SlideShare a Scribd company logo

Pwning in c++ (basic)

A
Angel Boy

Security in c++

Technology
1 of 83
Download to read offline
Linux Binary Exploitation C++ Exploitation angelboy@chroot.org 1
Outline • Name Mangling • Virtual function table • Vtable Hijacking • Vector & String • New & delete • Copy constructor & assignment operator 2
Outline • Name Mangling • Virtual function table • Vtable Hijacking • Vector & String • New & delete • Copy constructor & assignment operator 3
Name Mangling • C++ 為了了 Overloading 時,可以讓 compiler 和 linker 可以辨別出相同 function 名稱,參參數不同的 function 引⽤用的機制 • 使 programer 在不同的 namespace 底下可以有 著多個相同名稱的 function 4
Name Mangling • ⽽而在 compiler 和 linker 處理理 symbol 時,就會使 ⽤用該機制讓每個 function 名對應到⼀一個修飾過後 的名稱 • C++ 中全域變數和靜態變數也有相同的機制 5
Name Mangling • 在 gdb 中可以使⽤用下列列指令讓 function 好看⼀一點 • set print asm-demangle on 6
Outline • Name Mangling • Virtual function table • Vector & String • New & delete • Copy constructor & assignment operator 7
Virtual function table • Virtual function is a key mechanism to support polymorphism in C++ • For each class with virtual functions, depending on the class inheritance hierarchy, the compiler will create one or more associated virtual function table 8
Virtual function table 9 writable section (heap) typeinfo Person::speak() Person::phd() typeinfo Stu::speak() Person::phd() Stu::pwn() read-only section vtable for Person vtable for Stu compiler generates the table for all class
Virtual function table 10 writable section (heap) ddaa meh vfptr a vfptr b typeinfo Person::speak() Person::phd() typeinfo Stu::speak() Person::phd() Stu::pwn() read-only section vtable for Person vtable for Stu new a Person and a Stu object
Virtual function table 11 writable section (heap) ddaa meh vfptr a vfptr b typeinfo Person::speak() Person::phd() typeinfo Stu::speak() Person::phd() Stu::pwn() read-only section vtable for Person vtable for Stu ddaa->speak()
Virtual function table 12 writable section (heap) ddaa meh vfptr a vfptr b typeinfo Person::speak() Person::phd() typeinfo Stu::speak() Person::phd() Stu::pwn() read-only section vtable for Person vtable for Stu vfptr == *ddaa 取 vfptr
Virtual function table 13 writable section (heap) ddaa meh vfptr a vfptr b typeinfo Person::speak() Person::phd() typeinfo Stu::speak() Person::phd() Stu::pwn() read-only section vtable for Person vtable for Stu call *vfptr (Person::speak(ddaa))
Virtual function table 14 writable section (heap) ddaa meh vfptr a vfptr b typeinfo Person::speak() Person::phd() typeinfo Stu::speak() Person::phd() Stu::pwn() read-only section vtable for Person vtable for Stu meh->speak()
Virtual function table 15 writable section (heap) ddaa meh vfptr a vfptr b typeinfo Person::speak() Person::phd() typeinfo Stu::speak() Person::phd() Stu::pwn() read-only section vtable for Person vtable for Stu vfptr == *meh 取 vfptr
Virtual function table 16 writable section (heap) ddaa meh vfptr a vfptr b typeinfo Person::speak() Person::phd() typeinfo Stu::speak() Person::phd() Stu::pwn() read-only section vtable for Person vtable for Stu call *vfptr (Stu::speak(meh))
Virtual function table 17 writable section (heap) ddaa meh vfptr a vfptr b typeinfo Person::speak() Person::phd() typeinfo Stu::speak() Person::phd() Stu::pwn() read-only section vtable for Person vtable for Stu meh->pwn()
Virtual function table 18 writable section (heap) ddaa meh vfptr a vfptr b typeinfo Person::speak() Person::phd() typeinfo Stu::speak() Person::phd() Stu::pwn() read-only section vtable for Person vtable for Stu vfptr == *meh 取 vfptr
Virtual function table 19 writable section (heap) ddaa meh vfptr a vfptr b typeinfo Person::speak() Person::phd() typeinfo Stu::speak() Person::phd() Stu::pwn() read-only section vtable for Person vtable for Stu call *(vfptr+0x10) (Stu::pwn(meh))
Vtable Hijacking • Need other vulnerabilities • Use-after-free, Heap overflow …. • Force the table and Hijack the vfptr • Because the vfptr is writable 20
Vtable Hijacking 21 writable section (heap) ddaa meh vfptr a vfptr b typeinfo Person::speak() Person::phd() typeinfo Stu::speak() Person::phd() Stu::pwn() read-only section vtable for Person vtable for Stu
Vtable Hijacking 22 writable section (heap) meh &shellcode 0xddaa ddaa 0xdead typeinfo Person::speak() Person::phd() typeinfo Stu::speak() Person::phd() Stu::pwn() read-only section vtable for Person vtable for Stu heap overflow forces a vtabe in ddaa and hijack the vfptr of meh ddaa
Vtable Hijacking 23 writable section (heap) meh &shellcode 0xddaa ddaa 0xdead typeinfo Person::speak() Person::phd() typeinfo Stu::speak() Person::phd() Stu::pwn() read-only section vtable for Person vtable for Stu meh->speak() ddaa
Vtable Hijacking 24 writable section (heap) meh &shellcode 0xddaa ddaa 0xdead typeinfo Person::speak() Person::phd() typeinfo Stu::speak() Person::phd() Stu::pwn() read-only section vtable for Person vtable for Stu vfptr = *meh 取 vfptr ddaa
Vtable Hijacking 25 writable section (heap) meh &shellcode 0xddaa ddaa 0xdead typeinfo Person::speak() Person::phd() typeinfo Stu::speak() Person::phd() Stu::pwn() read-only section vtable for Person vtable for Stu ddaa call *(vfptr) (call shellcode(meh))
Vtable Hijacking 26 writable section (heap) meh &shellcode 0xddaa ddaa 0xdead 0xbeef typeinfo Person::speak() Person::phd() typeinfo Stu::speak() Person::phd() Stu::pwn() read-only section vtable for Person vtable for Stu ddaa call *(vfptr) (call shellcode(meh)) PWN !! 但通常會有 DEP/NX 保護,可能要跳 libc 中的 one-gadget 或是其他可利利⽤用的地⽅方
Outline • Name Mangling • Virtual function table • Vector & String • New & delete • Copy constructor & assignment operator 27
Vector & String • Vector • A dynamic array • 分配在 heap 段 • 比⼀一般 c 中的陣列列更更有彈性,當空間不夠⼤大時 會重新兩兩倍⼤大的的⼩小來來放置新的 vector ,再把 原本的空間還給系統 28
Vector & String • Vector • member • _M_start : vector 起始位置 • vector::begin() • _M_finish : vector 結尾位置 • vector::end() • _M_end_of_storage :容器最後位置 • if _M_finish == _M_end_of_storage in push_back • It will alloca a new space for the vector • 以這個來來判斷空間是否⾜足夠放元素 29
Vector & String • Vector • member function • push_back : 在 vector 最後加入新元素 • pop_back : 移除 vector 最後⼀一個元素 • insert :插入元素到 vector 第 n 個位置 • erase :移除 vector 中第 n 個元素 • …… 30
Vector & String • Vector layout 31 vector <string> vec _M_start _M_finish _M_end_of_storage
Vector & String • Vector layout 32 vec.push_back(“meh”) _M_start _M_finish _M_end_of_storage address of meh string
Vector & String • Vector layout 33 vec.push_back(“meheap”) _M_start _M_finish _M_end_of_storage address of meh string 因為 _M_finish == _ M_end_of_storage 所以會先從新 new ⼀一塊新的 vector 並把舊的值複製過去 再將藍藍⾊色那塊 delete 掉
Vector & String • Vector layout 34 vec.push_back(“meheap”) _M_start _M_finish _M_end_of_storage address of meh string address of meh string address of meheap string
Vector & String • Vector layout 35 vec.push_back(“meh.py”) _M_start _M_finish _M_end_of_storage address of meh string address of meh string address of meheap string address of meh string address of meheap string address of meh.py string
Vector & String • Vector layout 36 vec.push_back(“pwn”) _M_start _M_finish _M_end_of_storage address of meh string address of meh string address of meheap string address of meh string address of meheap string address of meh.py string address of pwn string
