SlideShare a Scribd company logo

Pwning in c++ (basic)

A
Angel Boy

Security in c++

1 of 83
Download to read offline
Linux Binary Exploitation
C++ Exploitation
angelboy@chroot.org
1
Outline
• Name Mangling
• Virtual function table
• Vtable Hijacking
• Vector & String
• New & delete
• Copy constructor & assignment operator
2
Outline
• Name Mangling
• Virtual function table
• Vtable Hijacking
• Vector & String
• New & delete
• Copy constructor & assignment operator
3
Name Mangling
• C++ 為了了 Overloading 時,可以讓 compiler 和
linker 可以辨別出相同 function 名稱,參參數不同的
function 引⽤用的機制
• 使 programer 在不同的 namespace 底下可以有
著多個相同名稱的 function
4
Name Mangling
• ⽽而在 compiler 和 linker 處理理 symbol 時,就會使
⽤用該機制讓每個 function 名對應到⼀一個修飾過後
的名稱
• C++ 中全域變數和靜態變數也有相同的機制
5
Name Mangling
• 在 gdb 中可以使⽤用下列列指令讓 function 好看⼀一點
• set print asm-demangle on
6
Ad

Recommended

Heap exploitation
Heap exploitationHeap exploitation
Heap exploitationAngel Boy
 
Play with FILE Structure - Yet Another Binary Exploit Technique
Play with FILE Structure - Yet Another Binary Exploit TechniquePlay with FILE Structure - Yet Another Binary Exploit Technique
Play with FILE Structure - Yet Another Binary Exploit TechniqueAngel Boy
 
Linux Binary Exploitation - Return-oritend Programing
Linux Binary Exploitation - Return-oritend ProgramingLinux Binary Exploitation - Return-oritend Programing
Linux Binary Exploitation - Return-oritend ProgramingAngel Boy
 
Binary exploitation - AIS3
Binary exploitation - AIS3Binary exploitation - AIS3
Binary exploitation - AIS3Angel Boy
 
ROP 輕鬆談
ROP 輕鬆談ROP 輕鬆談
ROP 輕鬆談hackstuff
 
Advanced heap exploitaion
Advanced heap exploitaionAdvanced heap exploitaion
Advanced heap exploitaionAngel Boy
 
Windows 10 Nt Heap Exploitation (English version)
Windows 10 Nt Heap Exploitation (English version)Windows 10 Nt Heap Exploitation (English version)
Windows 10 Nt Heap Exploitation (English version)Angel Boy
 
Windows 10 Nt Heap Exploitation (Chinese version)
Windows 10 Nt Heap Exploitation (Chinese version)Windows 10 Nt Heap Exploitation (Chinese version)
Windows 10 Nt Heap Exploitation (Chinese version)Angel Boy
 

More Related Content

What's hot

台科逆向簡報
台科逆向簡報台科逆向簡報
台科逆向簡報耀德 蔡
 
Linux SMEP bypass techniques
Linux SMEP bypass techniquesLinux SMEP bypass techniques
Linux SMEP bypass techniquesVitaly Nikolenko
 
MacOS memory allocator (libmalloc) Exploitation
MacOS memory allocator (libmalloc) ExploitationMacOS memory allocator (libmalloc) Exploitation
MacOS memory allocator (libmalloc) ExploitationAngel Boy
 
Return to dlresolve
Return to dlresolveReturn to dlresolve
Return to dlresolveAngel Boy
 
Sigreturn Oriented Programming
Sigreturn Oriented ProgrammingSigreturn Oriented Programming
Sigreturn Oriented ProgrammingAngel Boy
 
Solid C++ by Example
Solid C++ by ExampleSolid C++ by Example
Solid C++ by ExampleOlve Maudal
 
twlkh-linux-vsyscall-and-vdso
twlkh-linux-vsyscall-and-vdsotwlkh-linux-vsyscall-and-vdso
twlkh-linux-vsyscall-and-vdsoViller Hsiao
 
TDOH x 台科 pwn課程
TDOH x 台科 pwn課程TDOH x 台科 pwn課程
TDOH x 台科 pwn課程Weber Tsai
 
Tcache Exploitation
Tcache ExploitationTcache Exploitation
Tcache ExploitationAngel Boy
 
Linux Binary Exploitation - Heap Exploitation
Linux Binary Exploitation - Heap Exploitation Linux Binary Exploitation - Heap Exploitation
Linux Binary Exploitation - Heap Exploitation Angel Boy
 
Linux binary Exploitation - Basic knowledge
Linux binary Exploitation - Basic knowledgeLinux binary Exploitation - Basic knowledge
Linux binary Exploitation - Basic knowledgeAngel Boy
 
Linux Binary Exploitation - Stack buffer overflow
Linux Binary Exploitation - Stack buffer overflowLinux Binary Exploitation - Stack buffer overflow
Linux Binary Exploitation - Stack buffer overflowAngel Boy
 
Debugging linux kernel tools and techniques
Debugging linux kernel tools and  techniquesDebugging linux kernel tools and  techniques
Debugging linux kernel tools and techniquesSatpal Parmar
 
Insecure coding in C (and C++)
Insecure coding in C (and C++)Insecure coding in C (and C++)
Insecure coding in C (and C++)Olve Maudal
 
