C++ Std::String Buffer Overflow And Integer Overflow

Interators are usually implemented using signed integers like the typical "for (int i=0; ..." and in fact is the type used indexing "cstr[i]", most of methods use the signed int, int by default is signed.
Nevertheless, the "std::string::operator[]" index is size_t which is unsigned, and so does size(), and same happens with vectors.
Besides the operator[] lack of negative index control, I will explain this later.

Do the compilers doesn't warn about this?

If his code got a large input it would index a negative numer, let see g++ and clang++ warnings:

No warnings so many bugs out there...

In order to reproduce the crash we can load a big string or vector from file, for example:

I've implemented a loading function, getting the file size with tellg() and malloc to allocate the buffer, then in this case used as a string.
Let see how the compiler write asm code based on this c++ code.

So the string constructor, getting size and adding -2 is clear. Then come the operator<< to concat the strings.
Then we see the operator[] when it will crash with the negative index.
In assembly is more clear, it will call operator[] to get the value, and there will hapen the magic dereference happens. The operator[] will end up returning an invalid address that will crash at [RAX]

In gdb the operator[] is a  allq  0x555555555180 <_znst7__cxx1112basic_stringicst11char_traitsicesaiceeixem plt="">

(gdb) i r rsi
rsi            0xfffffffffffefffe  -65538


The implmementation of operator ins in those functions below:

(gdb) bt
#0  0x00007ffff7feebf3 in strcmp () from /lib64/ld-linux-x86-64.so.2
#1  0x00007ffff7fdc9a5 in check_match () from /lib64/ld-linux-x86-64.so.2
#2  0x00007ffff7fdce7b in do_lookup_x () from /lib64/ld-linux-x86-64.so.2
#3  0x00007ffff7fdd739 in _dl_lookup_symbol_x () from /lib64/ld-linux-x86-64.so.2
#4  0x00007ffff7fe1eb7 in _dl_fixup () from /lib64/ld-linux-x86-64.so.2
#5  0x00007ffff7fe88ee in _dl_runtime_resolve_xsavec () from /lib64/ld-linux-x86-64.so.2
#6  0x00005555555554b3 in main (argc=2, argv=0x7fffffffe118) at main.cpp:29

Then crashes on the MOVZX EAX, byte ptr [RAX]

Program received signal SIGSEGV, Segmentation fault.

0x00005555555554b3 in main (argc=2, argv=0x7fffffffe118) at main.cpp:29
29     cout << "penultimate byte is " << hex << s[i] << endl;
(gdb)


What about negative indexing in std::string::operator[] ?
It's exploitable!

In a C char array is known that having control of the index, we can address memory.
Let's see what happens with C++ strings:

The operator[] function call returns the address of string plus 10, and yes, we can do abitrary writes.

Note that gdb displays by default with at&t asm format wich the operands are in oposite order:

And having a string that is in the stack, controlling the index we can perform a write on the stack.

To make sure we are writing outside the string, I'm gonna do 3 writes:

 See below the command "i r rax" to view the address where the write will be performed.

The beginning of the std::string object is 0x7fffffffde50.
Write -10 writes before the string 0x7fffffffde46.
And write -100 segfaults because is writting in non paged address.



So, C++ std::string probably is not vulnerable to buffer overflow based in concatenation, but the std::string::operator[] lack of negative indexing control and this could create vulnerable and exploitable situations, some times caused by a signed used of the unsigned std::string.size()

More info

1. Physical Pentest Tools
2. New Hack Tools
3. Hacking Tools For Kali Linux
4. Pentest Tools Alternative
5. Hacking Tools Software
6. World No 1 Hacker Software
7. Pentest Tools Bluekeep
8. Beginner Hacker Tools
9. Hacks And Tools
10. Hacking App
11. Hacks And Tools
12. Hacking Tools Windows
13. Pentest Tools Tcp Port Scanner
14. Pentest Recon Tools
15. Hack Tools Mac
16. Hacking Tools For Games
17. Game Hacking
18. Hacker Tools For Ios
19. Free Pentest Tools For Windows
20. Hack Tools Mac
21. Hack Tools For Mac
22. Hack Tools 2019
23. Hacker Tools For Ios
24. Pentest Tools Kali Linux
25. Pentest Tools For Mac
26. Best Hacking Tools 2019
27. Hacker Tools List
28. Hacker Tools Online
29. Github Hacking Tools
30. Hack Tools Download
31. Pentest Tools Apk
32. Hacker Tools Free Download
33. Termux Hacking Tools 2019
34. Hacking Tools Software
35. Hak5 Tools
36. New Hacker Tools
37. Hack Apps
38. Hacker
39. Pentest Tools Android
40. Hacking Tools Name
41. Hacker Tools Free
42. Nsa Hack Tools Download
43. Pentest Tools Online
44. Pentest Tools Apk
45. Hacking Tools For Kali Linux
46. Hacker Tools Apk
47. Ethical Hacker Tools
48. Pentest Tools Download
49. Pentest Tools Open Source
50. Hacker
51. Usb Pentest Tools
52. Hacking Tools For Kali Linux
53. Best Hacking Tools 2020
54. Hack Tools Mac
55. Pentest Tools Nmap
56. Hack Tools Online
57. Pentest Tools Nmap
58. Hacker Tools For Ios
59. Pentest Tools Port Scanner
60. Top Pentest Tools
61. Nsa Hack Tools
62. Hak5 Tools
63. Hack Tools For Ubuntu
64. Best Hacking Tools 2020
65. Hacking Tools Online
66. Growth Hacker Tools
67. World No 1 Hacker Software
68. Pentest Tools Url Fuzzer
69. Termux Hacking Tools 2019
70. Hacking Tools Free Download
71. Pentest Tools Linux
72. Hacking Tools Name
73. What Is Hacking Tools
74. Hacker Tools 2019
75. Hacker Tool Kit
76. Hacking Tools For Windows Free Download
77. Best Pentesting Tools 2018
78. Hacking Tools Download
79. Tools For Hacker
80. Bluetooth Hacking Tools Kali
81. Hacker Search Tools