Differences
This shows you the differences between two versions of the page.
|
cns:labs:lab-10 [2021/01/10 21:21] mihai.dumitru2201 |
cns:labs:lab-10 [2021/01/11 16:59] (current) mihai.dumitru2201 [C++ objects memory layout] |
||
|---|---|---|---|
| Line 86: | Line 86: | ||
| - | Use the program from ''malloc_addr'' to see how ''malloc'' manifests for different sizes. | + | Use the program from ''00-malloc-addr'' to see how ''malloc'' manifests for different sizes. |
| The program does pairs of ''malloc'' + ''free'' to inspect for what range of sizes will | The program does pairs of ''malloc'' + ''free'' to inspect for what range of sizes will | ||
| the returned pointer be the same. | the returned pointer be the same. | ||
| Line 177: | Line 177: | ||
| ==== Tutorial ==== | ==== Tutorial ==== | ||
| - | Enter the ''c_tutorial/'' directory and check the source code for bugs. | + | Enter the ''00-c-tutorial/'' directory and check the source code for bugs. |
| We can see that in the ''default'' case of the ''switch'' the object is freed but the program | We can see that in the ''default'' case of the ''switch'' the object is freed but the program | ||
| Line 190: | Line 190: | ||
| </code> | </code> | ||
| - | The ''post_action_msg'' buffer is //conveniently// conveniently allocated to a size similar to that | + | The ''post_action_msg'' buffer is //conveniently// allocated to a size similar to that |
| of ''struct person'' and ''fgets'' is used to read something in the newly allocated buffer. | of ''struct person'' and ''fgets'' is used to read something in the newly allocated buffer. | ||
| Line 310: | Line 310: | ||
| class B { | class B { | ||
| int a, b; | int a, b; | ||
| + | public: | ||
| virtual void f(void); | virtual void f(void); | ||
| }; | }; | ||
| Line 315: | Line 316: | ||
| class B1 { | class B1 { | ||
| int x, y; | int x, y; | ||
| + | public: | ||
| virtual void z(void); | virtual void z(void); | ||
| }; | }; | ||
| - | class D: B, B1 { | + | class D: public B, public B1 { |
| int c, d; | int c, d; | ||
| + | public: | ||
| void f(void); | void f(void); | ||
| void z(void); | void z(void); | ||
| }; | }; | ||
| - | D objD; B1 * ptrB1; | + | int main() |
| - | ptrB1 = &objD; | + | { |
| - | ptrB1->f(); | + | D objD; B1 * ptrB1; |
| + | ptrB1 = &objD; | ||
| + | ptrB1->z(); | ||
| + | } | ||
| </code> | </code> | ||
| Line 346: | Line 352: | ||
| We can also use the compiler to see the data layout. Copy the code above into | We can also use the compiler to see the data layout. Copy the code above into | ||
| - | a file ''dummy.cpp'' and add a main function to make it a valid program: | + | a file ''dummy.cpp''. |
| - | <code cpp> | + | |
| - | int main() { return sizeof(D); } | + | |
| - | </code> | + | |
| Then run: | Then run: | ||
| Line 389: | Line 392: | ||
| ==== Tutorial ==== | ==== Tutorial ==== | ||
| - | Go to the ''cpp_tutorial/'' directory and look at the source code. | + | Go to the ''00-cpp-tutorial/'' directory and look at the source code. |
| The bug is related to an error check prematurely deleting the object: | The bug is related to an error check prematurely deleting the object: | ||
| Line 484: | Line 487: | ||
| <code bash> | <code bash> | ||
| $ python2 exploit.py | $ python2 exploit.py | ||
| - | [*] '/home/student/lab-10/cpp_tutorial/cpp_tut' | + | [*] '/home/student/cns/10-UAF/00-cpp-tutorial/cpp_tut' |
| Arch: amd64-64-little | Arch: amd64-64-little | ||
| RELRO: Partial RELRO | RELRO: Partial RELRO | ||
| Line 505: | Line 508: | ||
| ==== List Printer - C++ ==== | ==== List Printer - C++ ==== | ||
| - | Go to the ''list_printer/'' directory and examine the code/binary to find the | + | Go to the ''01-list-printer/'' directory and examine the code/binary to find the |
| use-after-free bug. Create an exploit to run a shell. | use-after-free bug. Create an exploit to run a shell. | ||
| ==== Point - C ==== | ==== Point - C ==== | ||
| - | Go to the ''point/'' directory and examine the code/binary to find the | + | Go to the ''02-point/'' directory and examine the code/binary to find the |
| use-after-free bug. Create an exploit to run ''system("sh")'' | use-after-free bug. Create an exploit to run ''system("sh")'' | ||
| Line 560: | Line 563: | ||
| * [[https://github.com/lattera/glibc/blob/master/malloc/malloc.c |malloc.c]] | * [[https://github.com/lattera/glibc/blob/master/malloc/malloc.c |malloc.c]] | ||
| * [[http://security.cs.rpi.edu/courses/binexp-spring2015/lectures/17/10_lecture.pdf |Heap Exploitation lecture - Markus Gaaseedelen, CSCI 4968, Sprint 2015]] | * [[http://security.cs.rpi.edu/courses/binexp-spring2015/lectures/17/10_lecture.pdf |Heap Exploitation lecture - Markus Gaaseedelen, CSCI 4968, Sprint 2015]] | ||
| + | * [[https://devel0pment.de/?p=688#basic|Heap Exploitation: Off-By-One / Poison Null Byte]] | ||
| * [[https://www.geeksforgeeks.org/virtual-function-cpp/ |Virtual functions]] | * [[https://www.geeksforgeeks.org/virtual-function-cpp/ |Virtual functions]] | ||
| * [[https://en.wikipedia.org/wiki/Virtual_method_table |Virtual Method Table]] | * [[https://en.wikipedia.org/wiki/Virtual_method_table |Virtual Method Table]] | ||
| * [[https://stackoverflow.com/a/2392656/4804196|Why Do We Need Virtual Functions in C++]] | * [[https://stackoverflow.com/a/2392656/4804196|Why Do We Need Virtual Functions in C++]] | ||
