Monday, May 29, 2023

C++ Std::String Buffer Overflow And Integer Overflow

Iterators are usually implemented using signed integers, as in the typical "for (int i=0; ...", and int is in fact the type usually used for indexing like "cstr[i]"; most methods use a signed int, and int is signed by default.
Nevertheless, the "std::string::operator[]" index is size_t, which is unsigned, as is the return type of size(); the same happens with vectors.
Besides that, operator[] does no negative index control; I will explain this later.

Don't the compilers warn about this?


If this code got a large input it would index with a negative number; let's see the g++ and clang++ warnings:



No warnings, so there are many bugs out there...

In order to reproduce the crash we can load a big string or vector from a file, for example:


I've implemented a loading function that gets the file size with tellg() and uses malloc to allocate the buffer, which in this case is then used as a string.
Let's see how the compiler writes the asm code for this C++ code.



So the string constructor, getting the size and adding -2, is clear. Then comes the operator<< to concatenate the strings.
Then we see the operator[], where it will crash with the negative index.
In assembly it is clearer: it will call operator[] to get the value, and that is where the magic dereference happens. The operator[] will end up returning an invalid address that will crash at [RAX].



In gdb the operator[] is a callq 0x555555555180 <_ZNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEEixEm@plt>

(gdb) i r rsi
rsi            0xfffffffffffefffe  -65538


The implementation of operator[] is reached through the functions below (on the first call the PLT stub goes through the dynamic linker to resolve the symbol):

(gdb) bt
#0  0x00007ffff7feebf3 in strcmp () from /lib64/ld-linux-x86-64.so.2
#1  0x00007ffff7fdc9a5 in check_match () from /lib64/ld-linux-x86-64.so.2
#2  0x00007ffff7fdce7b in do_lookup_x () from /lib64/ld-linux-x86-64.so.2
#3  0x00007ffff7fdd739 in _dl_lookup_symbol_x () from /lib64/ld-linux-x86-64.so.2
#4  0x00007ffff7fe1eb7 in _dl_fixup () from /lib64/ld-linux-x86-64.so.2
#5  0x00007ffff7fe88ee in _dl_runtime_resolve_xsavec () from /lib64/ld-linux-x86-64.so.2
#6  0x00005555555554b3 in main (argc=2, argv=0x7fffffffe118) at main.cpp:29

Then it crashes on the MOVZX EAX, byte ptr [RAX]:

Program received signal SIGSEGV, Segmentation fault.
0x00005555555554b3 in main (argc=2, argv=0x7fffffffe118) at main.cpp:29
29     cout << "penultimate byte is " << hex << s[i] << endl;
(gdb)


What about negative indexing in std::string::operator[] ?
It's exploitable!

In a C char array it is well known that, having control of the index, we can address memory.
Let's see what happens with C++ strings:






The operator[] function call returns the address of the string plus 10, and yes, we can do arbitrary writes.



Note that gdb displays AT&T assembly syntax by default, in which the operands are in the opposite order:


And with a string that lives on the stack, controlling the index lets us perform a write on the stack.



To make sure we are writing outside the string, I'm gonna do 3 writes:


See below the command "i r rax" to view the address where the write will be performed.


The beginning of the std::string object is 0x7fffffffde50.
Write -10 writes before the string, at 0x7fffffffde46.
And write -100 segfaults because it is writing to a non-paged address.



So, C++ std::string is probably not vulnerable to buffer overflows based on concatenation, but std::string::operator[] lacks negative index control, and this can create vulnerable and exploitable situations, sometimes caused by a signed use of the unsigned std::string::size().
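The two patterns discussed above (the int index computed from size(), and what operator[] receives when that index goes negative) side by side with a checked version. This is an added example, not the post's code; the function names are mine and it assumes a 64-bit build for the quoted RSI value.

```cpp
// Added example, not code from the post: the signed-index pattern the post
// describes beside a checked version. Function names are my own.
#include <cstddef>
#include <cstdint>
#include <stdexcept>
#include <string>

// What std::string::operator[] actually receives when a negative int is used
// as the index: the int is sign-extended and converted to size_t, so -65538
// becomes 0xfffffffffffefffe on a 64-bit build (the RSI value in the post).
std::size_t index_seen_by_operator(int i) {
    return static_cast<std::size_t>(i);
}

// Vulnerable pattern: size() is size_t, but the index is kept in an int.
// For inputs shorter than 2 bytes the subtraction wraps and i ends up
// negative, so s[i] would read or write far outside the buffer. The index
// is returned instead of used, so this function is safe to run on any input.
int penultimate_index_unchecked(const std::string& s) {
    int i = s.size() - 2;   // no compiler warning by default, as the post shows
    return i;
}

// Hardened pattern: check the length before subtracting, keep the index as
// size_t, and use at() so any remaining mistake throws instead of
// dereferencing an invalid address. Returns the byte as 0..255, or -1 when
// the string has no penultimate byte.
int penultimate_checked(const std::string& s) {
    if (s.size() < 2) {
        return -1;
    }
    std::size_t i = s.size() - 2;   // cannot wrap: size() >= 2 here
    return static_cast<unsigned char>(s.at(i));
}

// at() also catches a wrapped index: a negative int pushed through at() is
// rejected with std::out_of_range rather than silently dereferenced.
bool at_rejects_index(const std::string& s, int i) {
    try {
        (void)s.at(static_cast<std::size_t>(i));
        return false;
    } catch (const std::out_of_range&) {
        return true;
    }
}
```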