滲透測試 Talk @ Nisra
滲透測試 Talk @ Nisra滲透測試 Talk @ Nisra
滲透測試 Talk @ NisraOrange Tsai
 
The Microkernel Mach Under NeXTSTEP
The Microkernel Mach Under NeXTSTEPThe Microkernel Mach Under NeXTSTEP
The Microkernel Mach Under NeXTSTEPGregor Schmidt
 

What's hot (20)

台科逆向簡報
台科逆向簡報台科逆向簡報
台科逆向簡報
 
Linux SMEP bypass techniques
Linux SMEP bypass techniquesLinux SMEP bypass techniques
Linux SMEP bypass techniques
 
MacOS memory allocator (libmalloc) Exploitation
MacOS memory allocator (libmalloc) ExploitationMacOS memory allocator (libmalloc) Exploitation
MacOS memory allocator (libmalloc) Exploitation
 
Return to dlresolve
Return to dlresolveReturn to dlresolve
Return to dlresolve
 
Sigreturn Oriented Programming
Sigreturn Oriented ProgrammingSigreturn Oriented Programming
Sigreturn Oriented Programming
 
Solid C++ by Example
Solid C++ by ExampleSolid C++ by Example
Solid C++ by Example
 
twlkh-linux-vsyscall-and-vdso
twlkh-linux-vsyscall-and-vdsotwlkh-linux-vsyscall-and-vdso
twlkh-linux-vsyscall-and-vdso
 
x86
x86x86
x86
 
Execution
ExecutionExecution
Execution
 
TDOH x 台科 pwn課程
TDOH x 台科 pwn課程TDOH x 台科 pwn課程
TDOH x 台科 pwn課程
 
Tcache Exploitation
Tcache ExploitationTcache Exploitation
Tcache Exploitation
 
Linux Binary Exploitation - Heap Exploitation
Linux Binary Exploitation - Heap Exploitation Linux Binary Exploitation - Heap Exploitation
Linux Binary Exploitation - Heap Exploitation
 
Linux binary Exploitation - Basic knowledge
Linux binary Exploitation - Basic knowledgeLinux binary Exploitation - Basic knowledge
Linux binary Exploitation - Basic knowledge
 
Linux Binary Exploitation - Stack buffer overflow
Linux Binary Exploitation - Stack buffer overflowLinux Binary Exploitation - Stack buffer overflow
Linux Binary Exploitation - Stack buffer overflow
 
Debugging linux kernel tools and techniques
Debugging linux kernel tools and  techniquesDebugging linux kernel tools and  techniques
Debugging linux kernel tools and techniques
 
Insecure coding in C (and C++)
Insecure coding in C (and C++)Insecure coding in C (and C++)
Insecure coding in C (and C++)
 
How A Compiler Works: GNU Toolchain
How A Compiler Works: GNU ToolchainHow A Compiler Works: GNU Toolchain
How A Compiler Works: GNU Toolchain
 
The Internals of "Hello World" Program
The Internals of "Hello World" ProgramThe Internals of "Hello World" Program
The Internals of "Hello World" Program
 
滲透測試 Talk @ Nisra
滲透測試 Talk @ Nisra滲透測試 Talk @ Nisra
滲透測試 Talk @ Nisra
 
The Microkernel Mach Under NeXTSTEP
The Microkernel Mach Under NeXTSTEPThe Microkernel Mach Under NeXTSTEP
The Microkernel Mach Under NeXTSTEP
 

Similar to Pwning in c++ (basic)

Writing good std::future<c++>
Writing good std::future<c++>Writing good std::future<c++>
Writing good std::future<c++>Anton Bikineev
 
Writing good std::future<c++>
Writing good std::future<c++>Writing good std::future<c++>
Writing good std::future<c++>corehard_by
 
An Introduction to MATLAB for beginners
An Introduction to MATLAB for beginnersAn Introduction to MATLAB for beginners
An Introduction to MATLAB for beginnersMurshida ck
 
Analysis of Haiku Operating System (BeOS Family) by PVS-Studio. Part 2
Analysis of Haiku Operating System (BeOS Family) by PVS-Studio. Part 2Analysis of Haiku Operating System (BeOS Family) by PVS-Studio. Part 2
Analysis of Haiku Operating System (BeOS Family) by PVS-Studio. Part 2PVS-Studio
 
lldb – Debugger auf Abwegen
lldb – Debugger auf Abwegenlldb – Debugger auf Abwegen
lldb – Debugger auf Abwegeninovex GmbH
 
Format String Vulnerability
Format String VulnerabilityFormat String Vulnerability
Format String VulnerabilityJian-Yu Li
 
C++ process new
C++ process newC++ process new
C++ process new敬倫 林
 
An overview of Python 2.7
An overview of Python 2.7An overview of Python 2.7
An overview of Python 2.7decoupled
 
Web-Scale Graph Analytics with Apache® Spark™
Web-Scale Graph Analytics with Apache® Spark™Web-Scale Graph Analytics with Apache® Spark™
Web-Scale Graph Analytics with Apache® Spark™Databricks
 
C++ nothrow movable types
C++ nothrow movable typesC++ nothrow movable types
C++ nothrow movable typesarvidn
 
The Vanishing Pattern: from iterators to generators in Python
The Vanishing Pattern: from iterators to generators in PythonThe Vanishing Pattern: from iterators to generators in Python
The Vanishing Pattern: from iterators to generators in PythonOSCON Byrum
 