Vector & String • Vector layout 37 vec.pop_back() _M_start _M_finish _M_end_of_storage address of meh string address of meh string address of meheap string address of meh string address of meheap string address of meh.py string address of pwn string call destructor of pwn string
Vector & String • Vector layout 38 vec.pop_back() _M_start _M_finish _M_end_of_storage address of meh string address of meh string address of meheap string address of meh string address of meheap string address of meh.py string address of pwn string
Vector & String • String • a dynamic char array • 比起以往的字串串陣列列更更加安全,全部動態配置記憶體空間, 減少⼀一般 buffer overflow 的發⽣生 • 在給定 input 時,會不斷重新分配空間給 user 直到結束後, 就會回傳適當的⼤大⼩小給 user • 有許多種實作⽅方式,這邊介紹最常⾒見見的⼀一種 • g++ < 5 39
Vector & String • String • member • size :字串串的長度 • Capacity : 該 string 空間的容量量 • reference count : 引⽤用計數 • 只要有其他元素引⽤用該字串串就會增加 • 如果其他元素不引⽤用了了,也會減少 • 當 reference == 0 時就會,將空間 delete 掉 • value : 存放字串串內容 40
Vector & String • String • member function • length() : string ⼤大⼩小 • capacity() : ⽬目前 string 空間容量量 • c_str() : Get C string equivalent • …… 41
Vector & String • String layout 42 str string str cin >> str
Vector & String • String layout 43 str string str cin >> str input : aa size = 2 capacity = 2 refcnt = 0 aa
Vector & String • String layout 44 str string str cin >> str input : aaa size = 2 capacity = 2 refcnt = -1 aa size = 3 capacity = 4 refcnt = 0 aaa
Vector & String • String layout 45 str string str cin >> str input : aaaaa size = 2 capacity = 2 refcnt = -1 aa size = 4 capacity = 4 refcnt = -1 aaaa size = 5 capacity = 8 refcnt = 0 aaaaa
Vector & String • String layout 46 str string str cin >> str input : a*125 size = 2 capacity = 2 refcnt = -1 aa size = 4 capacity = 4 refcnt = -1 aaaa size = 8 capacity = 8 refcnt = -1 aaaaaaaa size = 125 capacity = 128 refcnt = 0 a*125 依此類推 capacity 會 不斷以⼆二的指數倍增長 直到 input 結束 . . .
Vector & String • String layout 47 str vector<string> vec vec.push_back(str) size = 2 capacity = 2 refcnt = -1 aa size = 4 capacity = 4 refcnt = -1 aaaa size = 8 capacity = 8 refcnt = -1 aaaaaaaa size = 125 capacity = 128 refcnt = 1 a*125 _M_start _M_finish _M_end_of_storage str . . .
Vector & String • String layout 48 str size = 2 capacity = 2 refcnt = -1 aa size = 4 capacity = 4 refcnt = -1 aaaa size = 8 capacity = 8 refcnt = -1 aaaaaaaa size = 125 capacity = 128 refcnt = 2 a*125 _M_start _M_finish _M_end_of_storage str str str vector<string> vec vec.push_back(str) vec.push_back(str) . . .
Vector & String • String layout 49 str size = 2 capacity = 2 refcnt = -1 aa size = 4 capacity = 4 refcnt = -1 aaaa size = 8 capacity = 8 refcnt = -1 aaaaaaaa size = 125 capacity = 128 refcnt = 1 a*125 _M_start _M_finish _M_end_of_storage str str str vec.pop_back() 這邊會 call str destuctor 但不會 delete 空間 . . .
Vector & String • String layout 50 str size = 2 capacity = 2 refcnt = -1 aa size = 4 capacity = 4 refcnt = -1 aaaa size = 8 capacity = 8 refcnt = -1 aaaaaaaa size = 125 capacity = 128 refcnt = 0 a*125 _M_start _M_finish _M_end_of_storage str str str vec.pop_back() 這邊會 call str destuctor 但不會 delete 空間 . . .
Vector & String • String layout 51 size = 2 capacity = 2 refcnt = -1 aa size = 4 capacity = 4 refcnt = -1 aaaa size = 8 capacity = 8 refcnt = -1 aaaaaaaa size = 125 capacity = 128 refcnt = -1 a*125 _M_start _M_finish _M_end_of_storage str str str end of scope 這邊會 call str destuctor 因 refcnt < 0 會做 delete . . .
Vector & String • String • g++ > 5 之後取消了了 Copy-on-Write 機制 • 所以少掉了了 reference count 這個欄欄位 • 在 data length • <= 15 時會⽤用 local buffer • > 15 時則會在 heap allocate 空間給 data 使⽤用 52
Vector & String • String • data pointer : 指向 data 位置 • size : 分配出去 string 的長度 • union • local buffer : 在 size <= 15 時會直接把這欄欄位拿來來存 data • allocated capacity : size > 15 時會拿來來紀錄 capcity 53
Vector & String • String • size < 15 54 data pointer size = 15 aaaaaaaa aaaaaaaa
Vector & String • String • size > 15 55 data pointer size = 17 capacity = 30 0 aaaaaaaa aaaaaaaa a heap
Outline • Name Mangling • Virtual function table • Vector & String • New & delete • Copy constructor & assignment operator 56
New & Delete • 在 c++ 預設的情況下 ,new/delete 的最底層實作依舊是靠 malloc/free 去處理理記憶體管理理 • 在 c++ 中,記憶體配置池稱為 free store ,但預設情況下 free store 位置是在 heap • 不過事實上 new/delete 是可以 overloading 的,也就是⾃自⾏行行去 做記憶體管理理,另外最⼤大差別就是new/delete 實際上會去 call constructor/destructor ⽽而 malloc/free 只做單純的記憶體配置 • 因此盡量量不要讓 malloc/free 與 new/delete 混⽤用,不然可能會 出現⼀一些不可預期的狀狀況 57
New & Delete • new ⼤大致上流程 • operator new • 與 malloc 類似,單純配置記憶體空間,但配置失敗會進入 exception ⽽而 malloc 則是返回 null ,有點像在 malloc 上⼀一層 wrapper • constructor • delete ⼤大致上流程 • destructor • operator delete • 與 free 類似,釋放⼀一塊記憶體空間,有點像是在 free 上⼀一層 wrapper 58
New & Delete • 因此 new/delete 及 operator new / operator delete 也應該成對配對 • 記憶體函式配對 59 配置函式 解除函式 new delete new [] delete [] operator new operator delete operator new[] operator delete[] malloc free
Outline • Name Mangling • Virtual function table • Vector & String • New & delete • Copy constructor & assignment operator 60
What’s wrong in this code 61
What’s wrong in this code 62
Copy constructor & assignment operator • shallow copy • 只做單純 pointer (value) 的複製,複製完後內 容與原本的相同 • deep copy • 會在配置更更多記憶體空間,包含 pointer 所指向 的內容也都⼀一併複製 63
Copy constructor & assignment operator • shallow copy 64 name orange StuA
Copy constructor & assignment operator • shallow copy 65 name orange name StuA StuB
Copy constructor & assignment operator • deep copy 66 name orange StuA
Copy constructor & assignment operator • deep copy 67 name orange name StuA StuB orange
Copy constructor & assignment operator • Copy constructor • c++ 在進⾏行行複製 object 會使⽤用 copy constructor • 通常 class 的 member 有指標時,就需要⾃自⾏行行 去實作 • 若若未特別定義則會使⽤用 default copy constructor • 只做 shallow copy 68
Copy constructor & assignment operator • Assignment operator • c++ 在進⾏行行 “=“ 這個 operator 時 object 會使⽤用 assignment operator 這個 function 去 assign object 的 值 • 通常 class 的 member 有指標時,就需要⾃自⾏行行去實作 • 若若未特別定義則會使⽤用 default assignment operator • 只做 shallow copy 69
Copy constructor & assignment operator • 何時會使⽤用 copy constructor • func(Stu stu) • return stu • vector 等 STL 容器 • …. 70
Copy constructor & assignment operator • 何時會使⽤用 assignment operator • stuA = stuB • vector 等 STL 容器 • e.g. vector.erase() • … 71
Copy constructor & assignment operator 72 call constructor id name vector
Copy constructor & assignment operator 73 new char [str.length() + 1] id = 1337 name orange vector
Copy constructor & assignment operator 74 push_back(student) id = 1337 name orange vector id = 1337 name copy the value to vector using shadow copy
Copy constructor & assignment operator 75 ~Stu() id = 1337 name orange vector id = 1337 name 因 student 的 life time 結束 所以 call destructor
Copy constructor & assignment operator 76 delete [] name id = 1337 name orange vector id = 1337 name
Copy constructor & assignment operator 77 ~vector() id = 1337 name orange vector id = 1337 name 因 stulist 的 life time 結束 所以 call destructor
Copy constructor & assignment operator 78 ~Stu() id = 1337 name orange vector id = 1337 name vector 會去 依次去呼叫 內容的 destructor
Copy constructor & assignment operator 79 delete [] name id = 1337 name orange vector id = 1337 name
Copy constructor & assignment operator 80 delete [] name id = 1337 name orange vector id = 1337 name double free
Copy constructor & assignment operator • 總結 • 基本上 c++ 在只要做任何複製的動作時通常都 會去使⽤用 copy constructor 或者是 assignment operator • 所以基本上物件只要有 pointer 都盡量量養成習慣 去定義 copy constructor 跟 assignment opeator 81
Lab 15 • zoo 82
Q & A

