Show page

Differences

This shows you the differences between two versions of the page.

--- cns:labs:lab-10 [2019/12/02 14:12]
razvan.deaconescu [Virtual Function Tables]
+++ cns:labs:lab-10 [2021/01/11 16:59] (current)
mihai.dumitru2201 [C++ objects memory layout]
@@ Line 1: / Line 1: @@
 ====== Lab 10 - Use After Free ======
-===== Resources =====
-  * [[https://ocw.cs.pub.ro/courses/cpl/labs/06 |CPL Lab 06 -  Structure of data and objects in memory]]
-  * [[https://ocw.cs.pub.ro/courses/so/laboratoare/laborator-05 |SO Lab 06 -  Memory management]]
-  * [[https://sploitfun.wordpress.com/2015/02/10/understanding-glibc-malloc/ |Understanding glibc malloc]]
-  * [[https://github.com/lattera/glibc/blob/master/malloc/malloc.c |malloc.c]]
-  * [[http://security.cs.rpi.edu/courses/binexp-spring2015/lectures/17/10_lecture.pdf |Heap Exploitation lecture - Markus Gaaseedelen, CSCI 4968, Sprint 2015]]
-  * [[https://www.geeksforgeeks.org/virtual-function-cpp/ |Virtual functions]]
-  * [[https://en.wikipedia.org/wiki/Virtual_method_table |Virtual Method Table]]
-===== Supporting files =====
-You will use this [[http://elf.cs.pub.ro/oss/res/labs/lab-10.tar.gz|lab archive]] throughout the lab.
-Please download the lab archive an then unpack it using the commands below:
-<code bash>
-$ wget http://elf.cs.pub.ro/oss/res/labs/lab-10.tar.gz
-$ tar xzf lab-10.tar.gz
-</code>
-After unpacking, you will get the ''lab-10/'' folder:
-<code bash>
-$ cd lab-10/
-$ ls -F
-TODO: add files
-</code>
 ===== Introduction =====
-**Use-after-free** refers to the bug in which the data from a memory region is
+**Use-after-free** refers to a class of bugs in which the data from a memory region is
 still used after the region is freed.
-The most common causes are of use-after-free bugs are:
+The most common causes of use-after-free bugs are:
   * Wrongly handled error conditions
   * Unaccounted for program states
   * Confusion over which part of the program is responsible for freeing the memory
-Such bugs can have various adverse consequances:
+Such bugs can have various adverse consequences:
   * crashes
   * corruption of valid data
@@ Line 60: / Line 35: @@
 The innards of ''malloc'' aren't trivial to understand so we will work with
-more of an general overview of what it does and how can we predict what it
+more of a general overview of what it does and how can we predict what it
-will do so we can create a repetable exploit.
+will do so we can create a repeatable exploit.
 The first thing worth mentioning is that **not all addresses returned by malloc
@@ Line 111: / Line 86: @@
-Use the program from ''malloc_addr'' to see how ''malloc'' manifests for different sizes.
+Use the program from ''00-malloc-addr'' to see how ''malloc'' manifests for different sizes.
 The program does pairs of ''malloc'' + ''free'' to inspect for what range of sizes will
 the returned pointer be the same.
@@ Line 161: / Line 136: @@
 ===== Dangling Pointers =====
 A **dangling pointer** is a pointer variable through which the freed memory is accessed. For example:
@@ Line 200: / Line 176: @@
 ==== Tutorial ====
-Enter the ''c_tutorial/'' directory and check the source code for bugs.
+Enter the ''00-c-tutorial/'' directory and check the source code for bugs.
 We can see that in the ''default'' case of the ''switch'' the object is freed but the program
@@ Line 213: / Line 190: @@
 </code>
-The ''post_action_msg'' buffer is //conveniently// conveniently allocated to a size similar to that
+The ''post_action_msg'' buffer is //conveniently// allocated to a size similar to that
 of ''struct person'' and ''fgets'' is used to read something in the newly allocated buffer.
@@ Line 289: / Line 266: @@
 Afterward we reach the following code where it tries to ''call rdx''.
-If we print its value we see that its value concides with the 8 bytes read
