C++ Std::String Buffer Overflow And Integer Overflow

Interators are usually implemented using signed integers like the typical "for (int i=0; ..." and in fact is the type used indexing "cstr[i]", most of methods use the signed int, int by default is signed.
Nevertheless, the "std::string::operator[]" index is size_t which is unsigned, and so does size(), and same happens with vectors.
Besides the operator[] lack of negative index control, I will explain this later.

Do the compilers doesn't warn about this?

If his code got a large input it would index a negative numer, let see g++ and clang++ warnings:

No warnings so many bugs out there...

In order to reproduce the crash we can load a big string or vector from file, for example:

I've implemented a loading function, getting the file size with tellg() and malloc to allocate the buffer, then in this case used as a string.
Let see how the compiler write asm code based on this c++ code.

So the string constructor, getting size and adding -2 is clear. Then come the operator<< to concat the strings.
Then we see the operator[] when it will crash with the negative index.
In assembly is more clear, it will call operator[] to get the value, and there will hapen the magic dereference happens. The operator[] will end up returning an invalid address that will crash at [RAX]

In gdb the operator[] is a  allq  0x555555555180 <_znst7__cxx1112basic_stringicst11char_traitsicesaiceeixem plt="">

(gdb) i r rsi
rsi            0xfffffffffffefffe  -65538


The implmementation of operator ins in those functions below:

(gdb) bt
#0  0x00007ffff7feebf3 in strcmp () from /lib64/ld-linux-x86-64.so.2
#1  0x00007ffff7fdc9a5 in check_match () from /lib64/ld-linux-x86-64.so.2
#2  0x00007ffff7fdce7b in do_lookup_x () from /lib64/ld-linux-x86-64.so.2
#3  0x00007ffff7fdd739 in _dl_lookup_symbol_x () from /lib64/ld-linux-x86-64.so.2
#4  0x00007ffff7fe1eb7 in _dl_fixup () from /lib64/ld-linux-x86-64.so.2
#5  0x00007ffff7fe88ee in _dl_runtime_resolve_xsavec () from /lib64/ld-linux-x86-64.so.2
#6  0x00005555555554b3 in main (argc=2, argv=0x7fffffffe118) at main.cpp:29

Then crashes on the MOVZX EAX, byte ptr [RAX]

Program received signal SIGSEGV, Segmentation fault.

0x00005555555554b3 in main (argc=2, argv=0x7fffffffe118) at main.cpp:29
29     cout << "penultimate byte is " << hex << s[i] << endl;
(gdb)


What about negative indexing in std::string::operator[] ?
It's exploitable!

In a C char array is known that having control of the index, we can address memory.
Let's see what happens with C++ strings:

The operator[] function call returns the address of string plus 10, and yes, we can do abitrary writes.

Note that gdb displays by default with at&t asm format wich the operands are in oposite order:

And having a string that is in the stack, controlling the index we can perform a write on the stack.

To make sure we are writing outside the string, I'm gonna do 3 writes:

 See below the command "i r rax" to view the address where the write will be performed.

The beginning of the std::string object is 0x7fffffffde50.
Write -10 writes before the string 0x7fffffffde46.
And write -100 segfaults because is writting in non paged address.



So, C++ std::string probably is not vulnerable to buffer overflow based in concatenation, but the std::string::operator[] lack of negative indexing control and this could create vulnerable and exploitable situations, some times caused by a signed used of the unsigned std::string.size()

More articles

1. Pentest Tools Website
2. Hacker Tools Github
3. Hacks And Tools
4. Game Hacking
5. Hack Tools
6. Nsa Hack Tools Download
7. World No 1 Hacker Software
8. Blackhat Hacker Tools
9. Best Pentesting Tools 2018
10. Hacking Tools For Windows
11. Best Pentesting Tools 2018
12. Hacking Tools Online
13. Growth Hacker Tools
14. How To Install Pentest Tools In Ubuntu
15. Pentest Tools Apk
16. Hacking Tools Usb
17. Hack Tools Online
18. Hacker Tools Github
19. Hack Tools
20. Pentest Tools Free
21. Pentest Tools Bluekeep
22. Hack Tools Pc
23. New Hack Tools
24. Pentest Recon Tools
25. Hacking Tools 2019
26. Pentest Tools Find Subdomains
27. Hackers Toolbox
28. Pentest Tools Website Vulnerability
29. Hacker Tools For Windows
30. Nsa Hacker Tools
31. Ethical Hacker Tools
32. Pentest Tools Apk
33. Underground Hacker Sites
34. Wifi Hacker Tools For Windows
35. Install Pentest Tools Ubuntu
36. Hacker Search Tools
37. Hack Rom Tools
38. Hacking Tools
39. Top Pentest Tools
40. Hacking Tools For Pc
41. Wifi Hacker Tools For Windows
42. Pentest Tools Tcp Port Scanner
43. Hack App
44. Hacking Tools For Windows 7
45. Pentest Tools Port Scanner
46. Hacking Tools
47. Hacking Tools Download
48. Termux Hacking Tools 2019
49. Hacker Tools Online
50. Pentest Recon Tools
51. Hacker Tools 2020
52. Pentest Tools For Mac
53. How To Install Pentest Tools In Ubuntu
54. Hack Tools Online
55. Blackhat Hacker Tools
56. Pentest Tools Android
57. Hacker Tools Windows
58. Hacks And Tools
59. Github Hacking Tools
60. Hacking Tools For Kali Linux
61. Nsa Hack Tools
62. Hacking Tools Pc
63. Hacking Tools Windows
64. Kik Hack Tools
65. Hacking Tools 2019
66. World No 1 Hacker Software
67. Hacker Tool Kit
68. Hack Tools For Ubuntu
69. Hacking Tools For Windows 7
70. Hacking Tools For Kali Linux
71. Hack Tools Pc
72. Hacking Tools
73. Hacking Tools For Pc
74. Hacker Tools For Mac
75. Hacker Hardware Tools
76. Nsa Hack Tools
77. Best Hacking Tools 2019
78. Hack Tools Online
79. Hack Tools Mac
80. Hacker Tools Windows
81. Hacking Tools For Kali Linux
82. Pentest Tools Online
83. Pentest Reporting Tools
84. Hacker Tools Apk
85. Hack Tools
86. Hacker Tool Kit
87. Hack Tool Apk
88. Hacking Tools Hardware
89. Hacker Tools Online
90. Pentest Tools Linux
91. Hacking Tools And Software
92. New Hack Tools
93. Hacker Techniques Tools And Incident Handling
94. Pentest Tools Find Subdomains
95. Hacker Tools Free
96. Hacker
97. Hack Tools Download
98. Pentest Tools Url Fuzzer
99. Pentest Tools Port Scanner
100. How To Make Hacking Tools
101. Pentest Tools For Ubuntu
102. Hack Tools
103. Hacking Tools For Pc
104. Hacking Tools
105. Android Hack Tools Github