Recommended

Play with FILE Structure - Yet Another Binary Exploit Technique
Play with FILE Structure - Yet Another Binary Exploit TechniquePlay with FILE Structure - Yet Another Binary Exploit Technique
Play with FILE Structure - Yet Another Binary Exploit TechniqueAngel Boy
 
Heap exploitation
Heap exploitationHeap exploitation
Heap exploitationAngel Boy
 
Tcache Exploitation
Tcache ExploitationTcache Exploitation
Tcache ExploitationAngel Boy
 
Advanced heap exploitaion
Advanced heap exploitaionAdvanced heap exploitaion
Advanced heap exploitaionAngel Boy
 
Windows 10 Nt Heap Exploitation (English version)
Windows 10 Nt Heap Exploitation (English version)Windows 10 Nt Heap Exploitation (English version)
Windows 10 Nt Heap Exploitation (English version)Angel Boy
 
Linux Binary Exploitation - Return-oritend Programing
Linux Binary Exploitation - Return-oritend ProgramingLinux Binary Exploitation - Return-oritend Programing
Linux Binary Exploitation - Return-oritend ProgramingAngel Boy
 
Sigreturn Oriented Programming
Sigreturn Oriented ProgrammingSigreturn Oriented Programming
Sigreturn Oriented ProgrammingAngel Boy
 
Binary exploitation - AIS3
Binary exploitation - AIS3Binary exploitation - AIS3
Binary exploitation - AIS3Angel Boy
 

Recommended

Play with FILE Structure - Yet Another Binary Exploit Technique
Play with FILE Structure - Yet Another Binary Exploit TechniquePlay with FILE Structure - Yet Another Binary Exploit Technique
Play with FILE Structure - Yet Another Binary Exploit TechniqueAngel Boy
 
Heap exploitation
Heap exploitationHeap exploitation
Heap exploitationAngel Boy
 
Tcache Exploitation
Tcache ExploitationTcache Exploitation
Tcache ExploitationAngel Boy
 
Advanced heap exploitaion
Advanced heap exploitaionAdvanced heap exploitaion
Advanced heap exploitaionAngel Boy
 
Windows 10 Nt Heap Exploitation (English version)
Windows 10 Nt Heap Exploitation (English version)Windows 10 Nt Heap Exploitation (English version)
Windows 10 Nt Heap Exploitation (English version)Angel Boy
 
Linux Binary Exploitation - Return-oritend Programing
Linux Binary Exploitation - Return-oritend ProgramingLinux Binary Exploitation - Return-oritend Programing
Linux Binary Exploitation - Return-oritend ProgramingAngel Boy
 
Sigreturn Oriented Programming
Sigreturn Oriented ProgrammingSigreturn Oriented Programming
Sigreturn Oriented ProgrammingAngel Boy
 
Binary exploitation - AIS3
Binary exploitation - AIS3Binary exploitation - AIS3
Binary exploitation - AIS3Angel Boy
 
Linux binary Exploitation - Basic knowledge
Linux binary Exploitation - Basic knowledgeLinux binary Exploitation - Basic knowledge
Linux binary Exploitation - Basic knowledgeAngel Boy
 
Windows 10 Nt Heap Exploitation (Chinese version)
Windows 10 Nt Heap Exploitation (Chinese version)Windows 10 Nt Heap Exploitation (Chinese version)
Windows 10 Nt Heap Exploitation (Chinese version)Angel Boy
 
Linux Binary Exploitation - Heap Exploitation
Linux Binary Exploitation - Heap Exploitation Linux Binary Exploitation - Heap Exploitation
Linux Binary Exploitation - Heap Exploitation Angel Boy
 
ROP 輕鬆談
ROP 輕鬆談ROP 輕鬆談
ROP 輕鬆談hackstuff
 
Execution
ExecutionExecution
ExecutionAngel Boy
 
台科逆向簡報
台科逆向簡報台科逆向簡報
台科逆向簡報耀德 蔡
 
Linux Binary Exploitation - Stack buffer overflow
Linux Binary Exploitation - Stack buffer overflowLinux Binary Exploitation - Stack buffer overflow
Linux Binary Exploitation - Stack buffer overflowAngel Boy
 
