C++ Differences and Concepts Modern Binary Exploitation CSCI 4968 - Spring 2015 Branden Clark MBE - 04/24/2015 C++ Differences and Concepts 1 Overview • C++ Differences • Class layout • VTables – Definition – Exploitation MBE - 04/24/2015 C++ Differences and Concepts 2 C++ Differences • Standard library • Memory management • Exceptions • Classes MBE - 04/24/2015 C++ Differences and Concepts 3 Standard library • std::cout << “Hello world!” << std::endl; – printf(“Hello world!\n”); • std::cin >> string_buf; – scanf(“%s”, char_buf); MBE - 04/24/2015 C++ Differences and Concepts 4 Standard library • std::cout << “Hello world!” << std::endl; – printf(“Hello world!\n”); • std::cin >> string_buf; – scanf(“%s”, char_buf); Use of C++ std::string removes a lot of potential memory corruption introduced by C-style strings :( MBE - 04/24/2015 C++ Differences and Concepts 5 Standard library • Makes for good obfuscation ;) – std::cout << msg << std::endl ASM SHOT HERE MBE - 04/24/2015 C++ Differences and Concepts 6 Standard library • Makes for good obfuscation ;) – std::cout << msg << std::endl C++ name mangling MBE - 04/24/2015 C++ Differences and Concepts 7 Memory Management • char *buf = new char[10]; – char *buf = (char *)malloc(sizeof(char) * 10); • delete [] buf; – free(buf); MBE - 04/24/2015 C++ Differences and Concepts 8 Memory Management • char *buf = new char[10]; – char *buf = (char *)malloc(sizeof(char) * 10); • delete [] buf; – free(buf); need ‘[]’ for arrays MBE - 04/24/2015 C++ Differences and Concepts 9 Exceptions MBE - 04/24/2015 C++ Differences and Concepts 10 Exceptions • On Windows: SEH – Structured Exception Handling – It’s pwnable – For the curious MBE - 04/24/2015 C++ Differences and Concepts 11 Classes • Structs group elements in C • Classes are (usually) used in C++ MBE - 04/24/2015 C++ Differences and Concepts 12 Classes • “this” pointer – Pointer to the calling object – The first argument to a member function MBE - 04/24/2015 C++ Differences and Concepts 13 Class layout • Basic classes look like structs MBE - 04/24/2015 C++ Differences and Concepts 14 Class layout • Inheritance MBE - 04/24/2015 C++ Differences and Concepts 15 Class layout • Inheritance introduces (non-standard) complexity • Ordering of VTables and variables can change via compiler, system, etc. MBE - 04/24/2015 C++ Differences and Concepts 16 VTables • Virtual (function|method) table • A pointer to an array of function pointers – Usually first (4|8) bytes of the class – Pointers to virtual functions only MBE - 04/24/2015 C++ Differences and Concepts 17 VTables • Virtual (function|method) table • A pointer to an array of function pointers – Usually first (4|8) bytes of the class – Pointers to virtual functions only VTables enable polymorphism MBE - 04/24/2015 C++ Differences and Concepts 18 VTables • List of most-derived functions to a class – closest one going up the hierarchy Square set_vals Rect set_vals width height MBE - 04/24/2015 C++ Differences and Concepts 19 VTables • List of most-derived functions to a class – closest one going up the hierarchy Parallelogram set_vals Rectangle Rhombus set_vals Square MBE - 04/24/2015 C++ Differences and Concepts 20 Exercise 1 • What is the vtable for each of the objects? • cpp_lec01 – Guess, or use gdb MBE - 04/24/2015 C++ Differences and Concepts 21 VTables - Exploitation • Instance replacement – What if we change which VTable is used? MBE - 04/24/2015 C++ Differences and Concepts 22 VTables - Exploitation • Function pointers are memory, too – What if we overwrite them? – Modify the VTable MBE - 04/24/2015 C++ Differences and Concepts 23 Exercise 2 • Try triggering the other calls (or get a shell) • cpp_lec02 – Need a pointer to the final address MBE - 04/24/2015 C++ Differences and Concepts 24 Additional Reading • https://defuse.ca/exploiting-cpp-vtables.htm • http://imchris.org/projects/overflows/cpp- vptrs.html MBE - 04/24/2015 C++ Differences and Concepts 25 Labs • There will be lab as usual next class MBE - 04/24/2015 C++ Differences and Concepts 26.