Hypnotic on my Heart

Interators are usually implemented using signed integers like the typical "for (int i=0; ..." and in fact is the type used indexing "cstr[i]", most of methods use the signed int, int by default is signed.
Nevertheless, the "std::string::operator[]" index is size_t which is unsigned, and so does size(), and same happens with vectors.
Besides the operator[] lack of negative index control, I will explain this later.

Do the compilers doesn't warn about this?


If his code got a large input it would index a negative numer, let see g++ and clang++ warnings:



No warnings so many bugs out there...

In order to reproduce the crash we can load a big string or vector from file, for example:


I've implemented a loading function, getting the file size with tellg() and malloc to allocate the buffer, then in this case used as a string.
Let see how the compiler write asm code based on this c++ code.



So the string constructor, getting size and adding -2 is clear. Then come the operator<< to concat the strings.
Then we see the operator[] when it will crash with the negative index.
In assembly is more clear, it will call operator[] to get the value, and there will hapen the magic dereference happens. The operator[] will end up returning an invalid address that will crash at [RAX]



In gdb the operator[] is a  allq  0x555555555180 <_znst7__cxx1112basic_stringicst11char_traitsicesaiceeixem plt="">

(gdb) i r rsi
rsi            0xfffffffffffefffe  -65538


The implmementation of operator ins in those functions below:

(gdb) bt
#0  0x00007ffff7feebf3 in strcmp () from /lib64/ld-linux-x86-64.so.2
#1  0x00007ffff7fdc9a5 in check_match () from /lib64/ld-linux-x86-64.so.2
#2  0x00007ffff7fdce7b in do_lookup_x () from /lib64/ld-linux-x86-64.so.2
#3  0x00007ffff7fdd739 in _dl_lookup_symbol_x () from /lib64/ld-linux-x86-64.so.2
#4  0x00007ffff7fe1eb7 in _dl_fixup () from /lib64/ld-linux-x86-64.so.2
#5  0x00007ffff7fe88ee in _dl_runtime_resolve_xsavec () from /lib64/ld-linux-x86-64.so.2
#6  0x00005555555554b3 in main (argc=2, argv=0x7fffffffe118) at main.cpp:29
0x00005555555554b3 in main (argc=2, argv=0x7fffffffe118) at main.cpp:29
29     cout << "penultimate byte is " << hex << s[i] << endl;
(gdb)


What about negative indexing in std::string::operator[] ?
It's exploitable!

In a C char array is known that having control of the index, we can address memory.
Let's see what happens with C++ strings:






The operator[] function call returns the address of string plus 10, and yes, we can do abitrary writes.



Note that gdb displays by default with at&t asm format wich the operands are in oposite order:


And having a string that is in the stack, controlling the index we can perform a write on the stack.



To make sure we are writing outside the string, I'm gonna do 3 writes:

 See below the command "i r rax" to view the address where the write will be performed.


The beginning of the std::string object is 0x7fffffffde50.
Write -10 writes before the string 0x7fffffffde46.
And write -100 segfaults because is writting in non paged address.



So, C++ std::string probably is not vulnerable to buffer overflow based in concatenation, but the std::string::operator[] lack of negative indexing control and this could create vulnerable and exploitable situations, some times caused by a signed used of the unsigned std::string.size()