+If we print its value we see that its value coincides with the 8 bytes read
 with the previous ''fgets''.
 <code asm>
@@ Line 325: / Line 302: @@
 (or virtual function tables) are used to facilitate polymorphism and inheritance. An object will
 contain a pointer to a list of functions (only the [[https://www.geeksforgeeks.org/virtual-function-cpp/ |virtual]]
-ones) so that it maintains the methods of its type even if casted to another
+ones) so that it maintains the methods of its type even if cast to another
 one upper in the inheritance tree.
@@ Line 333: / Line 310: @@
 class B {
   int a, b;
+public:
   virtual void f(void);
 };
@@ Line 338: / Line 316: @@
 class B1 {
   int x, y;
+public:
   virtual void z(void);
 };
-class D: B, B1 {
+class D: public B, public B1 {
   int c, d;
+public:
   void f(void);
   void z(void);
 };
-D objD; B1 * ptrB1;
+int main()
-ptrB1 = &objD;
+{
-ptrB1->f();
+  D objD; B1 * ptrB1;
+  ptrB1 = &objD;
+  ptrB1->z();
+}
 </code>
@@ Line 359: / Line 342: @@
 ''D'' will contain its own methods.
-When doing an upcast (cast to a parent class) the pointer is just offseted to
+When doing an upcast (cast to a parent class) the pointer is just offset to
 the correct subobject (e.g.: when casting to ''B1'' ''ptrB1'' will start from
 ''PVTable1'').
@@ Line 369: / Line 352: @@
 We can also use the compiler to see the data layout. Copy the code above into
-a file ''dummy.cpp'' and add a main function to make it a valid program:
+a file ''dummy.cpp''.
-<code cpp>
-int main() { return sizeof(D); }
-</code>
 Then run:
@@ Line 412: / Line 392: @@
 ==== Tutorial ====
-Go to the ''cpp_tutorial/'' directory and look at the source code.
+Go to the ''00-cpp-tutorial/'' directory and look at the source code.
 The bug is related to an error check prematurely deleting the object:
@@ Line 507: / Line 487: @@
 <code bash>
 $ python2 exploit.py
-[*] '/home/student/lab-10/cpp_tutorial/cpp_tut'
+[*] '/home/student/cns/10-UAF/00-cpp-tutorial/cpp_tut'
     Arch:     amd64-64-little
     RELRO:    Partial RELRO
@@ Line 522: / Line 502: @@
 ===== Tasks =====
+All content necessary for the CNS laboratory tasks can be found in [[cns:resources:repo|the CNS public repository]].
 ==== List Printer - C++ ====
-Go to the ''list_printer/'' directory and examine the code/binary to find the
+Go to the ''01-list-printer/'' directory and examine the code/binary to find the
 use-after-free bug. Create an exploit to run a shell.
 ==== Point - C ====
-Go to the ''point/'' directory and examine the code/binary to find the
+Go to the ''02-point/'' directory and examine the code/binary to find the
 use-after-free bug. Create an exploit to run ''system("sh")''
@@ Line 572: / Line 555: @@
 It should be enough to set ''x'' to ''"sh\x00\x00"'' unpacked.
 </note>
+===== Resources =====
+  * [[https://ocw.cs.pub.ro/courses/cpl/labs/06 |CPL Lab 06 -  Structure of data and objects in memory]]
+  * [[https://ocw.cs.pub.ro/courses/so/laboratoare/laborator-05 |SO Lab 06 -  Memory management]]
+  * [[https://sploitfun.wordpress.com/2015/02/10/understanding-glibc-malloc/ |Understanding glibc malloc]]
+  * [[https://github.com/lattera/glibc/blob/master/malloc/malloc.c |malloc.c]]
+  * [[http://security.cs.rpi.edu/courses/binexp-spring2015/lectures/17/10_lecture.pdf |Heap Exploitation lecture - Markus Gaaseedelen, CSCI 4968, Sprint 2015]]
+  * [[https://devel0pment.de/?p=688#basic|Heap Exploitation: Off-By-One / Poison Null Byte]]
+  * [[https://www.geeksforgeeks.org/virtual-function-cpp/ |Virtual functions]]
+  * [[https://en.wikipedia.org/wiki/Virtual_method_table |Virtual Method Table]]
+  * [[https://stackoverflow.com/a/2392656/4804196|Why Do We Need Virtual Functions in C++]]

Resources

Labs

Lectures

Assignments

Extra

cns/labs/lab-10.1575288742.txt.gz · Last modified: 2019/12/02 14:12 by razvan.deaconescu

Show page Old revisions

Media Manager Back to top