Modern Kernel Pool Exploitation: Attacks and Techniques
Modern Kernel Pool Exploitation: Attacks and TechniquesModern Kernel Pool Exploitation: Attacks and Techniques
Modern Kernel Pool Exploitation: Attacks and TechniquesMichael Scovetta
 
NTUSTxTDOH - Pwn基礎 2015/12/27
NTUSTxTDOH - Pwn基礎 2015/12/27NTUSTxTDOH - Pwn基礎 2015/12/27
NTUSTxTDOH - Pwn基礎 2015/12/27Sheng-Hao Ma
 
MacOS memory allocator (libmalloc) Exploitation
MacOS memory allocator (libmalloc) ExploitationMacOS memory allocator (libmalloc) Exploitation
MacOS memory allocator (libmalloc) ExploitationAngel Boy
 
Kernel Recipes 2019 - Faster IO through io_uring
Kernel Recipes 2019 - Faster IO through io_uringKernel Recipes 2019 - Faster IO through io_uring
Kernel Recipes 2019 - Faster IO through io_uringAnne Nicolas
 
You didnt see it’s coming? "Dawn of hardened Windows Kernel"
You didnt see it’s coming? "Dawn of hardened Windows Kernel" You didnt see it’s coming? "Dawn of hardened Windows Kernel"
You didnt see it’s coming? "Dawn of hardened Windows Kernel" Peter Hlavaty
 
Return to dlresolve
Return to dlresolveReturn to dlresolve
Return to dlresolveAngel Boy
 
twlkh-linux-vsyscall-and-vdso
twlkh-linux-vsyscall-and-vdsotwlkh-linux-vsyscall-and-vdso
twlkh-linux-vsyscall-and-vdsoViller Hsiao
 
DeathNote of Microsoft Windows Kernel
DeathNote of Microsoft Windows KernelDeathNote of Microsoft Windows Kernel
DeathNote of Microsoft Windows KernelPeter Hlavaty
 
TDOH x 台科 pwn課程
TDOH x 台科 pwn課程TDOH x 台科 pwn課程
TDOH x 台科 pwn課程Weber Tsai
 
Capturing NIC and Kernel TX and RX Timestamps for Packets in Go
Capturing NIC and Kernel TX and RX Timestamps for Packets in GoCapturing NIC and Kernel TX and RX Timestamps for Packets in Go
Capturing NIC and Kernel TX and RX Timestamps for Packets in GoScyllaDB
 
x86
x86x86
x86Wei-Bo Chen
 
Kernel Recipes 2017 - Understanding the Linux kernel via ftrace - Steven Rostedt
Kernel Recipes 2017 - Understanding the Linux kernel via ftrace - Steven RostedtKernel Recipes 2017 - Understanding the Linux kernel via ftrace - Steven Rostedt
Kernel Recipes 2017 - Understanding the Linux kernel via ftrace - Steven RostedtAnne Nicolas
 
Integrated Register Allocation introduction
Integrated Register Allocation introductionIntegrated Register Allocation introduction
Integrated Register Allocation introductionShiva Chen
 
Writing good std::future&lt;c++>
Writing good std::future&lt;c++>Writing good std::future&lt;c++>
Writing good std::future&lt;c++>corehard_by
 
Writing good std::future&lt;c++>
Writing good std::future&lt;c++>Writing good std::future&lt;c++>
Writing good std::future&lt;c++>Anton Bikineev
 

More Related Content

What's hot

Linux binary Exploitation - Basic knowledge
Linux binary Exploitation - Basic knowledgeLinux binary Exploitation - Basic knowledge
Linux binary Exploitation - Basic knowledgeAngel Boy
 
Windows 10 Nt Heap Exploitation (Chinese version)
Windows 10 Nt Heap Exploitation (Chinese version)Windows 10 Nt Heap Exploitation (Chinese version)
Windows 10 Nt Heap Exploitation (Chinese version)Angel Boy
 
Linux Binary Exploitation - Heap Exploitation
Linux Binary Exploitation - Heap Exploitation Linux Binary Exploitation - Heap Exploitation
Linux Binary Exploitation - Heap Exploitation Angel Boy
 
ROP 輕鬆談
ROP 輕鬆談ROP 輕鬆談
ROP 輕鬆談hackstuff
 
台科逆向簡報
台科逆向簡報台科逆向簡報
台科逆向簡報耀德 蔡
 
Linux Binary Exploitation - Stack buffer overflow
Linux Binary Exploitation - Stack buffer overflowLinux Binary Exploitation - Stack buffer overflow
Linux Binary Exploitation - Stack buffer overflowAngel Boy
 
Modern Kernel Pool Exploitation: Attacks and Techniques
Modern Kernel Pool Exploitation: Attacks and TechniquesModern Kernel Pool Exploitation: Attacks and Techniques
Modern Kernel Pool Exploitation: Attacks and TechniquesMichael Scovetta
 
NTUSTxTDOH - Pwn基礎 2015/12/27
NTUSTxTDOH - Pwn基礎 2015/12/27NTUSTxTDOH - Pwn基礎 2015/12/27
NTUSTxTDOH - Pwn基礎 2015/12/27Sheng-Hao Ma
 
MacOS memory allocator (libmalloc) Exploitation
MacOS memory allocator (libmalloc) ExploitationMacOS memory allocator (libmalloc) Exploitation
MacOS memory allocator (libmalloc) ExploitationAngel Boy
 
Kernel Recipes 2019 - Faster IO through io_uring
Kernel Recipes 2019 - Faster IO through io_uringKernel Recipes 2019 - Faster IO through io_uring
Kernel Recipes 2019 - Faster IO through io_uringAnne Nicolas
 
You didnt see it’s coming? "Dawn of hardened Windows Kernel"
You didnt see it’s coming? "Dawn of hardened Windows Kernel" You didnt see it’s coming? "Dawn of hardened Windows Kernel"
You didnt see it’s coming? "Dawn of hardened Windows Kernel" Peter Hlavaty
 
Return to dlresolve
Return to dlresolveReturn to dlresolve
Return to dlresolveAngel Boy
 
twlkh-linux-vsyscall-and-vdso
twlkh-linux-vsyscall-and-vdsotwlkh-linux-vsyscall-and-vdso
twlkh-linux-vsyscall-and-vdsoViller Hsiao
 
DeathNote of Microsoft Windows Kernel
DeathNote of Microsoft Windows KernelDeathNote of Microsoft Windows Kernel
DeathNote of Microsoft Windows KernelPeter Hlavaty
 
TDOH x 台科 pwn課程
TDOH x 台科 pwn課程TDOH x 台科 pwn課程
TDOH x 台科 pwn課程Weber Tsai
 
Capturing NIC and Kernel TX and RX Timestamps for Packets in Go
Capturing NIC and Kernel TX and RX Timestamps for Packets in GoCapturing NIC and Kernel TX and RX Timestamps for Packets in Go
Capturing NIC and Kernel TX and RX Timestamps for Packets in GoScyllaDB
 
Kernel Recipes 2017 - Understanding the Linux kernel via ftrace - Steven Rostedt
Kernel Recipes 2017 - Understanding the Linux kernel via ftrace - Steven RostedtKernel Recipes 2017 - Understanding the Linux kernel via ftrace - Steven Rostedt
Kernel Recipes 2017 - Understanding the Linux kernel via ftrace - Steven RostedtAnne Nicolas
 