Lines and planes in space
Lines and planes in spaceLines and planes in space
Lines and planes in spaceFaizan Shabbir
 
Антон Бикинеев, Writing good std::future< C++ >
Антон Бикинеев, Writing good std::future< C++ >Антон Бикинеев, Writing good std::future< C++ >
Антон Бикинеев, Writing good std::future< C++ >Sergey Platonov
 
JVM performance options. How it works
JVM performance options. How it worksJVM performance options. How it works
JVM performance options. How it worksDmitriy Dumanskiy
 
Analyzing the Performance Effects of Meltdown + Spectre on Apache Spark Workl...
Analyzing the Performance Effects of Meltdown + Spectre on Apache Spark Workl...Analyzing the Performance Effects of Meltdown + Spectre on Apache Spark Workl...
Analyzing the Performance Effects of Meltdown + Spectre on Apache Spark Workl...Databricks
 

Similar to Pwning in c++ (basic) (20)

Writing good std::future<c++>
Writing good std::future<c++>Writing good std::future<c++>
Writing good std::future<c++>
 
Writing good std::future<c++>
Writing good std::future<c++>Writing good std::future<c++>
Writing good std::future<c++>
 
An Introduction to MATLAB for beginners
An Introduction to MATLAB for beginnersAn Introduction to MATLAB for beginners
An Introduction to MATLAB for beginners
 
Analysis of Haiku Operating System (BeOS Family) by PVS-Studio. Part 2
Analysis of Haiku Operating System (BeOS Family) by PVS-Studio. Part 2Analysis of Haiku Operating System (BeOS Family) by PVS-Studio. Part 2
Analysis of Haiku Operating System (BeOS Family) by PVS-Studio. Part 2
 
lldb – Debugger auf Abwegen
lldb – Debugger auf Abwegenlldb – Debugger auf Abwegen
lldb – Debugger auf Abwegen
 
Format String Vulnerability
Format String VulnerabilityFormat String Vulnerability
Format String Vulnerability
 
Python
PythonPython
Python
 
Python_Functions_Unit1.pptx
Python_Functions_Unit1.pptxPython_Functions_Unit1.pptx
Python_Functions_Unit1.pptx
 
C++ process new
C++ process newC++ process new
C++ process new
 
An overview of Python 2.7
An overview of Python 2.7An overview of Python 2.7
An overview of Python 2.7
 
A tour of Python
A tour of PythonA tour of Python
A tour of Python
 
Web-Scale Graph Analytics with Apache® Spark™
Web-Scale Graph Analytics with Apache® Spark™Web-Scale Graph Analytics with Apache® Spark™
Web-Scale Graph Analytics with Apache® Spark™
 
C++ nothrow movable types
C++ nothrow movable typesC++ nothrow movable types
C++ nothrow movable types
 
The Vanishing Pattern: from iterators to generators in Python
The Vanishing Pattern: from iterators to generators in PythonThe Vanishing Pattern: from iterators to generators in Python
The Vanishing Pattern: from iterators to generators in Python
 
Lines and planes in space
Lines and planes in spaceLines and planes in space
Lines and planes in space
 
R and cpp
R and cppR and cpp
R and cpp
 
Matlab introduction
Matlab introductionMatlab introduction
Matlab introduction
 
Антон Бикинеев, Writing good std::future< C++ >
Антон Бикинеев, Writing good std::future< C++ >Антон Бикинеев, Writing good std::future< C++ >
Антон Бикинеев, Writing good std::future< C++ >
 
JVM performance options. How it works
JVM performance options. How it worksJVM performance options. How it works
JVM performance options. How it works
 
Analyzing the Performance Effects of Meltdown + Spectre on Apache Spark Workl...
Analyzing the Performance Effects of Meltdown + Spectre on Apache Spark Workl...Analyzing the Performance Effects of Meltdown + Spectre on Apache Spark Workl...
Analyzing the Performance Effects of Meltdown + Spectre on Apache Spark Workl...
 

Recently uploaded

Bit N Build Poland
Bit N Build PolandBit N Build Poland
Bit N Build PolandGDSC PJATK
 
The Future of Product, by Founder & CEO, Product School
The Future of Product, by Founder & CEO, Product SchoolThe Future of Product, by Founder & CEO, Product School
The Future of Product, by Founder & CEO, Product SchoolProduct School
 
Leveraging SLF4j for Effective Logging in IBM App Connect Enterprise.docx
Leveraging SLF4j for Effective Logging in IBM App Connect Enterprise.docxLeveraging SLF4j for Effective Logging in IBM App Connect Enterprise.docx
Leveraging SLF4j for Effective Logging in IBM App Connect Enterprise.docxVotarikari Shravan
 
Importance of magazines in education ppt
Importance of magazines in education pptImportance of magazines in education ppt
Importance of magazines in education pptsafnarafeek2002
 
"Journey of Aspiration: Unveiling the Path to Becoming a Technocrat and Entre...
"Journey of Aspiration: Unveiling the Path to Becoming a Technocrat and Entre..."Journey of Aspiration: Unveiling the Path to Becoming a Technocrat and Entre...
"Journey of Aspiration: Unveiling the Path to Becoming a Technocrat and Entre...shaiyuvasv
 
