Gambar Kenangan

We, the cheerful ones

Saturday, 27 January 2024

C++ std::string Buffer Overflow and Integer Overflow

Loop counters are usually signed integers, as in the typical "for (int i=0; ...", and int is also the type most code uses to index a C string with "cstr[i]"; int is signed by default.
The index taken by "std::string::operator[]", however, is size_t, which is unsigned, and so is the value returned by size(); the same holds for std::vector. A signed index computed from an unsigned size() is therefore silently converted back to unsigned at the call.
On top of that, operator[] performs no bounds check at all, so it offers no protection against a "negative" index; more on that below.

Don't the compilers warn about this?


If this code received a large input it would index with a negative number. Let's see what g++ and clang++ warn about:



No warnings at all, so there are plenty of bugs like this out there... Note that the int-to-size_t conversion at the operator[] call is only reported by -Wsign-conversion, which neither -Wall nor -Wextra turns on in g++ or clang++; -Wsign-compare, which -Wall/-Wextra do enable, only catches comparisons such as "i < s.size()", not the indexing itself.

To reproduce the crash we can load a big string or vector from a file, for example:


I've implemented a loading function that gets the file size with tellg() and allocates the buffer with malloc; in this case the buffer is then used as a string. (Note that tellg() itself returns -1 on failure, and feeding that value into a size computation is the same signed/unsigned trap.)
Let's see how the compiler turns this C++ code into assembly.



So the string constructor, getting the size and adding -2, is clear. Then comes operator<< to build the output.
Then we see operator[], which is where it will crash with the negative index.
In assembly it is clearer: it calls operator[] to get the value, and that is where the dereference happens. operator[] ends up returning an invalid address, and the load from [RAX] crashes.



In gdb the call to operator[] is callq 0x555555555180 <_ZNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEEixEm@plt>, and its second argument, the index (rsi under the SysV x86-64 ABI; rdi holds this), is already the sign-extended negative value:

(gdb) i r rsi
rsi            0xfffffffffffefffe  -65538


Breaking on that call first lands in the dynamic linker: the backtrace below is the lazy PLT binding of operator[] being resolved on its first call (_dl_runtime_resolve → _dl_fixup → _dl_lookup_symbol_x → strcmp), not the implementation of operator[] itself:

(gdb) bt
#0  0x00007ffff7feebf3 in strcmp () from /lib64/ld-linux-x86-64.so.2
#1  0x00007ffff7fdc9a5 in check_match () from /lib64/ld-linux-x86-64.so.2
#2  0x00007ffff7fdce7b in do_lookup_x () from /lib64/ld-linux-x86-64.so.2
#3  0x00007ffff7fdd739 in _dl_lookup_symbol_x () from /lib64/ld-linux-x86-64.so.2
#4  0x00007ffff7fe1eb7 in _dl_fixup () from /lib64/ld-linux-x86-64.so.2
#5  0x00007ffff7fe88ee in _dl_runtime_resolve_xsavec () from /lib64/ld-linux-x86-64.so.2
#6  0x00005555555554b3 in main (argc=2, argv=0x7fffffffe118) at main.cpp:29

Then it crashes in main, on the MOVZX EAX, BYTE PTR [RAX] that dereferences the pointer operator[] returned:

Program received signal SIGSEGV, Segmentation fault.
0x00005555555554b3 in main (argc=2, argv=0x7fffffffe118) at main.cpp:29
29     cout << "penultimate byte is " << hex << s[i] << endl;
(gdb)
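The crash above and its fix, as an added example that is not part of the original post (the post's loader and main.cpp are not reproduced; the function and variable names below are my own, and the "ABC" sample input is constructed). vulnerable_index() computes exactly what the post's "int i = s.size() - 2;" computes for an n-byte string, index_seen_by_operator() shows what operator[] receives when that int is passed in, and load_all()/penultimate_byte() are the hardened replacements:

```cpp
#include <cstddef>
#include <fstream>
#include <iostream>
#include <iterator>
#include <limits>
#include <sstream>
#include <string>

// Added example, not code from the original post. Names are my own.

// What the post's "int i = s.size() - 2;" computes for an n-byte string.
// size() is size_t, so n - 2 wraps for n < 2, and the result is then
// truncated to int, which goes negative again once n - 2 reaches 2^31.
int vulnerable_index(std::size_t n) {
    return static_cast<int>(n - 2);
}

// What operator[] receives when that int is passed to it: size_t(i).
// For a negative i this is 2^64 - |i|, so data() + index wraps to data() - |i|.
std::size_t index_seen_by_operator(int i) {
    return static_cast<std::size_t>(i);
}

// Hardened loader: no tellg()/malloc and no size arithmetic at all; the
// string grows to whatever the stream holds. Takes an istream so it can be
// exercised on an in-memory buffer as well as on a file.
std::string load_all(std::istream& in) {
    return std::string(std::istreambuf_iterator<char>(in),
                       std::istreambuf_iterator<char>());
}

// Hardened lookup: the index stays size_t, and the only subtraction is
// guarded by the size check, so it can neither wrap nor go negative.
// Returns false (and leaves out untouched) for inputs shorter than 2 bytes,
// instead of reading data() - 2.
bool penultimate_byte(const std::string& s, unsigned char& out) {
    if (s.size() < 2) return false;
    std::size_t i = s.size() - 2;
    out = static_cast<unsigned char>(s[i]);
    return true;
}

int main(int argc, char* argv[]) {
    std::string s;
    if (argc == 2) {
        std::ifstream f(argv[1], std::ios::binary);
        if (!f) { std::cerr << "cannot open " << argv[1] << '\n'; return 1; }
        s = load_all(f);
    } else {
        std::istringstream sample("ABC");  // constructed sample input
        s = load_all(sample);
    }
    unsigned char b;
    if (penultimate_byte(s, b))
        std::cout << "penultimate byte is " << std::hex << static_cast<int>(b) << '\n';
    else
        std::cout << "input shorter than 2 bytes, nothing to index\n";

    // The index the vulnerable code would have used on an empty file and on
    // a file just over 2 GiB: negative in both cases.
    std::size_t big = static_cast<std::size_t>(std::numeric_limits<int>::max()) + 3;
    std::cout << std::dec << "vulnerable index for an empty file: " << vulnerable_index(0)
              << ", for a " << big << "-byte file: " << vulnerable_index(big) << '\n';
    return 0;
}
```

Run it with a file argument to use the file, or with none to use the constructed sample. The two failure modes are the two ends of the size range: an empty (or 1-byte) input wraps the unsigned subtraction, and an input of 2 GiB or more overflows the int; both end up as a negative int that operator[] turns into a huge size_t.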


What about negative indexing in std::string::operator[]?
It is exploitable.

With a C char array it is well known that if we control the index we can address arbitrary memory.
Let's see what happens with C++ strings:






The operator[] call returns the address of the string's buffer plus 10, and yes, we can do arbitrary writes.



Note that gdb displays AT&T assembly syntax by default, in which the operands appear in the opposite order (source first, destination last); "set disassembly-flavor intel" switches it:


And with a string that lives on the stack, controlling the index lets us write onto the stack.



To make sure we are writing outside the string, I'm going to do 3 writes:


See the command "i r rax" below to view the address where the write will be performed.


The std::string object begins at 0x7fffffffde50.
The write at index -10 lands before the string, at 0x7fffffffde46.
And the write at index -100 segfaults because it hits an address that is not mapped.



So C++ std::string is probably not vulnerable to buffer overflows based on concatenation, but std::string::operator[] does no bounds checking, and in particular no control of negative indices, which can create vulnerable and exploitable situations, typically when the unsigned std::string::size() is stored in or combined with a signed int. Where the index comes from input, use at(), which throws std::out_of_range, or check the index while it is still signed before calling operator[].
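Where a signed index handed to operator[] actually lands, and the checked alternatives, as an added example that is not part of the original post (names are my own; the "hello" string is a constructed sample). target_address() reproduces the pointer arithmetic operator[] performs, on integers rather than pointers so that nothing out of bounds is ever dereferenced; it shows that index -10 resolves to data() - 10, which for a short string kept inside the object (SSO) is memory before the std::string on the stack, exactly the write the gdb session above performed. at_rejects() and checked_write() are the two ways to stop it:

```cpp
#include <cstddef>
#include <cstdint>
#include <initializer_list>
#include <iostream>
#include <stdexcept>
#include <string>

// Added example, not code from the original post. Names are my own.

// Address std::string::operator[] computes for index i: data() + size_t(i),
// with size_t wrap-around. Done on integers (uintptr_t) so it is well defined
// for any i, and nothing is dereferenced; it only tells us where an
// unchecked read or write would land.
std::uintptr_t target_address(const std::string& s, long long i) {
    std::uintptr_t base = reinterpret_cast<std::uintptr_t>(s.data());
    return base + static_cast<std::uintptr_t>(static_cast<std::size_t>(i));
}

// True when that address falls inside the live bytes [data(), data() + size()).
bool index_inside_buffer(const std::string& s, long long i) {
    std::uintptr_t base = reinterpret_cast<std::uintptr_t>(s.data());
    std::uintptr_t t = target_address(s, i);
    return t >= base && t < base + s.size();
}

// True when the character buffer lives inside the std::string object itself
// (small-string optimisation), i.e. a negative index writes just before the
// object, on the stack if the object is on the stack.
bool data_inside_object(const std::string& s) {
    std::uintptr_t obj = reinterpret_cast<std::uintptr_t>(&s);
    std::uintptr_t buf = reinterpret_cast<std::uintptr_t>(s.data());
    return buf >= obj && buf < obj + sizeof(s);
}

// at() is the checked counterpart: size_t(i) >= size() throws std::out_of_range,
// which a negative i always triggers because it converts to a huge size_t.
bool at_rejects(const std::string& s, long long i) {
    try {
        (void)s.at(static_cast<std::size_t>(i));
        return false;
    } catch (const std::out_of_range&) {
        return true;
    }
}

// Hardened write: reject the index while it is still signed, then index
// with a size_t that is known to be in range. Returns false if nothing was written.
bool checked_write(std::string& s, long long i, char c) {
    if (i < 0 || static_cast<unsigned long long>(i) >= s.size()) return false;
    s[static_cast<std::size_t>(i)] = c;
    return true;
}

int main() {
    std::string s = "hello";  // constructed sample; short, so stored inline (SSO)
    std::uintptr_t base = reinterpret_cast<std::uintptr_t>(s.data());
    std::cout << std::hex << "object at 0x" << reinterpret_cast<std::uintptr_t>(&s)
              << ", buffer at 0x" << base
              << (data_inside_object(s) ? " (inside the object)" : " (heap)") << '\n';
    for (long long i : {3LL, -10LL, -100LL}) {
        std::cout << "index " << std::dec << i << " -> 0x" << std::hex << target_address(s, i)
                  << (index_inside_buffer(s, i) ? " (inside buffer)" : " (outside buffer)")
                  << ", at() " << (at_rejects(s, i) ? "throws" : "allows") << '\n';
    }
    std::cout << std::boolalpha << "checked_write(-10): " << checked_write(s, -10, 'X') << '\n';
    return 0;
}
```

The check in checked_write() is done on the signed value on purpose: once the index has been converted to size_t, a negative number is indistinguishable from a very large positive one, and at() can only tell you that it is out of range, not that it was negative.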