Integrated Register Allocation introduction
Integrated Register Allocation introductionIntegrated Register Allocation introduction
Integrated Register Allocation introductionShiva Chen
 

What's hot (20)

Linux binary Exploitation - Basic knowledge
Linux binary Exploitation - Basic knowledgeLinux binary Exploitation - Basic knowledge
Linux binary Exploitation - Basic knowledge
 
Windows 10 Nt Heap Exploitation (Chinese version)
Windows 10 Nt Heap Exploitation (Chinese version)Windows 10 Nt Heap Exploitation (Chinese version)
Windows 10 Nt Heap Exploitation (Chinese version)
 
Linux Binary Exploitation - Heap Exploitation
Linux Binary Exploitation - Heap Exploitation Linux Binary Exploitation - Heap Exploitation
Linux Binary Exploitation - Heap Exploitation
 
ROP 輕鬆談
ROP 輕鬆談ROP 輕鬆談
ROP 輕鬆談
 
Execution
ExecutionExecution
Execution
 
台科逆向簡報
台科逆向簡報台科逆向簡報
台科逆向簡報
 
Linux Binary Exploitation - Stack buffer overflow
Linux Binary Exploitation - Stack buffer overflowLinux Binary Exploitation - Stack buffer overflow
Linux Binary Exploitation - Stack buffer overflow
 
Modern Kernel Pool Exploitation: Attacks and Techniques
Modern Kernel Pool Exploitation: Attacks and TechniquesModern Kernel Pool Exploitation: Attacks and Techniques
Modern Kernel Pool Exploitation: Attacks and Techniques
 
NTUSTxTDOH - Pwn基礎 2015/12/27
NTUSTxTDOH - Pwn基礎 2015/12/27NTUSTxTDOH - Pwn基礎 2015/12/27
NTUSTxTDOH - Pwn基礎 2015/12/27
 
MacOS memory allocator (libmalloc) Exploitation
MacOS memory allocator (libmalloc) ExploitationMacOS memory allocator (libmalloc) Exploitation
MacOS memory allocator (libmalloc) Exploitation
 
Kernel Recipes 2019 - Faster IO through io_uring
Kernel Recipes 2019 - Faster IO through io_uringKernel Recipes 2019 - Faster IO through io_uring
Kernel Recipes 2019 - Faster IO through io_uring
 
You didnt see it’s coming? "Dawn of hardened Windows Kernel"
You didnt see it’s coming? "Dawn of hardened Windows Kernel" You didnt see it’s coming? "Dawn of hardened Windows Kernel"
You didnt see it’s coming? "Dawn of hardened Windows Kernel"
 
Return to dlresolve
Return to dlresolveReturn to dlresolve
Return to dlresolve
 
twlkh-linux-vsyscall-and-vdso
twlkh-linux-vsyscall-and-vdsotwlkh-linux-vsyscall-and-vdso
twlkh-linux-vsyscall-and-vdso
 
DeathNote of Microsoft Windows Kernel
DeathNote of Microsoft Windows KernelDeathNote of Microsoft Windows Kernel
DeathNote of Microsoft Windows Kernel
 
TDOH x 台科 pwn課程
TDOH x 台科 pwn課程TDOH x 台科 pwn課程
TDOH x 台科 pwn課程
 
Capturing NIC and Kernel TX and RX Timestamps for Packets in Go
Capturing NIC and Kernel TX and RX Timestamps for Packets in GoCapturing NIC and Kernel TX and RX Timestamps for Packets in Go
Capturing NIC and Kernel TX and RX Timestamps for Packets in Go
 
x86
x86x86
x86
 
Kernel Recipes 2017 - Understanding the Linux kernel via ftrace - Steven Rostedt
Kernel Recipes 2017 - Understanding the Linux kernel via ftrace - Steven RostedtKernel Recipes 2017 - Understanding the Linux kernel via ftrace - Steven Rostedt
Kernel Recipes 2017 - Understanding the Linux kernel via ftrace - Steven Rostedt
 
Integrated Register Allocation introduction
Integrated Register Allocation introductionIntegrated Register Allocation introduction
Integrated Register Allocation introduction
 

Similar to Pwning in c++ (basic)

Writing good std::future&lt;c++>
Writing good std::future&lt;c++>Writing good std::future&lt;c++>
Writing good std::future&lt;c++>corehard_by
 
Writing good std::future&lt;c++>
Writing good std::future&lt;c++>Writing good std::future&lt;c++>
Writing good std::future&lt;c++>Anton Bikineev
 
An Introduction to MATLAB for beginners
An Introduction to MATLAB for beginnersAn Introduction to MATLAB for beginners
An Introduction to MATLAB for beginnersMurshida ck
 
Analysis of Haiku Operating System (BeOS Family) by PVS-Studio. Part 2
Analysis of Haiku Operating System (BeOS Family) by PVS-Studio. Part 2Analysis of Haiku Operating System (BeOS Family) by PVS-Studio. Part 2
Analysis of Haiku Operating System (BeOS Family) by PVS-Studio. Part 2PVS-Studio
 
lldb – Debugger auf Abwegen
lldb – Debugger auf Abwegenlldb – Debugger auf Abwegen
lldb – Debugger auf Abwegeninovex GmbH
 
Format String Vulnerability
Format String VulnerabilityFormat String Vulnerability
Format String VulnerabilityJian-Yu Li
 
C++ process new
C++ process newC++ process new
C++ process new敬倫 林
 
An overview of Python 2.7
An overview of Python 2.7An overview of Python 2.7
An overview of Python 2.7decoupled
 
Web-Scale Graph Analytics with Apache® Spark™
Web-Scale Graph Analytics with Apache® Spark™Web-Scale Graph Analytics with Apache® Spark™
Web-Scale Graph Analytics with Apache® Spark™Databricks
 
C++ nothrow movable types
C++ nothrow movable typesC++ nothrow movable types
C++ nothrow movable typesarvidn
 
The Vanishing Pattern: from iterators to generators in Python
The Vanishing Pattern: from iterators to generators in PythonThe Vanishing Pattern: from iterators to generators in Python
The Vanishing Pattern: from iterators to generators in PythonOSCON Byrum
 
Lines and planes in space
Lines and planes in spaceLines and planes in space
Lines and planes in spaceFaizan Shabbir
 
Антон Бикинеев, Writing good std::future&lt; C++ >
Антон Бикинеев, Writing good std::future&lt; C++ >Антон Бикинеев, Writing good std::future&lt; C++ >
Антон Бикинеев, Writing good std::future&lt; C++ >Sergey Platonov
 
constructorsfjy5ediykEASFul;IUWORHusi;gfb.pptx
constructorsfjy5ediykEASFul;IUWORHusi;gfb.pptxconstructorsfjy5ediykEASFul;IUWORHusi;gfb.pptx
constructorsfjy5ediykEASFul;IUWORHusi;gfb.pptxAshrithaRokkam
 
JVM performance options. How it works
JVM performance options. How it worksJVM performance options. How it works
JVM performance options. How it worksDmitriy Dumanskiy
 

Similar to Pwning in c++ (basic) (20)

Writing good std::future&lt;c++>
Writing good std::future&lt;c++>Writing good std::future&lt;c++>
Writing good std::future&lt;c++>
 
Writing good std::future&lt;c++>
Writing good std::future&lt;c++>Writing good std::future&lt;c++>
Writing good std::future&lt;c++>
 
