C++ Differences and Concepts
Modern Binary Exploitation CSCI 4968 - Spring 2015 Branden Clark
MBE - 04/24/2015 C++ Differences and Concepts 1 Overview
• C++ Differences • Class layout • VTables – Definition – Exploitation
MBE - 04/24/2015 C++ Differences and Concepts 2 C++ Differences
• Standard library • Memory management • Exceptions • Classes
MBE - 04/24/2015 C++ Differences and Concepts 3 Standard library
• std::cout << “Hello world!” << std::endl; – printf(“Hello world!\n”); • std::cin >> string_buf; – scanf(“%s”, char_buf);
MBE - 04/24/2015 C++ Differences and Concepts 4 Standard library
• std::cout << “Hello world!” << std::endl; – printf(“Hello world!\n”); • std::cin >> string_buf; – scanf(“%s”, char_buf);
Use of C++ std::string removes a lot of potential memory corruption introduced by C-style strings :(
MBE - 04/24/2015 C++ Differences and Concepts 5 Standard library
• Makes for good obfuscation ;) – std::cout << msg << std::endl
ASM SHOT HERE
MBE - 04/24/2015 C++ Differences and Concepts 6 Standard library
• Makes for good obfuscation ;) – std::cout << msg << std::endl
C++ name mangling
MBE - 04/24/2015 C++ Differences and Concepts 7 Memory Management
• char *buf = new char[10]; – char *buf = (char *)malloc(sizeof(char) * 10);
• delete [] buf; – free(buf);
MBE - 04/24/2015 C++ Differences and Concepts 8 Memory Management
• char *buf = new char[10]; – char *buf = (char *)malloc(sizeof(char) * 10);
• delete [] buf; – free(buf); need ‘[]’ for arrays
MBE - 04/24/2015 C++ Differences and Concepts 9 Exceptions
MBE - 04/24/2015 C++ Differences and Concepts 10 Exceptions
• On Windows: SEH – Structured Exception Handling – It’s pwnable – For the curious
MBE - 04/24/2015 C++ Differences and Concepts 11 Classes
• Structs group elements in C • Classes are (usually) used in C++
MBE - 04/24/2015 C++ Differences and Concepts 12 Classes
• “this” pointer – Pointer to the calling object – The first argument to a member function
MBE - 04/24/2015 C++ Differences and Concepts 13 Class layout
• Basic classes look like structs
MBE - 04/24/2015 C++ Differences and Concepts 14 Class layout
• Inheritance
MBE - 04/24/2015 C++ Differences and Concepts 15 Class layout
• Inheritance introduces (non-standard) complexity • Ordering of VTables and variables can change via compiler, system, etc.
MBE - 04/24/2015 C++ Differences and Concepts 16 VTables
• Virtual (function|method) table • A pointer to an array of function pointers – Usually first (4|8) bytes of the class – Pointers to virtual functions only
MBE - 04/24/2015 C++ Differences and Concepts 17 VTables
• Virtual (function|method) table • A pointer to an array of function pointers – Usually first (4|8) bytes of the class – Pointers to virtual functions only
VTables enable polymorphism
MBE - 04/24/2015 C++ Differences and Concepts 18 VTables
• List of most-derived functions to a class – closest one going up the hierarchy
Square
set_vals
Rect set_vals width height
MBE - 04/24/2015 C++ Differences and Concepts 19 VTables
• List of most-derived functions to a class – closest one going up the hierarchy
Parallelogram
set_vals
Rectangle Rhombus set_vals
Square
MBE - 04/24/2015 C++ Differences and Concepts 20 Exercise 1
• What is the vtable for each of the objects? • cpp_lec01 – Guess, or use gdb
MBE - 04/24/2015 C++ Differences and Concepts 21 VTables - Exploitation
• Instance replacement – What if we change which VTable is used?
MBE - 04/24/2015 C++ Differences and Concepts 22 VTables - Exploitation
• Function pointers are memory, too – What if we overwrite them? – Modify the VTable
MBE - 04/24/2015 C++ Differences and Concepts 23 Exercise 2
• Try triggering the other calls (or get a shell) • cpp_lec02 – Need a pointer to the final address
MBE - 04/24/2015 C++ Differences and Concepts 24 Additional Reading
• https://defuse.ca/exploiting-cpp-vtables.htm • http://imchris.org/projects/overflows/cpp- vptrs.html
MBE - 04/24/2015 C++ Differences and Concepts 25 Labs
• There will be lab as usual next class
MBE - 04/24/2015 C++ Differences and Concepts 26