C++ Std::String Buffer Overflow And Integer Overflow

Interators are usually implemented using signed integers like the typical "for (int i=0; ..." and in fact is the type used indexing "cstr[i]", most of methods use the signed int, int by default is signed.
Nevertheless, the "std::string::operator[]" index is size_t which is unsigned, and so does size(), and same happens with vectors.
Besides the operator[] lack of negative index control, I will explain this later.

Do the compilers doesn't warn about this?

If his code got a large input it would index a negative numer, let see g++ and clang++ warnings:

No warnings so many bugs out there...

In order to reproduce the crash we can load a big string or vector from file, for example:

I've implemented a loading function, getting the file size with tellg() and malloc to allocate the buffer, then in this case used as a string.
Let see how the compiler write asm code based on this c++ code.

So the string constructor, getting size and adding -2 is clear. Then come the operator<< to concat the strings.
Then we see the operator[] when it will crash with the negative index.
In assembly is more clear, it will call operator[] to get the value, and there will hapen the magic dereference happens. The operator[] will end up returning an invalid address that will crash at [RAX]

In gdb the operator[] is a  allq  0x555555555180 <_znst7__cxx1112basic_stringicst11char_traitsicesaiceeixem plt="">

(gdb) i r rsi
rsi            0xfffffffffffefffe  -65538


The implmementation of operator ins in those functions below:

(gdb) bt
#0  0x00007ffff7feebf3 in strcmp () from /lib64/ld-linux-x86-64.so.2
#1  0x00007ffff7fdc9a5 in check_match () from /lib64/ld-linux-x86-64.so.2
#2  0x00007ffff7fdce7b in do_lookup_x () from /lib64/ld-linux-x86-64.so.2
#3  0x00007ffff7fdd739 in _dl_lookup_symbol_x () from /lib64/ld-linux-x86-64.so.2
#4  0x00007ffff7fe1eb7 in _dl_fixup () from /lib64/ld-linux-x86-64.so.2
#5  0x00007ffff7fe88ee in _dl_runtime_resolve_xsavec () from /lib64/ld-linux-x86-64.so.2
#6  0x00005555555554b3 in main (argc=2, argv=0x7fffffffe118) at main.cpp:29

Then crashes on the MOVZX EAX, byte ptr [RAX]

Program received signal SIGSEGV, Segmentation fault.

0x00005555555554b3 in main (argc=2, argv=0x7fffffffe118) at main.cpp:29
29     cout << "penultimate byte is " << hex << s[i] << endl;
(gdb)


What about negative indexing in std::string::operator[] ?
It's exploitable!

In a C char array is known that having control of the index, we can address memory.
Let's see what happens with C++ strings:

The operator[] function call returns the address of string plus 10, and yes, we can do abitrary writes.

Note that gdb displays by default with at&t asm format wich the operands are in oposite order:

And having a string that is in the stack, controlling the index we can perform a write on the stack.

To make sure we are writing outside the string, I'm gonna do 3 writes:

 See below the command "i r rax" to view the address where the write will be performed.

The beginning of the std::string object is 0x7fffffffde50.
Write -10 writes before the string 0x7fffffffde46.
And write -100 segfaults because is writting in non paged address.



So, C++ std::string probably is not vulnerable to buffer overflow based in concatenation, but the std::string::operator[] lack of negative indexing control and this could create vulnerable and exploitable situations, some times caused by a signed used of the unsigned std::string.size()

Read more

1. Hacks And Tools
2. Bluetooth Hacking Tools Kali
3. Install Pentest Tools Ubuntu
4. Nsa Hack Tools Download
5. Hack Tools Online
6. Hacking Tools And Software
7. Hacking Tools For Windows 7
8. Hacking Tools Hardware
9. Hack Tools For Games
10. Blackhat Hacker Tools
11. Hack Tools Online
12. Pentest Tools Website
13. Nsa Hacker Tools
14. Hacker
15. What Are Hacking Tools
16. Hacker Tools 2019
17. Pentest Tools Open Source
18. Hacking Tools Windows
19. Hacking Tools Download
20. Hack Website Online Tool
21. Hacking Tools Pc
22. Hacker Tools Free
23. Tools Used For Hacking
24. Tools 4 Hack
25. Pentest Tools Android
26. Hack Tools
27. Hacking Tools 2019
28. Pentest Tools Review
29. Hack Tool Apk
30. Hacker
31. Pentest Tools Find Subdomains
32. Pentest Tools Framework
33. Hack Tools
34. Hacking Tools For Mac
35. Pentest Box Tools Download
36. Pentest Tools Nmap
37. Hacking Tools Pc
38. Hack Tools For Mac
39. Pentest Tools Open Source
40. Hacking Tools Hardware
41. Hacking Tools Download
42. Hacking Tools Hardware
43. How To Hack
44. Top Pentest Tools
45. Pentest Automation Tools
46. Install Pentest Tools Ubuntu
47. Usb Pentest Tools
48. Best Hacking Tools 2019
49. Hacking Tools Hardware
50. Top Pentest Tools
51. Blackhat Hacker Tools
52. Hacking Tools Pc
53. New Hacker Tools
54. Hacking Tools 2020
55. Hack Tools Github
56. Hacker Search Tools
57. Underground Hacker Sites
58. Hacker Tools Mac
59. Pentest Reporting Tools
60. How To Make Hacking Tools
61. Hack App
62. Pentest Tools Github
63. Wifi Hacker Tools For Windows
64. Pentest Tools
65. What Are Hacking Tools
66. What Is Hacking Tools
67. Hacker Tools Online
68. Hacking Tools Kit
69. How To Install Pentest Tools In Ubuntu
70. How To Make Hacking Tools
71. Hacker Tools 2020
72. Hacker Tools For Ios
73. Hacker Tools For Ios
74. Pentest Tools For Mac
75. Hack Tools Github
76. Pentest Tools Review
77. Hacking Tools Kit
78. Pentest Tools Website
79. Best Hacking Tools 2020
80. Pentest Box Tools Download
81. Hacking Tools For Pc
82. Nsa Hack Tools Download