An Introduction to MATLAB for beginners
An Introduction to MATLAB for beginnersAn Introduction to MATLAB for beginners
An Introduction to MATLAB for beginners
 
Analysis of Haiku Operating System (BeOS Family) by PVS-Studio. Part 2
Analysis of Haiku Operating System (BeOS Family) by PVS-Studio. Part 2Analysis of Haiku Operating System (BeOS Family) by PVS-Studio. Part 2
Analysis of Haiku Operating System (BeOS Family) by PVS-Studio. Part 2
 
lldb – Debugger auf Abwegen
lldb – Debugger auf Abwegenlldb – Debugger auf Abwegen
lldb – Debugger auf Abwegen
 
Format String Vulnerability
Format String VulnerabilityFormat String Vulnerability
Format String Vulnerability
 
Python
PythonPython
Python
 
Python_Functions_Unit1.pptx
Python_Functions_Unit1.pptxPython_Functions_Unit1.pptx
Python_Functions_Unit1.pptx
 
C++ process new
C++ process newC++ process new
C++ process new
 
An overview of Python 2.7
An overview of Python 2.7An overview of Python 2.7
An overview of Python 2.7
 
A tour of Python
A tour of PythonA tour of Python
A tour of Python
 
Web-Scale Graph Analytics with Apache® Spark™
Web-Scale Graph Analytics with Apache® Spark™Web-Scale Graph Analytics with Apache® Spark™
Web-Scale Graph Analytics with Apache® Spark™
 
C++ nothrow movable types
C++ nothrow movable typesC++ nothrow movable types
C++ nothrow movable types
 
The Vanishing Pattern: from iterators to generators in Python
The Vanishing Pattern: from iterators to generators in PythonThe Vanishing Pattern: from iterators to generators in Python
The Vanishing Pattern: from iterators to generators in Python
 
Lines and planes in space
Lines and planes in spaceLines and planes in space
Lines and planes in space
 
R and cpp
R and cppR and cpp
R and cpp
 
Matlab introduction
Matlab introductionMatlab introduction
Matlab introduction
 
Антон Бикинеев, Writing good std::future&lt; C++ >
Антон Бикинеев, Writing good std::future&lt; C++ >Антон Бикинеев, Writing good std::future&lt; C++ >
Антон Бикинеев, Writing good std::future&lt; C++ >
 
constructorsfjy5ediykEASFul;IUWORHusi;gfb.pptx
constructorsfjy5ediykEASFul;IUWORHusi;gfb.pptxconstructorsfjy5ediykEASFul;IUWORHusi;gfb.pptx
constructorsfjy5ediykEASFul;IUWORHusi;gfb.pptx
 
JVM performance options. How it works
JVM performance options. How it worksJVM performance options. How it works
JVM performance options. How it works
 

Recently uploaded

Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Patryk Bandurski
 
Build your next Gen AI Breakthrough - April 2024
Build your next Gen AI Breakthrough - April 2024Build your next Gen AI Breakthrough - April 2024
Build your next Gen AI Breakthrough - April 2024Neo4j
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubKalema Edgar
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024Scott Keck-Warren
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Mattias Andersson
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationSlibray Presentation
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationSafe Software
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesSinan KOZAK
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 3652toLead Limited
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Allon Mureinik
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupFlorian Wilhelm
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhisoniya singh
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsMark Billinghurst
 
APIForce Zurich 5 April Automation LPDG
APIForce Zurich 5 April Automation LPDGAPIForce Zurich 5 April Automation LPDG
APIForce Zurich 5 April Automation LPDGMarianaLemus7
 

Recently uploaded (20)

Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
 
Build your next Gen AI Breakthrough - April 2024
Build your next Gen AI Breakthrough - April 2024Build your next Gen AI Breakthrough - April 2024
Build your next Gen AI Breakthrough - April 2024
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding Club
 
Vulnerability_Management_GRC_by Sohang Sengupta.pptx
Vulnerability_Management_GRC_by Sohang Sengupta.pptxVulnerability_Management_GRC_by Sohang Sengupta.pptx
Vulnerability_Management_GRC_by Sohang Sengupta.pptx
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck Presentation
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen Frames
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
 
The transition to renewables in India.pdf
The transition to renewables in India.pdfThe transition to renewables in India.pdf
The transition to renewables in India.pdf
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project Setup
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
DMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special EditionDMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special Edition
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
 
APIForce Zurich 5 April Automation LPDG
APIForce Zurich 5 April Automation LPDGAPIForce Zurich 5 April Automation LPDG
APIForce Zurich 5 April Automation LPDG
 
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptxE-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
 

Pwning in c++ (basic)