Progress Report: Ministry of IT under Dr. Umar Saif Aug 23-Feb'24
Progress Report: Ministry of IT under Dr. Umar Saif Aug 23-Feb'24Progress Report: Ministry of IT under Dr. Umar Saif Aug 23-Feb'24
Progress Report: Ministry of IT under Dr. Umar Saif Aug 23-Feb'24Umar Saif
 
IT Nation Evolve event 2024 - Quarter 1
IT Nation Evolve event 2024  - Quarter 1IT Nation Evolve event 2024  - Quarter 1
IT Nation Evolve event 2024 - Quarter 1Inbay UK
 
How we think about an advisor tech stack
How we think about an advisor tech stackHow we think about an advisor tech stack
How we think about an advisor tech stackSummit
 
2024 February Patch Tuesday
2024 February Patch Tuesday2024 February Patch Tuesday
2024 February Patch TuesdayIvanti
 
Introduction to Multimodal LLMs with LLaVA
Introduction to Multimodal LLMs with LLaVAIntroduction to Multimodal LLMs with LLaVA
Introduction to Multimodal LLMs with LLaVARobert McDermott
 
"Testing of Helm Charts or There and Back Again", Yura Rochniak
"Testing of Helm Charts or There and Back Again", Yura Rochniak"Testing of Helm Charts or There and Back Again", Yura Rochniak
"Testing of Helm Charts or There and Back Again", Yura RochniakFwdays
 
My self introduction to know others abut me
My self  introduction to know others abut meMy self  introduction to know others abut me
My self introduction to know others abut meManoj Prabakar B
 
Enhancing Productivity and Insight A Tour of JDK Tools Progress Beyond Java 17
Enhancing Productivity and Insight  A Tour of JDK Tools Progress Beyond Java 17Enhancing Productivity and Insight  A Tour of JDK Tools Progress Beyond Java 17
Enhancing Productivity and Insight A Tour of JDK Tools Progress Beyond Java 17Ana-Maria Mihalceanu
 
How to write an effective Cyber Incident Response Plan
How to write an effective Cyber Incident Response PlanHow to write an effective Cyber Incident Response Plan
How to write an effective Cyber Incident Response PlanDatabarracks
 
Campotel: Telecommunications Infra and Network Builder - Company Profile
Campotel: Telecommunications Infra and Network Builder - Company ProfileCampotel: Telecommunications Infra and Network Builder - Company Profile
Campotel: Telecommunications Infra and Network Builder - Company ProfileCampotelPhilippines
 
Breaking Barriers & Leveraging the Latest Developments in AI Technology
Breaking Barriers & Leveraging the Latest Developments in AI TechnologyBreaking Barriers & Leveraging the Latest Developments in AI Technology
Breaking Barriers & Leveraging the Latest Developments in AI TechnologySafe Software
 
"How we created an SRE team in Temabit as a part of FOZZY Group in conditions...
"How we created an SRE team in Temabit as a part of FOZZY Group in conditions..."How we created an SRE team in Temabit as a part of FOZZY Group in conditions...
"How we created an SRE team in Temabit as a part of FOZZY Group in conditions...Fwdays
 
"Running Open-Source LLM models on Kubernetes", Volodymyr Tsap
"Running Open-Source LLM models on Kubernetes",  Volodymyr Tsap"Running Open-Source LLM models on Kubernetes",  Volodymyr Tsap
"Running Open-Source LLM models on Kubernetes", Volodymyr TsapFwdays
 
Power of 2024 - WITforce Odyssey.pptx.pdf
Power of 2024 - WITforce Odyssey.pptx.pdfPower of 2024 - WITforce Odyssey.pptx.pdf
Power of 2024 - WITforce Odyssey.pptx.pdfkatalinjordans1
 

Recently uploaded (20)

Bit N Build Poland
Bit N Build PolandBit N Build Poland
Bit N Build Poland
 
The Future of Product, by Founder & CEO, Product School
The Future of Product, by Founder & CEO, Product SchoolThe Future of Product, by Founder & CEO, Product School
The Future of Product, by Founder & CEO, Product School
 
Leveraging SLF4j for Effective Logging in IBM App Connect Enterprise.docx
Leveraging SLF4j for Effective Logging in IBM App Connect Enterprise.docxLeveraging SLF4j for Effective Logging in IBM App Connect Enterprise.docx
Leveraging SLF4j for Effective Logging in IBM App Connect Enterprise.docx
 
Importance of magazines in education ppt
Importance of magazines in education pptImportance of magazines in education ppt
Importance of magazines in education ppt
 
"Journey of Aspiration: Unveiling the Path to Becoming a Technocrat and Entre...
"Journey of Aspiration: Unveiling the Path to Becoming a Technocrat and Entre..."Journey of Aspiration: Unveiling the Path to Becoming a Technocrat and Entre...
"Journey of Aspiration: Unveiling the Path to Becoming a Technocrat and Entre...
 