More articles

1. Game Hacking
2. Hacker Tools For Windows
3. Hacker Tools Free Download
4. Hacking Tools For Windows
5. Hacking Tools For Mac
6. Termux Hacking Tools 2019
7. What Is Hacking Tools
8. Hacker Security Tools
9. Pentest Tools For Android
10. Usb Pentest Tools
11. Hacker Tools For Ios
12. Pentest Tools Apk
13. Hack Tools Pc
14. Hack Rom Tools
15. Hack Tool Apk
16. Hacker Tool Kit
17. Pentest Tools Download
18. Physical Pentest Tools
19. Hack Apps
20. Pentest Tools Find Subdomains
21. Hacking Tools Hardware
22. Android Hack Tools Github
23. Pentest Tools List
24. Hacking Tools Software
25. Hacking Tools
26. Hacker Tools
27. Pentest Tools Url Fuzzer
28. Underground Hacker Sites
29. Hack Tools Github
30. Pentest Tools For Windows
31. Hacking Tools For Mac
32. Hack Tools Mac
33. Computer Hacker
34. Hacking Tools For Windows Free Download
35. Hack Tools
36. Hacking Tools Online
37. Usb Pentest Tools
38. Hacker Tools Apk Download
39. Hack Tools For Mac
40. Blackhat Hacker Tools
41. Hackers Toolbox
42. Physical Pentest Tools
43. Pentest Tools Port Scanner
44. Pentest Tools Download
45. Hacker Tools Online
46. Growth Hacker Tools
47. Underground Hacker Sites
48. Best Hacking Tools 2020
49. Hacking Tools Online
50. Hacker Tools Github
51. Hacker Security Tools
52. Hack Tools
53. Underground Hacker Sites
54. Hack Tools Pc
55. Hack Tools For Windows
56. Hacker Tools Free Download
57. Hacker Tools
58. Hacker Tools For Mac
59. Hacking Tools For Windows Free Download
60. Hacking Tools 2020
61. Hacking Tools Name
62. Pentest Tools For Mac
63. Hackers Toolbox
64. Best Hacking Tools 2020
65. Hacking Apps
66. Top Pentest Tools
67. Nsa Hack Tools Download
68. Top Pentest Tools
69. Hack Tools Mac
70. Pentest Tools List
71. Pentest Tools Url Fuzzer
72. Best Pentesting Tools 2018
73. Pentest Tools Website Vulnerability
74. Hacker Tools
75. Tools 4 Hack
76. Hacking Tools Mac
77. Wifi Hacker Tools For Windows
78. Top Pentest Tools
79. Pentest Tools Bluekeep
80. Hacking Tools 2019
81. Hack Tools For Windows
82. Hacking Tools
83. Hack Tools For Games
84. Pentest Tools Subdomain
85. Hack Apps
86. Pentest Tools Free
87. Hacker Tools Apk Download
88. Pentest Box Tools Download
89. Best Pentesting Tools 2018
90. Pentest Tools Download
91. Pentest Recon Tools
92. Hack Tools Mac
93. Install Pentest Tools Ubuntu
94. Hacker Tools Apk Download
95. Pentest Tools For Windows
96. Hacker Tools Apk
97. Hacker Security Tools
98. Hacker Tools Hardware
99. Pentest Tools For Windows
100. Hacking Tools 2020
101. Pentest Tools Linux
102. Pentest Reporting Tools
103. Hacking Tools 2019
104. Hacking Tools 2020
105. Android Hack Tools Github
106. Hack Tools For Mac
107. Hacking Tools Windows
108. Pentest Automation Tools
109. Install Pentest Tools Ubuntu
110. Usb Pentest Tools
111. Hacking Tools Hardware
112. Hacking Tools Windows 10
113. Game Hacking
114. Pentest Tools List
115. Hacker Tools Github
116. Hacking Tools Usb
117. How To Hack
118. New Hack Tools
119. Hacking Tools
120. Hackers Toolbox
121. Hak5 Tools
122. Hacker Hardware Tools
123. Hacking Tools Online
124. Tools 4 Hack
125. Hacker Tools Software
126. Hacker Tools
127. Pentest Tools For Windows
128. Hacker Tools Free Download
129. How To Install Pentest Tools In Ubuntu
130. Kik Hack Tools
131. Pentest Box Tools Download
132. Hackers Toolbox
133. Hacking Tools Windows
134. Pentest Tools Alternative
135. What Is Hacking Tools
136. Best Hacking Tools 2020
137. Termux Hacking Tools 2019
138. Hacking Tools Software
139. Nsa Hacker Tools
140. New Hacker Tools
141. Pentest Tools Alternative
142. Pentest Tools Android
143. Ethical Hacker Tools
144. Pentest Tools For Ubuntu
145. Hacking Tools And Software
146. Pentest Tools For Android
147. Physical Pentest Tools
148. Black Hat Hacker Tools
149. Hacking Tools And Software
150. Hacking Tools For Pc
151. Growth Hacker Tools
152. Hak5 Tools
153. Hacking Tools Hardware
154. Hack Tools Download
155. Wifi Hacker Tools For Windows
156. Best Hacking Tools 2020
157. Hackrf Tools
158. Black Hat Hacker Tools
159. Pentest Tools Kali Linux
160. Nsa Hack Tools Download
161. Hacking Tools For Windows
162. Best Hacking Tools 2019
163. Game Hacking

Posted by K. Lianne on Friday, January 19, 2024 at 2:08 PM | Permalink