  • 1. Linux Binary Exploitation C++ Exploitation angelboy@chroot.org 1
  • 2. Outline • Name Mangling • Virtual function table • Vtable Hijacking • Vector & String • New & delete • Copy constructor & assignment operator 2
  • 3. Outline • Name Mangling • Virtual function table • Vtable Hijacking • Vector & String • New & delete • Copy constructor & assignment operator 3
  • 4. Name Mangling • C++ 為了了 Overloading 時,可以讓 compiler 和 linker 可以辨別出相同 function 名稱,參參數不同的 function 引⽤用的機制 • 使 programer 在不同的 namespace 底下可以有 著多個相同名稱的 function 4
  • 5. Name Mangling • ⽽而在 compiler 和 linker 處理理 symbol 時,就會使 ⽤用該機制讓每個 function 名對應到⼀一個修飾過後 的名稱 • C++ 中全域變數和靜態變數也有相同的機制 5
  • 6. Name Mangling • 在 gdb 中可以使⽤用下列列指令讓 function 好看⼀一點 • set print asm-demangle on 6
  • 7. Outline • Name Mangling • Virtual function table • Vector & String • New & delete • Copy constructor & assignment operator 7
  • 8. Virtual function table • Virtual function is a key mechanism to support polymorphism in C++ • For each class with virtual functions, depending on the class inheritance hierarchy, the compiler will create one or more associated virtual function table 8
  • 9. Virtual function table 9 writable section (heap) typeinfo Person::speak() Person::phd() typeinfo Stu::speak() Person::phd() Stu::pwn() read-only section vtable for Person vtable for Stu compiler generates the table for all class
  • 10. Virtual function table 10 writable section (heap) ddaa meh vfptr a vfptr b typeinfo Person::speak() Person::phd() typeinfo Stu::speak() Person::phd() Stu::pwn() read-only section vtable for Person vtable for Stu new a Person and a Stu object
  • 11. Virtual function table 11 writable section (heap) ddaa meh vfptr a vfptr b typeinfo Person::speak() Person::phd() typeinfo Stu::speak() Person::phd() Stu::pwn() read-only section vtable for Person vtable for Stu ddaa->speak()
  • 12. Virtual function table 12 writable section (heap) ddaa meh vfptr a vfptr b typeinfo Person::speak() Person::phd() typeinfo Stu::speak() Person::phd() Stu::pwn() read-only section vtable for Person vtable for Stu vfptr == *ddaa 取 vfptr
  • 13. Virtual function table 13 writable section (heap) ddaa meh vfptr a vfptr b typeinfo Person::speak() Person::phd() typeinfo Stu::speak() Person::phd() Stu::pwn() read-only section vtable for Person vtable for Stu call *vfptr (Person::speak(ddaa))
  • 14. Virtual function table 14 writable section (heap) ddaa meh vfptr a vfptr b typeinfo Person::speak() Person::phd() typeinfo Stu::speak() Person::phd() Stu::pwn() read-only section vtable for Person vtable for Stu meh->speak()
  • 15. Virtual function table 15 writable section (heap) ddaa meh vfptr a vfptr b typeinfo Person::speak() Person::phd() typeinfo Stu::speak() Person::phd() Stu::pwn() read-only section vtable for Person vtable for Stu vfptr == *meh 取 vfptr
  • 16. Virtual function table 16 writable section (heap) ddaa meh vfptr a vfptr b typeinfo Person::speak() Person::phd() typeinfo Stu::speak() Person::phd() Stu::pwn() read-only section vtable for Person vtable for Stu call *vfptr (Stu::speak(meh))
  • 17. Virtual function table 17 writable section (heap) ddaa meh vfptr a vfptr b typeinfo Person::speak() Person::phd() typeinfo Stu::speak() Person::phd() Stu::pwn() read-only section vtable for Person vtable for Stu meh->pwn()
  • 18. Virtual function table 18 writable section (heap) ddaa meh vfptr a vfptr b typeinfo Person::speak() Person::phd() typeinfo Stu::speak() Person::phd() Stu::pwn() read-only section vtable for Person vtable for Stu vfptr == *meh 取 vfptr
  • 19. Virtual function table 19 writable section (heap) ddaa meh vfptr a vfptr b typeinfo Person::speak() Person::phd() typeinfo Stu::speak() Person::phd() Stu::pwn() read-only section vtable for Person vtable for Stu call *(vfptr+0x10) (Stu::pwn(meh))
  • 20. Vtable Hijacking • Need other vulnerabilities • Use-after-free, Heap overflow …. • Force the table and Hijack the vfptr • Because the vfptr is writable 20
  • 22. Vtable Hijacking 22 writable section (heap) meh &shellcode 0xddaa ddaa 0xdead typeinfo Person::speak() Person::phd() typeinfo Stu::speak() Person::phd() Stu::pwn() read-only section vtable for Person vtable for Stu heap overflow forces a vtabe in ddaa and hijack the vfptr of meh ddaa
  • 26. Vtable Hijacking 26 writable section (heap) meh &shellcode 0xddaa ddaa 0xdead 0xbeef typeinfo Person::speak() Person::phd() typeinfo Stu::speak() Person::phd() Stu::pwn() read-only section vtable for Person vtable for Stu ddaa call *(vfptr) (call shellcode(meh)) PWN !! 但通常會有 DEP/NX 保護,可能要跳 libc 中的 one-gadget 或是其他可利利⽤用的地⽅方
  • 27. Outline • Name Mangling • Virtual function table • Vector & String • New & delete • Copy constructor & assignment operator 27
  • 28. Vector & String • Vector • A dynamic array • 分配在 heap 段 • 比⼀一般 c 中的陣列列更更有彈性,當空間不夠⼤大時 會重新兩兩倍⼤大的的⼩小來來放置新的 vector ,再把 原本的空間還給系統 28
  • 29. Vector & String • Vector • member • _M_start : vector 起始位置 • vector::begin() • _M_finish : vector 結尾位置 • vector::end() • _M_end_of_storage :容器最後位置 • if _M_finish == _M_end_of_storage in push_back • It will alloca a new space for the vector • 以這個來來判斷空間是否⾜足夠放元素 29
  • 30. Vector & String • Vector • member function • push_back : 在 vector 最後加入新元素 • pop_back : 移除 vector 最後⼀一個元素 • insert :插入元素到 vector 第 n 個位置 • erase :移除 vector 中第 n 個元素 • …… 30
  • 31. Vector & String • Vector layout 31 vector <string> vec _M_start _M_finish _M_end_of_storage
  • 32. Vector & String • Vector layout 32 vec.push_back(“meh”) _M_start _M_finish _M_end_of_storage address of meh string
  • 33. Vector & String • Vector layout 33 vec.push_back(“meheap”) _M_start _M_finish _M_end_of_storage address of meh string 因為 _M_finish == _ M_end_of_storage 所以會先從新 new ⼀一塊新的 vector 並把舊的值複製過去 再將藍藍⾊色那塊 delete 掉
  • 34. Vector & String • Vector layout 34 vec.push_back(“meheap”) _M_start _M_finish _M_end_of_storage address of meh string address of meh string address of meheap string
  • 35. Vector & String • Vector layout 35 vec.push_back(“meh.py”) _M_start _M_finish _M_end_of_storage address of meh string address of meh string address of meheap string address of meh string address of meheap string address of meh.py string
  • 36. Vector & String • Vector layout 36 vec.push_back(“pwn”) _M_start _M_finish _M_end_of_storage address of meh string address of meh string address of meheap string address of meh string address of meheap string address of meh.py string address of pwn string
  • 37. Vector & String • Vector layout 37 vec.pop_back() _M_start _M_finish _M_end_of_storage address of meh string address of meh string address of meheap string address of meh string address of meheap string address of meh.py string address of pwn string call destructor of pwn string
  • 38. Vector & String • Vector layout 38 vec.pop_back() _M_start _M_finish _M_end_of_storage address of meh string address of meh string address of meheap string address of meh string address of meheap string address of meh.py string address of pwn string
  • 39. Vector & String • String • a dynamic char array • 比起以往的字串串陣列列更更加安全,全部動態配置記憶體空間, 減少⼀一般 buffer overflow 的發⽣生 • 在給定 input 時,會不斷重新分配空間給 user 直到結束後, 就會回傳適當的⼤大⼩小給 user • 有許多種實作⽅方式,這邊介紹最常⾒見見的⼀一種 • g++ < 5 39