5 Tech Trend to Notice in ESG Landscape- 47Billion
5 Tech Trend to Notice in ESG Landscape- 47Billion5 Tech Trend to Notice in ESG Landscape- 47Billion
5 Tech Trend to Notice in ESG Landscape- 47Billion
 
Progress Report: Ministry of IT under Dr. Umar Saif Aug 23-Feb'24
Progress Report: Ministry of IT under Dr. Umar Saif Aug 23-Feb'24Progress Report: Ministry of IT under Dr. Umar Saif Aug 23-Feb'24
Progress Report: Ministry of IT under Dr. Umar Saif Aug 23-Feb'24
 
IT Nation Evolve event 2024 - Quarter 1
IT Nation Evolve event 2024  - Quarter 1IT Nation Evolve event 2024  - Quarter 1
IT Nation Evolve event 2024 - Quarter 1
 
How we think about an advisor tech stack
How we think about an advisor tech stackHow we think about an advisor tech stack
How we think about an advisor tech stack
 
2024 February Patch Tuesday
2024 February Patch Tuesday2024 February Patch Tuesday
2024 February Patch Tuesday
 
Introduction to Multimodal LLMs with LLaVA
Introduction to Multimodal LLMs with LLaVAIntroduction to Multimodal LLMs with LLaVA
Introduction to Multimodal LLMs with LLaVA
 
"Testing of Helm Charts or There and Back Again", Yura Rochniak
"Testing of Helm Charts or There and Back Again", Yura Rochniak"Testing of Helm Charts or There and Back Again", Yura Rochniak
"Testing of Helm Charts or There and Back Again", Yura Rochniak
 
My self introduction to know others abut me
My self  introduction to know others abut meMy self  introduction to know others abut me
My self introduction to know others abut me
 
Enhancing Productivity and Insight A Tour of JDK Tools Progress Beyond Java 17
Enhancing Productivity and Insight  A Tour of JDK Tools Progress Beyond Java 17Enhancing Productivity and Insight  A Tour of JDK Tools Progress Beyond Java 17
Enhancing Productivity and Insight A Tour of JDK Tools Progress Beyond Java 17
 
How to write an effective Cyber Incident Response Plan
How to write an effective Cyber Incident Response PlanHow to write an effective Cyber Incident Response Plan
How to write an effective Cyber Incident Response Plan
 
Campotel: Telecommunications Infra and Network Builder - Company Profile
Campotel: Telecommunications Infra and Network Builder - Company ProfileCampotel: Telecommunications Infra and Network Builder - Company Profile
Campotel: Telecommunications Infra and Network Builder - Company Profile
 
Breaking Barriers & Leveraging the Latest Developments in AI Technology
Breaking Barriers & Leveraging the Latest Developments in AI TechnologyBreaking Barriers & Leveraging the Latest Developments in AI Technology
Breaking Barriers & Leveraging the Latest Developments in AI Technology
 
"How we created an SRE team in Temabit as a part of FOZZY Group in conditions...
"How we created an SRE team in Temabit as a part of FOZZY Group in conditions..."How we created an SRE team in Temabit as a part of FOZZY Group in conditions...
"How we created an SRE team in Temabit as a part of FOZZY Group in conditions...
 
"Running Open-Source LLM models on Kubernetes", Volodymyr Tsap
"Running Open-Source LLM models on Kubernetes",  Volodymyr Tsap"Running Open-Source LLM models on Kubernetes",  Volodymyr Tsap
"Running Open-Source LLM models on Kubernetes", Volodymyr Tsap
 
Power of 2024 - WITforce Odyssey.pptx.pdf
Power of 2024 - WITforce Odyssey.pptx.pdfPower of 2024 - WITforce Odyssey.pptx.pdf
Power of 2024 - WITforce Odyssey.pptx.pdf
 

Pwning in c++ (basic)

