C++ Std::String Buffer Overflow And Integer Overflow

Interators are usually implemented using signed integers like the typical "for (int i=0; ..." and in fact is the type used indexing "cstr[i]", most of methods use the signed int, int by default is signed.
Nevertheless, the "std::string::operator[]" index is size_t which is unsigned, and so does size(), and same happens with vectors.
Besides the operator[] lack of negative index control, I will explain this later.

Do the compilers doesn't warn about this?

If his code got a large input it would index a negative numer, let see g++ and clang++ warnings:

No warnings so many bugs out there...

In order to reproduce the crash we can load a big string or vector from file, for example:

I've implemented a loading function, getting the file size with tellg() and malloc to allocate the buffer, then in this case used as a string.
Let see how the compiler write asm code based on this c++ code.

So the string constructor, getting size and adding -2 is clear. Then come the operator<< to concat the strings.
Then we see the operator[] when it will crash with the negative index.
In assembly is more clear, it will call operator[] to get the value, and there will hapen the magic dereference happens. The operator[] will end up returning an invalid address that will crash at [RAX]

In gdb the operator[] is a  allq  0x555555555180 <_znst7__cxx1112basic_stringicst11char_traitsicesaiceeixem plt="">

(gdb) i r rsi
rsi            0xfffffffffffefffe  -65538


The implmementation of operator ins in those functions below:

(gdb) bt
#0  0x00007ffff7feebf3 in strcmp () from /lib64/ld-linux-x86-64.so.2
#1  0x00007ffff7fdc9a5 in check_match () from /lib64/ld-linux-x86-64.so.2
#2  0x00007ffff7fdce7b in do_lookup_x () from /lib64/ld-linux-x86-64.so.2
#3  0x00007ffff7fdd739 in _dl_lookup_symbol_x () from /lib64/ld-linux-x86-64.so.2
#4  0x00007ffff7fe1eb7 in _dl_fixup () from /lib64/ld-linux-x86-64.so.2
#5  0x00007ffff7fe88ee in _dl_runtime_resolve_xsavec () from /lib64/ld-linux-x86-64.so.2
#6  0x00005555555554b3 in main (argc=2, argv=0x7fffffffe118) at main.cpp:29

Then crashes on the MOVZX EAX, byte ptr [RAX]

Program received signal SIGSEGV, Segmentation fault.

0x00005555555554b3 in main (argc=2, argv=0x7fffffffe118) at main.cpp:29
29     cout << "penultimate byte is " << hex << s[i] << endl;
(gdb)


What about negative indexing in std::string::operator[] ?
It's exploitable!

In a C char array is known that having control of the index, we can address memory.
Let's see what happens with C++ strings:

The operator[] function call returns the address of string plus 10, and yes, we can do abitrary writes.

Note that gdb displays by default with at&t asm format wich the operands are in oposite order:

And having a string that is in the stack, controlling the index we can perform a write on the stack.

To make sure we are writing outside the string, I'm gonna do 3 writes:

 See below the command "i r rax" to view the address where the write will be performed.

The beginning of the std::string object is 0x7fffffffde50.
Write -10 writes before the string 0x7fffffffde46.
And write -100 segfaults because is writting in non paged address.



So, C++ std::string probably is not vulnerable to buffer overflow based in concatenation, but the std::string::operator[] lack of negative indexing control and this could create vulnerable and exploitable situations, some times caused by a signed used of the unsigned std::string.size()

Related word

1. Pentest Tools Free
2. Pentest Tools Subdomain
3. Tools Used For Hacking
4. Hacker
5. Hacker Tools Apk Download
6. Game Hacking
7. Hacking Tools For Mac
8. Hacking Tools Name
9. Hacking Tools Windows 10
10. Pentest Tools Apk
11. Hacking Tools Pc
12. Hacking Tools Mac
13. Hacking Tools For Mac
14. Pentest Tools
15. Pentest Tools
16. Nsa Hack Tools Download
17. Hacking Tools Windows
18. Hack Tool Apk
19. Hacking Tools Kit
20. Pentest Reporting Tools
21. Hacks And Tools
22. Pentest Tools Find Subdomains
23. Hacking App
24. Best Hacking Tools 2019
25. Hack Apps
26. Hacker Tools For Pc
27. Hacking Tools Windows 10
28. Free Pentest Tools For Windows
29. Pentest Tools Find Subdomains
30. Hacker Tools List
31. Pentest Tools Online
32. Pentest Tools Apk
33. Hacking Tools Download
34. Hacker Tools Github
35. How To Install Pentest Tools In Ubuntu
36. Hacking Tools Mac
37. Hacker Tools Apk Download
38. Computer Hacker
39. Pentest Tools Linux
40. Hacker Tools Apk Download
41. Nsa Hack Tools
42. Pentest Tools Port Scanner
43. Black Hat Hacker Tools
44. Hack Tools Online
45. Pentest Recon Tools
46. Hack Apps
47. Computer Hacker
48. Hack Tools Github
49. Hacker Techniques Tools And Incident Handling
50. Bluetooth Hacking Tools Kali
51. Hacking Tools Online
52. Hacking Tools For Games
53. Hacking Tools Mac
54. Pentest Tools Bluekeep
55. Hacker Tools Mac
56. Hack Tools Download
57. How To Hack
58. Hack Tools Github
59. World No 1 Hacker Software
60. Pentest Tools Online
61. Pentest Recon Tools
62. Pentest Tools Framework
63. Hacker Search Tools
64. Hack Tools For Ubuntu
65. Hack Tools Mac
66. Hacker Tools Apk
67. Hack Tools 2019
68. Pentest Tools For Mac
69. Underground Hacker Sites
70. Hacker Tools Windows
71. Pentest Tools Url Fuzzer
72. Pentest Tools Alternative
73. Hacker Tools Free
74. Hacking Tools Github
75. Hackers Toolbox
76. Pentest Tools Website Vulnerability
77. Game Hacking
78. Hacker Tools Apk
79. Android Hack Tools Github
80. Hack Tools For Games
81. Pentest Tools Framework
82. Hack Tools For Ubuntu
83. Hacker
84. Hacker Tools Software
85. Github Hacking Tools
86. Hacker Tools Online
87. Blackhat Hacker Tools
88. Hack Tools Online
89. Pentest Tools For Mac
90. Hack And Tools
91. Hacker Tools Apk Download
92. Pentest Tools For Mac
93. Hacker Security Tools
94. Pentest Box Tools Download