  • 40. Vector & String • String • member • size :字串串的長度 • Capacity : 該 string 空間的容量量 • reference count : 引⽤用計數 • 只要有其他元素引⽤用該字串串就會增加 • 如果其他元素不引⽤用了了,也會減少 • 當 reference == 0 時就會,將空間 delete 掉 • value : 存放字串串內容 40
  • 41. Vector & String • String • member function • length() : string ⼤大⼩小 • capacity() : ⽬目前 string 空間容量量 • c_str() : Get C string equivalent • …… 41
  • 42. Vector & String • String layout 42 str string str cin >> str
  • 43. Vector & String • String layout 43 str string str cin >> str input : aa size = 2 capacity = 2 refcnt = 0 aa
  • 44. Vector & String • String layout 44 str string str cin >> str input : aaa size = 2 capacity = 2 refcnt = -1 aa size = 3 capacity = 4 refcnt = 0 aaa
  • 45. Vector & String • String layout 45 str string str cin >> str input : aaaaa size = 2 capacity = 2 refcnt = -1 aa size = 4 capacity = 4 refcnt = -1 aaaa size = 5 capacity = 8 refcnt = 0 aaaaa
  • 46. Vector & String • String layout 46 str string str cin >> str input : a*125 size = 2 capacity = 2 refcnt = -1 aa size = 4 capacity = 4 refcnt = -1 aaaa size = 8 capacity = 8 refcnt = -1 aaaaaaaa size = 125 capacity = 128 refcnt = 0 a*125 依此類推 capacity 會 不斷以⼆二的指數倍增長 直到 input 結束 . . .
  • 47. Vector & String • String layout 47 str vector<string> vec vec.push_back(str) size = 2 capacity = 2 refcnt = -1 aa size = 4 capacity = 4 refcnt = -1 aaaa size = 8 capacity = 8 refcnt = -1 aaaaaaaa size = 125 capacity = 128 refcnt = 1 a*125 _M_start _M_finish _M_end_of_storage str . . .
  • 48. Vector & String • String layout 48 str size = 2 capacity = 2 refcnt = -1 aa size = 4 capacity = 4 refcnt = -1 aaaa size = 8 capacity = 8 refcnt = -1 aaaaaaaa size = 125 capacity = 128 refcnt = 2 a*125 _M_start _M_finish _M_end_of_storage str str str vector<string> vec vec.push_back(str) vec.push_back(str) . . .
  • 49. Vector & String • String layout 49 str size = 2 capacity = 2 refcnt = -1 aa size = 4 capacity = 4 refcnt = -1 aaaa size = 8 capacity = 8 refcnt = -1 aaaaaaaa size = 125 capacity = 128 refcnt = 1 a*125 _M_start _M_finish _M_end_of_storage str str str vec.pop_back() 這邊會 call str destuctor 但不會 delete 空間 . . .
  • 50. Vector & String • String layout 50 str size = 2 capacity = 2 refcnt = -1 aa size = 4 capacity = 4 refcnt = -1 aaaa size = 8 capacity = 8 refcnt = -1 aaaaaaaa size = 125 capacity = 128 refcnt = 0 a*125 _M_start _M_finish _M_end_of_storage str str str vec.pop_back() 這邊會 call str destuctor 但不會 delete 空間 . . .
  • 51. Vector & String • String layout 51 size = 2 capacity = 2 refcnt = -1 aa size = 4 capacity = 4 refcnt = -1 aaaa size = 8 capacity = 8 refcnt = -1 aaaaaaaa size = 125 capacity = 128 refcnt = -1 a*125 _M_start _M_finish _M_end_of_storage str str str end of scope 這邊會 call str destuctor 因 refcnt < 0 會做 delete . . .
  • 52. Vector & String • String • g++ > 5 之後取消了了 Copy-on-Write 機制 • 所以少掉了了 reference count 這個欄欄位 • 在 data length • <= 15 時會⽤用 local buffer • > 15 時則會在 heap allocate 空間給 data 使⽤用 52
  • 53. Vector & String • String • data pointer : 指向 data 位置 • size : 分配出去 string 的長度 • union • local buffer : 在 size <= 15 時會直接把這欄欄位拿來來存 data • allocated capacity : size > 15 時會拿來來紀錄 capcity 53
  • 54. Vector & String • String • size < 15 54 data pointer size = 15 aaaaaaaa aaaaaaaa
  • 55. Vector & String • String • size > 15 55 data pointer size = 17 capacity = 30 0 aaaaaaaa aaaaaaaa a heap
  • 56. Outline • Name Mangling • Virtual function table • Vector & String • New & delete • Copy constructor & assignment operator 56
  • 57. New & Delete • 在 c++ 預設的情況下 ,new/delete 的最底層實作依舊是靠 malloc/free 去處理理記憶體管理理 • 在 c++ 中,記憶體配置池稱為 free store ,但預設情況下 free store 位置是在 heap • 不過事實上 new/delete 是可以 overloading 的,也就是⾃自⾏行行去 做記憶體管理理,另外最⼤大差別就是new/delete 實際上會去 call constructor/destructor ⽽而 malloc/free 只做單純的記憶體配置 • 因此盡量量不要讓 malloc/free 與 new/delete 混⽤用,不然可能會 出現⼀一些不可預期的狀狀況 57
  • 58. New & Delete • new ⼤大致上流程 • operator new • 與 malloc 類似,單純配置記憶體空間,但配置失敗會進入 exception ⽽而 malloc 則是返回 null ,有點像在 malloc 上⼀一層 wrapper • constructor • delete ⼤大致上流程 • destructor • operator delete • 與 free 類似,釋放⼀一塊記憶體空間,有點像是在 free 上⼀一層 wrapper 58
  • 59. New & Delete • 因此 new/delete 及 operator new / operator delete 也應該成對配對 • 記憶體函式配對 59 配置函式 解除函式 new delete new [] delete [] operator new operator delete operator new[] operator delete[] malloc free
  • 60. Outline • Name Mangling • Virtual function table • Vector & String • New & delete • Copy constructor & assignment operator 60
  • 61. What’s wrong in this code 61
  • 62. What’s wrong in this code 62
  • 63. Copy constructor & assignment operator • shallow copy • 只做單純 pointer (value) 的複製,複製完後內 容與原本的相同 • deep copy • 會在配置更更多記憶體空間,包含 pointer 所指向 的內容也都⼀一併複製 63
  • 64. Copy constructor & assignment operator • shallow copy 64 name orange StuA
  • 65. Copy constructor & assignment operator • shallow copy 65 name orange name StuA StuB
  • 66. Copy constructor & assignment operator • deep copy 66 name orange StuA
  • 67. Copy constructor & assignment operator • deep copy 67 name orange name StuA StuB orange
  • 68. Copy constructor & assignment operator • Copy constructor • c++ 在進⾏行行複製 object 會使⽤用 copy constructor • 通常 class 的 member 有指標時,就需要⾃自⾏行行 去實作 • 若若未特別定義則會使⽤用 default copy constructor • 只做 shallow copy 68
  • 69. Copy constructor & assignment operator • Assignment operator • c++ 在進⾏行行 “=“ 這個 operator 時 object 會使⽤用 assignment operator 這個 function 去 assign object 的 值 • 通常 class 的 member 有指標時,就需要⾃自⾏行行去實作 • 若若未特別定義則會使⽤用 default assignment operator • 只做 shallow copy 69
  • 70. Copy constructor & assignment operator • 何時會使⽤用 copy constructor • func(Stu stu) • return stu • vector 等 STL 容器 • …. 70
  • 71. Copy constructor & assignment operator • 何時會使⽤用 assignment operator • stuA = stuB • vector 等 STL 容器 • e.g. vector.erase() • … 71
  • 72. Copy constructor & assignment operator 72 call constructor id name vector
  • 73. Copy constructor & assignment operator 73 new char [str.length() + 1] id = 1337 name orange vector
  • 74. Copy constructor & assignment operator 74 push_back(student) id = 1337 name orange vector id = 1337 name copy the value to vector using shadow copy
  • 75. Copy constructor & assignment operator 75 ~Stu() id = 1337 name orange vector id = 1337 name 因 student 的 life time 結束 所以 call destructor
  • 76. Copy constructor & assignment operator 76 delete [] name id = 1337 name orange vector id = 1337 name
  • 77. Copy constructor & assignment operator 77 ~vector() id = 1337 name orange vector id = 1337 name 因 stulist 的 life time 結束 所以 call destructor
  • 78. Copy constructor & assignment operator 78 ~Stu() id = 1337 name orange vector id = 1337 name vector 會去 依次去呼叫 內容的 destructor
  • 79. Copy constructor & assignment operator 79 delete [] name id = 1337 name orange vector id = 1337 name
  • 80. Copy constructor & assignment operator 80 delete [] name id = 1337 name orange vector id = 1337 name double free
  • 81. Copy constructor & assignment operator • 總結 • 基本上 c++ 在只要做任何複製的動作時通常都 會去使⽤用 copy constructor 或者是 assignment operator • 所以基本上物件只要有 pointer 都盡量量養成習慣 去定義 copy constructor 跟 assignment opeator 81
  • 83. Q & A