  • 1. Linux Binary Exploitation C++ Exploitation angelboy@chroot.org 1
  • 2. Outline • Name Mangling • Virtual function table • Vtable Hijacking • Vector & String • New & delete • Copy constructor & assignment operator 2
  • 3. Outline • Name Mangling • Virtual function table • Vtable Hijacking • Vector & String • New & delete • Copy constructor & assignment operator 3
  • 4. Name Mangling • C++ 為了了 Overloading 時,可以讓 compiler 和 linker 可以辨別出相同 function 名稱,參參數不同的 function 引⽤用的機制 • 使 programer 在不同的 namespace 底下可以有 著多個相同名稱的 function 4
  • 5. Name Mangling • ⽽而在 compiler 和 linker 處理理 symbol 時,就會使 ⽤用該機制讓每個 function 名對應到⼀一個修飾過後 的名稱 • C++ 中全域變數和靜態變數也有相同的機制 5
  • 6. Name Mangling • 在 gdb 中可以使⽤用下列列指令讓 function 好看⼀一點 • set print asm-demangle on 6
  • 7. Outline • Name Mangling • Virtual function table • Vector & String • New & delete • Copy constructor & assignment operator 7
  • 8. Virtual function table • Virtual function is a key mechanism to support polymorphism in C++ • For each class with virtual functions, depending on the class inheritance hierarchy, the compiler will create one or more associated virtual function table 8
  • 9. Virtual function table 9 writable section (heap) typeinfo Person::speak() Person::phd() typeinfo Stu::speak() Person::phd() Stu::pwn() read-only section vtable for Person vtable for Stu compiler generates the table for all class
  • 10. Virtual function table 10 writable section (heap) ddaa meh vfptr a vfptr b typeinfo Person::speak() Person::phd() typeinfo Stu::speak() Person::phd() Stu::pwn() read-only section vtable for Person vtable for Stu new a Person and a Stu object
  • 11. Virtual function table 11 writable section (heap) ddaa meh vfptr a vfptr b typeinfo Person::speak() Person::phd() typeinfo Stu::speak() Person::phd() Stu::pwn() read-only section vtable for Person vtable for Stu ddaa->speak()
  • 12. Virtual function table 12 writable section (heap) ddaa meh vfptr a vfptr b typeinfo Person::speak() Person::phd() typeinfo Stu::speak() Person::phd() Stu::pwn() read-only section vtable for Person vtable for Stu vfptr == *ddaa 取 vfptr
  • 13. Virtual function table 13 writable section (heap) ddaa meh vfptr a vfptr b typeinfo Person::speak() Person::phd() typeinfo Stu::speak() Person::phd() Stu::pwn() read-only section vtable for Person vtable for Stu call *vfptr (Person::speak(ddaa))
  • 14. Virtual function table 14 writable section (heap) ddaa meh vfptr a vfptr b typeinfo Person::speak() Person::phd() typeinfo Stu::speak() Person::phd() Stu::pwn() read-only section vtable for Person vtable for Stu meh->speak()
  • 15. Virtual function table 15 writable section (heap) ddaa meh vfptr a vfptr b typeinfo Person::speak() Person::phd() typeinfo Stu::speak() Person::phd() Stu::pwn() read-only section vtable for Person vtable for Stu vfptr == *meh 取 vfptr
  • 16. Virtual function table 16 writable section (heap) ddaa meh vfptr a vfptr b typeinfo Person::speak() Person::phd() typeinfo Stu::speak() Person::phd() Stu::pwn() read-only section vtable for Person vtable for Stu call *vfptr (Stu::speak(meh))
  • 17. Virtual function table 17 writable section (heap) ddaa meh vfptr a vfptr b typeinfo Person::speak() Person::phd() typeinfo Stu::speak() Person::phd() Stu::pwn() read-only section vtable for Person vtable for Stu meh->pwn()
  • 18. Virtual function table 18 writable section (heap) ddaa meh vfptr a vfptr b typeinfo Person::speak() Person::phd() typeinfo Stu::speak() Person::phd() Stu::pwn() read-only section vtable for Person vtable for Stu vfptr == *meh 取 vfptr
  • 19. Virtual function table 19 writable section (heap) ddaa meh vfptr a vfptr b typeinfo Person::speak() Person::phd() typeinfo Stu::speak() Person::phd() Stu::pwn() read-only section vtable for Person vtable for Stu call *(vfptr+0x10) (Stu::pwn(meh))
  • 20. Vtable Hijacking • Need other vulnerabilities • Use-after-free, Heap overflow …. • Force the table and Hijack the vfptr • Because the vfptr is writable 20
  • 22. Vtable Hijacking 22 writable section (heap) meh &shellcode 0xddaa ddaa 0xdead typeinfo Person::speak() Person::phd() typeinfo Stu::speak() Person::phd() Stu::pwn() read-only section vtable for Person vtable for Stu heap overflow forces a vtabe in ddaa and hijack the vfptr of meh ddaa
  • 26. Vtable Hijacking 26 writable section (heap) meh &shellcode 0xddaa ddaa 0xdead 0xbeef typeinfo Person::speak() Person::phd() typeinfo Stu::speak() Person::phd() Stu::pwn() read-only section vtable for Person vtable for Stu ddaa call *(vfptr) (call shellcode(meh)) PWN !! 但通常會有 DEP/NX 保護,可能要跳 libc 中的 one-gadget 或是其他可利利⽤用的地⽅方
  • 27. Outline • Name Mangling • Virtual function table • Vector & String • New & delete • Copy constructor & assignment operator 27
