns the address of the string buffer plus 10, and yes, we can do arbitrary writes.



Note that gdb uses AT&T syntax by default, in which the operands are in the opposite order (source first, destination second):


And with a string that lives on the stack, controlling the index lets us perform a write on the stack.



To make sure we are writing outside the string, I am going to do three writes:


See below the command "i r rax" to view the address where the write will be performed.


The std::string object starts at 0x7fffffffde50.
The write at index -10 lands before the string, at 0x7fffffffde46.
And the write at index -100 segfaults because it hits an address that is not mapped.
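The three writes above, as an added example that is not the post's own code: a setter with the same unchecked s[idx] = c as the post, a function that computes the address such a write targets for a signed index without performing it (the unsigned wraparound is what turns -10 into "ten bytes before the buffer"), the distance of that target from the std::string object itself, and a checked setter. The function names and the sample string are mine; it assumes a 64-bit build where size_t and uintptr_t have the same width, and that unsigned address arithmetic wraps modulo 2^64, which is what the language guarantees for unsigned types.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <string>

// Exactly the post's vulnerable pattern: an attacker-controlled signed index goes
// straight into operator[], which takes size_t and has no bounds check, so a
// negative idx becomes a huge unsigned offset from the buffer. Kept only to show
// the pattern; calling it with an out-of-range index is the bug under discussion.
void set_byte_unchecked(std::string& s, int idx, char c) {
    s[idx] = c;
}

// The address operator[] hands back for idx, computed without touching memory.
// operator[] returns data()[pos] with pos = (size_t)idx; adding (size_t)-10 to the
// buffer address wraps around and lands 10 bytes before it, which is the post's
// "write -10 writes before the string".
std::uintptr_t target_address(const std::string& s, int idx) {
    std::uintptr_t base = reinterpret_cast<std::uintptr_t>(s.data());
    return base + static_cast<std::uintptr_t>(static_cast<std::size_t>(idx));
}

// Signed byte distance from the start of the std::string object to the target of
// the write. Negative means the write lands before the object; a small non-negative
// value means it lands inside the object, i.e. on the string's own pointer/size
// fields. Where the small-string buffer sits inside the object depends on the
// standard library, so this is diagnostic output, not something to rely on.
std::ptrdiff_t offset_from_object(const std::string& s, int idx) {
    std::uintptr_t obj = reinterpret_cast<std::uintptr_t>(&s);
    return static_cast<std::ptrdiff_t>(target_address(s, idx) - obj);
}

// Hardened setter: validate the signed index before it reaches operator[].
// The sign test has to come first; comparing a negative int against size() directly
// would convert it to size_t and pass.
bool set_byte_checked(std::string& s, int idx, char c) {
    if (idx < 0 || static_cast<std::size_t>(idx) >= s.size()) {
        return false;
    }
    s[static_cast<std::size_t>(idx)] = c;
    return true;
}

int main() {
    // Constructed sample: short enough to use the small-string buffer inside the
    // object on common libraries, so both the object and its bytes are on the stack.
    std::string s = "AAAAAAAAAA";
    std::printf("object at %p, buffer at %p\n",
                static_cast<const void*>(&s), static_cast<const void*>(s.data()));

    const int idxs[] = {5, -10, -100};   // the post's three writes, one in range
    for (int idx : idxs) {
        std::printf("idx %4d -> would write at 0x%jx (%td bytes from the object)\n",
                    idx, static_cast<std::uintmax_t>(target_address(s, idx)),
                    offset_from_object(s, idx));
    }
    std::printf("checked write at 5: %d, at -10: %d, at -100: %d\n",
                set_byte_checked(s, 5, 'X'), set_byte_checked(s, -10, 'X'),
                set_byte_checked(s, -100, 'X'));
    std::printf("string is now \"%s\"\n", s.c_str());
    return 0;
}
```

Run it under gdb with a breakpoint on set_byte_unchecked and compare the printed target address with "i r rax" at the operator[] return: the arithmetic in target_address is the same the library performs, which is why the -10 and -100 cases land where the post observed.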



So, C++ std::string is probably not vulnerable to buffer overflows through concatenation, since it grows its buffer as needed, but std::string::operator[] has no bounds check at all, negative indexes included, and this creates vulnerable and exploitable situations, often caused by a signed use of the unsigned std::string::size(). Building libstdc++ code with -D_GLIBCXX_ASSERTIONS makes operator[] abort on an out-of-range position instead of silently dereferencing it, and std::string::at() always throws, so either is a cheap mitigation where the index comes from untrusted input.