  • 28. Vector & String • Vector • A dynamic array • 分配在 heap 段 • 比⼀一般 c 中的陣列列更更有彈性,當空間不夠⼤大時 會重新兩兩倍⼤大的的⼩小來來放置新的 vector ,再把 原本的空間還給系統 28
  • 29. Vector & String • Vector • member • _M_start : vector 起始位置 • vector::begin() • _M_finish : vector 結尾位置 • vector::end() • _M_end_of_storage :容器最後位置 • if _M_finish == _M_end_of_storage in push_back • It will alloca a new space for the vector • 以這個來來判斷空間是否⾜足夠放元素 29
  • 30. Vector & String • Vector • member function • push_back : 在 vector 最後加入新元素 • pop_back : 移除 vector 最後⼀一個元素 • insert :插入元素到 vector 第 n 個位置 • erase :移除 vector 中第 n 個元素 • …… 30
  • 31. Vector & String • Vector layout 31 vector <string> vec _M_start _M_finish _M_end_of_storage
  • 32. Vector & String • Vector layout 32 vec.push_back(“meh”) _M_start _M_finish _M_end_of_storage address of meh string
  • 33. Vector & String • Vector layout 33 vec.push_back(“meheap”) _M_start _M_finish _M_end_of_storage address of meh string 因為 _M_finish == _ M_end_of_storage 所以會先從新 new ⼀一塊新的 vector 並把舊的值複製過去 再將藍藍⾊色那塊 delete 掉
  • 34. Vector & String • Vector layout 34 vec.push_back(“meheap”) _M_start _M_finish _M_end_of_storage address of meh string address of meh string address of meheap string
  • 35. Vector & String • Vector layout 35 vec.push_back(“meh.py”) _M_start _M_finish _M_end_of_storage address of meh string address of meh string address of meheap string address of meh string address of meheap string address of meh.py string
  • 36. Vector & String • Vector layout 36 vec.push_back(“pwn”) _M_start _M_finish _M_end_of_storage address of meh string address of meh string address of meheap string address of meh string address of meheap string address of meh.py string address of pwn string
  • 37. Vector & String • Vector layout 37 vec.pop_back() _M_start _M_finish _M_end_of_storage address of meh string address of meh string address of meheap string address of meh string address of meheap string address of meh.py string address of pwn string call destructor of pwn string
  • 38. Vector & String • Vector layout 38 vec.pop_back() _M_start _M_finish _M_end_of_storage address of meh string address of meh string address of meheap string address of meh string address of meheap string address of meh.py string address of pwn string
  • 39. Vector & String • String • a dynamic char array • 比起以往的字串串陣列列更更加安全,全部動態配置記憶體空間, 減少⼀一般 buffer overflow 的發⽣生 • 在給定 input 時,會不斷重新分配空間給 user 直到結束後, 就會回傳適當的⼤大⼩小給 user • 有許多種實作⽅方式,這邊介紹最常⾒見見的⼀一種 • g++ < 5 39
  • 40. Vector & String • String • member • size :字串串的長度 • Capacity : 該 string 空間的容量量 • reference count : 引⽤用計數 • 只要有其他元素引⽤用該字串串就會增加 • 如果其他元素不引⽤用了了,也會減少 • 當 reference == 0 時就會,將空間 delete 掉 • value : 存放字串串內容 40
  • 41. Vector & String • String • member function • length() : string ⼤大⼩小 • capacity() : ⽬目前 string 空間容量量 • c_str() : Get C string equivalent • …… 41
  • 42. Vector & String • String layout 42 str string str cin >> str
  • 43. Vector & String • String layout 43 str string str cin >> str input : aa size = 2 capacity = 2 refcnt = 0 aa
  • 44. Vector & String • String layout 44 str string str cin >> str input : aaa size = 2 capacity = 2 refcnt = -1 aa size = 3 capacity = 4 refcnt = 0 aaa
  • 45. Vector & String • String layout 45 str string str cin >> str input : aaaaa size = 2 capacity = 2 refcnt = -1 aa size = 4 capacity = 4 refcnt = -1 aaaa size = 5 capacity = 8 refcnt = 0 aaaaa
  • 46. Vector & String • String layout 46 str string str cin >> str input : a*125 size = 2 capacity = 2 refcnt = -1 aa size = 4 capacity = 4 refcnt = -1 aaaa size = 8 capacity = 8 refcnt = -1 aaaaaaaa size = 125 capacity = 128 refcnt = 0 a*125 依此類推 capacity 會 不斷以⼆二的指數倍增長 直到 input 結束 . . .
  • 47. Vector & String • String layout 47 str vector<string> vec vec.push_back(str) size = 2 capacity = 2 refcnt = -1 aa size = 4 capacity = 4 refcnt = -1 aaaa size = 8 capacity = 8 refcnt = -1 aaaaaaaa size = 125 capacity = 128 refcnt = 1 a*125 _M_start _M_finish _M_end_of_storage str . . .
  • 48. Vector & String • String layout 48 str size = 2 capacity = 2 refcnt = -1 aa size = 4 capacity = 4 refcnt = -1 aaaa size = 8 capacity = 8 refcnt = -1 aaaaaaaa size = 125 capacity = 128 refcnt = 2 a*125 _M_start _M_finish _M_end_of_storage str str str vector<string> vec vec.push_back(str) vec.push_back(str) . . .
  • 49. Vector & String • String layout 49 str size = 2 capacity = 2 refcnt = -1 aa size = 4 capacity = 4 refcnt = -1 aaaa size = 8 capacity = 8 refcnt = -1 aaaaaaaa size = 125 capacity = 128 refcnt = 1 a*125 _M_start _M_finish _M_end_of_storage str str str vec.pop_back() 這邊會 call str destuctor 但不會 delete 空間 . . .
  • 50. Vector & String • String layout 50 str size = 2 capacity = 2 refcnt = -1 aa size = 4 capacity = 4 refcnt = -1 aaaa size = 8 capacity = 8 refcnt = -1 aaaaaaaa size = 125 capacity = 128 refcnt = 0 a*125 _M_start _M_finish _M_end_of_storage str str str vec.pop_back() 這邊會 call str destuctor 但不會 delete 空間 . . .
  • 51. Vector & String • String layout 51 size = 2 capacity = 2 refcnt = -1 aa size = 4 capacity = 4 refcnt = -1 aaaa size = 8 capacity = 8 refcnt = -1 aaaaaaaa size = 125 capacity = 128 refcnt = -1 a*125 _M_start _M_finish _M_end_of_storage str str str end of scope 這邊會 call str destuctor 因 refcnt < 0 會做 delete . . .
  • 52. Vector & String • String • g++ > 5 之後取消了了 Copy-on-Write 機制 • 所以少掉了了 reference count 這個欄欄位 • 在 data length • <= 15 時會⽤用 local buffer • > 15 時則會在 heap allocate 空間給 data 使⽤用 52
  • 53. Vector & String • String • data pointer : 指向 data 位置 • size : 分配出去 string 的長度 • union • local buffer : 在 size <= 15 時會直接把這欄欄位拿來來存 data • allocated capacity : size > 15 時會拿來來紀錄 capcity 53
  • 54. Vector & String • String • size < 15 54 data pointer size = 15 aaaaaaaa aaaaaaaa
  • 55. Vector & String • String • size > 15 55 data pointer size = 17 capacity = 30 0 aaaaaaaa aaaaaaaa a heap
  • 56. Outline • Name Mangling • Virtual function table • Vector & String • New & delete • Copy constructor & assignment operator 56
  • 57. New & Delete • 在 c++ 預設的情況下 ,new/delete 的最底層實作依舊是靠 malloc/free 去處理理記憶體管理理 • 在 c++ 中,記憶體配置池稱為 free store ,但預設情況下 free store 位置是在 heap • 不過事實上 new/delete 是可以 overloading 的,也就是⾃自⾏行行去 做記憶體管理理,另外最⼤大差別就是new/delete 實際上會去 call constructor/destructor ⽽而 malloc/free 只做單純的記憶體配置 • 因此盡量量不要讓 malloc/free 與 new/delete 混⽤用,不然可能會 出現⼀一些不可預期的狀狀況 57
  • 58. New & Delete • new ⼤大致上流程 • operator new • 與 malloc 類似,單純配置記憶體空間,但配置失敗會進入 exception ⽽而 malloc 則是返回 null ,有點像在 malloc 上⼀一層 wrapper • constructor • delete ⼤大致上流程 • destructor • operator delete • 與 free 類似,釋放⼀一塊記憶體空間,有點像是在 free 上⼀一層 wrapper 58
  • 59. New & Delete • 因此 new/delete 及 operator new / operator delete 也應該成對配對 • 記憶體函式配對 59 配置函式 解除函式 new delete new [] delete [] operator new operator delete operator new[] operator delete[] malloc free
  • 60. Outline • Name Mangling • Virtual function table • Vector & String • New & delete • Copy constructor & assignment operator 60
  • 61. What’s wrong in this code 61
  • 62. What’s wrong in this code 62
  • 63. Copy constructor & assignment operator • shallow copy • 只做單純 pointer (value) 的複製,複製完後內 容與原本的相同 • deep copy • 會在配置更更多記憶體空間,包含 pointer 所指向 的內容也都⼀一併複製 63
  • 64. Copy constructor & assignment operator • shallow copy 64 name orange StuA
  • 65. Copy constructor & assignment operator • shallow copy 65 name orange name StuA StuB
  • 66. Copy constructor & assignment operator • deep copy 66 name orange StuA
  • 67. Copy constructor & assignment operator • deep copy 67 name orange name StuA StuB orange
  • 68. Copy constructor & assignment operator • Copy constructor • c++ 在進⾏行行複製 object 會使⽤用 copy constructor • 通常 class 的 member 有指標時,就需要⾃自⾏行行 去實作 • 若若未特別定義則會使⽤用 default copy constructor • 只做 shallow copy 68
  • 69. Copy constructor & assignment operator • Assignment operator • c++ 在進⾏行行 “=“ 這個 operator 時 object 會使⽤用 assignment operator 這個 function 去 assign object 的 值 • 通常 class 的 member 有指標時,就需要⾃自⾏行行去實作 • 若若未特別定義則會使⽤用 default assignment operator • 只做 shallow copy 69
  • 70. Copy constructor & assignment operator • 何時會使⽤用 copy constructor • func(Stu stu) • return stu • vector 等 STL 容器 • …. 70
  • 71. Copy constructor & assignment operator • 何時會使⽤用 assignment operator • stuA = stuB • vector 等 STL 容器 • e.g. vector.erase() • … 71
  • 72. Copy constructor & assignment operator 72 call constructor id name vector
  • 73. Copy constructor & assignment operator 73 new char [str.length() + 1] id = 1337 name orange vector
  • 74. Copy constructor & assignment operator 74 push_back(student) id = 1337 name orange vector id = 1337 name copy the value to vector using shadow copy
  • 75. Copy constructor & assignment operator 75 ~Stu() id = 1337 name orange vector id = 1337 name 因 student 的 life time 結束 所以 call destructor
  • 76. Copy constructor & assignment operator 76 delete [] name id = 1337 name orange vector id = 1337 name
  • 77. Copy constructor & assignment operator 77 ~vector() id = 1337 name orange vector id = 1337 name 因 stulist 的 life time 結束 所以 call destructor
  • 78. Copy constructor & assignment operator 78 ~Stu() id = 1337 name orange vector id = 1337 name vector 會去 依次去呼叫 內容的 destructor
  • 79. Copy constructor & assignment operator 79 delete [] name id = 1337 name orange vector id = 1337 name
  • 80. Copy constructor & assignment operator 80 delete [] name id = 1337 name orange vector id = 1337 name double free
  • 81. Copy constructor & assignment operator • 總結 • 基本上 c++ 在只要做任何複製的動作時通常都 會去使⽤用 copy constructor 或者是 assignment operator • 所以基本上物件只要有 pointer 都盡量量養成習慣 去定義 copy constructor 跟 assignment opeator 81
  • 83. Q & A